What changes are applicable to SAQ B-IP?

SAQ B-IP: Merchants who use a standalone, PCI PTS-approved point-of-interaction (POI) device connected via IP.

As with the v3.2.1 SAQ B-IP, under version 4.0 the SAQ B-IP continues to be applicable to merchants using standalone, PCI-listed approved PTS POI devices (connected via IP to the merchant’s payment processor).

The SAQ’s eligibility criteria now exclude not just approved PTS POI devices classified as Secure Card Readers (SCRs) but also devices classified as Secure Card Reader – PIN (SCRPs).

  • An encrypting card reader that either:
    • Is intended for use with a non-secure device, such as a mobile phone or other device; or
    • May be defined as an Original Equipment Manufacturer (OEM) product type to be integrated into a POI terminal or ATM.

SECURE (ENCRYPTING) CARD READER (SCR):

  • An encrypting card reader that is intended for use with a commercial-off-the-shelf (COTS) device, such as a mobile phone or tablet.

A new footnote advises merchants using PCI PTS POI devices with expired approval to check the acceptability of the SAQ B-IP with their acquirer or with the payment brands.

The SAQ B-IP includes only:

  • 4 new or additional Requirements that are all effective immediately.

Meanwhile, 19 consolidated, redundant, or no longer applicable version 3.2.1 SAQ Requirements have been removed from SAQ B-IP: 1.1.4 a&b, 1.3.4, 1.3.5, 4.1 a-e, 4.1.1, 4.2 b, 8.3.1, 9.6 a, 9.7, 12.3.1, 12.3.3, 12.3.5, 12.3.9, 12.5.3.

The most significant of the new or additional Requirements are highlighted below:

Effective Immediately:

  • Security policies and operational procedures for:
    • Protecting stored account data in hard copy (3.1.1)
    • Identifying users and authenticating access to system components (8.1.1)
    • Restricting physical access to cardholder data (9.1.1)
  • Secure storage of offline media backups with cardholder data (9.4.1.1)
    • Applicable only if the merchant has paper storage of account data.
