What changes are applicable to SAQ B?

SAQ B: Merchants who use imprint-only, or standalone, dial-out terminals

As with the other version 4.0 SAQs, SAQ B now references ‘merchant’ instead of ‘company’ and ‘account data’ instead of ‘cardholder data’. Eligibility criteria have been simplified with ‘Your company does not transmit cardholder data over a network (either an internal network or the Internet)’ removed and Part 2h ‘Eligibility to Complete SAQ B’ now accurately reflecting the ‘Merchant Eligibility Criteria’ on page iii.

SAQ B includes only 2 new or additional Requirements, both of which are effective immediately.

In addition, 7 consolidated, redundant or no longer applicable version 3.2.1 SAQ Requirements have been removed from SAQ B: 4.2 b, 9.6 a, 9.7, 12.3.1, 12.3.3, 12.3.5, 12.5.3.

The version 4.0 SAQ B new or additional Requirements are highlighted below:

Effective Immediately

  • Security policies and operational procedures for protecting stored account data (3.1.1)
    • Applicable only if the merchant has paper storage of account data.
  • Secure storage of offline media backups with cardholder data (9.4.1.1)
