PCI DSS v4.0.1 Self-Assessment Questionnaire (SAQ B-IP) — Cardholder Data Security Controls for Standalone IP-Connected Terminals

SmartSuite provides the system for managing controls, evidence, mappings, assessments, and reporting. Framework text may require a separate license unless explicitly provided.
Overview
PCI DSS v4.0.1 Self-Assessment Questionnaire (SAQ B-IP) is a cybersecurity and compliance assessment tool that enables merchants with standalone IP-connected payment terminals to validate their handling of cardholder data and adherence to critical security controls. The SAQ B-IP specifically addresses the unique requirements for securing card data in environments with minimal payment processing systems connected via IP.
Developed and published by the PCI Security Standards Council, the PCI DSS SAQ B-IP is used by merchants, compliance teams, and assessors to evaluate technical and procedural safeguards related to data protection, network security, and compliance oversight. Its focus areas include securing payment terminals, managing network access, protecting stored cardholder data, and enabling compliance with the broader PCI DSS ecosystem.
Organizations complete the SAQ B-IP by self-attesting to their implementation of required security controls, documenting compliance measures, and mitigating risk through regular assessments. The tool supports risk management, audit readiness, and alignment with industry card payment standards, helping organizations demonstrate compliance to acquirers and regulatory bodies.
Why it Matters
PCI DSS v4.0.1 SAQ B-IP establishes essential security controls to protect cardholder data in organizations using standalone IP-connected payment terminals.
Key benefits include:
- Strengthen cardholder data protection
Reduce the risk of unauthorized access and data exposure by implementing targeted controls for IP-connected payment terminal environments.
- Simplify compliance scope
Focus PCI DSS assessment requirements on systems and processes specific to SAQ B-IP scope, reducing compliance complexity.
- Enhance visibility and oversight
Establish clear accountability for monitoring and managing security controls protecting cardholder data in terminal environments.
- Support compliance obligations
Facilitate adherence to PCI DSS requirements, helping organizations avoid penalties and demonstrate responsible payment data management.
- Improve incident response preparedness
Establish structured processes for identifying and responding to security breaches involving IP-connected payment terminals.
How it Works
PCI DSS v4.0.1 SAQ B-IP is structured as a self-assessment questionnaire for merchants using standalone IP-connected payment terminals that are not connected to other systems or broader networks. The SAQ organizes its requirements into control domains addressing network security, access controls, encryption, and logging practices. These are tailored to the specific scope of IP-connected terminal environments: the scope is similar to SAQ B, but with additional network security controls.
Organizations implement SAQ B-IP by confirming their terminal environment qualifies, applying the prescribed security controls including network segmentation and encryption, and maintaining documentation for compliance validation. Typical activities include ensuring personnel understand security responsibilities, managing access controls to payment systems, conducting periodic assessments, and maintaining the documentation required to demonstrate ongoing adherence to PCI DSS requirements for IP-connected terminals.
With SmartSuite, organizations can operationalize SAQ B-IP compliance by leveraging control libraries mapped to SAQ B-IP requirements, maintaining risk registers, and managing policy governance for terminal security. The platform supports evidence collection, compliance tracking, and reporting dashboards that provide visibility into control effectiveness and readiness for PCI DSS assessments.
Key Elements
- IP Terminal Network Security
Describes structural requirements for protecting network connections used by standalone IP-connected payment terminals.
- Cardholder Data Encryption Controls
Specifies encryption requirements for protecting cardholder data transmitted through IP-connected terminal environments.
- Physical and Logical Access Controls
Outlines controls for restricting physical and logical access to payment terminals and cardholder data environments.
- Security Monitoring and Logging
Establishes requirements for audit logging and monitoring of activity within IP-connected terminal environments.
- Vulnerability and Patch Management
Defines processes for identifying and remediating security weaknesses in IP-connected terminal systems.
- Incident Response Procedures
Outlines structured processes for detecting, reporting, and responding to security incidents involving payment terminals.
Framework Scope
PCI DSS v4.0.1 SAQ B-IP is used by merchants that process cardholder data through standalone IP-connected payment terminals not connected to other systems or broader network environments. It governs IP terminal security controls and associated compliance practices, and is typically implemented to protect cardholder data, simplify PCI DSS compliance scope, and support assurance programs for terminal-based payment security.
Framework Objectives
PCI DSS v4.0.1 SAQ B-IP defines targeted security requirements to protect cardholder data in IP-connected terminal environments and support PCI DSS compliance.
- Protect cardholder data through encryption and access controls for IP-connected terminals
- Simplify PCI DSS compliance scope for merchants using qualifying IP terminal environments
- Strengthen governance and oversight of terminal security practices and policies
- Enhance visibility and monitoring of security controls in payment terminal environments
- Support audit readiness through structured documentation and compliance monitoring
- Promote operational resilience by securing IP-connected payment terminal environments
Framework in Context
PCI DSS v4.0.1 SAQ B-IP applies PCI DSS requirements to merchants using standalone IP-connected terminals, bridging the scope between SAQ B and broader SAQ types. Organizations use it to fulfill PCI DSS obligations for IP terminal environments, balancing simplified scope with the additional network security controls required for IP connectivity.
Common Framework Mappings
PCI DSS v4.0.1 SAQ B-IP is commonly mapped to broader payment and information security frameworks to demonstrate control coverage and align security practices across payment terminal environments.
Mapped frameworks include:
- ISO/IEC 27001
- ISO/IEC 27002
- NIST Cybersecurity Framework
- NIST SP 800-53
- PCI DSS v4.0.1
- SOC 2
- Classification
Category: Payment Security; Domain: Cybersecurity; Framework Family: PCI Security Standards
- Regulatory Context
Type: Assessment / Maturity Model; Legal Instrument: Standard; Sector: Financial Sector; Industry: Payment & FinTech
- Region / Publisher
Region: Global; Region Detail: United States (the issuing jurisdiction of this framework); Publisher: Payment Card Industry Security Standards Council (PCI SSC)
- Versioning
Version: v4.0.1; Effective Date: June 11, 2024; Issue Date: June 11, 2024
- Adoption
Adoption Model: Regulatory Compliance; Implementation Complexity: High
License included / downloadable: Yes
The PCI DSS v4.0.1 SAQ B-IP is published by the PCI Security Standards Council and is freely available for download from the PCI SSC website.
License included with platform
How SmartSuite Supports PCI DSS SAQ B-IP
Manage PCI DSS v4.0.1 SAQ B-IP requirements by tracking controls for IP-connected payment terminals, maintaining evidence, and ensuring compliance for merchants with standalone payment environments.
- SAQ B-IP Control Library
Organize PCI DSS controls specific to standalone IP-connected terminal environments.
- Payment Environment Scoping and Segmentation
Define cardholder data environment (CDE) boundaries and track network segmentation controls.
- Terminal Security and Configuration Management
Track secure configurations, device hardening, and approved payment terminal controls.
- Vulnerability and Patch Management for Payment Systems
Monitor vulnerabilities, patch status, and remediation activities for connected payment systems.
- Evidence Collection and SAQ Documentation
Capture required evidence and responses supporting SAQ B-IP self-assessment submissions.
- Compliance Reporting and Attestation Readiness
Provide dashboards showing control status, gaps, and readiness for PCI attestation.
Related frameworks

CIS Controls v8.1 provides prioritized, practical security actions to help organizations mitigate common cyber threats and strengthen defenses.

ISO/IEC 27001:2022 is an international ISMS standard that helps organizations manage information security risks and protect data.

ISO/IEC 27002:2022 provides best-practice information security controls to help organizations select, implement, and manage protections for information assets.

NIST Cybersecurity Framework (CSF) v2.0 is a risk-based framework that helps organizations manage and reduce cybersecurity risks.

NIST SP 800-53 Rev. 5 provides a catalog of security and privacy controls to manage risks to information systems.

SOC 2 assesses and reports on a service organization's controls for security, availability, processing integrity, confidentiality, and privacy.
Frequently Asked Questions For PCI DSS v4.0.1 SAQ B-IP (Cardholder Data Security Controls for Standalone IP-Connected Terminals)
PCI DSS v4.0.1 SAQ B-IP is used by merchants that process cardholder data solely via standalone IP-connected payment terminals. Its primary purpose is to establish the security controls necessary to protect cardholder data during payment transactions and maintain PCI DSS compliance.
PCI DSS compliance, including SAQ B-IP, is mandatory for all organizations that store, process, or transmit cardholder data. Merchants use SAQ B-IP to self-assess their compliance, but a formal certification may still require validation and submission to acquiring banks or card brands as prescribed.
SAQ B-IP is applicable to merchants who use only standalone, PIN Transaction Security (PTS)-approved payment terminals with IP connectivity, and that have no electronic storage of cardholder data. Merchants with more complex environments or additional payment channels must use other appropriate SAQs.
Key controls required by SAQ B-IP include secure configuration and management of payment terminals, strong network segmentation, firewall protection, encrypted communications, strong passwords, and maintaining updated anti-malware solutions. Physical security measures and restricted access to terminals are also essential.
Implementation involves performing an environment review, ensuring only eligible devices are in use, segmenting payment systems from other networks, configuring firewalls, and establishing security policies and procedures. Ongoing employee training and regular system monitoring are critical for sustained compliance.
SAQ B-IP is one of several PCI DSS Self-Assessment Questionnaires, each tailored for different merchant environments. Organizations should review all SAQ eligibility criteria to select the correct form; using the wrong SAQ may result in non-compliance.
Maintaining compliance requires annual completion of the SAQ, regular network and control monitoring, periodic vulnerability scans, staff security awareness training, and prompt remediation of identified issues. Documentation and evidence of ongoing compliance activities must be retained for review.
SmartSuite can help organizations manage PCI DSS SAQ B-IP requirements by tracking risks, assigning and monitoring control ownership, collecting compliance evidence, and maintaining audit trails. The platform supports audit readiness with centralized documentation, workflow automation, and compliance reporting to streamline assessment and validation processes.

