PCI DSS v4.0.1 Self-Assessment Questionnaire (SAQ B-IP) — Cardholder Data Security Controls for Standalone IP-Connected Terminals

SmartSuite provides the system for managing controls, evidence, mappings, assessments, and reporting. Framework text may require a separate license unless explicitly provided.
Overview
PCI DSS v4.0.1 Self-Assessment Questionnaire (SAQ B-IP) is a cybersecurity and compliance assessment tool that enables merchants with standalone IP-connected payment terminals to validate their handling of cardholder data and adherence to critical security controls. The SAQ B-IP specifically addresses the unique requirements for securing card data in environments with minimal payment processing systems connected via IP.
Developed and published by the PCI Security Standards Council, the PCI DSS SAQ B-IP is used by merchants, compliance teams, and assessors to evaluate technical and procedural safeguards related to data protection, network security, and compliance oversight. Its focus areas include securing payment terminals, managing network access, protecting stored cardholder data, and enabling compliance with the broader PCI DSS ecosystem.
Organizations complete the SAQ B-IP by self-attesting to their implementation of required security controls, documenting compliance measures, and mitigating risk through regular assessments. The tool supports risk management, audit readiness, and alignment with industry card payment standards, helping organizations demonstrate compliance to acquirers and regulatory bodies.
Why it Matters
PCI DSS v4.0.1 SAQ B-IP establishes essential security controls to protect cardholder data in organizations using standalone IP-connected payment terminals.
Key benefits include:
• Strengthen cardholder data protection
Reduce the likelihood of data compromise by requiring controls tailored specifically to terminals processing payment card information.
• Improve security oversight
Enhance visibility into payment terminal environments, promoting regular monitoring and effective security policy enforcement.
• Enhance regulatory alignment
Support compliance with global payment card industry mandates and facilitate adherence to broader financial data protection requirements.
• Increase audit readiness
Enable organizations to efficiently document and demonstrate their security practices during compliance assessments and external audits.
• Reduce operational risk
Lower the risk of business disruption and reputational harm resulting from security breaches affecting payment processing systems.
How it Works
PCI DSS v4.0.1 Self-Assessment Questionnaire (SAQ B-IP) structures its requirements around specific security controls and regulatory requirements necessary for organizations handling cardholder data through standalone IP-connected payment terminals. The SAQ B-IP encompasses a focused subset of PCI DSS control objectives related to physical and logical security, network segmentation, regular vulnerability management, and secure transmission of cardholder data. These requirements are outlined in a checklist format, guiding organizations through each critical safeguard and compliance obligation.
Organizations implement PCI DSS SAQ B-IP by validating that only eligible payment terminals are in use, applying required security controls, and documenting adherence to each requirement. Typical implementation activities include isolating cardholder data environments, configuring firewalls, maintaining secure configurations for terminals, and documenting procedures for incident response and ongoing monitoring. Organizations periodically review controls, perform self-assessments for compliance, and ensure personnel are trained in secure payment processing and threat mitigation practices.
SmartSuite enables organizations to operationalize PCI DSS SAQ B-IP by leveraging integrated control libraries and configurable compliance tracking. Risk registers within the platform help document potential exposures related to payment environments, while policy governance and evidence collection tools facilitate ongoing documentation and audit readiness. Reporting dashboards and remediation workflows support continuous monitoring, enabling organizations to track compliance status, manage corrective actions, and maintain governance over payment security controls.
Key Elements
• Network Segmentation Requirements
Describes structural measures for isolating cardholder data environments from other networks.
• Terminal Security Controls
Specifies protections for standalone IP-connected payment terminals against unauthorized access and threats.
• Data Transmission Safeguards
Outlines requirements for encrypting and securing cardholder data during transmission over open networks.
• Access Management Practices
Establishes processes for granting, restricting, and monitoring access to sensitive data and systems.
• Vulnerability Management Procedures
Defines periodic assessment activities for identifying and addressing security weaknesses in the environment.
• Physical Security Measures
Describes protocols for securing areas and devices handling cardholder data from physical threats.
• Security Policy Governance
Organizes the documentation and oversight mechanisms for maintaining consistent compliance and enforcement.
Framework Scope
PCI DSS v4.0.1 SAQ B-IP is adopted by merchants processing card payments solely through standalone IP-connected payment terminals. This framework governs payment card data environments restricted to these terminals and networking components, and is typically implemented for supporting compliance with payment card industry requirements, reducing payment data risk, and demonstrating security control effectiveness.
Framework Objectives
PCI DSS v4.0.1 SAQ B-IP defines essential cybersecurity and data protection objectives for standalone IP-connected payment terminals.
• Safeguard cardholder data through robust security controls and risk management practices
• Ensure compliance with regulatory and industry requirements for payment environments
• Strengthen governance and oversight of payment terminal cybersecurity
• Enhance operational resilience by reducing vulnerabilities in standalone payment terminals
• Improve audit readiness and demonstrate effective control implementation
• Support ongoing data protection and privacy for cardholder information
PCI DSS SAQ B-IP aligns with data security requirements similar to those in NIST SP 800-53 and ISO 27001, focusing specifically on standalone IP-connected payment terminals. Organizations typically complete SAQ B-IP for self-attestation of PCI DSS compliance, especially when seeking to simplify compliance for card-present transaction environments using such terminals.
Common Framework Mappings
Organizations often map PCI DSS SAQ B-IP to other widely accepted security frameworks to streamline compliance efforts and ensure a comprehensive approach to cardholder data protection and regulatory requirements.
Mapped frameworks include:
CIS Controls
COBIT
HIPAA Security Rule
ISO/IEC 27001
ISO/IEC 27017
ISO/IEC 27701
NIST Cybersecurity Framework
NIST SP 800-53
SOC 2
- Classification: Category: Payment Security; Domain: Cybersecurity; Framework Family: PCI Security Standards
- Regulatory Context: Type: Assessment / Maturity Model; Legal Instrument: Standard; Sector: Financial Sector; Industry: Payment & FinTech
- Region / Publisher: Region: Global; Region Detail: United States; Publisher: Payment Card Industry Security Standards Council (PCI SSC)
- Versioning: Version: v4.0.1; Effective Date: June 11, 2024; Issue Date: June 11, 2024
- Adoption: Adoption Model: Regulatory Compliance; Implementation Complexity: High
- Official Reference: Source
License included / downloadable: Yes
The PCI DSS v4.0.1 SAQ B-IP is published by the PCI Security Standards Council and is freely available for download from the PCI SSC website.
License included with platform
How SmartSuite Supports PCI DSS SAQ B-IP
Manage PCI DSS v4.0.1 SAQ B-IP requirements by tracking controls for IP-connected payment terminals, maintaining evidence, and ensuring compliance for merchants with standalone payment environments.
SAQ B-IP Control Library
Organize PCI DSS controls specific to standalone IP-connected terminal environments.
Payment Environment Scoping and Segmentation
Define cardholder data environment (CDE) boundaries and track network segmentation controls.
Terminal Security and Configuration Management
Track secure configurations, device hardening, and approved payment terminal controls.
Vulnerability and Patch Management for Payment Systems
Monitor vulnerabilities, patch status, and remediation activities for connected payment systems.
Evidence Collection and SAQ Documentation
Capture required evidence and responses supporting SAQ B-IP self-assessment submissions.
Compliance Reporting and Attestation Readiness
Provide dashboards showing control status, gaps, and readiness for PCI attestation.
Related frameworks

CIS Controls v8.1 provides prioritized, practical security actions to help organizations mitigate common cyber threats and strengthen defenses.

ISO/IEC 27001:2022 is an international ISMS standard that helps organizations manage information security risks and protect data.

ISO/IEC 27002:2022 provides best-practice information security controls to help organizations select, implement, and manage protections for information assets.

NIST Cybersecurity Framework (CSF) v2.0 is a risk-based framework that helps organizations manage and reduce cybersecurity risks.

NIST SP 800-53 Rev. 5 provides a catalog of security and privacy controls to manage risks to information systems.

SOC 2 assesses and reports on a service organization's controls for security, availability, processing integrity, confidentiality, and privacy.
Frequently Asked Questions For PCI DSS v4.0.1 SAQ B-IP (Cardholder Data Security Controls for Standalone IP-Connected Terminals)
PCI DSS v4.0.1 SAQ B-IP is used by merchants that process cardholder data solely via standalone IP-connected payment terminals. Its primary purpose is to establish the security controls necessary to protect cardholder data during payment transactions and maintain PCI DSS compliance.
PCI DSS compliance, including SAQ B-IP, is mandatory for all organizations that store, process, or transmit cardholder data. Merchants use SAQ B-IP to self-assess their compliance, but a formal certification may still require validation and submission to acquiring banks or card brands as prescribed.
SAQ B-IP is applicable to merchants who use only standalone, PIN Transaction Security (PTS)-approved payment terminals with IP connectivity, and that have no electronic storage of cardholder data. Merchants with more complex environments or additional payment channels must use other appropriate SAQs.
Key controls required by SAQ B-IP include secure configuration and management of payment terminals, strong network segmentation, firewall protection, encrypted communications, strong passwords, and maintaining updated anti-malware solutions. Physical security measures and restricted access to terminals are also essential.
Implementation involves performing an environment review, ensuring only eligible devices are in use, segmenting payment systems from other networks, configuring firewalls, and establishing security policies and procedures. Ongoing employee training and regular system monitoring are critical for sustained compliance.
SAQ B-IP is one of several PCI DSS Self-Assessment Questionnaires, each tailored for different merchant environments. Organizations should review all SAQ eligibility criteria to select the correct form; using the wrong SAQ may result in non-compliance.
Maintaining compliance requires annual completion of the SAQ, regular network and control monitoring, periodic vulnerability scans, staff security awareness training, and prompt remediation of identified issues. Documentation and evidence of ongoing compliance activities must be retained for review.
SmartSuite can help organizations manage PCI DSS SAQ B-IP requirements by tracking risks, assigning and monitoring control ownership, collecting compliance evidence, and maintaining audit trails. The platform supports audit readiness with centralized documentation, workflow automation, and compliance reporting to streamline assessment and validation processes.
Put CRI Profile into action with SmartSuite
Map controls, collect evidence, run assessments, manage remediation, and report readiness - all from a single connected system.

