PCI DSS v4.0.1 Self-Assessment Questionnaire (SAQ B) — Cardholder Data Security Controls for Imprint and Standalone Dial-Out Terminals

Overview

PCI DSS v4.0.1Self-Assessment Questionnaire (SAQ B) is a compliance assessment toolthat supports organizations in evaluating cardholder data securitycontrols specifically for imprint and standalone dial-out paymentterminals. The questionnaire is part of the Payment Card IndustryData Security Standard, which establishes requirements forsafeguarding payment card data and minimizing risks related topayment card processing environments.

Published by thePCI Security Standards Council, PCI DSS SAQ B is intended formerchants who do not store electronic cardholder data and onlyprocess card payments through non-integrated imprint or standalonedial-out terminals. The SAQ covers key areas such as physicalsecurity, device protection, and secure handling of cardholderinformation, ensuring that organizations meet industry-mandatedcybersecurity and data protection obligations.

Organizationscomplete the SAQ B as a self-validation exercise to demonstrateadherence to PCI DSS requirements. This process involves reviewingsecurity practices, documenting evidence of compliance, andaddressing any control gaps. Integration with broader complianceprograms and risk management initiatives allows organizations tostrengthen security posture and ensure ongoing regulatory compliance.

Why it Matters

PCI DSS v4.0.1SAQ B establishes clear requirements that help organizations protectpayment card data processed on imprint and standalone dial-outterminals.

Key benefitsinclude:

•  Enhance cardholder data protection

Reduce the riskof payment card data compromise by applying dedicated securitymeasures to isolated payment terminals.

•  Strengthen compliance support

Facilitatevalidation efforts and simplify reporting by providing targetedrequirements designed for specific payment terminal environments.

•  Improve audit readiness

Document andalign security practices, enabling organizations to respondconfidently during regulatory assessments or third-party audits.

•  Reduce fraud and data breaches

Lower thelikelihood of fraud incidents and breaches by minimizing the storageand transmission of sensitive cardholder data.

•  Increase operational focus

Alloworganizations to concentrate security resources on relevant controls,reducing complexity for environments not connected to broadernetworks.

How it Works

The PCI DSSv4.0.1 Self-Assessment Questionnaire (SAQ B) structures requirementsinto a set of focused security controls specifically fororganizations that process cardholder data exclusively via imprintmachines or standalone, dial-out payment terminals. The frameworkorganizes controls into distinct requirements, covering areas such asdata protection, physical device security, secure payment practices,and ongoing security monitoring. Each requirement addressesregulatory expectations for protecting cardholder information andpreventing unauthorized access, reflecting the broader PCI DSScontrol framework but scoped for environments with limited dataexposure.

In practice,organizations complete the SAQ B by assessing and documenting theirimplementation of required security controls for eligible paymentenvironments. Activities include restricting physical access tostandalone terminals, ensuring device integrity, maintaining secureconfigurations, and enforcing policies for secure cardholder datahandling. Regular self-assessment supports internal governance andrisk management by helping organizations verify the consistentapplication of security practices tailored to their specific paymentprocessing methods.

SmartSuiteenables organizations to operationalize PCI DSS SAQ B requirements byleveraging pre-built control libraries, tracking assessment evidence,and managing compliance documentation in a centralized workspace.Features such as compliance tracking, policy governance, andreporting dashboards streamline ongoing monitoring and support auditreadiness, while remediation workflows help organizations address anyidentified gaps in security or compliance.

Key Elements

•  Scope Definition and Applicability

Specifiesrequirements relevant to merchants using only imprint machines orstandalone dial-out terminals without electronic storage.

•  Cardholder Data Protection Requirements

Outlines dataprotection measures focused on limiting physical and logical accessto cardholder data.

•  Terminal Security Controls

Describescontrols for ensuring security and integrity of standalone dial-outpayment terminals.

•  Physical Security of Devices

Establishessafeguards to prevent unauthorized tampering or removal of paymentprocessing devices.

•  Access Management Procedures

Detailsprocesses for restricting personnel access to cardholder data andrelated devices.

•  Policy and Training Expectations

Definesexpectations for merchant security policies and mandatory staffsecurity awareness training.

Framework Scope

PCI DSS v4.0.1Self-Assessment Questionnaire (SAQ B) is adopted by merchantsutilizing standalone dial-out or imprint cardholder data terminals.The framework governs payment card processing environments withlimited connectivity, specifically where electronic cardholder datastorage is absent, and is commonly implemented when supportingcompliance assessments and adhering to data protection requirementsfor payment transactions.

Framework Objectives

PCI DSS v4.0.1Self-Assessment Questionnaire (SAQ B) guides organizations insecuring cardholder data processed by imprint and standalone dial-outterminals.

•  Safeguard cardholder data through effective security controlsand data protection measures

•  Strengthen cybersecurity governance for payment processingenvironments to reduce risk

•  Support compliance with regulatory and industry payment carddata requirements

•  Promote operational resilience by minimizing data breach andfraud risks

•  Enable ongoing audit readiness through documented evidence ofsecurity control effectiveness

•  Maintain robust risk management practices aligned with evolvingthreat landscapes PCI DSS v4.0.1 SAQ B is a targeted subset of PCIDSS requirements designed for merchants using imprint or standalonedial-out terminals. It aligns with broader cardholder data securitystandards such as PCI DSS, ISO 27001, and NIST CybersecurityFramework. Organizations use SAQ B for regulatory compliance whenminimizing cardholder data handling and streamlining assessmentefforts.

Common Framework Mappings

PCI DSS SAQ Brequirements are often mapped to other industry-recognized securityand privacy frameworks to ensure comprehensive protection ofcardholder data and to streamline regulatory compliance effortsacross multiple standards.

Mappedframeworks include:

CIS CriticalSecurity Controls

COBIT

GLBA SafeguardsRule

HIPAA SecurityRule

ISO/IEC 27001

ISO/IEC 27002

NISTCybersecurity Framework

NIST SP 800-53

SOC 2