PCI DSS v4.0.1 Self-Assessment Questionnaire (SAQ B) — Cardholder Data Security Controls for Imprint and Standalone Dial-Out Terminals

Why it Matters

PCI DSS v4.0.1 SAQ B establishes clear requirements that help organizations protect payment card data processed on imprint and standalone dial-out terminals.

Key benefits include:

• Enhance cardholder data protection

Reduce the risk of unauthorized access and data exposure by implementing targeted security controls for imprint and dial-out terminal environments.

• Simplify compliance scope

Restrict PCI DSS assessment requirements to the specific systems and processes in scope for SAQ B, reducing compliance burden and assessment efforts.

• Improve security oversight

Establish clear accountability and control ownership for physical and logical security of payment terminals and cardholder data.

• Increase audit readiness

Maintain structured documentation and evidence of security controls to support efficient PCI DSS assessments and streamlining compliance reporting.

• Promote operational resilience

Reduce disruption risks by implementing security measures that restrict physical access and protect cardholder data throughout terminal operations.

How it Works

PCI DSS v4.0.1 SAQ B is structured as a targeted self-assessment questionnaire for merchants that process cardholder data using imprint machines or standalone dial-out terminals not connected to broader networks. The SAQ organizes requirements into focused control domains addressing physical security, access controls, and data requirements, tailored to the reduced scope of these terminal environments.

Organizations implement SAQ B by confirming their processing methods qualify for SAQ B scope, applying the required physical and logical security controls to their terminals, and maintaining documentation for compliance validation. Typical activities include restricting physical access to terminals, ensuring secure cardholder data processing, implementing internal governance and policy management, and conducting periodic compliance reviews to demonstrate ongoing adherence to PCI DSS security standards.

With SmartSuite, organizations can operationalize SAQ B compliance by leveraging pre-built control libraries mapped to SAQ B requirements, maintaining risk registers, and managing policy governance for payment terminal security. The platform supports evidence collection, compliance tracking, and reporting dashboards that provide visibility into control status and readiness for PCI DSS assessment efforts.

Key Elements

• Physical Terminal Security Controls

Specifies physical safeguards for protecting imprint machines and standalone terminals from unauthorized access or tampering.

• Cardholder Data Handling Requirements

Describes controls for securing cardholder data processed through imprint or dial-out terminal environments.

• Access Control and User Management

Establishes criteria for restricting physical and logical access to payment terminals and associated cardholder data.

• Security Policy and Governance

Outlines documentation and policy requirements for maintaining internal governance over terminal security practices.

• Incident Response Procedures

Defines processes for identifying and responding to security breaches or suspected compromise of payment terminals.

• Vendor and Service Provider Oversight

Describes responsibilities for managing third-party service providers with access to terminal environments.

Framework Scope

PCI DSS v4.0.1 SAQ B is used by merchants that process cardholder data exclusively through imprint machines or standalone dial-out terminals not connected to any other systems or networks. It governs physical terminal environments and associated security practices, and is typically implemented to simplify PCI DSS compliance scope, protect cardholder data, and support assurance programs for payment terminal security.

Framework Objectives

PCI DSS v4.0.1 SAQ B defines targeted security controls for protecting cardholder data processed on imprint and standalone dial-out terminals.

Protect cardholder data through physical security controls and terminal access restrictions

Simplify PCI DSS compliance scope for merchants using qualifying terminal environments

Strengthen governance and oversight of payment terminal security practices

Enhance data protection and reduce the risk of cardholder data compromise

Support audit readiness through structured documentation and compliance monitoring

Promote operational resilience by securing physical and logical access to payment terminals

Framework in Context

PCI DSS v4.0.1 SAQ B applies a targeted subset of PCI DSS v4.0.1 requirements to merchants using imprint machines or standalone dial-out terminals. Organizations use it to meet PCI DSS obligations within a simplified compliance scope, demonstrating adequate protection for cardholder data in low-complexity terminal environments.

Common Framework Mappings

PCI DSS v4.0.1 SAQ B is commonly mapped to broader payment security and information security frameworks to demonstrate control coverage and align security practices across payment environments.

Mapped frameworks include:

ISO/IEC 27001

ISO/IEC 27002

NIST Cybersecurity Framework

NIST SP 800-53

PCI DSS v4.0.1

SOC 2