To translate, the SAQ B-IP is a more specific set of PCI DSS questions for merchants that process through a standalone terminal (typically about the size of a brick and equipped with a card reader, display and keypad) that is connected to the Internet. Because the terminal accesses the Internet (as opposed to terminals that dial into a bank of modems at the processor), it is more exposed to hackers that are out trolling cyberspace for poorly protected payment applications. Therefore, it must be better protected.

Under PCI DSS version 2.0, merchants fitting the above criteria were required to complete an SAQ C. While the 3.0 SAQ B-IP has three more requirements than the version 2.0 SAQ C, the good news is it has 59 fewer requirements than the brand new version 3.0 SAQ C.

Why the new SAQ B-IP?

IP terminals are typically standalone units and are built for one purpose: processing card payments. As a result, they tend to be less vulnerable than the multi-function POS systems that are the more typical subject of an SAQ C. Because of the embedded operating system in these devices, you also cannot implement many of the SAQ C-required controls on an IP terminal, such as maintaining anti-virus software (requirement 5.1 in the PCI DSS). The fact is, if the payment terminals are operating in a locked down network segment (i.e., communications can only take place with the payment processor), the merchant simply doesn’t have access to the devices at a level where anti-virus software can be maintained.

IP terminals are deployed broadly in large numbers out in the market, so it makes sense to target them with a more specific SAQ that includes appropriate questions and controls that can be clearly implemented. Kudos to the PCI Security Standards Council (SSC) for recognizing that payment applications that make up large segments of the market deserve their own focused SAQ.

Who has to use the new SAQ B-IP?

Again, the new SAQ B-IP is specifically designed for merchants who use a standalone payment terminal (not a POS system) that is Internet-connected to the payment processor. It is an extension of the version 3.0 SAQ B, which contains 12 new controls (10 of which focus on physical tampering).

The version 3.0 SAQ B-IP goes well beyond the SAQ B to add requirements for the following controls:

  • Quarterly external vulnerability scans must be conducted by a qualified ASV; this is completed via your ControlScan account.
  • Anti-skimming policies and procedures must be in place and communicated;
  • Incident response policies must be developed and in place;
  • A firewall must be maintained with the network segmented to isolate the payment acceptance terminals and limit their access to only the card processor;
  • Strong passwords and security parameters must be utilized; NEVER use default or weak credentials;
  • All systems associated with the terminal must be kept up to date (patched) to eliminate known vulnerabilities; and
  • Any access to system components in the card data environment must be fully authenticated.
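One way to realize the segmentation control in the list above, shown here as an added illustration that is not part of the original post and is not a ControlScan configuration: an nftables ruleset for a firewall that sits between the terminal segment and the Internet. The segment 10.20.30.0/24, the interface name vlan30 and the processor address 203.0.113.10 on TCP 443 are placeholder assumptions; the processor's real addresses and ports come from its documentation.

```nft
# Added example; not from the original post. All addresses and interface
# names below are placeholders to be replaced with the merchant's own values.
table inet pci_terminals {
    chain forward {
        # default deny: anything not explicitly allowed is dropped
        type filter hook forward priority 0; policy drop;

        # return traffic for connections the terminals opened
        ct state established,related accept

        # the terminal segment may open connections to the processor only, over TLS
        iifname "vlan30" ip saddr 10.20.30.0/24 ip daddr 203.0.113.10 tcp dport 443 ct state new accept

        # log and drop everything else leaving or entering the terminal segment,
        # so blocked attempts show up in the firewall log for incident response
        iifname "vlan30" log prefix "pci-term-egress-denied: " counter drop
        oifname "vlan30" log prefix "pci-term-ingress-denied: " counter drop
    }
}
```

If the terminals resolve the processor by name or sync time, add equally narrow allow rules for the specific DNS and NTP servers rather than opening those ports to the whole Internet.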

Incidentally, merchants who use the new SAQ B and SAQ B-IP will find that they are required to implement some new processes and training.

SAQ B Changes

In addition to the new SAQ B-IP, version 3.0 of SAQ B contains 12 new controls:

  • 10 focus on preventing the possibility of someone physically tampering with the terminal;
  • 1 ensures that information is maintained regarding which PCI DSS requirements are managed by each service provider and which are managed by the merchant; and
  • 1 requires that an incident response plan (IRP) be in place that can be implemented in the event of a suspected system breach.

The changes to SAQ B are primarily administrative and require additional process and training. For example, in the case of physical tampering, merchants are now required to maintain a list of the make, model and location of all card-reading devices, to inspect those devices regularly for tampering, and to train personnel to be vigilant.


Are you a merchant that is currently using a physical credit card machine connected via high speed internet? If so, get started by finding out and writing down your external IP address. You can do this by going here: FIND MY EXTERNAL IP

You will need this IP address the next time you complete your SAQ, as a quarterly scan will now be required of your network.


Have Questions? Give us a call 866-783-7200.
