Overview

The Self-Assessment Questionnaire (SAQ) B-IP is intended for payment channels where cardholder data is processed using IP-connected PTS-approved point-of-interaction terminals.

Qualifying Criteria

For merchants to qualify to use the SAQ B-IP to validate their PCI DSS compliance, they must use only standalone PTS-approved terminals. No other systems can be used to transmit or process payment data.

SAQ B-IP merchants are allowed to store physical media containing cardholder data (order forms, invoices, etc.), but they are not allowed to have any electronic storage of cardholder data.

The following existing PCI DSS requirements were added to the SAQ B-IP in version 4.0:

Requirements 3.1.1, 8.1.1, and 9.1.1: All security policies and operational procedures for said requirements are:
- Documented.
- Kept up to date.
- In use.
- Known to all affected parties.

Well-documented security policies and procedures can help merchants maintain a PCI DSS-compliant environment if employees working in the environment are aware of policies and procedures that apply to their job responsibilities. PCI DSS Requirements 3.1.1, 8.1.1, and 9.1.1 focus on ensuring policies related to these sections are up to date and are distributed to affected parties. For example, for Requirement 3, a merchant should have a defined data retention policy that prohibits any electronic storage of cardholder data within the merchant environment and defines data retention and data destruction procedures for any physical media containing cardholder data.

Overview of Applicable Security Requirements

From Requirement 1, a merchant will need to maintain a network diagram (Req 1.2.3) that details all connections between the cardholder data environment (CDE) and other networks managed by the merchant. The merchant should also have a defined firewall/NSC configuration standard that outlines all traffic allowed into and out of the CDE. Only traffic required for the terminals to operate should be allowed through the firewall (Req 1.3). Network Security Controls should also be configured in a way that prevents IP spoofing attacks against the CDE (Req 1.4.3).

Requirement 2 focuses primarily on account security. In Requirement 2.2.2, merchants are required to ensure vendor default accounts in the CDE have been removed or passwords for these accounts have been changed. While this can apply to the PTS terminal if such an account exists, it also applies to the devices that provide network security for the CDE. Also, merchants need to ensure that non-console administrative access to the CDE firewall/network devices protects authentication credentials during the login process with strong encryption (Req 2.2.7). This is typically done by requiring SSH or TLS-encrypted browser-based connections for administrative access. 

As stated earlier, for Requirement 3, merchants will need to have a data retention policy in place that defines policies and procedures for stored cardholder data. Merchants will need to ensure that sensitive authentication data is not being stored, either by their POI terminals or on file, after the payment has been authorized (Req 3.3). Sensitive Authentication Data (SAD) includes full track data (data held on the magnetic stripe and the chip on the customer’s card), Card Verification Codes (the 3 or 4-digit number printed typically on the back of the customer’s card), and PIN-block data (typically used in debit card transactions). If CVC is collected by the merchant, these codes need to be shredded or blacked out after the payment is authorized.

To comply with Requirement 3.4, merchants need to ensure that the credit card number (PAN) is masked whenever it is displayed. For most SAQ B-IP merchants, the only display of PAN will be the receipt that is printed out of the POI terminal. For PCI DSS compliance, merchants should ensure the receipt never displays more than the BIN and last four digits of the PAN. For US-based merchants, only the last four digits of the customer’s credit card number should be displayed. This will help ensure compliance with both PCI DSS and FACTA. 
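As an added illustration of the Requirement 3.4 masking rule above (example code written for this article, not from the PCI SSC or any terminal vendor), the following masks a PAN to either BIN-plus-last-four or last-four-only, and flags any full, Luhn-valid PAN left in receipt text. The sample receipt lines and the six-digit BIN length are assumptions for the example.

```python
import re

def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str, us_merchant: bool = False) -> str:
    """Mask a PAN for display (Req 3.4).

    Default keeps the BIN (assumed 6 digits here) and the last four.
    us_merchant=True keeps only the last four, which also satisfies FACTA.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    keep_lead = 0 if us_merchant else 6
    return digits[:keep_lead] + "*" * (len(digits) - keep_lead - 4) + digits[-4:]

# 13-19 digits, optionally separated by spaces or dashes, not inside a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_unmasked_pans(text: str) -> list:
    """Return digit runs that look like a full PAN; masked PANs are not flagged.

    A Luhn-valid order or invoice number of PAN length will also be flagged,
    so treat hits as items to review, not proof of a violation.
    """
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits

if __name__ == "__main__":
    # Constructed receipt lines; 4111 1111 1111 1111 is a well-known test PAN.
    bad_receipt = "CARD: 4111 1111 1111 1111 AUTH 123456"
    print(find_unmasked_pans(bad_receipt))             # ['4111111111111111']
    print(mask_pan("4111 1111 1111 1111"))             # 411111******1111
    print(mask_pan("4111 1111 1111 1111", True))       # ************1111
```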

Requirement 6.3 centers around a merchant's vulnerability management program. Vulnerability management for the POI terminals will likely be conducted by the terminal provider or processor. The merchant should contact their terminal provider to clarify who owns this responsibility. Vulnerability management also applies to the firewall/router or other devices that provide network security to the CDE. Merchants need to receive information about vulnerabilities that may affect devices in their CDE. This can come from their device providers or from industry-recognized sources like CERT. Newly discovered vulnerabilities must be assigned a risk level (typically done by reviewing the CVSS score assigned to the vulnerability). Vendor-supplied patches for critical or high-severity vulnerabilities must be installed within one month of release.

Requirements 7 and 8 focus on user account permissions and authentication controls. Like most other security controls listed in the SAQ B-IP, these controls will mostly focus on the firewall or network devices that provide segmentation and security for the CDE. User accounts on these devices need to follow the principle of least privilege, where user permissions are based on the user's job responsibilities (Req 7.2). Users should be assigned individual accounts (Req 8.2), and controls need to be put in place to manage any accounts used by third-party providers (Req 8.2.7).

Merchants will need to have documented physical security policies and procedures in place to protect the terminals and any stored media containing PAN data (Req 9.1.1). If merchants store cardholder data on file, they will need to ensure this data is stored securely and properly destroyed once no longer needed (Req 9.4). Merchants also need to have processes in place to prevent and identify physical tampering of POI terminals (Req 9.5). This would include maintaining an inventory of POI terminals, performing periodic inspections of the terminals, and training staff to be aware of suspicious behavior around the terminals and to report suspicious behavior or signs of tampering to appropriate personnel. 

External vulnerability scans will need to be performed quarterly using an Approved Scanning Vendor (Req 11.3). If these ASV scans identify vulnerabilities that cause a scan failure, the vulnerability will need to be resolved and a rescan performed. Merchants will also need to test their network security controls to verify that the network segmentation in place to protect the POI terminals is functioning as required. This is accomplished by performing a penetration test on the segmentation controls (Req 11.4.5).

In Requirement 12 we see that the information security policy must be reviewed at least annually and updated as needed (Req 12.1.2). Employees working in the CDE should review and acknowledge related policies annually and receive formal security awareness training at least annually (Req 12.6.1). Merchants are also required to maintain a list of any third-party service provider (TPSP) who has access to the merchant's cardholder data or can affect the security of their CDE (Req 12.8). For each listed provider, the merchant should have a written agreement in which the TPSP acknowledges its responsibility to protect the data it processes on behalf of the merchant. The merchant is also responsible for verifying that each provider is maintaining its own PCI DSS compliance.

We finish up the SAQ B-IP with a requirement that the merchant has an incident response plan in place to address any suspected or confirmed security incident.