SAQ B-IP vs SAQ C: Which PCI Compliance Questionnaire Do You Really Need?
The Bottom Line Up Front
If you just received a PCI compliance questionnaire from your payment processor and feel overwhelmed, take a deep breath. For most small businesses, PCI compliance is simpler than it sounds, and you are probably looking at either SAQ B-IP or SAQ C, two of the more straightforward questionnaires. Both assume your payment device uses an internet connection; the difference between them comes down to one key factor: whether card data is handled only by a standalone, PTS-approved terminal that talks directly to your processor (SAQ B-IP), or passes through a POS or payment application running on your own computer systems (SAQ C). That's it. No complex security architecture required, no expensive consultants needed, just a clear understanding of how your payment setup works.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) through an organization called the PCI Security Standards Council. Think of it as a security checklist designed to protect payment card data from theft.
Here’s what matters: if you accept credit cards in any form — whether through a terminal, online, or over the phone — these requirements apply to you. Your acquirer (the bank or payment processor that handles your card transactions) enforces these rules because they’re on the hook if something goes wrong.
The consequences of non-compliance aren’t theoretical. Your payment processor can fine you monthly until you comply, typically starting at $25-100 per month and escalating from there. If a breach occurs and you weren’t compliant, you could face fines up to $100,000 per month and become liable for fraud losses. Worst case? You could lose the ability to accept credit cards entirely.
But here’s the good news: most small businesses qualify for the simplest SAQ types, which are self-assessment questionnaires you can complete in an afternoon. No expensive audits, no security consultants — just straightforward questions about your payment setup.
Do You Need to Be PCI Compliant?
Simple answer: if you accept credit cards, yes. It doesn’t matter if you’re a food truck processing five transactions a day or a retail store handling hundreds — the requirements apply to everyone who touches cardholder data.
Your merchant level determines how you demonstrate compliance. Levels are defined by each card brand based on your annual transaction volume; under Visa's definitions, most small businesses fall into Level 4 (fewer than 20,000 e-commerce transactions, or up to 1 million total transactions, per year). At this level you normally complete a self-assessment questionnaire (SAQ) rather than hiring a QSA for an on-site audit, although your acquirer can require more if it chooses.
That compliance questionnaire your processor sent? It’s their way of saying “prove to us you’re protecting card data properly.” They need this documentation to show the card brands they’re doing their job. Miss their deadline, and those monthly non-compliance fees start rolling in.
Which SAQ Do You Need?
The SAQ you need depends entirely on how you accept and process payments. Here’s the decision tree in plain language:
| How You Accept Payments | SAQ Type | Questions | Complexity |
|---|---|---|---|
| Redirect to payment processor (PayPal, Stripe Checkout) | SAQ A | 22 | Simplest |
| E-commerce with payment fields on your site | SAQ A-EP | 191 | Moderate |
| Standalone terminal, no electronic storage | SAQ B | 41 | Simple |
| Terminal connected to internet (IP-based) | SAQ B-IP | 91 | Simple |
| Virtual terminal or phone orders | SAQ C-VT | 125 | Moderate |
| POS system connected to internet | SAQ C | 160 | Moderate |
| Store card data electronically | SAQ D | 329+ | Complex |
Question counts are approximate: they change with each PCI DSS version, so check the current SAQ from the PCI SSC document library rather than relying on the numbers above. What does not change is the ordering, and that is what matters when choosing.
If you use a dedicated payment terminal that does nothing but process card payments and sends them straight to your processor, you're likely looking at SAQ B or SAQ B-IP. The difference? SAQ B is for old-school terminals that dial out over an analog phone line (and for manual imprint machines). SAQ B-IP is for modern terminals that connect over your internet connection. Note that a card reader which pairs with a phone or tablet app is not "standalone" in the SAQ B-IP sense, because B-IP requires that the terminal not rely on any other device to reach the processor; that kind of setup usually lands in a different SAQ, so ask your processor.
If you have an e-commerce site using hosted checkout (where customers get redirected to pay), you probably need SAQ A — the easiest one. If you take payments over the phone using a virtual terminal, that’s SAQ C-VT.
And if you’re storing card numbers in any electronic format — spreadsheets, databases, even email — you’re in SAQ D territory. Fair warning: that’s the complex one. Consider changing your processes to avoid storing card data.
Not sure which applies? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which questionnaire you need — no guessing required.
SAQ B-IP vs SAQ C: The Key Differences
Since you’re here comparing SAQ B-IP and SAQ C, let’s dive into what sets them apart. Both apply to merchants using internet-connected payment devices, but the scope differs significantly.
SAQ B-IP covers merchants using only standalone, PCI PTS-approved point-of-interaction (POI) terminals (the PTS listing excludes the SCR category of readers) that connect to the payment processor over IP. Think of a restaurant with a wireless terminal that processes payments tableside, or a retail store with a countertop terminal plugged into its router. The eligibility criteria are strict: the terminals must not be connected to any other systems in your environment (network segmentation is the usual way to achieve this), the only transmission of account data is from the terminal to the processor, the terminal must not rely on any other device (computer, phone, tablet) to reach the processor, and no account data is stored electronically, only on paper receipts and reports.
SAQ C applies when your payment acceptance involves more integration: a payment application system (for example, POS software) that handles card data and has an internet connection on the same device or the same store LAN, so that card data passes through your own computer systems before reaching the processor. The payment application system still must not be connected to any other systems in your environment, the LAN must serve a single store, and no card data may be stored electronically; if it is, you are in SAQ D. If your payment terminal is part of a larger POS ecosystem, or you run payment software on a general-purpose computer, SAQ C is where you are.
The practical difference? SAQ B-IP's questions focus on the terminal itself, its physical protection from tampering, and the network it connects to. SAQ C has many more questions because card data touches general-purpose systems, so it adds requirements for patching, malware protection, access control, and logging on the payment application system and the machines around it.
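What "not connected to any other systems" looks like in practice: the following nftables ruleset is an added example written for this article, not a configuration from PCICompliance.com or the PCI SSC. It assumes a small-office router running Linux with interfaces vlan20 (the terminal VLAN, 10.20.0.0/24), lan0 (the office LAN), and wan0 (the internet uplink), and the processor endpoints 203.0.113.10 and 203.0.113.11; all of these names and addresses are hypothetical placeholders, and your acquirer publishes the real endpoints. The same pattern isolates an SAQ C payment application system if you give it its own VLAN.

```nftables
#!/usr/sbin/nft -f
# Added example for SAQ B-IP / SAQ C segmentation (not from the original article).
# Assumed, hypothetical layout:
#   vlan20 = terminal VLAN (10.20.0.0/24), router is 10.20.0.1
#   lan0   = office LAN, wan0 = internet uplink
#   203.0.113.10, 203.0.113.11 = placeholder processor endpoints
# Load with: nft -f this-file   (merge into your existing ruleset first; see note below)

table inet pci_terminal_segmentation {

    # Only the processor endpoints are legitimate destinations for terminal traffic.
    set processor_hosts {
        type ipv4_addr
        elements = { 203.0.113.10, 203.0.113.11 }
    }

    # Traffic addressed to the router itself.
    # Terminals may use the router only for DHCP (67), DNS (53) and NTP (123).
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        iifname "vlan20" udp dport { 67, 53, 123 } accept
        iifname "lan0" accept
        iifname "vlan20" counter log prefix "pci-term-to-router-drop: " drop
    }

    # Traffic routed between networks.
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept

        # Terminals: outbound TLS to the processor, nothing else.
        iifname "vlan20" oifname "wan0" ip daddr @processor_hosts tcp dport 443 accept

        # Anything else leaving the terminal VLAN (office LAN, guest Wi-Fi,
        # the rest of the internet) is counted, logged and dropped. A non-zero
        # counter here is something to investigate before you sign the SAQ.
        iifname "vlan20" counter log prefix "pci-term-egress-drop: " drop

        # Nothing may initiate a connection into the terminal VLAN.
        oifname "vlan20" counter log prefix "pci-term-ingress-drop: " drop

        # Office LAN keeps its normal internet access.
        iifname "lan0" oifname "wan0" accept
    }
}
```

Two practical notes. First, merge these chains into the ruleset you already run rather than loading the file on its own: the `input` chain above drops everything the router was not told to accept, which will lock out remote administration if you have not allowed it. Second, if your terminal vendor pushes firmware or configuration from its own servers, add those hosts to an explicit allow rule next to `processor_hosts`; everything still hits the logged drop, and `nft list chain inet pci_terminal_segmentation forward` shows the counters you can keep as evidence that the segmentation holds.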
How to Complete Your SAQ
Your SAQ is a series of questions about your payment security practices, each answered with one of a fixed set of responses (Yes / No / N/A, or In Place / Not in Place / Not Applicable in the current version, plus "with CCW" where a compensating control is used and "Not Tested" for requirements your assessment did not cover). "Yes" or "In Place" means you have implemented that control. "N/A" needs a short justification of why the requirement does not apply to your environment. "No" means you haven't implemented it; you are not compliant until you do, and the attestation's action plan asks for a remediation date for each one.
Here’s what you’ll need before starting:
- Network diagram showing how your payment systems connect
- Inventory of all payment terminals and software
- Vendor agreements showing who’s responsible for what
- Security policies (even basic ones count)
Most questions are straightforward: “Do you change default passwords?” “Is your payment terminal in a secure location?” For each “no” answer, you’ll need an action plan to fix it or a valid reason why it doesn’t apply.
The quarterly ASV scan trips up many merchants. Both SAQ B-IP and SAQ C include the external vulnerability scanning requirement, so you need an Approved Scanning Vendor to scan every external IP address that belongs to or could affect your cardholder data environment (for example, the public address your terminals or POS system connect out through) at least every three months and after any significant change. A brochure website hosted elsewhere with no payment function is not part of that scope; ask your processor or ASV if you are unsure what is. The scan itself is automated and the ASV produces a report; to pass, no in-scope host may have a vulnerability with a CVSS base score of 4.0 or higher. Fix any failures, rescan until you have a passing report, and keep it with your SAQ.
Once complete, you sign the Attestation of Compliance (AOC), the formal section of the SAQ package in which an officer of your business states that all applicable requirements are in place. Submit the SAQ, the AOC and your passing scan reports to your acquirer, and you have validated compliance for that year.
What It Costs
Let’s talk real numbers. For most small merchants, annual PCI compliance costs include:
Compliance platform and SAQ tools: $200-500 per year for a guided questionnaire platform that walks you through each requirement. Some payment processors include basic tools free.
Quarterly ASV scanning: $200-400 per year for four quarterly scans. Many compliance platforms bundle this with their SAQ tools.
Professional help (if needed): $150-300 per hour for a consultant to help with specific issues. Most Level 4 merchants don’t need this.
Compare that to non-compliance costs:
- Monthly non-compliance fees: $25-100+ from your processor
- Breach fines: $5,000-100,000 depending on severity
- Forensic investigation: $20,000+ if a breach occurs
- Lost business and reputation damage: immeasurable
The math is clear — compliance costs less than a single month of serious breach fines. Think of it as insurance that actually prevents problems rather than just paying for them after they happen.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox — it’s an annual requirement with quarterly scanning obligations. Mark your calendar for:
- Annual SAQ completion (usually on your merchant account anniversary)
- Quarterly ASV scans (at least every 90 days if your SAQ requires them, and again after any significant change to your network or payment systems)
- Security updates for all payment systems
- Password changes according to your policy
Changes to your payment setup can trigger a new assessment. Adding a new payment channel, switching processors, or upgrading your POS system might move you to a different SAQ type. When in doubt, re-run the SAQ wizard to confirm you’re using the right questionnaire.
PCICompliance.com’s compliance dashboard tracks all these dates for you, sending reminders before deadlines and maintaining your compliance history in one place. No more scrambling when your processor asks for last quarter’s scan results.
Frequently Asked Questions
What happens if I just ignore PCI compliance?
Your payment processor will start charging monthly non-compliance fees, typically $25-100 but sometimes higher. These continue until you comply. Worse, if a breach occurs and you weren’t compliant, you become liable for fraud losses and investigation costs. Some processors will eventually terminate your merchant account, leaving you unable to accept cards.
Is PCI compliance really necessary for tiny businesses?
Yes. How you validate scales with your transaction volume (self-assessment rather than an on-site audit at Level 4), and how many requirements apply depends on how you accept payments, not on how big you are. A food truck with a standalone terminal has far fewer questions to answer than a restaurant running an integrated POS. The card brands don't care if you process five transactions or five million: if you handle card data, you need to protect it. The good news: simpler payment setups usually qualify for the simplest SAQ types.
How long does it take to complete an SAQ?
For SAQ B-IP, budget 2-4 hours for your first time, less once you’re familiar with the questions. SAQ C takes a bit longer — perhaps 4-6 hours initially. The actual questionnaire completion is quick; gathering documentation and understanding what’s being asked takes the most time. Using a guided platform cuts this time significantly.
Do I need to hire a QSA or security consultant?
Most Level 4 merchants (processing less than 1 million transactions annually) don’t need a QSA — self-assessment is sufficient. You might want consultant help if you’re struggling with specific technical requirements or need help reducing scope, but it’s rarely required. Save the consultant budget for if you actually need help rather than assuming you do.
What if my payment processor has never asked about PCI compliance?
Some processors are more diligent about enforcement than others, but the requirements still apply. Starting compliance proactively puts you in control — you can take your time, understand the requirements, and avoid rushed decisions when they eventually do ask. Plus, you’re actually protecting your business from fraud and breaches.
Can I just say “yes” to all the questions and be done with it?
Technically you could, but you’re signing a legal attestation. False statements expose you to liability if a breach occurs. More practically, many requirements are easily verifiable — if you claim to do quarterly scanning but can’t produce reports, or say you don’t store card data but do, you’ll face serious consequences. Answer honestly and fix what needs fixing.
How do I know if I’m SAQ B-IP or SAQ C?
The key question: is your payment terminal a standalone device that only processes payments, or is it integrated with other systems? Standalone terminal connected to the internet = SAQ B-IP. Payment function integrated with your POS system or computer = SAQ C. When in doubt, check the PCI SSC's list of PTS-approved devices: being on that list is necessary for SAQ B-IP but not sufficient on its own, since the terminal must also connect only to your processor, be kept off the rest of your network, and not depend on a computer, phone or tablet. A PTS-listed terminal wired into a POS system is still SAQ C.
What if I need to switch from SAQ C to SAQ B-IP?
This usually means moving from an integrated POS system to standalone terminals. While this might seem like a step backward, many merchants find the reduced compliance burden worth it. Modern standalone terminals offer most features merchants need while dramatically simplifying compliance. Talk to your payment processor about terminals that meet the B-IP eligibility criteria: PTS-listed, standalone, and connected only to the processor over a segmented network.
Take Control of Your PCI Compliance
PCI compliance might seem overwhelming at first glance, but for most small businesses, it’s a manageable process that protects both you and your customers. Whether you need SAQ B-IP or SAQ C, the key is starting with a clear understanding of your payment setup and working through the requirements methodically.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Instead of dreading that annual compliance notice from your processor, you’ll have everything ready to go. Start with the free SAQ Wizard or talk to our compliance team — we’ve helped thousands of merchants navigate this process, and we can help you too.