SAQ B vs SAQ C: Comparison

Bottom Line

SAQ B is for merchants using standalone terminals or imprinters — it’s simpler but increasingly rare in modern payment environments. SAQ C applies to merchants with payment applications connected to the internet, making it the more common choice for retailers using integrated POS systems, but it requires significantly more security controls.

What’s Being Compared and Why It Matters

When your acquirer sends that annual compliance questionnaire, determining whether you’re SAQ B or SAQ C often becomes the first major decision point. Both questionnaires apply to card-present merchants who don’t store cardholder data electronically, but the similarities end there.

SAQ B covers merchants using only standalone payment terminals with dial-up connections or manual imprint machines — think of the old “knuckle-buster” credit card imprinters or basic terminals that connect via phone line.

SAQ C applies to merchants whose payment systems connect to the internet in any way — modern POS systems, terminals that use IP connectivity, or any payment application installed on computers.

This comparison matters because choosing wrong means either implementing unnecessary controls (costing time and money) or missing critical security requirements (risking non-compliance and potential breaches). The difference between 22 questions and 160+ questions isn’t just paperwork — it’s the difference between a few hours of work and potentially months of implementation.

Comparison Table

| Criteria | SAQ B | SAQ C |
|---|---|---|
| Scope | Standalone terminals only (dial-up/analog) or imprinters | Payment systems with any internet connectivity |
| Requirements | 22 questions | 160+ questions |
| Complexity | Low – Basic physical security | High – Full network security program |
| Time Investment | 2-4 hours annually | 40-80 hours initial, 10-20 hours annually |
| Typical Cost | $0-500 (mainly time) | $5,000-25,000 initial, $2,000-10,000 annually |
| Common Merchant Types | Food trucks with dial-up terminals, antique shops with imprinters | Retail stores with modern POS, restaurants with integrated systems |

Detailed Breakdown

SAQ B: The Vanishing Breed

SAQ B represents PCI compliance at its simplest. You’re essentially confirming that your standalone terminals are physically secure and that you’re not storing card data electronically.

What it covers:

  • Physical security of payment terminals
  • Secure storage of paper receipts
  • Basic vendor management for terminal providers
  • Minimal technical requirements

Who it’s for:

  • Merchants using dial-up terminals exclusively
  • Businesses still using manual imprint machines
  • Mobile vendors with cellular terminals that have no IP connectivity

Strengths:

  • Minimal technical expertise required
  • Can be completed in one afternoon
  • No network security requirements
  • No need for vulnerability scanning

Limitations:

  • Becoming obsolete as dial-up infrastructure disappears
  • Doesn’t support modern payment features (contactless, mobile wallets)
  • Limited payment processor options
  • Slower transaction processing

The critical factor: your terminals must have zero internet connectivity. If your terminal has an ethernet port (even if unused), Wi-Fi capability (even if disabled), or any IP-based communication, you’re not SAQ B eligible.

SAQ C: The Modern Reality

SAQ C acknowledges that payment systems need internet connectivity to function in today’s retail environment. It requires a comprehensive security program but stops short of the full PCI DSS requirements that SAQ D merchants face.

What it covers:

  • Network segmentation and firewall rules
  • Quarterly vulnerability scanning by an ASV
  • Anti-virus on all systems in the payment environment
  • Access controls and user management
  • Security policies and procedures
  • Vendor and service provider management

Who it’s for:

  • Retail stores with integrated POS systems
  • Restaurants using modern payment terminals
  • Any merchant with IP-connected payment devices
  • Businesses using payment applications on computers

Strengths:

  • Supports all modern payment types
  • Enables integrated business operations
  • Provides meaningful security improvements
  • Prepares you for potential growth to SAQ D

Limitations:

  • Significant implementation effort required
  • Ongoing maintenance obligations
  • Technical expertise needed
  • Annual costs for scanning and security tools

The defining characteristic: any payment system component that can communicate over IP puts you in SAQ C territory. This includes cloud-connected POS systems, terminals that use your internet connection, and payment software on networked computers.

Decision Framework

Choose SAQ B if:

  • Your only payment method is dial-up terminals
  • You use manual imprint machines exclusively
  • Your terminals have no ethernet ports or Wi-Fi capability
  • You have no plans to upgrade payment technology
  • Your processor still supports dial-up authorization

Choose SAQ C if:

  • Your terminals connect via ethernet or Wi-Fi
  • You use a modern POS system
  • Your payment software runs on computers
  • Your terminals have IP connectivity (even if unused)
  • You process payments through a payment gateway

Questions to Confirm Your Category:

For SAQ B consideration:
1. Do your terminals connect using only telephone lines?
2. Can you process payments if your internet goes down?
3. Are your terminals completely standalone devices?

For SAQ C validation:
1. Do your terminals have ethernet ports or Wi-Fi symbols?
2. Does your POS system run on a computer or tablet?
3. Can you view transaction reports online?

Common Misidentification Scenarios

“Our terminals use phone lines” — But check if they’re actually IP-enabled terminals using analog backup. If the terminal has an ethernet port, you’re SAQ C.

“We don’t use the internet features” — Capability matters more than usage. Disabled features don’t change SAQ eligibility.

“We have standalone terminals” — Modern “standalone” terminals often have IP connectivity. True standalone means dial-up only.

“Our POS vendor said we’re SAQ B” — Vendors sometimes misunderstand SAQ eligibility. If their system requires any network connection, you’re not SAQ B.

What Happens If You Choose Wrong

Completing SAQ B When You Should Be SAQ C

This creates immediate compliance risk. Your AOC becomes invalid the moment a QSA or acquiring bank identifies the mismatch. You’re essentially attesting to a security posture that ignores your actual risks — network attacks, malware, unauthorized access — none of which SAQ B addresses.

When discovered, you’ll face:

  • Immediate non-compliance status
  • Required completion of proper SAQ C
  • Potential fines from your acquirer
  • Increased scrutiny on future assessments

Completing SAQ C When You Could Use SAQ B

While technically over-compliant, this wastes significant resources. You’ll implement network security controls for systems that don’t connect to networks, conduct ASV scans on infrastructure that doesn’t exist, and maintain policies for risks you don’t face.

The main consequence is opportunity cost — time and money spent on unnecessary controls instead of growing your business.

How to Course-Correct

1. Stop current assessment — Don’t submit an incorrect AOC
2. Document your actual environment — List all payment devices and their connectivity
3. Complete the correct SAQ — Start fresh with the right questionnaire
4. Implement missing controls — If moving from B to C, budget 2-3 months
5. Notify your acquirer — Proactive communication prevents penalties

When to Get a QSA’s Opinion

Engage a QSA when:

  • Terminal documentation is unclear about connectivity options
  • You have mixed environments (some dial-up, some IP)
  • Your acquirer challenges your SAQ selection
  • You’re planning payment system changes

A few hours of QSA consultation beats months of implementing the wrong controls.

FAQ

Can I be SAQ B if my terminal has an ethernet port but I only use dial-up?
No. SAQ eligibility is based on device capability, not actual usage. Terminals with IP connectivity options require SAQ C compliance even if those features remain unused.

What if I have both dial-up and IP-connected terminals?
Your highest-risk payment channel determines your SAQ type. One IP-connected terminal makes your entire environment SAQ C, regardless of how many dial-up terminals you have.

Do mobile card readers (Square, PayPal) change my SAQ type?
If you only use validated P2PE solutions from these providers, you might qualify for SAQ P2PE instead. But mixing them with traditional terminals typically results in SAQ C requirements.

Can I segment my network to stay in SAQ B?
No. Network segmentation is an SAQ C concept. SAQ B assumes no network connectivity at all — segmentation implies you have networks that need separating.

What about cellular terminals — are they SAQ B or C?
It depends on the connection type. Older cellular terminals using analog cellular (like 3G voice channels) may qualify for SAQ B. Modern 4G/5G terminals using data connections require SAQ C.

Conclusion

The SAQ B vs SAQ C decision often resolves itself once you examine your actual payment environment. In today’s payment landscape, truly eligible SAQ B merchants are increasingly rare — if you’re reading this article online, you probably have payment systems sophisticated enough to require SAQ C.

The key is honest assessment of your payment technology. That terminal sitting on your counter might look standalone, but if it has an ethernet port or Wi-Fi capability, you’re in SAQ C territory. While the additional requirements seem daunting, they address real security risks that come with network-connected payment systems.

PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Start with the free SAQ Wizard or talk to our compliance team to ensure you’re on the right compliance path from day one.
