SAQ B is designed for imprint-only merchants with no electronic cardholder data storage.

SAQ B targets imprint-only merchants who take card data with imprinters or manual swipers and do not store cardholder data electronically. It suits low-volume, brick-and-mortar shops and focuses on reducing risk by meeting specific PCI DSS requirements. Learn who qualifies and why it matters for physical card data.

SAQ B: Who should use it and why it fits small, in-person merchants

If you run a little storefront or a café where customers still swipe cards with a physical reader, you’ve probably heard about SAQ types in PCI DSS. Here’s a friendly, practical guide to SAQ B—the one that’s tailor-made for merchants who process cards with an imprinting device or a manual card swiper and don’t store cardholder data electronically. Let me explain what it is, who it’s for, and why it matters in the real world.

What SAQ B is in plain terms

SAQ B stands for Self-Assessment Questionnaire B. It’s a focused set of security questions designed for businesses that handle card data through physical methods—think card imprinters, legacy swipers, and other non-electronic capture tools. The key point is simple: no electronic storage of cardholder data (CHD). If you’re capturing data with a physical device but you’re not keeping a digital record, SAQ B is the fit for you.

You might picture it as the “low-tech, high-care” path. The goal isn’t to throw more tech at the problem; it’s to ensure you’re safeguarding the few places where CHD touches your processes and that you’re not creating digital footprints you don’t need to manage or protect.

Who qualifies for SAQ B?

The defining characteristic is pretty concrete: you process card data using imprinting or manual card swipes, and you do not electronically store CHD. If any of the following apply, SAQ B is the likely match:

  • You run a brick-and-mortar shop where most card data is captured with a physical reader or an imprinter, not a website checkout.

  • You do not store CHD in electronic form—no databases, no spreadsheets, no cloud copies, and no hidden backups with card numbers.

  • Your business has a relatively low volume of card transactions and relies on older, hardware-based card capture rather than online or mobile payment streams.

It’s also worth noting what SAQ B is not designed for. If you regularly process charges through an e-commerce site, a mobile wallet, or any setup that ends up storing or transmitting CHD electronically, you’ll be in a different SAQ territory (more on that later). In short: SAQ B is the choice for the traditional storefront that keeps card data out of digital systems.

What SAQ B requires in practice

Even if you don’t store CHD digitally, you still have to prove you’re handling card data safely. Here are the kinds of controls and practices SAQ B focuses on:

  • Physical security for card data. Cards in your custody should be treated like sensitive documents. That means secure storage for any paper receipts or carbon copies, and strict procedures for handling, transferring, and disposing of those records.

  • Network and device basics. Use secure networks, change default passwords on any devices, and isolate card-processing devices from general office networks. If you have any wireless components, they must be secured and properly segmented.

  • Secure capture devices. Ensure printers, swipers, and imprinters are up to date and tamper-evident where appropriate. If a device ever looks suspicious or breached, take it out of service until it’s inspected.

  • Transmission practices. If card data must move off-site for any reason (for example, sending a batch to a processor), make sure that transmission is protected and that CHD isn’t exposed in transit.

  • Storage practices. Since the card data isn’t stored electronically, the main job is to ensure that any paper CHD is kept to the minimum necessary, is stored securely, and is disposed of securely when it’s no longer needed.

  • Access control. Limit who can see card data, even in paper form. Use role-based access where possible and keep a tight lid on who handles receipts and batch summaries.

  • Security policy and training. Have a written information security policy that covers your card-handling practices and train staff so they know what to do—and what not to do—with CHD.

It’s not about turning your shop into a high-tech fortress; it’s about making sure the few moments you touch CHD are as safe as possible and that you’re not creating weak links by accident.

Why this matters for small, in-person businesses

You might wonder why PCI DSS even matters for a humble shop using a card imprinter. Here’s the perspective that helps it stick:

  • The real risk is human error. A misplaced receipt, a forgotten shredder, or a careless tape job on a carbon copy can leave CHD exposed. SAQ B helps you lock down those moments so they don’t turn into a breach.

  • “No digital CHD” isn’t a free pass. You still need good processes. If you decide to go digital later, you’ll build on the discipline you practiced with SAQ B, not suffer the embarrassment of learning it all at once.

  • It’s about trust. Cardholders want to know their information is safe, even if you’re not storing it electronically. A solid SAQ B posture shows you’re serious about privacy and data protection.

How to decide if SAQ B fits you (a quick gut-check)

If you’re still unsure whether SAQ B is the right fit, ask yourself a few practical questions:

  • Do you store CHD electronically anywhere? If yes, SAQ B probably isn’t the right fit.

  • Do you capture card data with a physical device (imprinter or manual swiper) and keep no electronic copies afterward? That’s a green light for SAQ B.

  • Is your business primarily in-person with occasional online sales, and you don’t retain CHD digitally? It could still be SAQ B, but you’ll want to review the specifics of your online processes.

  • Do you process card data via a fully digital system (online checkout, mobile apps, e-commerce, or cloud storage of CHD)? Then you’re likely in SAQ A-EP, SAQ D, or another category, depending on the setup.

A few real-world digressions (to keep it relatable)

  • The imprinter comeback. You might be surprised how durable a card imprinter is. It’s sturdy, simple, and doesn’t scream “hack me.” The flip side is that it’s easy to keep a paper trail—sometimes too easy—so the discipline of shredding receipts and limiting storage matters more than you’d expect.

  • Old-school devices, fresh rules. If you’ve got a mix of old devices and new ones, map out where CHD travels and where it stops. That map is your best friend when deciding which SAQ to use and whether you need additional controls for a hybrid setup.

  • When a digital thought sneaks in. It’s common to drift toward thinking “digital means easier” or “paper means tougher.” The truth is that different stores have different risks. The smart approach is to assess your actual data flow, not the tools you wish you had.

Practical tips that make SAQ B work in the real world

  • Keep a simple data map. Sketch where CHD touches your business—from initial capture to storage (paper only) to any transmission. A one-page map helps you spot gaps quickly.

  • Secure the physical space. Lock away any CHD records in a secure cabinet. If you’re closing shop for the night, purge or securely store those records.

  • Train without lecturing. A quick, friendly training session for staff goes a long way. Cover the basics: don’t leave receipts unattended, don’t write CHD on sticky notes, and report anything suspicious right away.

  • Review devices periodically. A yearly check of card readers and printers helps catch tampering or configuration drift before it becomes a problem.

  • Have a policy, then keep it handy. A short, clear security policy—posted in the back office and emailed to staff—saves headaches when questions come up at the counter.

Putting it all together: what you gain from understanding SAQ B

For students studying PCI DSS concepts, grasping SAQ B is less about memorizing a long checklist and more about understanding the philosophy behind it. It’s a reminder that security isn’t one grand gesture; it’s a series of practical habits that fit your business model. SAQ B reminds us that sometimes, the simplest setups—imprinter plus a careful hand on CHD—are the most robust when paired with solid physical and procedural controls.

If you’re building a mental model, think of SAQ B as a topping on a classic, reliable base. The base is your commitment to keeping CHD safe in the few places you touch it. The topping is your environment: a well-guarded storefront, a clean desk policy, and a culture that treats card data as precious. When you have those ingredients, the whole security posture feels steadier—and a lot less chaotic.

Final takeaways

  • SAQ B is designed for imprint-only merchants who don’t store CHD electronically.

  • It emphasizes physical security, controlled access to CHD, secure handling of paper records, and safeguarded transmission when needed.

  • If you have any digital CHD, SAQ B isn’t the right fit. You’ll explore other SAQ types that match electronic storage and transmission risks.

  • Real-world practices—secure storage, disciplined shredding, device integrity checks, and simple staff training—make SAQ B practical and effective.

  • The core idea is straightforward: protect the few moments CHD is touched, and keep those moments as clean and traceable as possible.

If this all sounds like a sensible balance of careful habits and practical tools, you’re on the right track. SAQ B isn’t about complicating your operations; it’s about sharpening focus where it counts—on the physical handling of card data and the minimal, necessary electronic exposure that comes with modern card processing.
