PCI DSS Self-Assessment Questionnaire (SAQ) for In-Store Payments

At Surfboard Payments, we make PCI DSS compliance as straightforward as possible for merchants handling in-store transactions. Every merchant that accepts payment cards is subject to PCI DSS, but the number of requirements you must address yourself depends on your payment setup, the validated status of your payment solution provider, and how transactions are processed.

Who Needs to Complete an SAQ?

Merchants processing fewer than 6 million card transactions annually can normally validate PCI DSS compliance using a Self-Assessment Questionnaire (SAQ). Those exceeding 6 million transactions per year (Level 1 merchants) must complete a Report on Compliance (RoC), which requires an on-site assessment by a Qualified Security Assessor (QSA). Merchant levels and the required validation method are ultimately set by the card brands and your acquirer, so confirm your level with them before choosing an SAQ.

The SAQ applicable to your business depends on how your in-store payment system is configured.

Which SAQ Applies to Your Business?

SAQ B-IP – Recommended for Surfboard Payments Merchants

Applies to: Merchants using standalone, PCI PTS-approved point-of-interaction (POI) terminals that connect directly to the payment processor over IP, are not connected to any other system in the merchant environment, and do not store cardholder data electronically. All Surfboard Payments devices fall into this category.

Total Requirements: 48

Scope Reduction Options:

Primary Mobile Network Connectivity: If the payment terminal uses mobile network connectivity (e.g., LTE) as its primary connection, Surfboard Payments can pre-fill the SAQ, leaving 9 responses for the merchant to complete.

Primary Wi-Fi Connectivity: If the terminal is connected via the merchant's own Wi-Fi network, the merchant's network is in scope and 42 requirements must be addressed by the merchant.

Why is Scope Reduced?

The reduction in merchant requirements is possible because Surfboard Payments, as a PCI DSS v4.0-validated service provider, can supply evidence (our Attestation of Compliance, AOC) that many of the security controls are already in place. This does not mean the requirements are removed: all PCI DSS requirements must still be met, but Surfboard Payments has already fulfilled many of them on the merchant's behalf. The merchant remains responsible for its own compliance, so keep a copy of our AOC with your SAQ and record which requirements are covered by Surfboard Payments and which are yours, as PCI DSS Requirement 12.8 expects for every service provider you use.

SAQ P2PE – For Merchants Using Certified P2PE Solutions

Applies to: Merchants utilizing PCI-validated Point-to-Point Encryption (P2PE) payment terminals.

Total Requirements: 21

Scope Reduction:

None – the merchant must meet all 21 requirements.

Why Surfboard Payments Does Not Offer P2PE

Because the pre-filled SAQ B-IP already leaves a merchant using mobile network connectivity with 9 responses, fewer than the 21 required by SAQ P2PE, adding a P2PE validation to our solution would not reduce the merchant's workload further but would increase costs and operational complexity.

SAQ D โ€“ Not Applicable to Surfboard Payments Devices

Applies to: Merchants who do not qualify for any other SAQ.

Total Requirements: 257

Scope:

Merchants must address all requirements, making it the most comprehensive and demanding SAQ.

โš ๏ธ Surfboard Payments devices do not fall under SAQ D. Our PCI DSS-certified, direct-to-gateway terminals ensure that merchants qualify for SAQ B-IP, avoiding the complexity of SAQ D.

How Surfboard Payments Supports Compliance

We have built our payment solutions to minimize your PCI DSS compliance requirements while maintaining high-security standards:

  • SAQ B-IP Eligibility → All Surfboard Payments devices qualify for SAQ B-IP, eliminating the need for SAQ D.
  • Scope Reduction → Merchants using mobile network connectivity can reduce their own responses to just 9 questions, because Surfboard Payments provides evidence for the other requirements.
  • Built-in Security & Compliance → Our PCI DSS v4.0 validation covers the requirements we are responsible for, and our AOC serves as the evidence you reference in your own SAQ.

Advisory Support for Level 1 Merchants (6M+ Transactions per Year)

Merchants processing more than 6 million card transactions annually must undergo a QSA-led Report on Compliance (RoC) assessment.

Surfboard Payments is not a QSA and does not perform RoC assessments. However, we offer advisory support to help merchants prepare for the QSA assessment, making it easier to achieve compliance.

Our team can:

  • Provide guidance on meeting PCI DSS requirements.
  • Assist in streamlining the preparation process for the QSA assessment.
  • Recommend trusted external QSAs to complete the RoC.

Need Assistance?

Our goal is to help you stay compliant while keeping payment acceptance secure and simple. For detailed integration steps and PCI DSS guidance, visit our Developer Portal. By using Surfboard Payments, you can achieve compliance with minimal effort, allowing you to focus on growing your business while we handle the security of the terminals and transaction processing.

Which SAQ Applies If You Accept Both In-Store and Online Payments?

Since PCI DSS compliance is validated per payment channel, you will normally complete two separate SAQs: SAQ B-IP for your in-store payments and the SAQ that matches your online integration (typically SAQ A or SAQ A-EP) for your e-commerce payments. Confirm this approach with your acquirer, as some acquirers instead ask merchants with multiple channels to complete a single SAQ D.