Find out who is eligible for PCI SAQ C-VT and what requirements apply.
PCI SAQ C-VT was created to address the requirements of merchants that process cardholder data only through isolated virtual payment terminals on an Internet-connected personal computer.
A virtual payment terminal is web-browser-based access to the website of the recipient, processor, or third-party service provider, in which the merchant manually enters payment card data via a secure web browser and authorizes payment card transactions.
Virtual payment terminals do not read data directly from a payment card, unlike physical terminals. Because payment card transactions are entered manually, virtual payment terminals are typically used with low transaction volumes instead of physical terminals in the merchant environment.
SAQ C-VT merchants process cardholder data only through a virtual payment terminal and do not store cardholder data on any computer system.
These virtual terminals connect to the internet to access a third party hosting the virtual terminal payment processing functionality. This third party may be a processor organization, card-accepting organization, or third-party service provider that stores, processes, or transmits cardholder data to authorize or fulfill merchants’ virtual terminal payment transactions.
SAQ C-VT is intended to apply only to merchants that manually enter a single transaction at a time into an internet-based virtual terminal solution via a keyboard. SAQ C-VT merchants can be traditional businesses (card-present) or mail/phone order businesses (card-not-present).
It should be noted that e-commerce merchants are not subject to PCI SAQ C-VT.
You can check our PCI DSS SAQ article to review all PCI SAQ types and get detailed information.
Which types of companies is PCI SAQ C-VT suitable for?
Although their names are similar, there is a fundamental difference between SAQ C and SAQ C-VT. SAQ C applies only to businesses that conduct their business by mail/telephone or send card data from point-of-sale terminals via an Internet connection. SAQ C-VT is valid for companies that use a virtual payment terminal system in their transactions.
In SAQ C-VT, you enter data through an Internet-connected web browser into a virtual terminal that can only be accessed via a PCI DSS compliant third-party service provider.
The difference between e-commerce companies and organizations using virtual payment terminals is that, for the latter, the likelihood of a breach is much lower, as access is minimal and involves only workstations and customers.
Also, since SAQ C-VT mostly refers to call centers, hotels, retail companies, and other organizations that receive card data over the phone, it is essential to establish whether you have such calls in your environment.
While it is perfectly reasonable to record some calls for review, if you record a phone call containing cardholder data, you are storing the data electronically. In this case, the Self-Assessment Questionnaire C-VT will not apply to you. For this reason, it is essential to consider such situations before choosing SAQ C-VT.
Here are the eligibility criteria you must meet to complete the SAQ C-VT:
- Your business's only payment processing is through a virtual payment terminal accessed by an Internet-connected web browser.
- The virtual payment terminal system for your business is provided and managed by a third-party service provider validated as PCI DSS compliant.
- Your company accesses a PCI DSS-compliant virtual payment terminal solution through a single isolated device that is not connected to other locations or systems in your environment.
- No software is installed on your company’s computer that causes the storage of cardholder data.
- There is no hardware device connected to your company’s computer used to collect or store cardholder data.
- Your company will not receive or transmit cardholder data electronically through any other channel.
- Any cardholder data the organization keeps is on paper only, and these documents are not received electronically.
- Your organization does not store cardholder data electronically.
Also, it should be noted that SAQ C-VT is not valid for e-commerce merchants.
What are the requirements of the PCI SAQ C-VT?
In PCI SAQ C-VT, the PCI DSS requirements you have to meet are as follows:
- PCI DSS Requirement 1: Set up and maintain a firewall configuration to protect data
- PCI DSS Requirement 2: Do not use manufacturer-supplied defaults for system passwords
- PCI DSS Requirement 3: Protect stored cardholder data
- PCI DSS Requirement 4: Encrypt transmission of cardholder data over open, public networks
- PCI DSS Requirement 6: Develop and maintain secure systems and applications
- PCI DSS Requirement 7: Restrict access to cardholder data by business need to know
- PCI DSS Requirement 8: Define and verify access to system components
- PCI DSS Requirement 9: Restrict physical access to cardholder data
- PCI DSS Requirement 11: Regularly test security systems and processes
- PCI DSS Requirement 12: Maintain a policy that addresses information security for all personnel
You can self-assess with PCI SAQ C-VT if you meet the above conditions. PCI SAQ C-VT covers ten requirements, but the number of items under some PCI DSS requirements has been reduced.
Although SAQ C-VT covers only specific PCI DSS requirements, you must comply with all PCI compliance requirements where applicable.
What are the questions in the PCI C-VT SAQ?
SAQ C-VT is one of the shortest Self-Assessment Questionnaires. There are only 79 questions you have to answer. Each of these questions corresponds to a specific PCI DSS requirement, and the questions have multiple choices, such as “Yes,” “No,” “Not Applicable,” and “Compensating Control.”
In addition, each question usually includes a list of “expected tests,” such as reviewing principles, procedures, or documentation. This list is particularly useful when you are unsure how to answer a question.
Some sample questions to answer when filling in the PCI SAQ C-VT are as follows:
- Is outbound traffic explicitly allowed from the cardholder data environment?
- When wireless networks are used, are passwords on access points changed during setup?
- Are admin access and web-based management interfaces encrypted with strong cryptography?
- Are the devices hardened using a custom configuration based on an industry-standard guideline?
- When the authorization process is complete, is sensitive authentication data deleted or made unrecoverable?
- Are only trusted keys or certificates accepted?
- Is antivirus software installed on all systems commonly affected by malware?
- Are all system components and software protected from known vulnerabilities by installing the manufacturers’ relevant security patches?
- Is access based on job classification and the individual role of staff?
- Are all users given a unique ID so that they can access system components or cardholder data?
- Are the media classified to determine the sensitivity of the data?
- Do the security policy and procedures clearly define responsibilities regarding information security for all employees?
What is the difference between SAQ C and SAQ C-VT?
PCI SAQ C-VT is only valid for businesses that process payments through virtual payment terminals. SAQ C, on the other hand, is valid for companies that are connected to the internet, do not store electronic cardholder data, and operate with isolated payment application systems.
How to Complete the PCI DSS Self-Assessment Questionnaire C-VT?
Each question on the SAQ C-VT form has several possible answers with which you can indicate your company’s status regarding the requirement. Your answers to the questions may be “Yes,” “No,” “Compensating Control,” or “Not Applicable.” Only one answer should be chosen for each question.
You can complete the SAQ C-VT form by following the steps below in order:
- First, determine the applicable SAQ for your environment.
- Confirm that your environment’s scope is defined correctly and meets the eligibility criteria for the SAQ you are using.
- Assess your environment for compliance with the applicable PCI DSS requirements for SAQ C-VT.
- Complete all required sections of the SAQ C-VT form.
- Communicate the SAQ and Attestation of Compliance (AOC), along with any other requested documentation, to the recipient, your payment brand, or other requestors.
Additional tips on how to fill in PCI SAQ C-VT
PCI DSS compliance can be a complicated process. Here are some additional tips to remember when filling in SAQ C-VT:
- Document everything: Make sure all procedures and changes are appropriately documented. This makes it easier to control your processes.
- Perform vulnerability scanning: Although SAQ C-VT does not require vulnerability scanning, it would be good to scan networks for potential vulnerabilities.
- Train your staff: Unless your employees follow your procedures and keep up with security developments, your operational processes will not benefit you.
- Consult an expert: If you don’t know much about security or are not technically savvy, seeking professional help will ensure your data is adequately protected.
You can view the latest (version 3.2.1) PCI Self-Assessment Questionnaire C-VT here.