Learn who qualifies for SAQ C-VT and what requirements apply.

By: Michael Simpson
Principal Security Analyst
SAQ C-VT addresses requirements applicable to merchants who process cardholder data only through isolated virtual payment terminals on a personal computer connected to the Internet.

SEE ALSO: SAQ C: Securing Your Payment Application

A virtual payment terminal is web-browser-based access to an acquirer, processor, or third-party service provider website to authorize payment card transactions, where the merchant manually enters payment card data through a securely connected web browser.
SAQ C-VT merchants may be brick-and-mortar or mail/telephone-order merchants.
Note: SAQ C-VT doesn’t apply to e-commerce only merchants. 

SEE ALSO: Updating PCI DSS SAQs to 3.2: The Changes You Should Know

Who qualifies for SAQ C-VT?

Not sure if you should fill out this SAQ? Here’s what qualifies you to fill out SAQ C-VT
  • Your company’s only payment processing is through a virtual payment terminal accessed by an Internet-connected web browser
  • Your company’s virtual payment terminal solution is provided and hosted by a PCI DSS validated third-party service provider
  • Your company accesses the PCI DSS-compliant virtual payment terminal solution through a computer that is isolated in a single location, and is not connected to other locations or systems within your environment 
  • Your company’s computer does not have software installed that causes cardholder data to be stored 
  • Your company’s computer does not have any attached hardware devices that are used to capture or store cardholder data 
  • Your company does not otherwise receive or transmit cardholder data electronically through any channels 
  • Any cardholder data your company retains is on paper and these documents are not received electronically
  • Your company does not store cardholder data in electronic format 

Which requirements does this SAQ cover?

The requirements you will address in SAQ C-VT include:
Remember that while this SAQ covers specific requirements, it’s important that you are compliant with all aspects of PCI compliance where applicable.

What questions will I address?

Here are some sample questions that you’ll answer while filling out this SAQ:
  • Is outbound traffic from the cardholder data environment to the Internet explicitly authorized?
  • If wireless networks are used, are default passwords/passphrases on access points changed at installation?
  • Is administrator access to web-based management interfaces encrypted with strong cryptography?
  • Are systems hardened using a configuration standard based on an industry-standard hardening guide?
  • Is sensitive authentication data deleted or rendered unrecoverable upon completion of the authorization process?
  • Are only trusted keys and/or certificates accepted?
  • Is anti-virus software deployed on all systems commonly affected by malicious software?
  • Are all system components and software protected from known vulnerabilities by installing applicable vendor-supplied security patches?
  • Is access assigned based on individual personnel’s job classification and function?
  • Are all users assigned a unique ID before allowing them to access system components or cardholder data?
  • Is media classified so the sensitivity of the data can be determined?
  • Do security policy and procedures clearly define information security responsibilities for all personnel?

Additional tips

Getting compliant can be a complex process. Here are a few extra things to keep in mind while you fill out this SAQ:
  • Document everything: Make sure all processes and changes are properly documented. It keeps your business organized and reduces potential liability
  • Consider getting a vulnerability scan: while not required by this SAQ, it may be a good idea to scan your networks for potential vulnerabilities
  • Train employees: Your policies will do you no good if your employees aren’t following them
  • Work with an expert: If you don’t know much about security, or aren’t technically savvy, getting help from an expert will help make sure you’re protecting your data correctly
Remember, to determine your exact PCI DSS requirements, speak to a professional.

Need help getting PCI compliant? Talk to us! 

Michael Simpson (QSA, CISSP, CCNP) is a Principal Security Analyst at SecurityMetrics and has been in the IT Security industry for 15 years. He has a Bachelor of Science in Computer Science and a Masters in Business Administration.