PCI Compliance – Completing an SAQ C-VT

We’re back again to discuss another SAQ in our series covering the different SAQs that an organization can complete to meet PCI DSS requirements. This decision is an important one, as your applicable SAQ will increase or decrease the number of requirements that you need to address (which equates to cost) as well as the scope of systems that those requirements apply to (also representing cost). Today we’ll cover SAQ C-VT, which is one of the “newer” SAQs that was developed to address a niche payment channel that is becoming increasingly prevalent. We’ll cover which merchants can use this SAQ and what an organization needs to do to say within this category of SAQ.

What Organizations Can Use This SAQ

This SAQ can be seen as a specific subset of SAQ C. It was developed to reduce the number of requirements levied upon organizations that are only processing payment data through an acquirer, payment processor, or third-party service provider website. This case applies when you’ve got employees sitting at a workstation and manually entering cardholder data (CHD) into one of these types of websites after receiving payment information through mail order, telephone order, or in-person transactions. It’s only intended for merchants processing a single transaction at a time, so any type of electronic storage of CHD or batch-processing features will disqualify you from using an SAQ C-VT.

As described in the criteria below, the big requirements if you’re thinking about using this level of SAQ as a merchant are the network segmentation and restriction of the workstations processing the CHD. These payment processing workstations have to be segmented from the rest of your internal network and their outbound Internet-access has to be limited to only destinations with a documented and justified business need. That means that Sally in accounting isn’t going to be able to get to her Facebook account on her lunch break from the same workstation she uses to process credit card transactions. While this definitely makes sense from a security perspective, it can be a hard pill for your users depending on company culture, and work-arounds in this realm usually aren’t great. We’d be happy to take a look at your specific situation in more depth and talk through some considerations for this payment channel.

What Does it Take to Complete an SAQ C-VT?

For your company to complete an SAQ C-VT, you’ve got to confirm for the applicable payment channel that:

  • Card processing workstations must be segmented from the rest of the internal network.
  • No electronic storage of cardholder data.
  • The only payment processing your organization does is via a virtual payment terminal using an Internet-connected web browser.
  • The virtual payment terminal solution is hosted by a PCI DSS validated third-party service provider.
  • There’s no batch-processing software installed on the workstations used for payment processing, or any other software that would cause electronic CHD to be stored.
  • No card readers are attached to the workstations.
  • No CHD is electronically transmitted or received besides via the virtual payment terminal application.
  • Any CHD storage is physical (e.g. paper receipts).