What is the PCI DSS SAQ C-VT?
In the intricate world of payment security, navigating the labyrinthine requirements of the Payment Card Industry Data Security Standard (PCI DSS) can feel like deciphering code. But for merchants using virtual payment terminals, the PCI DSS SAQ C-VT emerges as a beacon of hope that offers a simplified path towards compliance.
As highly experienced PCI DSS Qualified Security Assessors (QSA), we’re very familiar with every PCI SAQ option that organizations have when seeking compliance with the standard, and we know how important it is that you choose the right one for you. And while many organizations are often torn between SAQ A and SAQ EP, the SAQ C-VT may instead be the best path.
To help you discern if that’s true, in this article, we’re going to explain who qualifies for the SAQ C-VT, the benefits of this particular Self-Assessment Questionnaire, and key considerations for the organizations who choose it.
Who is Eligible for the PCI DSS SAQ C-VT?
Imagine a streamlined version of the PCI DSS tailored specifically for a merchant based on their acceptance methods. While that's the essence of all SAQs, it’s especially true for the SAQ C-VT.
However, you have to be eligible for this particular questionnaire, and unfortunately, if you’re an e-commerce channel or service provider, the SAQ C-VT is NOT APPLICABLE to you. Rather, the SAQ C-VT caters directly to brick-and-mortar (card-present) or mail/telephone-order (card-not-present) merchants that:
- Do not store cardholder data locally—at all, on any computer system—and instead rely on trusty virtual terminal (VT) providers to handle the processing securely; and
- Process card data manually—a single transaction at a time via a keyboard—into an Internet-based, third-party virtual payment terminal solution on an isolated computing device. (So, no swiping, chip reading, or dipping.)
What is a Virtual Payment Terminal?
Given the criticality of virtual payment terminals to eligibility, it’s important to understand what they are.
The PCI SSC defines a virtual payment terminal as a third-party solution used to submit payment card transactions for authorization to a PCI DSS-compliant third-party service provider (TPSP) website. Unlike physical terminals, virtual payment terminals do not read data directly from a payment card.
If you believe you qualify for this avenue to PCI DSS compliance, please note that SAQ C-VT merchants will be required to confirm the following:
- You do not otherwise receive, transmit, or store account data electronically through any channels (e.g., via an internal network or the Internet).
- Any account data you might retain is on paper—e.g., printed reports or receipts—and these documents are not received electronically.
You also must confirm the following regarding your environment:
- Your only payment processing is via a virtual payment terminal accessed by an Internet-connected web browser.
- Your virtual payment terminal solution is provided and hosted by a PCI DSS-compliant third-party service provider.
- Your PCI DSS-compliant virtual payment terminal solution is only accessed via a computing device that is isolated in a single location and is not connected to other locations or systems.
- Said computing device does not have software installed that causes account data to be stored (e.g., there is no software for batch processing or store-and-forward).
- The computing device does not have any attached hardware devices that are used to capture or store account data (e.g., there are no card readers attached).
What are the Benefits of the PCI DSS SAQ C-VT?
If you meet those criteria and can confirm those items, going the SAQ C-VT route will unlock several helpful advantages for your organization:
- Simplified Compliance: With fewer requirements compared to the full PCI DSS, it'll be easier to understand and implement what’s necessary.
- Accelerated Compliance: Because this SAQ has fewer requirements, your validation process will take less time, allowing you to refocus on your core business sooner.
- Reduced Costs: Similarly, a smaller scope translates to reduced costs for scans and audits, freeing up resources for other endeavors.
- Stronger Security: Despite the streamlined approach, the SAQ C-VT still emphasizes fundamentals like strong passwords, robust antivirus software, and restricted physical access to devices.
2 Key Considerations for SAQ C-VT
Despite this being a streamlined avenue to PCI DSS compliance, there are two things you should pay particular attention to when implementing controls to ensure you meet the standard’s requirements.
1. Be Wary of the Number of Payment Terminals You Deploy.
While the SAQ C-VT itself does not explicitly limit the number of payment terminals merchants can use, adhering to the spirit of the SAQ and maintaining PCI DSS compliance does imply limitations and makes it important to consider the following potential issues:
- Resource Constraints: The SAQ assumes you’re performing a single transaction at a time, meaning limited processing volume. Having numerous terminals could potentially exceed your staff's capacity to securely manage them all, impacting the effectiveness of your implemented controls.
- Scalability and Security: Implementing certain controls, like physical or network segmentation, might become impractical or excessively complex with a large number of terminals, but leaving those measures out could compromise overall security posture.
2. Make Sure to Secure Your Subnet.
Similarly, the SAQ C-VT also does not explicitly require isolating virtual terminals from each other on the same subnet. At the same time, it does emphasize securing your Cardholder Data Environment (CDE), which includes the VTs and any systems processing cardholder data.
So, if you’re using the same subnet for multiple elements within your CDE, here's what we recommend you implement to achieve secure deployment:
- Network Segmentation: Although not explicitly mandated by SAQ C-VT, logically separating the VTs and other CDE systems from other network segments using firewalls or VLANs will help limit the lateral movement of potential threats within the network.
- Secure Configuration: To ensure all terminals are securely configured according to the vendor's recommendations and industry best practices, disable unnecessary services, maintain strong passwords, and apply security patches regularly.
- Anti-Malware Protection: Implement robust anti-malware software on all terminals and systems within the CDE to detect and prevent potential malware infections.
- Access Controls: Restrict physical and logical access to the terminals and CDE systems to authorized personnel only and implement multi-factor authentication and strong password policies for additional security.
By implementing these controls, you can mitigate the risks associated with having multiple virtual terminals on the same subnet while still leveraging the convenience of this setup.
The SAQ C-VT and Your PCI DSS ROC
While the SAQ C-VT provides a path to quicker and more feasible compliance, eligible merchants may still want to complete a PCI DSS Report on Compliance (ROC).
If that’s the case, you can leverage the SAQ C-VT as a baseline, but going for the ROC will require a more comprehensive assessment. To bridge that gap, refer to PCI SSC FAQ 1331, which outlines how to map SAQ responses to the corresponding ROC controls.
By utilizing both the SAQ C-VT and the FAQ, you’ll gain a roadmap for expanding your SAQ answers into a detailed ROC, ensuring you address all vital security controls for your VT-based payment processing.
Moving Toward PCI DSS Compliance
Though often regarded as rigorous, PCI DSS compliance represents a shield to protect your customers' data and your business reputation. By wielding the power of the SAQ C-VT, eligible merchants can achieve compliance efficiently, safeguard their future, and empower their growth.
To learn more about the intricacies of PCI DSS, make sure you check out our comprehensive library of content regarding the latest v4.0, and these pieces can also help with understanding some specifics:
- What is the PCI DSS Process?
- How Expired Terminals Affect Your PCI Compliance
- How to Achieve PCI DSS Compliance in a Zero Trust Environment
But if you still have further questions—about the SAQ C-VT or your other PCI options—don’t hesitate to reach out to our team of experts, who would be happy to help point you in the right direction.
About David Baca
David Baca is a Senior Associate with Schellman based in Elizabethtown, Kentucky. Prior to joining Schellman, David worked as a Security Consultant at a global technology solutions company specializing in assessment and remediation services for PCI DSS, GDPR, and ISO 27001. David led and supported various other projects including NIST 800-171A assessments, development of composite risk management frameworks, and CMMC readiness. David has over 10 years of experience comprised of serving clients in various industries, including Manufacturing, Retail, Travel, and Healthcare, as well as his duties as a Military Intelligence Officer in the United States Army. David is now focused primarily on PCI DSS audits for organizations across various industries.