Visa Europe revealed important stats about the usage of contactless cards. Poland, Spain and the UK use this payment method the most, with UK usage growing by 300% year over year.
The Payment Card Industry's Self-Assessment Questionnaires (PCI DSS SAQ) give you a tangible checklist of what you are (or should be) doing in order to achieve, monitor and maintain PCI DSS compliance, and of whether or not you are following the PCI's security best practices. The SAQs' ultimate goal is to help merchants validate this compliance to their acquiring banks (and any other companies that you deal with).
Overall, there are eight different questionnaires that a merchant may complete (A, A-EP, B, B-IP, C, C-VT, D and P2PE), and each of them is addressed to a different type of business, according to how it handles cardholder data. If you don't fill out the correct one, you may miss a vital step on your path to compliance, which may result in fines (from those aforementioned acquiring banks) or in breaches, as you've failed to address a key vulnerability.
In this article we will help you understand the ins and outs of SAQ C-VT: whether Self-Assessment Questionnaire C-VT is the right one for your business, what you can expect from this particular questionnaire and how exactly it differs from the others.
Don't be fooled by the similarity of their names: SAQ C and SAQ C-VT are two very different beasts. While the former applies to businesses that simply conduct their business via mail order/telephone and/or send card data from point-of-sale terminals over an Internet connection, businesses that take the C-VT questionnaire process payments using a virtual payment terminal solution.
The virtual payment terminal solution (a web-based point of sale) is provided by a PCI DSS compliant third-party company, and it is only accessible via an Internet-connected web browser, a browser which only allows you to enter data. The difference between businesses that run an ecommerce operation and organisations that use virtual payment terminals is that, for the latter, the risk of a breach is much lower because the scope is quite small: it only includes the workstation and the browser.
Also, as this questionnaire most often applies to businesses such as call centres, hotels, catalogue companies and other businesses that take card data over the phone before entering it into the virtual payment terminal solution, it is incredibly important that you (or other authorised personnel) check that these calls are not recorded.
While it's completely understandable that some calls are recorded for training purposes, if you record a phone call that involves cardholder data then you are storing that data electronically, and Self-Assessment Questionnaire C-VT will no longer apply to you, so keep that in mind before taking the self-assessment.
Here is the full list of SAQ C-VT criteria:
The PCI DSS also notes that this SAQ "includes questions that apply to a specific type of small merchant environment, as defined in the above eligibility criteria" and that if you don't fall under the criteria or you see requirements not applicable to your business, then SAQ C-VT may not be for you.
C-VT, you'll be glad to know, is one of the shortest Self-Assessment Questionnaires, as it has just 74 questions for you to answer. Each one of these questions corresponds to a specific PCI DSS requirement, and the questions are multiple choice too: you must pick one of "No", "Yes", "Yes with CCW (Compensating Controls Worksheet)" or "N/A".
Moreover, each question has a list of "expected testing" methods as well, such as reviewing policies and procedures or reviewing documentation. These are especially useful if you aren't sure how to answer a question.
Here are some examples:
Achieving, monitoring and maintaining PCI compliance is mandatory for almost every type of organisation, but it's also really complicated and can even be confusing, as you need to take time and care when ensuring that your company's IT security is in order. Cutting corners and taking shortcuts could result in disaster for you, your business and your clients too.
We recommend that you hire a PCI Qualified Security Assessor (QSA) to help walk you through it.
Information security professional with 12+ years of experience in information security consulting, 2+ years of experience in the role of information security manager, and 2+ years of experience in large scale governmental IT project management. Developed and delivered PCI DSS Implementation and ATM Security training sessions in 15+ different countries. Certified as Qualified Security Assessor (QSA) by PCI Security Standards Council, holding CISM, CISA and CISSP certifications in good standing.