The Payment Card Industry's Self-Assessment Questionnaires (PCI DSS SAQ) give you a tangible checklist of what you are/should be doing in order to achieve, monitor and maintain PCI DSS compliance and whether or not you are following the PCI's security best practices. The SAQs ultimate goal is to help merchants validate this compliance to their acquiring banks (and any other companies that you deal with).

Overall, there are eight different questionnaires that a merchant may complete, including (A, A-EP, B, B-IP, C, C-VT, D, and P2PE) and each of them is addressed to different types of business, according to how they handle CardHolder Data. If you don't fill out the correct one, you may miss a vital step on your path to compliance, which may result in fines (from those aforementioned acquiring banks) or breaches as you've failed to address a key vulnerability.

In this article we will help you understand the ins and out of SAQ C-VT and whether Self-Assessment Questionnaire C-VT is the right one for your business, what you can expect from this particular questionnaire and how exactly it is different from the others.

What type of organizations should take this Questionnaire?

Don't be fooled by the similarity of their names: SAQ C and SAQ C-VT are two very different beasts. While the former applies to businesses that simply conduct their business via mail order/telephone, and/or send card data from point of sale terminals via an Internet connection, businesses that take the C-VT questionnaire process payments using a virtual payment terminal solution.

The virtual payment terminal solution (a web-based point of sale) is provided by a PCI DSS compliant third-party company, and it is only accessible via an Internet connected web browser; a web browser which only allows you to enter data. The difference between businesses that conduct an ecommerce business and organizations that use virtual payment terminals, is that the risk of a breach is much lower as the scope is quite small, as it only includes the work station and the browser.

Also, as this questionnaire most often applies to businesses such as call centres, hotels, catalogue companies and other businesses that take card data over the phone before entering it into the virtual payment terminal solution, it's incredibly important that you (or other authorised personnel) check that these calls are not recorded.

While it’s completely understandable that some calls are recorded for training purposes, if you record a phone call that involves cardholder data then you are storing data electronically, and Self-Assessment Questionnaire C-VT will not apply to you, so keep that in mind before taking the self-assessment.

Here is the full list of SAQ C-VT criteria:

  • Your company’s only payment processing is via a virtual payment terminal accessed by an Internet-connected web browser;
  • Your company’s virtual payment terminal solution is provided and hosted by a PCI DSS validated third-party service provider;
  • Your company accesses the PCI DSS compliant virtual payment terminal solution via a computer that is isolated in a single location, and is not connected to other locations or systems within your environment (this can be achieved via a firewall or network segmentation to isolate the computer from other systems);
  • Your company’s computer does not have software installed that causes cardholder data to be stored (for example, there is no software for batch processing or store-and-forward);
  • Your company’s computer does not have any attached hardware devices that are used to capture or store cardholder data (for example, there are no PoS, PED or any type of card readers attached);
  • Your company does not otherwise receive or transmit cardholder data electronically through any channels (for example, via an internal network or the Internet);
  • Your company retains only paper reports or paper copies of receipts, and these documents are not received electronically;
  • Your company does not store cardholder data in electronic format.

The PCI DSS also notes that this SAQ "includes questions that apply to a specific type of small merchant environment, as defined in the above eligibility criteria" and that if you don't fall under the criteria or you see requirements not applicable to your business, then SAQ C-VT may not be for you.

What Sort of Questions Are Featured in Questionnaire C-VT?

C-VT, you'll be glad to know, is one of the shortest Self-Assessment Questionnaires as it has just 74 questions for you to answer. Each one of these questions corresponds to a specific PCI DSS requirement and the questions are multiple choice too, as you must pick an option between: “No”, “Yes”, “Yes with CCW (Compensating Controls Worksheet)”, or “N/A”.

Moreover,  each question has a list of “expected testing” methods as well, such as reviewing policies and procedures, or reviewing documentation. These are especially useful if you aren’t sure how to answer a question.

Here are some examples:

  • Has all unnecessary functionality—such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers—been removed?
  • Are strong cryptography and security protocols, such as SSL/TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks?
  • Are periodic evaluations performed to identify and evaluate evolving malware threats in order to confirm whether those systems considered to not be commonly affected by malicious software continue as such?
  • Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)?
  • Is information maintained about which PCI DSS requirements are managed by each service provider, and which are managed by the entity?

How Trusted Advisors Make PCI DSS Compliance Easy

Achieving, monitoring and maintaining PCI compliance is mandatory for almost every type of organisation, but it's also really complicated and it may even be confusing, as you need to take time and care when ensuring that your company's IT security is in order. Cutting corners and taking shortcuts could result in disaster for you, your business and your clients too.

We recommend that you hire a PCI Qualified Security Assessor (QSA) to help walk you through it.

Irmantas Brazaitis

Written by Irmantas Brazaitis

Information security professional with 12+ years of experience in information security consulting, 2+ years of experience in the role of information security manager, and 2+ years of experience in large scale governmental IT project management. Developed and delivered PCI DSS Implementation and ATM Security training sessions in 15+ different countries. Certified as Qualified Security Assessor (QSA) by PCI Security Standards Council, holding CISM, CISA and CISSP certifications in good standing.