PCI-DSS SAQ C-VT v3.2.1 Assessment Template
This download includes the Self-Assessment Questionnaire C-VT and Attestation of Compliance for Merchants with Web-Based Virtual Payment Terminals – No Electronic Cardholder Data Storage v3.2.1.
SAQ C-VT has been developed to address requirements applicable to merchants who process cardholder data only via isolated virtual payment terminals on a personal computer connected to the Internet.
A virtual payment terminal is web-browser-based access to an acquirer, processor, or third-party service provider website to authorize payment card transactions, where the merchant manually enters payment card data via a securely connected web browser. Unlike physical terminals, virtual payment terminals do not read data directly from a payment card. Because payment card transactions are entered manually,
Virtual payment terminals are typically used instead of physical terminals in merchant environments with low transaction volumes.
SAQ C-VT merchants process cardholder data only via a virtual payment terminal and do not store cardholder data on any computer system. These virtual terminals are connected to the Internet to access a third party that hosts the virtual terminal payment-processing function. This third party may be a processor, acquirer, or other third-party service provider who stores, processes, and/or transmits cardholder data to authorize and/or settle merchants’ virtual terminal payment transactions.
This SAQ option is intended to apply only to merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution. SAQ C-VT merchants may be brick-and-mortar (card-present) or mail/telephone-order (card-not-present) merchants.
Completing the Self-Assessment Questionnaire:
For each question, there is a choice of responses to indicate your company’s status regarding that requirement. Only one response should be selected for each question.
A description of the meaning for each response is provided below:
Yes: The expected testing has been performed, and all elements of the requirement have been met as stated.
Yes with CCW (Compensating Control Worksheet): The expected testing has been performed, and the requirement has been met with the assistance of a compensating control. All responses in this column require completion of a Compensating Control Worksheet (CCW) in Appendix B of the SAQ. Information on the use of compensating controls and guidance on how to complete the worksheet is provided in the PCI DSS.
No: Some or all elements of the requirement have not been met, or are in the process of being implemented, or require further testing before it will be known if they are in place.
N/A (Not Applicable): The requirement does not apply to the organization’s environment. All responses in this column require a supporting explanation in Appendix C of the SAQ.
Type: Laws or related obligations