With the newest version of the PCI DSS came a new SAQ type - SAQ C-VT. This particular SAQ form is geared toward a special branch of merchant. Even though SAQ C-VT qualifying merchants use the Internet to process credit card data, they do it in such a way that most of the security responsibility is off-loaded to a third party. In order to qualify for SAQ C-VT, merchants must use a third-party virtual terminal to process all credit card transactions.
A virtual terminal is just what it sounds like: a terminal for processing credit card transactions without the use of a physical device. The virtual terminal would be a secure website provided by either your gateway or merchant account provider. To use the virtual terminal you would log in using a username and password and then manually type in the customer card data for processing. The most common virtual terminals I can think of are the Authorize.net terminal and the First Data terminal.
Who it applies to:
Just about every merchant has access to a virtual terminal these days. Whether you use it exclusively or not will determine your eligibility for completing SAQ C-VT. Being able to complete SAQ C-VT really reduces the amount of work a merchant has to do to become PCI compliant. Because a merchant uses the Internet to access the virtual terminal, if they don't qualify completely for SAQ C-VT, they would have to complete SAQ C, which involves many more PCI DSS requirements.
The first qualifier for SAQ C-VT is that all credit card transactions must be processed through a virtual terminal. You cannot do half with an IP terminal and the other half through the virtual terminal. In addition to only using the virtual terminal, the provider of the virtual terminal must also be PCI compliant.
Once you have established that you only process through a PCI compliant virtual terminal, you must then look at the computer setup you use to access the terminal. First, the computer you use to access the virtual terminal must be a stand-alone system. It can't be connected to any other computers through a network; the only connection it can have is to the Internet. Second, that computer must not have any software installed that will store card data. Third, the computer must not have any hardware attached that can read credit cards.
On top of the computer requirements a merchant must also meet the following policy and procedure requirements to be eligible for SAQ C-VT:
- The merchant does not receive or send card data electronically other than through the virtual terminal (for example, through email, instant messaging, or digital fax)
- Only paper reports and receipts are kept
- No cardholder data is ever stored electronically by the merchant
Given the nature of SAQ C-VT, merchants can be either a brick and mortar store or a mail/phone operation. However, SAQ C-VT will never apply to an e-commerce merchant.
How to become Compliant:
With SAQ C-VT the steps to PCI compliance are much the same as for the previous SAQ forms - conduct an annual audit, then fill out the SAQ C-VT form. Because all digital transactions go through a PCI compliant virtual terminal, no vulnerability scanning is needed for SAQ C-VT. However, because you do have an Internet connection, there are extra requirements to ensure that access controls to the virtual terminal are maintained.
SAQ C-VT contains requirements from 9 of the 12 PCI DSS sections. Those that apply specifically to the virtual terminal deal with restricting access to the virtual terminal and also maintaining the computer you use in a secure manner. Access to the virtual terminal and computer needs to be restricted to those who have the need. The software on the computer needs to be kept updated, and the system must also be protected with an anti-virus application.
Being able to complete SAQ C-VT can be a big time-saver for merchants. If you can adjust your method of processing to utilize only a virtual terminal, you will greatly reduce your requirements for PCI compliance. The smaller your security exposure is, the less time you need to dedicate to compliance, and the more you can focus on your core business functions.