SAQ C-VT is a self-assessment questionnaire designed for brick-and-mortar (card-present) or mail/telephone-order (card-not-present) merchants that process cardholder data via virtual terminals on personal computers connected to the Internet, and that do not store cardholder data on any computer system. This SAQ option is intended to apply only to merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution. SAQ C-VT applies to merchant environments that meet all of the following criteria –
Merchants using virtual terminal solutions should consult with their acquirer (merchant bank) to determine if they are eligible or required to submit an SAQ, and if so, whether SAQ C-VT is appropriate for their environment.
- The only payment processing is done via a virtual terminal accessed by an Internet connected web browser;
- The virtual terminal solution is provided and hosted by a PCI DSS validated third party service provider;
- The PCI DSS compliant virtual terminal solution is accessed via a computer that is isolated in a single location, and is not connected to other locations or systems within the merchant environment (this can be achieved via a firewall or network segmentation to isolate the computer from other systems);
- The merchant’s computer does not have software installed that causes cardholder data to be stored (for example, there is no software for batch processing or store-and-forward);
- The merchant’s computer does not have any attached hardware devices that are used to capture or store cardholder data (for example, there are no card readers attached);
- The merchant’s does not otherwise receive or transmit cardholder data electronically through any channels (for example, via an internal network or the Internet);
- The merchant retains only paper reports or paper copies of receipts; and
- The merchant does not store cardholder data in electronic format.
Article Number 1229