What changes are applicable to SAQ C-VT?

SAQ C-VT: Merchants who manually enter account data from an isolated computing device into an Internet-based virtual payment terminal connected via IP.

The SAQ C-VT, in line with the other v4.0 SAQs, now also references ‘merchant’ instead of ‘company’ and ‘account data’ instead of ‘cardholder data’.

The version 4.0 SAQ places more emphasis on the requirement for ‘isolation’ of the computing device used to access the virtual payment terminal than in the version 3.2.1 SAQ (bold added):

  • ‘Self-Assessment Questionnaire (SAQ) C-VT includes only those PCI DSS requirements applicable to merchants that process account data only via third-party virtual payment terminal solutions on an isolated computing device connected to the Internet.’
  • ‘Using this solution, the merchant manually enters account data from an isolated computing device via a securely connected web browser.’

And, as before, the SAQ also asks merchants to confirm that:

  • ‘The PCI DSS-compliant virtual payment terminal solution is only accessed via a computing device that is isolated in a single location and is not connected to other locations or systems.’

The majority of the v4.0 SAQ C-VT additions are people-related policy, process and security awareness changes, while many technical control Requirements have been removed, including the segmentation penetration testing Requirement (11.3.4) used to confirm the isolation of out-of-scope systems from the CDE.

  • 6 Requirements are new and effective immediately.
  • 4 Requirements are new but future dated.

In addition, 20 consolidated, redundant or no longer applicable version 3.2.1 SAQ Requirements have been removed from SAQ C-VT: 1.3.4, 1.3.5, 2.2.4 a, 3.2.3, 4.1 a-e, 4.2 b, 9.6 a, 9.7, 11.3.4 a-c, 12.3.1, 12.3.3, 12.3.5, 12.4, 12.5.3.

The most significant of the new or additional Requirements are highlighted below:

Effective Immediately

  • Security policies and operational procedures for:
    • Applying secure configurations (2.1.1)
    • Protecting stored account data in hard copy (3.1.1)
    • Identifying users and authenticating access to system components (8.1.1)
    • Restricting physical access to cardholder data (9.1.1)
  • Documented authorization for user ID lifecycle changes (8.2.4)
    • Applicable to the addition, deletion, and modification of user IDs, authentication factors, and other identifier objects

Future-dated

  • Implement automated mechanisms to detect and protect against phishing attacks, and include phishing and social engineering in security awareness training (5.4.1, 12.6.3.1)
  • Anti-malware solution for removable electronic media (5.3.3)
  • Minimum of 12-character alphanumeric password length, if passwords/passphrases are used for authentication of users and administrators (8.3.6)
    • Or minimum 8 characters if the system does not support 12 characters.
    • Not applicable to application or system accounts, or user accounts on POS terminals that only access one PAN at a time to facilitate a transaction.
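The 8.3.6 password rule above has two edge cases that are easy to get wrong in a policy check: the 8-character fallback applies only where the system cannot support 12, and application, system and single-PAN POS accounts are out of scope. The following is an added example (not from the SAQ or the PCI SSC) of a policy validator that encodes those cases; the `system_max_length` parameter and the account-type labels are assumptions for illustration.

```python
import re

# Minimum lengths under PCI DSS v4.0 Requirement 8.3.6 as summarised on this page:
# 12 characters normally, 8 only where the system cannot support 12.
STANDARD_MIN_LENGTH = 12
FALLBACK_MIN_LENGTH = 8

# Account types the page lists as out of scope for 8.3.6 (labels are assumed).
EXEMPT_ACCOUNT_TYPES = {"application", "system", "pos_single_pan"}


def required_min_length(system_max_length: int) -> int:
    """Return the minimum length that applies to a given system.

    `system_max_length` is the longest password the system can store; it is
    an assumed parameter used to decide whether the 8-character fallback applies.
    """
    if system_max_length >= STANDARD_MIN_LENGTH:
        return STANDARD_MIN_LENGTH
    return FALLBACK_MIN_LENGTH


def check_password_policy(password: str, account_type: str = "user",
                          system_max_length: int = 128) -> list[str]:
    """Return a list of 8.3.6 findings for a password; an empty list is compliant.

    Only user and administrator accounts are in scope; application/system
    accounts and single-PAN POS user accounts are exempt per the page.
    """
    if account_type in EXEMPT_ACCOUNT_TYPES:
        return []
    findings = []
    min_len = required_min_length(system_max_length)
    if len(password) < min_len:
        findings.append(f"length {len(password)} below minimum {min_len}")
    # "Alphanumeric" is read here as: both letters and digits must be present.
    if not re.search(r"[A-Za-z]", password):
        findings.append("no alphabetic characters")
    if not re.search(r"[0-9]", password):
        findings.append("no numeric characters")
    return findings
```

Feed it the password rules exported from each in-scope system rather than individual passwords; the point is to confirm the configured minimums, not to handle live credentials.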