  • PCI DSS SAQ

  • Confirm eligibility to take questionnaire PCI DSS C-VT


    Merchant Eligibility Criteria for Self-Assessment Questionnaire C-VT

    Self-Assessment Questionnaire (SAQ) C-VT includes only those PCI DSS requirements applicable to merchants that process account data only via third-party virtual payment terminal solutions on an isolated computing device connected to the Internet.

    A virtual payment terminal is a third-party solution used to submit payment card transactions for authorization to a PCI DSS compliant third-party service provider (TPSP) website. Using this solution, the merchant manually enters account data from an isolated computing device via a securely connected web browser. Unlike physical terminals, virtual payment terminals do not read data directly from a payment card.

    This SAQ option is intended to apply only to merchants that manually enter a single transaction at a time via a keyboard into an Internet-based virtual payment terminal solution. SAQ C-VT merchants may be brick-and-mortar (card-present) or mail/telephone-order (card-not-present) merchants, and do not store account data on any computer system.

    SAQ C-VT merchants confirm that, for this payment channel:
    • The only payment processing is via a virtual payment terminal accessed by an Internet-connected
      web browser;
    • The virtual payment terminal solution is provided and hosted by a PCI DSS compliant third-party
      service provider;
    • The PCI DSS-compliant virtual payment terminal solution is only accessed via a computing
      device that is isolated in a single location, and is not connected to other locations or systems (this
      can be achieved via a firewall or network segmentation to isolate the merchant system(s)
      accessing the virtual payment terminal from other merchant systems);
    • The computing device does not have software installed that causes account data to be stored (for
      example, there is no software for batch processing or store-and-forward);
    • The computing device does not have any attached hardware devices that are used to capture or
      store account data (for example, there are no card readers attached);
    • The merchant does not otherwise receive, transmit, or store account data electronically through
      any channels (for example, via an internal network or the Internet); and
    • Any account data the merchant might retain is on paper (for example, printed reports or receipts),
      and these documents are not received electronically.
  • Section 1

    Requirement 1: Install and maintain network security controls
  • Network access to and from the cardholder data environment is restricted.

  • Question 1.1:
    Inbound traffic to the CDE is restricted as follows:

    • To only traffic that is necessary.
    • All other traffic is specifically denied.
  • Question 1.2:
    Outbound traffic from the CDE is restricted as follows:

    • To only traffic that is necessary.
    • All other traffic is specifically denied.
  • Question 1.3:
    NSCs are installed between all wireless networks and
    the CDE, regardless of whether the wireless network is a
    CDE, such that:

    • All wireless traffic from wireless networks into the
      CDE is denied by default.
    • Only wireless traffic with an authorized business
      purpose is allowed into the CDE.
  • Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated.

  • Question 1.4:
    Security controls are implemented on any computing
    devices, including company- and employee-owned
    devices, that connect to both untrusted networks
    (including the Internet) and the CDE as follows:

    • Specific configuration settings are defined to prevent
      threats being introduced into the entity’s network.
    • Security controls are actively running.
    • Security controls are not alterable by users of the
      computing devices unless specifically documented
      and authorized by management on a case-by-case
      basis for a limited period.
  • Section 2

    Requirement 2: Apply Secure Configurations to All System Components
  • Processes and mechanisms for applying secure configurations to all system components are defined and understood.

  • Question 2.1:
    All security policies and operational procedures that are
    identified in Requirement 2 are:

    • Documented.
    • Kept up to date.
    • In use.
    • Known to all affected parties.
  • System components are configured and managed securely.

  • Question 2.2:
    Vendor default accounts are managed as follows:

    • If the vendor default account(s) will be used, the
      default password is changed per Requirement 8.3.6.
    • If the vendor default account(s) will not be used, the
      account is removed or disabled.
  • Question 2.3:
    Only necessary services, protocols, daemons, and
    functions are enabled, and all unnecessary functionality
    is removed or disabled.

  • Question 2.4:
    If any insecure services, protocols, or daemons are present:

    • Business justification is documented.
    • Additional security features are documented and implemented that reduce the risk of using insecure services, protocols, or daemons.
  • Question 2.5:
    System security parameters are configured to prevent misuse.

  • Question 2.6:
    All non-console administrative access is encrypted using strong cryptography.

  • Question 2.7:
    For wireless environments connected to the CDE or transmitting account data, all wireless vendor defaults are changed at installation or are confirmed to be secure, including but not limited to:

    • Default wireless encryption keys.
    • Passwords on wireless access points.
    • SNMP defaults.
    • Any other security-related wireless vendor defaults.
  • Question 2.8:
    For wireless environments connected to the CDE or transmitting account data, wireless encryption keys are changed as follows:

    • Whenever personnel with knowledge of the key leave the company or the role for which the knowledge was necessary.
    • Whenever a key is suspected of or known to be compromised.
  • Section 3

    Requirement 3: Protect Stored Account Data
  • Processes and mechanisms for protecting stored account data are defined and understood.

  • Question 3.1:
    All security policies and operational procedures that are identified in Requirement 3 are:

    • Documented.
    • Kept up to date.
    • In use.
    • Known to all affected parties.
  • Sensitive authentication data (SAD) is not stored after authorization

  • Question 3.2:
    SAD is not stored after authorization, even if encrypted. All sensitive authentication data received is rendered unrecoverable upon completion of the authorization process.

  • Question 3.3:
    The card verification code is not stored upon completion of the authorization process.

  • Question 3.4:
    PAN is masked when displayed (the BIN and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see more than the BIN and last four digits of the PAN.

  • Section 4

    Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
  • PAN is protected with strong cryptography during transmission

  • Question 4.1:
    Wireless networks transmitting PAN or connected to the CDE use industry best practices to implement strong cryptography for authentication and transmission.

  • Section 5

    Requirement 5: Protect All Systems and Networks from Malicious Software
  • Malicious software (malware) is prevented, or detected and addressed.

  • Question 5.1:
    An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that conclude the system components are not at risk from malware.

  • Question 5.2:
    The deployed anti-malware solution(s):

    • Detects all known types of malware.
    • Removes, blocks, or contains all known types of malware.
  • Anti-malware mechanisms and processes are active, maintained, and monitored.

  • Question 5.3:
    The anti-malware solution(s) is kept current via automatic updates.

  • Question 5.4:
    The anti-malware solution(s):

    • Performs periodic scans and active or real-time scans,
      OR
    • Performs continuous behavioral analysis of systems or processes.
  • Question 5.5:
    For removable electronic media, the anti-malware solution(s):

    • Performs automatic scans when the media is inserted, connected, or logically mounted,
      OR
    • Performs continuous behavioral analysis of systems or processes when the media is inserted, connected, or logically mounted.
  • Question 5.6:
    Audit logs for the anti-malware solution(s) are enabled and retained in accordance with Requirement 10.5.1.

  • Question 5.7:
    Anti-malware mechanisms cannot be disabled or altered by users, unless specifically documented, and authorized by management on a case-by-case basis for a limited time period.

  • Question 5.8:
    Processes and automated mechanisms are in place to detect and protect personnel against phishing attacks.

  • Section 6

    Requirement 6: Develop and Maintain Secure Systems and Software
  • Security vulnerabilities are identified and addressed.

  • Question 6.1:
    Security vulnerabilities are identified and managed as follows:

    • New security vulnerabilities are identified using industry-recognized sources for security vulnerability information, including alerts from international and national computer emergency response teams (CERTs).
    • Vulnerabilities are assigned a risk ranking based on industry best practices and consideration of potential impact.
    • Risk rankings identify, at a minimum, all vulnerabilities considered to be high-risk or critical to the environment.
  • Question 6.2:
    All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows:

    • Patches/updates for critical vulnerabilities (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release.
  • Section 7

    Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know
  • Access to system components and data is appropriately defined and assigned.

  • Question 7.1:
    Access is assigned to users, including privileged users, based on:

    • Job classification and function.
    • Least privileges necessary to perform job responsibilities.
  • Section 8

    Requirement 8: Identify Users and Authenticate Access to System Components
  • Processes and mechanisms for identifying users and authenticating access to system components are defined and understood.

  • Question 8.1:
    All security policies and operational procedures that are
    identified in Requirement 8 are:

    • Documented.
    • Kept up to date.
    • In use.
    • Known to all affected parties.
  • User identification and related accounts for users and administrators are strictly managed throughout an account’s lifecycle.

  • Question 8.2:
    All users are assigned a unique ID before access to system components or cardholder data is allowed.

  • Question 8.3:
    Group, shared, or generic IDs, or other shared authentication credentials are only used when necessary on an exception basis, and are managed as follows:

    • ID use is prevented unless needed for an exceptional circumstance.
    • Use is limited to the time needed for the exceptional circumstance.
    • Business justification for use is documented.
    • Use is explicitly approved by management.
    • Individual user identity is confirmed before access to an account is granted.
    • Every action taken is attributable to an individual user.
  • Question 8.4:
    Addition, deletion, and modification of user IDs, authentication factors, and other identifier objects are managed as follows:

    • Authorized with the appropriate approval.
    • Implemented with only the privileges specified on the documented approval.
  • Question 8.5:
    Access for terminated users is immediately revoked.

  • Strong authentication for users and administrators is established and managed.

  • Question 8.6:
    All user access to system components for users and administrators is authenticated via at least one of the following authentication factors:

    • Something you know, such as a password or passphrase.
    • Something you have, such as a token device or smart card.
    • Something you are, such as a biometric element.
  • Question 8.7:
    If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the following minimum level of complexity:

    • A minimum length of 12 characters (or IF the system does not support 12 characters, a minimum length of eight characters).
    • Contain both numeric and alphabetic characters.
  • Multi-factor authentication (MFA) is implemented to secure access into the CDE.

  • Question 8.8:
    MFA is implemented for all non-console access into the CDE for personnel with administrative access.

  • Section 9

    Requirement 9: Restrict Physical Access to Cardholder Data
  • Processes and mechanisms for restricting physical access to cardholder data are defined and understood.

  • Question 9.1:
    All security policies and operational procedures that are identified in Requirement 9 are:

    • Documented.
    • Kept up to date.
    • In use.
    • Known to all affected parties.
  • Physical access controls manage entry into facilities and systems containing cardholder data.

  • Question 9.2:
    Appropriate facility entry controls are in place to restrict physical access to systems in the CDE.

  • Media with cardholder data is securely stored, accessed, distributed, and destroyed.

  • Question 9.3:
    All media with cardholder data is physically secured.

  • Question 9.4:
    Offline media backups with cardholder data are stored in a secure location.

  • Question 9.5:
    All media with cardholder data is classified in accordance with the sensitivity of the data.

  • Question 9.6:
    Media with cardholder data sent outside the facility is secured as follows:

    • Media is sent by secured courier or other delivery method that can be accurately tracked.
  • Question 9.7:
    Management approves all media with cardholder data that is moved outside the facility (including when media is distributed to individuals).

  • Question 9.8:
    Hard-copy materials with cardholder data are destroyed when no longer needed for business or legal reasons, as follows:

    • Materials are cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed.
    • Materials are stored in secure storage containers prior to destruction.
  • Section 12

    Requirement 12: Support Information Security with Organizational Policies and Programs
  • A comprehensive information security policy that governs and provides direction for protection of the entity’s information assets is known and current.

  • Question 12.1:
    An overall information security policy is:

    • Established.
    • Published.
    • Maintained.
    • Disseminated to all relevant personnel, as well as to relevant vendors and business partners.
  • Question 12.2:
    The information security policy is:

    • Reviewed at least once every 12 months.
    • Updated as needed to reflect changes to business objectives or risks to the environment.
  • Security awareness education is an ongoing activity.

  • Question 12.3:
    A formal security awareness program is implemented to make all personnel aware of the entity’s information security policy and procedures, and their role in protecting the cardholder data.

  • Question 12.4:
    Security awareness training includes awareness of threats and vulnerabilities that could impact the security of the cardholder data and/or sensitive authentication data, including but not limited to:

    • Phishing and related attacks.
    • Social engineering.
  • Risk to information assets associated with third-party service provider (TPSP) relationships is managed.

  • Question 12.5:
    A list of all third-party service providers (TPSPs) with which account data is shared or that could affect the security of account data is maintained, including a description for each of the services provided.

  • Question 12.6:
    Written agreements with TPSPs are maintained as follows:

    • Written agreements are maintained with all TPSPs with which account data is shared or that could affect the security of the CDE.
    • Written agreements include acknowledgments from TPSPs that TPSPs are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that the TPSP could impact the security of the entity’s cardholder data and/or sensitive authentication data.
  • Question 12.7:
    An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement.

  • Question 12.8:
    A program is implemented to monitor TPSPs’ PCI DSS compliance status at least once every 12 months.

  • Question 12.9:
    Information is maintained about which PCI DSS requirements are managed by each TPSP, which are managed by the entity, and any that are shared between the TPSP and the entity.

  • Question 12.10:
    An incident response plan exists and is ready to be activated in the event of a suspected or confirmed security incident.

  • Summary of Assessment

    Indicate below all responses that were selected for each PCI DSS requirement.

  • Requirement 1:

  • Requirement 2:

  • Requirement 3:

  • Requirement 4:

  • Requirement 5:

  • Requirement 6:

  • Requirement 7:

  • Requirement 8:

  • Requirement 9:

  • Requirement 12:

  • Validation and Attestation Details

    PCI DSS Validation
  • Merchant Acknowledgement

  • Merchant Attestation