PCI DSS v4.0.1 Self-Assessment Questionnaire (SAQ C-VT) — Cardholder Data Security Controls for Virtual Terminal Merchants

Why it Matters

PCI DSS v4.0.1 SAQ C-VT establishes essential security requirementsto protect cardholder data processed through virtual terminals inmerchant environments.

Key benefits include:

• Strengthen data protection measures

Reduce risk ofunauthorized access and compromise by enforcing strict controls forhandling cardholder data through virtual terminals.

• Enhance compliance support

Aid organizationsin demonstrating adherence to payment card industry requirements,simplifying the process of regulatory and third-party validation.

• Increase audit readiness

Promotesystematic recordkeeping and documentation that enables smoother andfaster responses to audit or compliance review processes.

• Improve risk management practices

Enableorganizations to identify vulnerabilities in their paymentenvironments and implement controls to proactively mitigate threats.

• Promote operational resilience

Supportcontinuity of business operations by helping detect, prevent, andrespond to payment security incidents more effectively.

How it Works

The PCI DSS v4.0.1 Self-Assessment Questionnaire (SAQ C-VT)structures its requirements around a defined set of security controlsthat safeguard cardholder data processed through virtual terminals.The framework categorizes requirements into control objectivescovering areas such as data protection, access management,vulnerability management, and ongoing monitoring. Each requirementmaps to broader PCI DSS control families, ensuring all aspects ofpayment card security and regulatory compliance are systematicallyaddressed.

In practice, organizations assess their virtual terminal environmentsagainst the SAQ C-VT requirements, implementing necessary safeguardssuch as secure user authentication, encrypted data transmissions, andperiodic vulnerability scans. They conduct self-assessments, evaluaterisk exposure, and maintain documentation to demonstrate compliance.Regular monitoring and review of controls support ongoing governanceefforts and help organizations identify areas for improvement insecurity practices.

When operationalizing PCI DSS SAQ C-VT within SmartSuite,organizations leverage control libraries to align security controlswith framework requirements, maintain a risk register for trackingidentified risks, and utilize compliance tracking features to monitoradherence. Policy governance, evidence collection, remediationworkflows, and reporting dashboards support a continuous compliancecycle, audit readiness, and effective risk management for cardholderdata environments.

Key Elements

• Scope and Applicability Requirements

Specifiesboundaries for PCI DSS compliance, identifying in-scope systems,personnel, and data handling processes.

• Authentication and Access Control Measures

Describesrequirements for verifying user identities and controlling logicalaccess to cardholder data environments.

• Cardholder Data Protection Practices

Outlines methodsto safeguard stored and transmitted payment card information withinvirtual terminal environments.

• Network and System Security Controls

Establishestechnical and procedural mechanisms to secure network infrastructureand connected systems.

• Monitoring and Testing Procedures

Definesexpectations for regularly tracking security events and periodicallyvalidating control effectiveness.

• Policy and Process Documentation

Organizesrequired documentation of security policies, operational procedures,and evidence for assessment purposes.

Framework Scope

PCI DSS v4.0.1 Self-Assessment Questionnaire (SAQ C-VT) is used bymerchants processing cardholder data solely via virtual terminalswith no electronic cardholder data storage. This framework governspayment environments and internet-connected systems, typically duringcompliance reviews or when supporting assurance programs focused ondata protection, security controls, and regulatory standards.

Framework Objectives

PCI DSS v4.0.1 SAQ C-VT defines essential security controls andgovernance practices to protect cardholder data for virtual terminalmerchants.

Safeguard cardholder data through robust data protection andcybersecurity controls

Strengthen risk management and governance over payment processingenvironments

Ensure compliance with regulatory and industry data securityrequirements

Enhance operational resilience by reducing the likelihood of databreaches

Promote audit readiness through systematic documentation and controlvalidation

Support ongoing improvement in cybersecurity posture and oversightPCI DSS v4.0.1 SAQ C-VT aligns with overarching PCI DSS requirementsand relates to frameworks like ISO 27001 and NIST SP 800-53 regardingpayment card data protection. Merchants using virtual terminals,without electronic cardholder data storage, typically implement thisSAQ to validate regulatory compliance and assure secure handling ofcardholder information.

Framework in Context

PCI DSS v4.0.1 SAQC-VT aligns with overarching PCI DSS requirements and relates toframeworks like ISO 27001 and NIST SP 800-53 regarding payment carddata protection. Merchants using virtual terminals, withoutelectronic cardholder data storage, typically implement this SAQ tovalidate regulatory compliance and assure secure handling ofcardholder information.

Common Framework Mappings

PCI DSS SAQ C-VT is often mapped to other leading cybersecurityframeworks to streamline compliance efforts, demonstrate robustcardholder data protection, and support broader security andregulatory obligations across industries.

Mapped frameworks include:

CIS Critical Security Controls

COBIT

CSA Cloud Controls Matrix

HIPAA

ISO/IEC 27001

ISO/IEC 27002

NIST Cybersecurity Framework

NIST SP 800-53

SOC 2

SWIFT Customer Security Programme