PCI DSS v4.0.1 Self-Assessment Questionnaire (SAQ C-VT) — Cardholder Data Security Controls for Virtual Terminal Merchants

Overview

PCI DSS v4.0.1Self-Assessment Questionnaire (SAQ C-VT) is a compliance tool withinthe Payment Card Industry Data Security Standard (PCI DSS) frameworkthat assists organizations in validating security controls forvirtual terminal merchants that manually enter cardholder data. Thisquestionnaire helps businesses confirm their adherence to industryrequirements for protecting payment card information and managingpayment card risks.

Published by thePCI Security Standards Council (PCI SSC), SAQ C-VT is intended fororganizations that process cardholder data solely via virtual paymentterminals on devices isolated from other payment processingenvironments. It focuses on cybersecurity controls related to dataprotection, secure network configuration, and the mitigation ofpayment card fraud in accordance with PCI DSS requirements.

Organizationstypically complete and submit the SAQ C-VT as part of their PCIcompliance program, documenting security practices, performing riskassessments, and establishing internal controls. The self-assessmentsupports regulatory compliance efforts, audit readiness, and helpsmaintain customer trust within the payment ecosystem.

Why it Matters

PCI DSS v4.0.1SAQ C-VT establishes essential security requirements to protectcardholder data processed through virtual terminals in merchantenvironments.

Key benefitsinclude:

•  Strengthen data protection measures

Reduce risk ofunauthorized access and compromise by enforcing strict controls forhandling cardholder data through virtual terminals.

•  Enhance compliance support

Aidorganizations in demonstrating adherence to payment card industryrequirements, simplifying the process of regulatory and third-partyvalidation.

•  Increase audit readiness

Promotesystematic recordkeeping and documentation that enables smoother andfaster responses to audit or compliance review processes.

•  Improve risk management practices

Enableorganizations to identify vulnerabilities in their paymentenvironments and implement controls to proactively mitigate threats.

•  Promote operational resilience

Supportcontinuity of business operations by helping detect, prevent, andrespond to payment security incidents more effectively.

How it Works

The PCI DSSv4.0.1 Self-Assessment Questionnaire (SAQ C-VT) structures itsrequirements around a defined set of security controls that safeguardcardholder data processed through virtual terminals. The frameworkcategorizes requirements into control objectives covering areas suchas data protection, access management, vulnerability management, andongoing monitoring. Each requirement maps to broader PCI DSS controlfamilies, ensuring all aspects of payment card security andregulatory compliance are systematically addressed.

In practice,organizations assess their virtual terminal environments against theSAQ C-VT requirements, implementing necessary safeguards such assecure user authentication, encrypted data transmissions, andperiodic vulnerability scans. They conduct self-assessments, evaluaterisk exposure, and maintain documentation to demonstrate compliance.Regular monitoring and review of controls support ongoing governanceefforts and help organizations identify areas for improvement insecurity practices.

Whenoperationalizing PCI DSS SAQ C-VT within SmartSuite, organizationsleverage control libraries to align security controls with frameworkrequirements, maintain a risk register for tracking identified risks,and utilize compliance tracking features to monitor adherence. Policygovernance, evidence collection, remediation workflows, and reportingdashboards support a continuous compliance cycle, audit readiness,and effective risk management for cardholder data environments.

Key Elements

•  Scope and Applicability Requirements

Specifiesboundaries for PCI DSS compliance, identifying in-scope systems,personnel, and data handling processes.

•  Authentication and Access Control Measures

Describesrequirements for verifying user identities and controlling logicalaccess to cardholder data environments.

•  Cardholder Data Protection Practices

Outlines methodsto safeguard stored and transmitted payment card information withinvirtual terminal environments.

•  Network and System Security Controls

Establishestechnical and procedural mechanisms to secure network infrastructureand connected systems.

•  Monitoring and Testing Procedures

Definesexpectations for regularly tracking security events and periodicallyvalidating control effectiveness.

•  Policy and Process Documentation

Organizesrequired documentation of security policies, operational procedures,and evidence for assessment purposes.

Framework Scope

PCI DSS v4.0.1Self-Assessment Questionnaire (SAQ C-VT) is used by merchantsprocessing cardholder data solely via virtual terminals with noelectronic cardholder data storage. This framework governs paymentenvironments and internet-connected systems, typically duringcompliance reviews or when supporting assurance programs focused ondata protection, security controls, and regulatory standards.

Framework Objectives

PCI DSS v4.0.1SAQ C-VT defines essential security controls and governance practicesto protect cardholder data for virtual terminal merchants.

•  Safeguard cardholder data through robust data protection andcybersecurity controls

•  Strengthen risk management and governance over paymentprocessing environments

•  Ensure compliance with regulatory and industry data securityrequirements

•  Enhance operational resilience by reducing the likelihood ofdata breaches

•  Promote audit readiness through systematic documentation andcontrol validation

•  Support ongoing improvement in cybersecurity posture andoversight PCI DSS v4.0.1 SAQ C-VT aligns with overarching PCI DSSrequirements and relates to frameworks like ISO 27001 and NIST SP800-53 regarding payment card data protection. Merchants usingvirtual terminals, without electronic cardholder data storage,typically implement this SAQ to validate regulatory compliance andassure secure handling of cardholder information.

Common Framework Mappings

PCI DSS SAQ C-VTis often mapped to other leading cybersecurity frameworks tostreamline compliance efforts, demonstrate robust cardholder dataprotection, and support broader security and regulatory obligationsacross industries.

Mappedframeworks include:

CIS CriticalSecurity Controls

COBIT

CSA CloudControls Matrix

HIPAA

ISO/IEC 27001

ISO/IEC 27002

NISTCybersecurity Framework

NIST SP 800-53

SOC 2

SWIFT CustomerSecurity Programme