SAQ C-VT — Virtual Terminal Only

PCI DSS SAQ C-VT Compliance Guide

For merchants who manually enter single transactions via a web-based virtual terminal on an isolated, dedicated device.

Covers approximately 79 requirements focused on secure configurations, access control, physical security, and policies.

What Is SAQ C-VT?

SAQ C-VT is a PCI DSS Self-Assessment Questionnaire designed for merchants who process card-not-present transactions by manually entering cardholder data one transaction at a time into a web-based virtual terminal. The virtual terminal is provided and hosted by a PCI DSS validated third-party payment processor, and the merchant accesses it through a standard web browser.

This SAQ type is most commonly used by call centres taking card payments over the phone, mail order businesses processing postal orders, and similar merchants who key card details directly into a payment gateway's virtual terminal interface. The merchant never stores cardholder data electronically, and the virtual terminal device must be isolated from all other systems in the merchant environment.

With approximately 79 requirements, SAQ C-VT sits between the lighter SAQ A (~22 requirements) and the heavier SAQ C (~160 requirements). The reduced scope compared to SAQ C reflects the simpler threat model: the merchant is not running a payment application locally, and the virtual terminal device is isolated and dedicated. However, this reduced scope depends entirely on maintaining strict device isolation and using the virtual terminal only for single, manually keyed transactions.

Who Qualifies for SAQ C-VT?

Merchants who process card-not-present transactions by manually entering card data into a web-based virtual terminal one at a time
The virtual terminal is provided and hosted by a PCI DSS validated third-party payment processor accessed via a web browser
The device used for virtual terminal access is isolated from other systems in the merchant environment and dedicated to payment processing
The merchant does not store cardholder data in any electronic format anywhere in its environment
The merchant does not process e-commerce transactions and does not use a locally installed payment application
The virtual terminal solution does not connect to any other systems or channels that handle cardholder data within the merchant environment

Key SAQ C-VT Requirements

Req 2: Secure Configurations

Apply secure configurations to the virtual terminal device and any network components. Change all vendor-supplied defaults, remove unnecessary software and services, and ensure only essential functionality is enabled on the dedicated device.

Req 7: Restrict Access

Restrict access to the virtual terminal device and payment data to only those personnel whose job requires it. Implement role-based access control and ensure only authorized staff can process transactions through the virtual terminal.

Req 8: User Authentication

Assign unique IDs to each person who accesses the virtual terminal. Enforce strong password policies, implement multi-factor authentication for remote access, and ensure shared or group accounts are not used for virtual terminal access.

Req 9: Physical Security

Restrict physical access to the virtual terminal device. Ensure the workstation is in a secure area, implement visitor controls, and protect any paper records containing cardholder data from unauthorized access. Maintain a clean desk policy.

Device Isolation

The virtual terminal device must be isolated and dedicated to payment processing. It must not be used for email, web browsing, file sharing, or other general activities. Network segmentation should prevent other systems from accessing the device.

Req 12: Security Policies

Establish and maintain security policies and procedures covering virtual terminal usage, acceptable use of the dedicated device, incident response procedures, and security awareness training for all personnel who handle cardholder data.

Common SAQ C-VT Mistakes

Using the Virtual Terminal on a Shared Workstation

The most common SAQ C-VT compliance failure is using a general-purpose workstation for virtual terminal access. If the device is also used for email, web browsing, or other business applications, it is not isolated and the merchant does not qualify for SAQ C-VT. The virtual terminal device must be dedicated solely to payment processing, with no other applications or browser tabs open during use.

Storing Card Numbers in Paper Notes or Spreadsheets

Call centre staff and phone order operators sometimes write down card numbers on paper, enter them into spreadsheets, or save them in CRM systems before keying them into the virtual terminal. Any storage of cardholder data outside the virtual terminal — whether paper-based or electronic — violates PCI DSS requirements and may disqualify the merchant from SAQ C-VT. Train staff to enter card details directly into the virtual terminal during the call.

Not Securing the Device Used for Virtual Terminal Access

Even though the virtual terminal is hosted by a third party, the device used to access it must be properly secured. This includes keeping the operating system and browser patched, running anti-malware software, disabling unnecessary services, configuring a host-based firewall, and ensuring the device is on a segmented network. An unsecured device could be compromised and card data intercepted via keyloggers or screen capture malware.

Failing to Maintain Device Isolation Over Time

Even if a device is initially configured as isolated and dedicated, configuration drift can erode that isolation. Staff may install additional software, connect USB devices, or change network configurations. Regular audits of the virtual terminal device are essential to verify it remains isolated, dedicated, and compliant with SAQ C-VT requirements. Document the baseline configuration and check against it periodically.
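A sketch of the periodic baseline check described above, added here as an example and not taken from the guide or from GRCTrack. It assumes the documented baseline and the current device state are available as snapshots with the hypothetical categories `software`, `usb_devices` and `network`; how the snapshots are collected is outside the example, and the sample data is constructed.

```python
def diff_baseline(baseline: dict, current: dict) -> list:
    """Return (category, change, detail) findings; an empty list means no drift."""
    findings = []
    for category in sorted(set(baseline) | set(current)):
        base, cur = baseline.get(category), current.get(category)
        if isinstance(base, dict) or isinstance(cur, dict):
            # Key/value settings: report added, removed and changed values.
            base, cur = base or {}, cur or {}
            for key in sorted(set(base) | set(cur)):
                if key not in base:
                    findings.append((category, "added", f"{key}={cur[key]}"))
                elif key not in cur:
                    findings.append((category, "removed", f"{key}={base[key]}"))
                elif base[key] != cur[key]:
                    findings.append(
                        (category, "changed", f"{key}: {base[key]} -> {cur[key]}"))
        else:
            # Inventories: report items that appeared or disappeared.
            base, cur = set(base or []), set(cur or [])
            findings += [(category, "added", item) for item in sorted(cur - base)]
            findings += [(category, "removed", item) for item in sorted(base - cur)]
    return findings

# Constructed snapshots: the documented baseline and a later audit of the device.
BASELINE = {
    "software": ["browser", "anti-malware agent"],
    "usb_devices": ["keyboard", "mouse"],
    "network": {"vlan": "payments", "host_firewall": "enabled"},
}
CURRENT = {
    "software": ["browser", "anti-malware agent", "email client"],
    "usb_devices": ["keyboard", "mouse", "mass-storage device"],
    "network": {"vlan": "office", "host_firewall": "enabled"},
}

if __name__ == "__main__":
    for category, change, detail in diff_baseline(BASELINE, CURRENT):
        print(f"DRIFT {category}: {change} {detail}")
```

Each finding maps to one of the drift sources named above, so a non-empty result is the point at which to re-verify that the device still meets the isolation conditions.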

How GRCTrack Helps with SAQ C-VT Compliance

SAQ type selection wizard that evaluates your payment architecture and confirms SAQ C-VT eligibility based on your virtual terminal setup
Pre-built SAQ C-VT control library with all ~79 requirements mapped and organized with step-by-step compliance guidance
Device isolation verification checklists to document and validate that your virtual terminal device meets isolation requirements
Third-party service provider management to verify and track your virtual terminal provider's PCI DSS compliance status
Evidence collection templates designed for SAQ C-VT including device configuration baselines, access control documentation, and physical security records
AI-powered compliance guidance built by certified QSAs to answer SAQ C-VT-specific questions about device isolation and virtual terminal security
