Document Comparison
PCI-DSS-v3-2-1-SAQ-C-VT-r2.pdf
→
PCI-DSS-v4-0-SAQ-C-VT-r1.pdf
25% similar
Pages: 37 → 45
Words: 8971 → 11754
Content Changes
189 content changes. 58 administrative changes (dates, page numbers) hidden.
Added
p. 2
December 2022 (PCI DSS v4.0, revision 1): Removed “In Place with Remediation” as a reporting option from Requirement Responses table, Attestation of Compliance (AOC) Part 2g, SAQ Section 2 Response column, and AOC Section 3. Also removed former Appendix C.
Added “In Place with CCW” to AOC Section 3.
Added guidance for responding to future-dated requirements.
Added minor clarifications and addressed typographical errors.
Added
p. 4
A virtual payment terminal is a third-party solution used to submit payment card transactions for authorization to a PCI DSS compliant third-party service provider (TPSP) website. Using this solution, the merchant manually enters account data from an isolated computing device via a securely connected web browser. Unlike physical terminals, virtual payment terminals do not read data directly from a payment card.
This SAQ is not applicable to service providers.
• The only payment processing is via a virtual payment terminal accessed by an Internet-connected web browser;
• The virtual payment terminal solution is provided and hosted by a PCI DSS compliant third-party service provider;
• The PCI DSS-compliant virtual payment terminal solution is only accessed via a computing device that is isolated in a single location, and is not connected to other locations or systems;
• The computing device does not have software installed that causes account data to be stored (for example, …
Added
p. 5
PCI DSS is intended for all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of the cardholder data environment (CDE). Cardholder data and sensitive authentication data are considered account data and are defined as follows:
Account Data
Cardholder Data includes:
• Primary Account Number (PAN)
Sensitive Authentication Data includes:
• Full track data (magnetic-stripe data or equivalent on a chip)
• Card verification code
• PINs/PIN blocks
Refer to PCI DSS Section 2, PCI DSS Applicability Information, for further details.
1. Confirm by review of the eligibility criteria in this SAQ and the Self-Assessment Questionnaire Instructions and Guidelines document on the PCI SSC website that this is the correct SAQ for the merchant’s environment.
2. Confirm that the merchant environment is properly scoped.
Section 1: Assessment Information (Parts 1 & 2 of the Attestation of Compliance (AOC): Contact Information and Executive Summary).
Expected Testing The instructions provided …
Added
p. 6
The testing methods are intended to allow the merchant to demonstrate how it has met a requirement. The specific items to be examined or observed and personnel to be interviewed should be appropriate for both the requirement being assessed and the merchant’s particular implementation.
Full details of testing procedures for each requirement can be found in PCI DSS.
Requirement Responses: For each requirement item, there is a choice of responses to indicate the merchant’s status regarding that requirement. Only one response should be selected for each requirement item.
Not Tested: This response is not applicable to, and not included as an option for, this SAQ.
This SAQ was created for a specific type of environment based on how the merchant stores, processes, and/or transmits account data and defines the specific PCI DSS requirements that apply for this environment. Consequently, all requirements in this SAQ must be tested.
This response is also used if a requirement …
Added
p. 7
For each response where Not Applicable is selected in this SAQ, complete Appendix C: Explanation of Requirements Noted as Not Applicable.
Added
p. 7
Note: A legal restriction is one where meeting the PCI DSS requirement would violate a local or regional law or regulation.
Contractual obligations or legal advice are not legal restrictions.
Use of the Customized Approach: SAQs cannot be used to document use of the Customized Approach to meet PCI DSS requirements. For this reason, the Customized Approach Objectives are not included in SAQs. Entities wishing to validate using the Customized Approach may be able to use the PCI DSS Report on Compliance (ROC) Template to document the results of their assessment.
The use of the customized approach may be regulated by organizations that manage compliance programs, such as payment brands and acquirers. Questions about use of a customized approach should always be referred to those organizations. This includes whether an entity that is eligible for an SAQ may instead complete a ROC to use a customized approach, and whether an entity is required …
Added
p. 8
(PCI Data Security Standard Requirements and Testing Procedures):
• Guidance on Scoping
• Guidance on the intent of all PCI DSS Requirements
• Details of testing procedures
• Guidance on Compensating Controls
• Appendix G: Glossary of Terms, Abbreviations, and Acronyms
SAQ Instructions and Guidelines:
• Information about all SAQs and their eligibility criteria
• How to determine which SAQ is right for your organization
Frequently Asked Questions (FAQs):
• Guidance and information about SAQs.
Online PCI DSS Glossary: PCI DSS Terms, Abbreviations, and Acronyms
Information Supplements and Guidelines: Guidance on a variety of PCI DSS topics including:
− Understanding PCI DSS Scoping and Network Segmentation
− Third-Party Security Assurance
− Multi-Factor Authentication Guidance
− Best Practices for Maintaining PCI DSS Compliance
Getting Started with PCI: Resources for smaller merchants including:
− Guide to Safe Payments
− Common Payment Systems
− Questions to Ask Your Vendors
− Glossary of Payment …
Added
p. 10
Indicate all payment channels used by the business that are included in this assessment.
• Mail order/telephone order (MOTO)
• E-Commerce
• Card-present
Are any payment channels not included in this assessment? If yes, indicate which channel(s) is not included in the assessment and provide a brief explanation about why the channel was excluded.
Part 2b. Description of Role with Payment Cards
For each payment channel included in this assessment as selected in Part 2a above, describe how the business stores, processes and/or transmits account data.
Channel | How Business Stores, Processes, and/or Transmits Account Data
Part 2c. Description of Payment Card Environment
Provide a high-level description of the environment covered by this assessment. For example:
• Connections into and out of the cardholder data environment (CDE).
• Critical system components within the CDE, such as POI devices, databases, web servers, etc., and any other necessary payment components, as applicable.
• System components that could impact the security of account …
Added
p. 11
Facility Type | Total number of locations (How many locations of this type are in scope) | Location(s) of facility (city, country)
Example: Data centers | 3 | Boston, MA, USA
Part 2e. PCI SSC Validated Products and Solutions
Does the merchant use any item identified on any PCI SSC Lists of Validated Products and Solutions♦?
Provide the following information regarding each item the merchant uses from PCI SSC’s Lists of Validated Products and Solutions.
Name of PCI SSC-validated Product or Solution | Version of Product or Solution | PCI SSC Standard to which product or solution was validated | PCI SSC listing reference number | Expiry date of listing (YYYY-MM-DD)
♦ For purposes of this document, “Lists of Validated Products and Solutions” means the lists of validated products, solutions, and/or components appearing on the PCI SSC website (www.pcisecuritystandards.org), for example, 3DS Software Development Kits, Approved PTS Devices, Validated Payment Software, Payment …
Added
p. 13
PCI DSS Requirement* | Requirement Responses (More than one response may be selected for a given requirement. Indicate all responses that apply.)
In Place | In Place with CCW | Not Applicable | Not in Place
* PCI DSS Requirements indicated above refer to the requirements in Section 2 of this SAQ.
Added
p. 14
The only payment processing is via a virtual payment terminal accessed by an Internet-connected web browser.
The virtual payment terminal solution is provided and hosted by a PCI DSS validated third-party service provider.
The PCI DSS-compliant virtual payment terminal solution is only accessed via a computing device that is isolated in a single location and is not connected to other locations or systems.
The computing device does not have software installed that causes account data to be stored (for example, there is no software for batch processing or store-and-forward).
The computing device does not have any attached hardware devices that are used to capture or store account data (for example, there are no card readers attached).
The merchant does not otherwise receive, transmit, or store account data electronically through any channels (for example, via an internal network or the Internet).
Any account data the merchant might retain is on paper (for example, printed reports or receipts), …
Added
p. 15
• To only traffic that is necessary,
• All other traffic is specifically denied.
• Examine NSC configuration standards.
Added
p. 15
• To only traffic that is necessary.
Added
p. 15
• All wireless traffic from wireless networks into the CDE is denied by default.
• Only wireless traffic with an authorized business purpose is allowed into the CDE.
• Examine network diagrams.
Added
p. 16
PCI DSS Requirement | Expected Testing | Response♦ (Check one response for each requirement): In Place | In Place with CCW | Not Applicable | Not in Place
1.5 Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated.
Added
p. 16
Specific configuration settings are defined to prevent threats being introduced into the entity’s network. Security controls are actively running. Security controls are not alterable by users of the computing devices unless specifically documented and authorized by management on a case-by-case basis for a limited period.
• Examine device configuration settings.
Applicability Notes: These security controls may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If these security controls need to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period during which these security controls are not active. This requirement applies to employee-owned and company-owned computing devices. Systems that cannot be managed by corporate policy introduce weaknesses and provide opportunities that malicious individuals may exploit.
Requirement 2: Apply Secure Configurations to All System Components
PCI DSS Requirement Expected …
Added
p. 17
• Examine documentation.
Added
p. 17
• If the vendor default account(s) will be used, the default password is changed per Requirement 8.3.6.
• If the vendor default account(s) will not be used, the account is removed or disabled.
Added
p. 17
• Observe a system administrator logging on using vendor default accounts.
• Examine configuration files.
Applicability Notes: This applies to ALL vendor default accounts and passwords, including, but not limited to, those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, and Simple Network Management Protocol (SNMP) defaults. This requirement also applies where a system component is not installed within an entity’s environment, for example, software and applications that are part of the CDE and are accessed via a cloud subscription service.
Added
p. 18
2.2.5 If any insecure services, protocols, or daemons are present:
• Business justification is documented.
• Additional security features are documented and implemented that reduce the risk of using insecure services, protocols, or daemons.
• Examine configuration standards.
Added
p. 18
• Examine vendor documentation.
Applicability Notes: This includes administrative access via browser-based interfaces and application programming interfaces (APIs).
2.3 Wireless environments are configured and managed securely.
Added
p. 19
• Default wireless encryption keys.
• Passwords on wireless access points.
• Any other security-related wireless vendor defaults.
Applicability Notes: This includes, but is not limited to, default wireless encryption keys, passwords on wireless access points, SNMP defaults, and any other security-related wireless vendor defaults.
• Whenever personnel with knowledge of the key leave the company or the role for which the knowledge was necessary.
• Whenever a key is suspected of or known to be compromised.
Note: For SAQ C-VT, Requirement 3 applies only to merchants with paper records that include account data (for example, receipts or printed reports).
3.1 Processes and mechanisms for protecting stored account data are defined and understood.
Added
p. 20
Selection of any of the In Place responses for Requirement 3.1.1 means that, if the merchant has paper storage of account data, the merchant has policies and procedures in place that govern merchant activities for Requirement 3. This helps to ensure personnel are aware of and following security policies and documented operational procedures for managing the secure storage of any paper records with account data.
If merchant does not store paper records with account data, mark this requirement as Not Applicable and complete Appendix C: Explanation of Requirements Noted as Not Applicable.
3.3 Sensitive authentication data (SAD) is not stored after authorization.
• Observe the secure data deletion processes.
Applicability Notes: Part of this Applicability Note is intentionally removed for this SAQ as it does not apply to merchant assessments. Sensitive authentication …
Added
p. 21
Selection of any of the In Place responses for Requirement 3.3.1.2 means that if the merchant writes down the card verification code while a transaction is being conducted, the merchant either securely destroys the paper (for example, with a shredder) immediately after the transaction is complete, or obscures the code (for example, by “blacking it out” with a marker) before the paper is stored.
If the merchant never requests the three-digit or four-digit number printed on the front or back of a payment card (“card verification code”), the merchant marks the Not Applicable column and completes Appendix C: Explanation of Requirements Noted as Not Applicable.
3.4 Access to displays of full PAN and ability to copy PAN is restricted.
Added
p. 22
• Examine documented policies and procedures.
• Examine the documented list of roles that need access to more than the BIN and last four digits of the PAN (includes full PAN).
• Examine displays of PAN (for example, on screen, on paper receipts).
Applicability Notes: This requirement does not supersede stricter requirements in place for displays of cardholder data, for example, legal or payment brand requirements for point-of-sale (POS) receipts.
This requirement relates to protection of PAN where it is displayed on screens, paper receipts, printouts, etc., and is not to be confused with Requirement 3.5.1 for protection of PAN when stored, processed, or transmitted.
4.2 PAN is protected with strong cryptography during transmission.
Added
p. 24
Requirement 5: Protect All Systems and Networks from Malicious Software
5.2 Malicious software (malware) is prevented, or detected and addressed.
Added
p. 24
• Detects all known types of malware.
• Removes, blocks, or contains all known types of malware.
Added
p. 24
• Examine anti-malware solution(s) configurations, including any master installation.
Added
p. 24
• Performs periodic scans and active or real-time scans, OR
• Performs continuous behavioral analysis of systems or processes.
5.3.3 For removable electronic media, the anti-malware solution(s):
• Performs automatic scans when the media is inserted, connected, or logically mounted, OR
• Performs continuous behavioral analysis of systems or processes when the media is inserted, connected, or logically mounted.
• Examine system components with removable electronic media.
• Examine logs and scan results.
Applicability Notes This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
Added
p. 25
Applicability Notes Anti-malware solutions may be temporarily disabled only if there is a legitimate technical need, as authorized by management on a case-by-case basis. If anti-malware protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period during which anti-malware protection is not active.
5.4 Anti-phishing mechanisms protect users against phishing attacks.
Added
p. 26
• Observe implemented processes.
• Examine mechanisms.
Applicability Notes: This requirement applies to the automated mechanism. It is not intended that the systems and services providing such automated mechanisms (such as e-mail servers) are brought into scope for PCI DSS.
The focus of this requirement is on protecting personnel with access to system components in-scope for PCI DSS.
Meeting this requirement for technical and automated controls to detect and protect personnel against phishing is not the same as Requirement 12.6.3.1 for security awareness training. Meeting this requirement does not also meet the requirement for providing personnel with security awareness training, and vice versa.
This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
Requirement 6: Develop and Maintain Secure Systems and Software
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not …
Added
p. 27
• New security vulnerabilities are identified using industry-recognized sources for security vulnerability information, including alerts from international and national computer emergency response teams (CERTs).
• Vulnerabilities are assigned a risk ranking based on industry best practices and consideration of potential impact.
• Risk rankings identify, at a minimum, all vulnerabilities considered to be a high-risk or critical to the environment.
• Bullet intentionally left blank for this SAQ.
Applicability Notes This requirement is not achieved by, nor is it the same as, vulnerability scans performed for Requirements 11.3.1 and 11.3.2. This requirement is for a process to actively monitor industry sources for vulnerability information and for the entity to determine the risk ranking to be associated with each vulnerability.
Added
p. 27
• Critical or high-security patches/updates (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release.
Added
p. 28
Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 7.2 Access to system components and data is appropriately defined and assigned.
Added
p. 28
• Job classification and function.
• Least privileges necessary to perform job responsibilities.
• Examine user access settings, including for privileged users.
• Interview responsible management personnel.
• Interview personnel responsible for assigning access.
Requirement 8: Identify Users and Authenticate Access to System Components
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 8.1 Processes and mechanisms for identifying users and authenticating access to system components are defined and understood.
Selection of any of the In Place responses for Requirement 8.1.1 means that the merchant has policies and procedures in place that govern merchant activities for Requirement 8.
Added
p. 29
Applicability Notes This requirement is not intended to apply to user accounts within point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction (such as IDs used by cashiers on point-of-sale terminals).
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 8.2.2 Group, shared, or generic accounts, or other shared authentication credentials are only used when necessary on an exception basis, and are managed as follows:
• Account use is prevented unless needed for an exceptional circumstance.
• Use is limited to the time needed for the exceptional circumstance.
• Business justification for …
Added
p. 30
• Authorized with the appropriate approval.
• Implemented with only the privileges specified on the documented approval.
• Examine documented authorizations across various phases of the account lifecycle (additions, modifications, and deletions).
Applicability Notes This requirement applies to all user accounts, including employees, contractors, consultants, temporary workers, and third-party vendors.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 8.2.5 Access for terminated users is immediately revoked.
• Examine information sources for terminated users.
Added
p. 31
• Something you know, such as a password or passphrase.
• Something you have, such as a token device or smart card.
• Something you are, such as a biometric element.
• Examine documentation describing the authentication factor(s) used.
• For each type of authentication factor used with each type of system component, observe the authentication process.
Applicability Notes This requirement is not intended to apply to user accounts on point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction (such as IDs used by cashiers on point-of-sale terminals).
This requirement does not supersede multi-factor authentication (MFA) requirements but applies to those in-scope systems not otherwise subject to MFA requirements.
A digital certificate is a valid option for “something you have” if it is unique for a particular user.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not …
Added
p. 32
Applicability Notes The requirement for MFA for non-console administrative access applies to all personnel with elevated or increased privileges accessing the CDE via a non-console connection, that is, via logical access occurring over a network interface rather than via a direct, physical connection.
MFA is considered a best practice for non-console administrative access to in-scope system components that are not part of the CDE.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 9.1 Processes and mechanisms for restricting physical access to cardholder data are defined and understood.
Selection of any of the In Place responses for Requirement 9.1.1 means that the merchant has policies and procedures in place that govern merchant activities for Requirement 9, including how any paper media with cardholder data is secured, and how POI devices are protected.
Added
p. 33
Note: For SAQ C-VT, Requirements at 9.4 only apply to merchants with paper records (for example, receipts or printed reports) with account data, including primary account numbers (PANs).
Added
p. 34
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 9.4.3 Media with cardholder data sent outside the facility is secured as follows:
• Examine offsite tracking logs for all media.
Applicability Notes Individuals approving media movements should have the appropriate level of management authority to grant this approval. However, it is not specifically required that such individuals have “manager” as part of their title.
• Materials are cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed.
• Materials are stored in secure storage containers prior to destruction.
• Examine the periodic media destruction policy.
Applicability Notes These requirements for media destruction when that media is no longer needed for business or legal reasons are separate and distinct from PCI DSS Requirement 3.2.1, which is for securely deleting cardholder data when no longer needed per the entity’s cardholder data retention …
Added
p. 35
• Disseminated to all relevant personnel, as well as to relevant vendors and business partners.
Added
p. 35
• Updated as needed to reflect changes to business objectives or risks to the environment.
• Examine the information security policy.
Selection of any of the In Place responses for Requirements 12.1.1 and 12.1.2 means that the merchant has a security policy that is reasonable for the size and complexity of the merchant’s operations, and that the policy is reviewed at least once every 12 months and updated if needed.
This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 12.6 Security awareness education is an ongoing activity.
• Examine the security awareness program.
Selection of any of the In Place responses for Requirement 12.6.1 means that the merchant has a security awareness program in place, consistent …
Added
p. 36
• Phishing and related attacks.
• Social engineering.
Applicability Notes See Requirement 5.4.1 in PCI DSS for guidance on the difference between technical and automated controls to detect and protect users from phishing attacks, and this requirement for providing users security awareness training about phishing and social engineering. These are two separate and distinct requirements, and one is not met by implementing controls required by the other one.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 12.8 Risk to information assets associated with third-party service provider (TPSP) relationships is managed.
Added
p. 37
Applicability Notes The use of a PCI DSS compliant TPSP does not make an entity PCI DSS compliant, nor does it remove the entity’s responsibility for its own PCI DSS compliance.
Added
p. 37
• Written agreements include acknowledgments from TPSPs that they are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that they could impact the security of the entity’s CDE.
Applicability Notes The exact wording of an acknowledgment will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgment does not have to include the exact wording provided in this requirement.
Evidence that a TPSP is meeting PCI DSS requirements (for example, a PCI DSS Attestation of Compliance (AOC) or a declaration on a company’s website) is not the same as a written agreement specified in this requirement.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 12.8.3 An established …
Added
p. 38
• Examine documentation from previously reported incidents.
Selection of any of the In Place responses for Requirement 12.10.1 means that the merchant has documented an incident response and escalation plan to be used for emergencies, consistent with the size and complexity of the merchant’s operations. For example, such a plan could be a simple document posted in the back office that lists who to call in the event of various situations with an annual review to confirm it is still accurate, but could extend all the way to a full incident response plan including backup “hotsite” facilities and thorough annual testing. This plan should be readily available to all personnel as a resource in an emergency.
Note: This can be, but is not required to be, the stated Customized Approach Objective listed for this requirement in PCI DSS.
Requirement 3.5.1 Account data is never stored electronically
Added
p. 43
Target Date for Compliance: YYYY-MM-DD A merchant submitting this form with a Non-Compliant status may be required to complete the Action Plan in Part 4 of this document. Confirm with the entity to which this AOC will be submitted before completing Part 4.
Compliant but with Legal exception: One or more requirements in the PCI DSS SAQ are marked as Not in Place due to a legal restriction that prevents the requirement from being met and all other requirements are marked as being either 1) In Place, 2) In Place with CCW, or 3) Not Applicable, resulting in an overall COMPLIANT BUT WITH LEGAL EXCEPTION rating; thereby (Merchant Company Name) has demonstrated compliance with all PCI DSS requirements included in this SAQ except those noted as Not in Place due to a legal restriction.
This option requires additional review from the entity to which this AOC will be submitted. If selected, complete …
Added
p. 44
PCI DSS controls will be maintained at all times, as applicable to the merchant’s environment.
QSA performed testing procedures.
QSA provided other assistance.
If selected, describe all role(s) performed:
If selected, describe all role(s) performed:
Signature of Lead QSA Date: YYYY-MM-DD Lead QSA Name:
ISA(s) performed testing procedures.
ISA(s) provided other assistance.
Added
p. 45
If asked to complete this section, select the appropriate response for “Compliant to PCI DSS Requirements” for each requirement below. For any “No” responses, include the date the merchant expects to be compliant with the requirement and a brief description of the actions being taken to meet the requirement.
PCI DSS Requirement * Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO 1 Install and maintain network security controls 2 Apply secure configurations to all system components 3 Protect stored account data Protect cardholder data with strong cryptography during transmission over open, public networks 5 Protect all systems and networks from malicious software 6 Develop and maintain secure systems and software Restrict access to system components and cardholder data by business need to know 8 Identify users and authenticate access to system components 9 Restrict physical access to …
Removed
p. 2
This document aligns with PCI DSS v3.2.1 r1.
Removed
p. 4
A virtual payment terminal is web-browser-based access to an acquirer, processor, or third-party service provider website to authorize payment card transactions, where the merchant manually enters payment card data via a securely connected web browser. Unlike physical terminals, virtual payment terminals do not read data directly from a payment card. Because payment card transactions are entered manually, virtual payment terminals are typically used instead of physical terminals in merchant environments with low transaction volumes.
SAQ C-VT merchants process cardholder data only via a virtual payment terminal and do not store cardholder data on any computer system. These virtual terminals are connected to the Internet to access a third party that hosts the virtual terminal payment-processing function. This third party may be a processor, acquirer, or other third-party service provider who stores, processes, and/or transmits cardholder data to authorize and/or settle merchants’ virtual terminal payment transactions.
• Your company’s only payment processing is …
Modified
p. 4
This SAQ option is intended to apply only to merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution. SAQ C-VT merchants may be brick-and-mortar (card-present) or mail/telephone-order (card-not-present) merchants.
This SAQ option is intended to apply only to merchants that manually enter a single transaction at a time via a keyboard into an Internet-based virtual payment terminal solution. SAQ C-VT merchants may be brick-and-mortar (card-present) or mail/telephone-order (card-not-present) merchants, and do not store account data on any computer system.
Removed
p. 5
1. Identify the applicable SAQ for your environment; refer to the Self-Assessment Questionnaire Instructions and Guidelines document on the PCI SSC website for information.
2. Confirm that your environment is properly scoped and meets the eligibility criteria for the SAQ you are using (as defined in Part 2g of the Attestation of Compliance).
• Section 1 (Parts 1 & 2 of the AOC)
• Section 3 (Parts 3 & 4 of the AOC)
• Assessment Information and Executive Summary
Understanding the Self-Assessment Questionnaire The questions contained in the “PCI DSS Question” column in this self-assessment questionnaire are based on the requirements in the PCI DSS.
Additional resources that provide guidance on PCI DSS requirements and how to complete the self-assessment questionnaire have been provided to assist with the assessment process. An overview of some of these resources is provided below:
(PCI Data Security Standard Requirements and Security Assessment Procedures)
• Guidance on Scoping
• Guidance on the intent of all …
Modified
p. 5
3. Assess your environment for compliance with applicable PCI DSS requirements.
3. Assess the environment for compliance with PCI DSS requirements.
Modified
p. 5
Section 2: Self-Assessment Questionnaire C-VT.
Modified
p. 5
Section 3: Validation and Attestation Details (Parts 3 & 4 of the AOC)
• PCI DSS Validation and Action Plan for Non-Compliant Requirements (if Part 4 is applicable).
Modified
p. 5
5. Submit the SAQ and Attestation of Compliance (AOC), along with any other requested documentation (such as ASV scan reports), to your acquirer, payment brand, or other requester.
5. Submit the SAQ and AOC, along with any other requested documentation (such as ASV scan reports), to the requesting organization (those organizations that manage compliance programs such as payment brands and acquirers).
Removed
p. 6
Completing the Self-Assessment Questionnaire For each question, there is a choice of responses to indicate your company’s status regarding that requirement. Only one response should be selected for each question.
Guidance for Non-Applicability of Certain, Specific Requirements While many organizations completing SAQ C-VT will need to validate compliance with every PCI DSS requirement in this SAQ, some organizations with very specific business models may find that some requirements do not apply. For example, a company that does not use wireless technology in any capacity would not be expected to validate compliance with the sections of PCI DSS that are specific to managing wireless technology (for example, Requirements 1.2.3, 2.1.1, and 4.1.1).
If any requirements are deemed not applicable to your environment, select the “N/A” option for that specific requirement, and complete the “Explanation of Non-Applicability” worksheet in Appendix C for each “N/A” entry.
Modified
p. 6
A description of the meaning for each response is provided in the table below:
A description of the meaning for each response and when to use each response is provided in the table below:
Modified
p. 6
In Place The expected testing has been performed, and all elements of the requirement have been met as stated.
Modified
p. 6
In Place with CCW (Compensating Controls Worksheet) The expected testing has been performed, and the requirement has been met with the assistance of a compensating control.
Modified
p. 6
All responses in this column require completion of a Compensating Control Worksheet (CCW) in Appendix B of the SAQ.
All responses in this column require completion of a Compensating Controls Worksheet (CCW) in Appendix B of this SAQ.
Modified
p. 6
Information on the use of compensating controls and guidance on how to complete the worksheet is provided in the PCI DSS.
Information on the use of compensating controls and guidance on how to complete the worksheet is provided in PCI DSS in Appendices B and C.
Modified
p. 6
Not in Place Some or all elements of the requirement have not been met, or are in the process of being implemented, or require further testing before the merchant can confirm they are in place. Responses in this column may require the completion of Part 4, if requested by the entity to which this SAQ will be submitted.
Modified
p. 6
Not Applicable The requirement does not apply to the merchant’s environment. (See “Guidance for Not Applicable Requirements” below for examples.) All responses in this column require a supporting explanation in Appendix C of this SAQ.
Modified
p. 6 → 7
Legal Exception If your organization is subject to a legal restriction that prevents the organization from meeting a PCI DSS requirement, check the “No” column for that requirement and complete the relevant attestation in Part 3.
Legal Exception If your organization is subject to a legal restriction that prevents the organization from meeting a PCI DSS requirement, select Not in Place for that requirement and complete the relevant attestation in Section 3, Part 3 of this SAQ.
Removed
p. 7
Part 1. Merchant and Qualified Security Assessor Information Part 1a. Merchant Organization Information Company Name: DBA (doing business as):
Business Address: City:
Business Address: City:
State/Province: Country: Zip:
State/Province: Country: Zip:
Lead QSA Contact Name: Title:
Part 2. Executive Summary Part 2a. Type of Merchant Business (check all that apply) Retailer Telecommunication Grocery and Supermarkets Petroleum E-Commerce Mail order/telephone order (MOTO) Others (please specify):
What types of payment channels does your business serve?
Mail order/telephone order (MOTO) E-Commerce Card-present (face-to-face) Which payment channels are covered by this SAQ? Mail order/telephone order (MOTO) E-Commerce Card-present (face-to-face)
Modified
p. 7 → 9
Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant’s self-assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS). Complete all sections: The merchant is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact your acquirer (merchant bank) or the payment brands to determine reporting and submission procedures.
Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant’s self-assessment against the Payment Card Industry Data Security Standard (PCI DSS) Requirements and Testing Procedures. Complete all sections. The merchant is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact the entity(ies) to which the Attestation of Compliance (AOC) will be submitted for reporting and submission procedures.
Modified
p. 7 → 9
Qualified Security Assessor Company name:
Modified
p. 7 → 10
Note: If your organization has a payment channel or process that is not covered by this SAQ, consult your acquirer or payment brand about validation for the other channels.
Note: If the organization has a payment channel that is not covered by this SAQ, consult with the entity(ies) to which this AOC will be submitted about validation for the other channels.
Removed
p. 8
Type of facility Number of facilities of this type Location(s) of facility (city, country) Example: Retail outlets 3 Boston, MA, USA Part 2d. Payment Applications Does the organization use one or more Payment Applications? Yes No Provide the following information regarding the Payment Applications your organization uses:
Payment Application Version Number Application Is application PA-DSS Listed? PA-DSS Listing Expiry date (if applicable) Part 2e. Description of Environment Provide a high-level description of the environment covered by this assessment.
For example:
• Connections into and out of the cardholder data environment (CDE).
• Critical system components within the CDE, such as POS devices, databases, web servers, etc., and any other necessary payment components, as applicable.
Modified
p. 8 → 10
Indicate whether the environment includes segmentation to reduce the scope of the assessment. (Refer to “Segmentation” section of PCI DSS for guidance on segmentation.)
Removed
p. 9
Description of services provided by QIR:
Does your company share cardholder data with any third-party service providers (for example, Qualified Integrator & Resellers (QIR), gateways, payment processors, payment service providers (PSP), web-hosting companies, airline booking agents, loyalty program agents, etc.)? Name of service provider: Description of services provided:
Part 2g. Eligibility to Complete SAQ C-VT Merchant certifies eligibility to complete this shortened version of the Self-Assessment Questionnaire because, for this payment channel:
Merchant’s only payment processing is via a virtual payment terminal accessed by an Internet-connected web browser; Merchant’s virtual payment terminal solution is provided and hosted by a PCI DSS validated third-party service provider; Merchant accesses the PCI DSS-compliant virtual terminal solution via a computer that is isolated in a single location and is not connected to other locations or systems within the merchant environment; Merchant’s computer does not have software installed that causes cardholder data to be stored (for …
Removed
p. 10
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 1.2 Do firewall and router configurations restrict connections between untrusted networks and any system in the cardholder data environment as follows:
Note: An “untrusted network” is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity’s ability to control or manage.
Removed
p. 10
Is all other inbound and outbound traffic specifically denied (for example by using an explicit “deny all” or an implicit deny after allow statement)?
• Review firewall and router configuration standards.
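The "deny all" question above is one of the few in Requirement 1 that can be checked directly against the configuration rather than against a policy document. The Python below is an added illustration, not text from the SAQ or code from the PCI SSC: it parses the `iptables -S` listing format and reports, for each built-in filter chain, whether traffic that matches no allow rule is denied, either by a DROP or REJECT default policy or by a final catch-all DROP or REJECT rule. The three rulesets at the bottom are constructed for the example.

```python
"""Verify an iptables ruleset denies everything not explicitly allowed.

Added example, not from the SAQ or the PCI SSC. Parses the `iptables -S`
text format; the rulesets at the bottom are constructed for the example.
"""
from dataclasses import dataclass, field

BUILTIN_CHAINS = ("INPUT", "FORWARD", "OUTPUT")
DENY_TARGETS = {"DROP", "REJECT"}


@dataclass
class Chain:
    policy: str = "ACCEPT"
    rules: list = field(default_factory=list)  # token lists after the chain name


def parse_iptables(text):
    """Parse `iptables -S` output into {chain_name: Chain}."""
    chains = {name: Chain() for name in BUILTIN_CHAINS}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "-P":                      # -P CHAIN POLICY
            chains.setdefault(parts[1], Chain()).policy = parts[2]
        elif parts[0] == "-N":                    # -N CHAIN (user-defined, no policy)
            chains.setdefault(parts[1], Chain(policy="RETURN"))
        elif parts[0] == "-A":                    # -A CHAIN <matches> -j TARGET [opts]
            chains.setdefault(parts[1], Chain()).rules.append(parts[2:])
    return chains


def is_catch_all_deny(rule):
    """True for a rule with no match clauses before -j and a deny target.

    ['-j', 'DROP']                                 -> True
    ['-j', 'REJECT', '--reject-with', 'tcp-reset'] -> True (options after the
                                                      target do not narrow the match)
    ['-i', 'eth1', '-j', 'DROP']                   -> False (interface-limited)
    """
    if "-j" not in rule:
        return False
    j = rule.index("-j")
    return not rule[:j] and rule[j + 1] in DENY_TARGETS


def evaluate_chain(name, chain):
    """Return (ok, reason) for one chain.

    ok means packets matching no allow rule are denied. Allow rules placed after
    a catch-all deny are unreachable, which usually signals a broken ruleset, so
    that is noted in the reason even though the deny itself is in effect.
    """
    if chain.policy in DENY_TARGETS:
        return True, f"{name}: default policy {chain.policy}"
    for idx, rule in enumerate(chain.rules):
        if is_catch_all_deny(rule):
            trailing = len(chain.rules) - idx - 1
            note = f", {trailing} unreachable rule(s) after it" if trailing else ""
            return True, f"{name}: catch-all deny at rule {idx + 1}{note}"
    return False, f"{name}: policy {chain.policy} and no catch-all deny rule"


def check_default_deny(text):
    """Evaluate the three built-in filter chains; returns {chain: (ok, reason)}."""
    chains = parse_iptables(text)
    return {name: evaluate_chain(name, chains[name]) for name in BUILTIN_CHAINS}


# Constructed sample rulesets.
DEFAULT_DROP = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
"""
EXPLICIT_DENY = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -j DROP
"""
OPEN = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp --dport 23 -j DROP
-A INPUT -i eth1 -j DROP
"""

if __name__ == "__main__":
    for label, ruleset in (("default-drop", DEFAULT_DROP), ("explicit-deny", EXPLICIT_DENY), ("open", OPEN)):
        print(label)
        for ok, reason in check_default_deny(ruleset).values():
            print(f"  [{'PASS' if ok else 'FAIL'}] {reason}")
```

Two caveats a reviewer would raise: the check does not follow jumps into user-defined chains, so a ruleset whose catch-all deny lives in a custom chain is reported as open, and an allow rule placed after the catch-all deny is unreachable, which the reason string calls out. The same test applies in spirit to nftables, cloud security groups or a hardware firewall, which is why v4.0 rewords the requirement in terms of network security controls (NSC) rather than firewalls and routers.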
Modified
p. 10 → 15
Note: The following questions are numbered according to PCI DSS requirements and testing procedures, as defined in the PCI DSS Requirements and Security Assessment Procedures document.
Note: The following requirements mirror the requirements in the PCI DSS Requirements and Testing Procedures document.
Modified
p. 10 → 15
Self-assessment completion date: Build and Maintain a Secure Network and Systems
Self-assessment completion date: YYYY-MM-DD Build and Maintain a Secure Network and Systems
Modified
p. 10 → 15
Requirement 1: Install and maintain a firewall configuration to protect data
Requirement 1: Install and maintain network security controls
Modified
p. 10 → 15
• Examine firewall and router configurations.
• Examine NSC configurations.
Modified
p. 10 → 15
• Examine firewall and router configurations.
• Examine NSC configurations.
Modified
p. 10 → 16
• Examine firewall and router configurations.
• Examine policies and configuration standards.
Removed
p. 11
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 1.3 Is direct public access prohibited between the Internet and any system component in the cardholder data environment, as follows:
Removed
p. 11
• Examine mobile and/or employee-owned devices.
(b) Is the personal firewall software (or equivalent functionality) configured to specific configuration settings, actively running, and not alterable by users of mobile and/or employee-owned devices?
• Review policies and configuration standards.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 2.1 (a) Are vendor-supplied defaults always changed before installing a system on the network? This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc.).
• Review policies and procedures.
Are unnecessary default accounts removed or disabled before installing a system on the network?
• Review policies and procedures.
(a) Are encryption keys changed from default at …
Modified
p. 12 → 17
• Observe system configurations and account settings.
• Examine system configuration standards.
Modified
p. 12 → 21
• Examine system configurations and account settings.
• Examine system configurations.
Modified
p. 12 → 24
• Review vendor documentation.
• Examine vendor documentation.
Removed
p. 13
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 2.1.1 (cont.) (d) Is firmware on wireless devices updated to support strong encryption for authentication and transmission over wireless networks?
• Review policies and procedures.
(e) Are other security-related wireless vendor defaults changed, if applicable?
• Review policies and procedures.
Removed
p. 13
(b) Are all enabled insecure services, daemons, or protocols justified per documented configuration standards?
• Review configuration standards
• Compare enabled services, etc. to documented justifications.
Removed
p. 13
Are common system security parameters settings included in the system configuration standards?
• Review system configuration standards.
(c) Are security parameter settings set appropriately on system components?
• Examine system components.
• Compare settings to system configuration standards.
Modified
p. 13 → 19
• Examine configuration settings.
• Examine wireless configuration settings.
Modified
p. 13 → 24
• Examine system configurations.
• Examine system components.
Modified
p. 13 → 25
• Examine system configurations.
• Examine anti-malware configurations.
Modified
p. 13 → 29
• Examine security parameter settings.
• Examine audit logs and other evidence.
Modified
p. 13 → 30
• Examine configuration settings.
• Examine system settings.
Removed
p. 14
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 2.2.5 (a) Has all unnecessary functionality (such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers) been removed?
• Examine security parameters on system components.
Are enabled functions documented and do they support secure configuration?
• Review documentation.
Removed
p. 14
(a) Is all non-console administrative access encrypted with strong cryptography, and is a strong encryption method invoked before the administrator’s password is requested?
• Examine system components.
(b) Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands?
• Examine system components.
(c) Is administrator access to web-based management interfaces encrypted with strong cryptography?
• Examine system components.
(d) For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations?
• Examine system components.
Modified
p. 14 → 19
• Review vendor documentation.
• Examine key-management documentation.
Modified
p. 14 → 24
• Examine security parameters on system components.
• Examine system components.
Modified
p. 14 → 24
• Examine security parameters on system components.
• Examine system components and logs.
Modified
p. 14 → 25
• Examine system configurations.
• Examine anti-malware solution(s) configurations.
Modified
p. 14 → 27
• Examine services and files.
• Examine policies and procedures.
Modified
p. 14 → 30
• Review
• Examine user account lists on system components and applicable documentation.
Modified
p. 14 → 30
• Observe an administrator log on.
• Interview system administrators.
Removed
p. 15
(d) Do all systems adhere to the following requirements regarding non-storage of sensitive authentication data after authorization (even if encrypted):
- Incoming transaction data
- Incoming transaction data
- Database contents 3.2.3 The personal identification number (PIN) or the encrypted PIN block is not stored after authorization?
• Examine data sources including:
Modified
p. 15 → 20
Requirement 3: Protect stored cardholder data
Requirement 3: Protect Stored Account Data
Modified
p. 15 → 21
• Examine deletion processes.
• Examine data sources.
Modified
p. 15 → 25
• Examine system configurations.
• Examine anti-malware solution(s) configurations.
Removed
p. 16
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 3.3 Is the PAN masked when displayed (the first six and last four digits are the maximum number of digits to be displayed) such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN? Note: This requirement does not supersede stricter requirements in place for displays of cardholder data, for example, legal or payment card brand requirements for point-of-sale (POS) receipts.
• Observe displays of PAN.
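The 3.2.x questions above (no sensitive authentication data stored after authorization, checked by examining incoming transaction data, logs, trace files and database contents) and the 3.3 question (PAN masked to at most the first six and last four digits) both come down to looking at real data and real screens. The Python below is an added illustration, not text from the SAQ or code from the PCI SSC: it scans a few constructed sample sources (an application log, a CSV export and a card reader trace) for PANs, track 1 / track 2 data and labelled card verification values, applies a Luhn check to cut down false positives, and reports every hit already masked to first six / last four so that the finding report does not itself become a store of cardholder data. It also includes a small check that a displayed value stays within that limit. All file names, field labels and card numbers are constructed for the example.

```python
"""Discover stored account data in text sources and report it without leaking it.

Added example, not from the SAQ or the PCI SSC. Finds PANs (13-19 digits that
pass Luhn), track 1 / track 2 data and labelled card verification values, and
reports each hit masked to first six / last four. Sample sources are constructed.
"""
import re

# Plain 13-19 digit runs plus the common 4-4-4-4 and 4-6-5 groupings.
PAN_PATTERNS = [
    re.compile(r"(?<![0-9])[0-9]{13,19}(?![0-9])"),
    re.compile(r"(?<![0-9])[0-9]{4}([ -])[0-9]{4}\1[0-9]{4}\1[0-9]{4}(?![0-9])"),
    re.compile(r"(?<![0-9])[0-9]{4}([ -])[0-9]{6}\1[0-9]{5}(?![0-9])"),
]
# Track 1: %B<PAN>^<name>^<YYMM>...    Track 2: <PAN>=<YYMM><service code>...
TRACK1 = re.compile(r"%B([0-9]{13,19})\^[^^]{2,26}\^[0-9]{4}")
TRACK2 = re.compile(r"(?<![0-9])([0-9]{13,19})=[0-9]{7}")
# A verification value is only 3-4 digits, so key on the field label next to it.
CVV_FIELD = re.compile(r"\b(?:cvv2?|cvc2?|cid|cav2)\b\s*[:=]\s*[0-9]{3,4}", re.IGNORECASE)


def luhn_valid(digits):
    """Luhn mod-10 check; weeds out most timestamps, order IDs and similar runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Render a PAN at the maximum the 3.3 question allows: first six, last four."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def display_within_limit(full_pan, displayed):
    """True if `displayed` reveals no digit of `full_pan` outside first six / last four."""
    if len(displayed) != len(full_pan):
        return False
    allowed = set(range(6)) | set(range(len(full_pan) - 4, len(full_pan)))
    return not any(d.isdigit() and d == f and i not in allowed
                   for i, (d, f) in enumerate(zip(displayed, full_pan)))


def scan_line(source, line):
    """Return (source, kind, masked_value) findings for one line of text."""
    findings = []
    for m in TRACK1.finditer(line):
        findings.append((source, "track1", mask_pan(m.group(1))))
    for m in TRACK2.finditer(line):
        findings.append((source, "track2", mask_pan(m.group(1))))
    if CVV_FIELD.search(line):
        findings.append((source, "cvv", "<redacted>"))
    seen = set()
    for pattern in PAN_PATTERNS:
        for m in pattern.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if digits not in seen and luhn_valid(digits):
                seen.add(digits)
                findings.append((source, "pan", mask_pan(digits)))
    return findings


def scan_sources(sources):
    """Scan every line of every named source ({name: [lines]})."""
    findings = []
    for name, lines in sources.items():
        for lineno, line in enumerate(lines, 1):
            findings.extend(scan_line(f"{name}:{lineno}", line))
    return findings


# Constructed sample sources: an application log, a CSV export and a reader trace.
SAMPLE_SOURCES = {
    "app.log": [
        "2024-01-15T12:30:45Z INFO order=20240115123045 amount=49.99 status=approved",
        "2024-01-15T12:31:02Z DEBUG auth req pan=4111111111111111 exp=1225 cvv2=123",
        "2024-01-15T12:31:07Z INFO ref=4111111111111112 processed",
    ],
    "orders.csv": [
        "id,card,expiry",
        "1001,378282246310005,1226",
        "1002,4111 1111 1111 1111,0327",
    ],
    "swipe.trace": [
        "%B5555555555554444^DOE/JANE^27011010000000000?;5555555555554444=27011010000000000?",
    ],
}

if __name__ == "__main__":
    for source, kind, value in scan_sources(SAMPLE_SOURCES):
        print(f"{source:<14} {kind:<7} {value}")
```

Luhn validity is a filter, not proof: roughly one in ten random digit runs passes it, and some identifier schemes are Luhn-checked by design, so hits are reviewed rather than counted. Pattern matching also cannot find data that was encrypted or compressed before it was written, which is why the question asks for data sources to be examined rather than merely searched. Note that v4.0 words the masking limit as the BIN and last four digits; the check here implements the first six / last four wording of the v3.2.1 question shown above.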
Modified
p. 16 → 24
• Examine system configurations.
• Examine the periodic evaluations.
Modified
p. 16 → 31
• Review roles that need access to displays of full PAN.
• Review current user access lists.
Removed
p. 17
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 4.1 (a) Are strong cryptography and security protocols used to safeguard sensitive cardholder data during transmission over open, public networks? Note: Examples of open, public networks include but are not limited to the Internet; wireless technologies, including 802.11 and Bluetooth; cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA); and General Packet Radio Service (GPRS).
• Review all locations where CHD is transmitted or received.
(b) Are only trusted keys and/or certificates accepted?
• Observe inbound and outbound transmissions.
(c) Are security protocols implemented to use only secure configurations, and to not support insecure versions or configurations?
• Examine system configurations.
(d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)?
• Review vendor documentation.
(e) For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received? For …
Removed
p. 17
• Review wireless networks.
Modified
p. 17 → 21
• Review documented standards.
• Examine documented policies and procedures.
Modified
p. 17 → 23
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
Modified
p. 17 → 24
• Examine keys and certificates.
• Examine logs and scan results.
Modified
p. 17 → 27
• Examine system configurations.
• Examine system components and related software.
Removed
p. 18
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 4.2 Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies?
• Review policies and procedures.
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 5.1 Is anti-virus software deployed on all systems commonly affected by malicious software?
• Examine system configurations.
Removed
p. 19
(a) Are all anti-virus software and definitions kept current?
• Examine policies and procedures.
• Examine anti-virus configurations, including the master installation.
(b) Are automatic updates and periodic scans enabled and being performed?
• Examine anti-virus configurations, including the master installation.
(c) Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7?
• Examine anti-virus configurations.
• Review log retention processes.
Modified
p. 19 → 32
• Examine system configurations.
• Examine network and/or system configurations.
Modified
p. 19 → 36
• Examine system components.
• Examine security awareness training content.
Modified
p. 19 → 37
• Examine system components.
• Examine list of TPSPs.
Removed
p. 20
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 5.3 Are all anti-virus mechanisms:
• Unable to be disabled or altered by users? Note: Anti-virus solutions may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.
Modified
p. 20 → 33
• Examine anti-virus configurations.
• Examine documentation.
Modified
p. 20 → 33
• Examine system components.
• Examine documentation.
Removed
p. 21
Requirement 6: Develop and maintain secure systems and applications
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 6.1 Is there a process to identify security vulnerabilities, including the following:
• Using reputable outside sources for vulnerability information?
• Assigning a risk ranking to vulnerabilities that includes identification of all “high” risk and “critical” vulnerabilities? Note: Risk rankings should be based on industry best practices as well as consideration of potential impact. For example, criteria for ranking vulnerabilities may include consideration of the CVSS base score and/or the classification by the vendor, and/or type of systems affected.
Methods for evaluating vulnerabilities and assigning risk ratings will vary based on an organization’s environment and risk assessment strategy. Risk rankings should, at a minimum, identify all vulnerabilities considered to be a “high risk” to the environment. In addition to the risk ranking, vulnerabilities may be considered “critical” if they pose …
Modified
p. 22 → 38
• Examine system components.
• Examine documentation.
Removed
p. 23
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 7.1 Is access to system components and cardholder data limited to only those individuals whose jobs require such access, as follows:
Removed
p. 23
• To least privileges necessary to perform job responsibilities?
• Assigned only to roles that specifically require that privileged access?
• Examine written access control policy.
• Review privileged user IDs.
Modified
p. 23 → 33
Requirement 7: Restrict access to cardholder data by business need to know
Requirement 9: Restrict Physical Access to Cardholder Data
Modified
p. 23 → 35
• Interview management.
• Interview personnel.
Modified
p. 23 → 38
• Interview management.
• Interview personnel.
Removed
p. 24
Requirement 8: Identify and authenticate access to system components
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 8.1.1 Are all users assigned a unique ID before allowing them to access system components or cardholder data?
• Review password procedures.
Removed
p. 24
• Review current access lists.
In addition to assigning a unique ID, is one or more of the following methods employed to authenticate all users?
• Something you know, such as a password or passphrase
Modified
p. 24 → 33
• Observe returned physical authentication devices.
• Observe physical entry controls.
Modified
p. 24 → 34
• Observe authentication processes.
• Observe storage containers.
Modified
p. 24 → 35
• Examine system configuration settings to verify password parameters.
• Examine the information security policy.
Modified
p. 24 → 38
• Examine terminated users accounts.
• Examine the incident response plan.
Modified
p. 24 → 38
• Review password procedures.
• Examine policies and procedures.
Removed
p. 25
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 8.3 Is all individual non-console administrative access and all remote access to the CDE secured using multi-factor authentication, as follows:
Note: Multi-factor authentication requires that a minimum of two of the three authentication methods (see PCI DSS Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered multi-factor authentication.
Removed
p. 25
• Generic user IDs and accounts are disabled or removed;
• Shared user IDs for system administration activities and other critical functions do not exist; and
• Shared and generic user IDs are not used to administer any system components?
• Review policies and procedures.
Modified
p. 25 → 32
• Observe administrator logging into CDE.
• Observe administrator personnel logging into the CDE.
Modified
p. 25 → 38
• Examine user ID lists.
• Examine documentation.
Removed
p. 26
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.1 Are appropriate facility entry controls in place to limit and monitor physical access to systems in the cardholder data environment?
• Observe physical access controls.
Removed
p. 26
Do controls include the following:
Removed
p. 26
(c) Is media destruction performed as follows:
Modified
p. 26 → 33
• Examine media distribution tracking logs and documentation.
• Examine media logs or other documentation.
Modified
p. 26 → 33
• Examine media distribution tracking logs and documentation.
• Examine logs or other documentation.
Modified
p. 26 → 38
• Review policies and procedures for physically securing media.
• Examine policies and procedures.
Modified
p. 26 → 38
• Interview security personnel.
• Interview responsible personnel.
Removed
p. 27
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.8.1 (a) Are hardcopy materials cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed?
• Review periodic media destruction policies and procedures.
Are storage containers used for materials that contain information to be destroyed secured to prevent access to the contents?
• Review periodic media destruction policies and procedures.
Modified
p. 27 → 34
• Examine security of storage containers.
• Examine offsite media tracking logs.
Removed
p. 28
Requirement 11: Regularly test security systems and processes
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A If segmentation is used to isolate the CDE from other networks:
(a) Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE?
• Examine segmentation controls.
• Review penetration-testing methodology.
(b) Does penetration testing to verify segmentation controls meet the following? - Performed at least annually and after any changes to segmentation controls/methods
- Covers all segmentation controls/methods in use
- Verifies that segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
• Examine results from the most recent penetration test.
(c) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA …
Removed
p. 29
Requirement 12: Maintain a policy that addresses information security for all personnel
Note: For the purposes of Requirement 12, “personnel” refers to full-time and part-time employees, temporary employees and personnel, and contractors and consultants who are “resident” on the entity’s site or otherwise have access to the company’s site cardholder data environment.
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.1 Is a security policy established, published, maintained, and disseminated to all relevant personnel?
• Review the information security policy.
Removed
p. 29
Note: Examples of critical technologies include, but are not limited to, remote access and wireless technologies, laptops, tablets, removable electronic media, e-mail usage and Internet usage.
Removed
p. 29
• Interview a sample of responsible personnel.
Modified
p. 29 → 33
• Interview responsible personnel.
• Interview responsible personnel at the storage location(s).
Removed
p. 30
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.5.3 Establishing, documenting, and distributing security incident response and escalation procedures to ensure timely and effective handling of all situations?
• Review information security policy and procedures.
Modified
p. 30 → 35
• Review list of service providers.
• Reviewed at least once every 12 months.
Modified
p. 30 → 37
• Observe written agreements.
• Examine written agreements with TPSPs.
Modified
p. 31 → 33
• Review incident response plan procedures.
• Examine documented procedures.
Removed
p. 32
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A A2.1 For POS POI terminals (at the merchant or payment-acceptance location) using SSL and/or early TLS: Are the devices confirmed to not be susceptible to any known exploits for SSL/early TLS? Note: This requirement is intended to apply to the entity with the POS POI terminal, such as a merchant. This requirement is not intended for service providers who serve as the termination or connection point to those POS POI terminals. Requirements A2.2 and A2.3 apply to POS POI service providers.
• Review documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS.
Modified
p. 32 → 39
Appendix A2: Additional PCI DSS Requirements for Entities using SSL/Early TLS for Card-Present POS POI Terminal Connections
Appendix A2: Additional PCI DSS Requirements for Entities using SSL/Early TLS for Card-Present POS POI Terminal Connections This Appendix is not used for SAQ C-VT merchant assessments.
Modified
p. 32 → 39
Appendix A3: Designated Entities Supplemental Validation (DESV) This Appendix applies only to entities designated by a payment brand(s) or acquirer as requiring additional validation of existing PCI DSS requirements. Entities required to validate to this Appendix should use the DESV Supplemental Reporting Template and Supplemental Attestation of Compliance for reporting, and consult with the applicable payment brand and/or acquirer for submission procedures.
Appendix A3: Designated Entities Supplemental Validation (DESV) This Appendix applies only to entities designated by a payment brand(s) or acquirer as requiring additional validation of existing PCI DSS requirements. Entities required to validate to this Appendix should use the DESV Supplemental Reporting Template and Supplemental Attestation of Compliance for reporting and consult with the applicable payment brand and/or acquirer for submission procedures.
Modified
p. 33 → 40
Note: Only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use of compensating controls to achieve compliance.
Note: Only entities that have a legitimate and documented technological or business constraint can consider the use of compensating controls to achieve compliance.
Modified
p. 33 → 40
Refer to Appendices B, C, and D of PCI DSS for information about compensating controls and guidance on how to complete this worksheet.
Refer to Appendices B and C in PCI DSS for information about compensating controls and guidance on how to complete this worksheet.
Modified
p. 33 → 40
1. Constraints List constraints precluding compliance with the original requirement.
1. Constraints Document the legitimate technical or business constraints precluding compliance with the original requirement.
Modified
p. 33 → 40
3. Objective Define the objective of the original control.
Modified
p. 33 → 40
4. Identified Risk Identify any additional risk posed by the lack of the original control.
Modified
p. 33 → 40
2. Definition of Compensating Controls Define the compensating controls: explain how they address the objectives of the original control and the increased risk, if any.
Modified
p. 33 → 40
6. Maintenance Define process and controls in place to maintain compensating controls.
6. Maintenance Define process(es) and controls in place to maintain compensating controls.
Modified
p. 34 → 41
Requirement Reason Requirement is Not Applicable 3.4 Cardholder data is never stored electronically
Requirement Reason Requirement is Not Applicable
Removed
p. 35
An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with your acquirer or the payment brand(s) before completing Part 4.
Compliant but with Legal exception: One or more requirements are marked “No” due to a legal restriction that prevents the requirement from being met. This option requires additional review from acquirer or payment brand.
If checked, complete the following:
I have confirmed with my payment application vendor that my payment system does not store sensitive authentication data after authorization.
I have read the PCI DSS and I recognize that I must maintain PCI DSS compliance, as applicable to my environment, at all times.
If my environment changes, I recognize I must reassess my environment and implement any additional PCI DSS requirements that apply.
Modified
p. 35 → 43
Section 3: Validation and Attestation Details Part 3. PCI DSS Validation This AOC is based on results noted in SAQ C-VT (Section 2), dated (SAQ completion date).
Section 3: Validation and Attestation Details Part 3. PCI DSS Validation This AOC is based on results noted in SAQ C-VT (Section 2), dated (Self-assessment completion date YYYY-MM-DD).
Modified
p. 35 → 43
Based on the results documented in the SAQ C-VT noted above, the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document (check one):
Based on the results documented in the SAQ C-VT noted above, each signatory identified in any of Parts 3b−3d, as applicable, assert(s) the following compliance status for the merchant identified in Part 2 of this document.
Modified
p. 35 → 43
Compliant: All sections of the PCI DSS SAQ are complete, all questions answered affirmatively, resulting in an overall COMPLIANT rating; thereby (Merchant Company Name) has demonstrated full compliance with the PCI DSS.
Compliant: All sections of the PCI DSS SAQ are complete and all requirements are marked as being either 1) In Place, 2) In Place with CCW, or 3) Not Applicable, resulting in an overall COMPLIANT rating; thereby (Merchant Company Name) has demonstrated compliance with all PCI DSS requirements included in this SAQ.
Modified
p. 35 → 43
Non-Compliant: Not all sections of the PCI DSS SAQ are complete, or not all questions are answered affirmatively, resulting in an overall NON-COMPLIANT rating, thereby (Merchant Company Name) has not demonstrated full compliance with the PCI DSS.
Non-Compliant: Not all sections of the PCI DSS SAQ are complete, or one or more requirements are marked as Not in Place, resulting in an overall NON-COMPLIANT rating; thereby (Merchant Company Name) has not demonstrated compliance with the PCI DSS requirements included in this SAQ.
Modified
p. 35 → 43
Affected Requirement Details of how legal constraint prevents requirement being met Part 3a. Acknowledgement of Status Signatory(s) confirms:
Affected Requirement Details of how legal constraint prevents requirement from being met
Modified
p. 35 → 44
(Select all that apply)
Modified
p. 35 → 44
PCI DSS Self-Assessment Questionnaire C-VT, Version (version of SAQ), was completed according to the instructions therein.
PCI DSS Self-Assessment Questionnaire C-VT, Version 4.0 was completed according to the instructions therein.
Modified
p. 35 → 44
All information within the above-referenced SAQ and in this attestation fairly represents the results of my assessment in all material respects.
All information within the above-referenced SAQ and in this attestation fairly represents the results of the merchant’s assessment in all material respects.
Removed
p. 36
ASV scans are being completed by the PCI SSC Approved Scanning Vendor (ASV Name).
Modified
p. 36 → 44
Part 3b. Merchant Attestation Signature of Merchant Executive Officer Date:
Part 3b. Merchant Attestation Signature of Merchant Executive Officer Date: YYYY-MM-DD Merchant Executive Officer Name: Title:
Modified
p. 36 → 44
Part 3c. Qualified Security Assessor (QSA) Acknowledgement (if applicable) If a QSA was involved or assisted with this assessment, describe the role performed:
Part 3c. Qualified Security Assessor (QSA) Acknowledgement If a QSA was involved or assisted with this assessment, indicate the role performed:
Modified
p. 36 → 44
Signature of Duly Authorized Officer of QSA Company Date:
Signature of Duly Authorized Officer of QSA Company Date: YYYY-MM-DD Duly Authorized Officer Name: QSA Company:
Modified
p. 36 → 44
Part 3d. Internal Security Assessor (ISA) Involvement (if applicable) If an ISA(s) was involved or assisted with this assessment, identify the ISA personnel and describe the role performed:
Part 3d. PCI SSC Internal Security Assessor (ISA) Involvement If an ISA(s) was involved or assisted with this assessment, indicate the role performed:
Removed
p. 37
Check with your acquirer or the payment brand(s) before completing Part 4.
PCI DSS Requirement* Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO Install and maintain a firewall configuration to protect cardholder data.
Do not use vendor-supplied defaults for system passwords and other security parameters.
Removed
p. 37
Protect all systems against malware and regularly update anti-virus software or programs.
Removed
p. 37
Appendix A2 Additional PCI DSS Requirements for Entities using SSL/Early TLS for Card-Present POS POI Terminal Connections.
* PCI DSS Requirements indicated here refer to the questions in Section 2 of the SAQ.