Guide · PCI DSS v4.0 · SAQ C-VT

SAQ C-VT: who qualifies, what it covers, and how to confirm it

SAQ C-VT is written for merchants that key card payments in by hand, one transaction at a time, into a virtual terminal hosted by a validated third party, from a computer kept isolated for the job, with no electronic storage of cardholder data. Here’s who fits, what “isolated” actually implies, and the traps that move merchants into SAQ C or SAQ D.

Plain-English · SAQ C-VT eligibility · Free 2-minute check

Plenty of businesses take cards without a terminal or a checkout page: a customer calls, someone types the card into the processor’s web page, done. SAQ C-VT exists for exactly that pattern. Its two load-bearing ideas are one transaction at a time and isolated, and both mean more than they first appear to.

Who SAQ C-VT fits

SAQ C-VT is one of the eight PCI DSS Self-Assessment Questionnaires published by the PCI Security Standards Council (PCI SSC). Completing one ends in a signed Attestation of Compliance (AOC) that goes to your acquiring bank or the card brands. C-VT is the version for keyed-entry merchants, and it tends to sound like this:

The common thread: a person types each card into a web page hosted by a validated provider. Your business runs no payment software of its own, attaches no card readers, and stores nothing about the card. If that’s not quite your picture, the guide to all 8 SAQ types maps every acceptance pattern to its questionnaire.

The exact eligibility criteria

Per the PCI SSC’s SAQ Instructions and Guidelines for PCI DSS v4.0, SAQ C-VT is for merchants whose card processing is manual, single-transaction entry into an isolated, third-party-hosted virtual terminal, with no electronic storage of cardholder data. Unpacked:

The SAQ C-VT document opens with an eligibility checklist you attest to item by item, including how the virtual-terminal computer is set up and connected. Your signature on the AOC says the checklist is true, so answer it against how things actually are.

What “isolated” implies

Isolated is the word that separates a clean SAQ C-VT story from a shaky one. The idea: the virtual-terminal computer is not connected to the other systems and locations in your environment, and card entry happens on that machine alone. It’s the difference between a workstation that exists to key payments and the front-desk PC that also runs email, the shared drive, and whatever got installed last month.

In practice, merchants meet it with a dedicated machine, kept off the general network or separated from it, with no software that captures card data and no card readers attached. If your honest description is “we use whichever computer is free,” that isn’t isolation, and it’s exactly the kind of setup to put in front of your acquiring bank or a QSA before attesting. Isolation is also what keeps this SAQ short: the questionnaire can stay narrow because only one tightly contained machine ever touches card data.

Find your SAQ free, in about 2 minutes.

Answer a few questions about how you accept cards and the free check computes your likely SAQ type on screen. No email to see it, no card, nothing to install. It’s indicative, not a QSA assessment, but it gives you a defensible starting point before you talk to your bank.

What disqualifies you: the adjacent-SAQ traps

C-VT is a narrow questionnaire because the environment it describes is narrow. Five things to check before you attest:

Software does the processing: that’s SAQ C

The boundary between C-VT and SAQ C is who does the work. In C-VT, a person types each transaction into a page the provider hosts. In SAQ C, a payment-application system connected to the internet processes cards in your environment. If transactions flow without a person keying each one, or your systems run payment software, C-VT no longer describes you.

A card reader enters the picture

C-VT assumes typed entry. Swiping or dipping cards on standalone hardware points to SAQ B, SAQ B-IP, or SAQ P2PE depending on the connection and the solution, and attaching a reader to the virtual-terminal computer changes the data flow the questionnaire assumes. If hardware is involved anywhere, re-check which SAQ fits before defaulting to C-VT.

The computer isn’t actually isolated

An everyday workstation on the general network, doing general work, is the most common way C-VT eligibility quietly fails. It doesn’t automatically mean SAQ D, but it does mean the environment you’re attesting to isn’t the one the questionnaire describes. Fix the isolation, or put the real setup in front of your bank or a QSA and let the SAQ follow the facts.

Call recordings and saved card numbers: the SAQ D override

Phone-order businesses hit the storage override more than anyone, because the card number gets spoken out loud. If your phone system records calls, a recording of a customer reading their card number is electronic storage of cardholder data, and electronic storage generally moves you to SAQ D, along with databases, spreadsheets, and app logs. If card numbers arrive by email, chat, or text, card data is moving through systems the reduced SAQs assume it never enters: raise that with your bank before assuming C-VT.

You take cards other ways too

A checkout page on your website points to SAQ A or SAQ A-EP; standalone terminals point to B, B-IP, or P2PE. More than one channel can mean your validation spans more than one SAQ, and your acquiring bank tells you how to submit the whole picture.

What you answer, at a high level

Every SAQ draws from the same standard: the 12 PCI DSS requirements, organized under six goals (secure networks and systems, protect account data, vulnerability management, access control, monitoring and testing, and an information security policy). You’re validating against PCI DSS v4.0: v3.2.1 retired on March 31, 2024, and v4.0’s future-dated requirements became mandatory on March 31, 2025.

For C-VT, expect the material to center on that one computer and the people who use it:

We don’t quote question counts, because the exact set varies by SAQ version. The honest summary: the fewer card-data functions you run yourself, the shorter your SAQ, and C-VT stays short precisely because one isolated computer and one hosted page are the whole story.

How to confirm SAQ C-VT is yours

Eligibility is defined by the PCI SSC, but the confirmation isn’t yours to make alone. Your acquiring bank or the card brands assign your validation level from your annual card volume and confirm which questionnaire they’ll accept. Most small and mid-size merchants validate with an SAQ; the highest-volume merchants go through a QSA-led Report on Compliance instead.

If your setup has an ambiguous edge, a workstation you’re not sure counts as isolated, a phone system you suspect records calls, a Qualified Security Assessor can rule on it formally. And if you want a defensible starting point before either conversation, our free check asks how you accept cards and computes your likely SAQ on screen in about two minutes, no email needed to see the result. It’s indicative, not a QSA assessment, and it’s built to make the bank conversation shorter.

Confirm your SAQ, then close the gaps.

The free check names your likely SAQ on screen in about two minutes. When you’re ready to act on it, the $1,495 PCI DSS v4.0 Readiness & Gap Analysis confirms your SAQ with full rationale, marks every one of the 12 PCI DSS v4.0 requirements covered, partial, or gap, and hands you a prioritized 30/60/90 remediation roadmap. Intake-based, PDF in your inbox within hours, backed by a 7-day pre-delivery money-back guarantee. The $1,495 also credits toward a first month of an Aegis AI subscription at ai4ciso.ai.

Frequently asked questions

What is SAQ C-VT?

SAQ C-VT is a PCI DSS Self-Assessment Questionnaire for merchants whose card processing is manual, single-transaction entry into a virtual terminal hosted by a validated third party, accessed from an isolated computer, with no electronic storage of cardholder data. Completing it ends in a signed Attestation of Compliance submitted to your acquiring bank or the card brands.

What does “isolated” mean for the virtual terminal computer?

The computer used for the virtual terminal is set apart for the job: it isn’t connected to the other systems and locations in your environment, and card entry happens on that machine alone. In practice merchants meet this with a dedicated or separated machine, no card-capturing software installed, and no card readers attached. The SAQ’s eligibility checklist walks through it; confirm your setup with your acquiring bank or a QSA.

What is the difference between SAQ C-VT and SAQ C?

Who does the processing. In SAQ C-VT, a person types each transaction, one at a time, into a web page hosted by a validated third party. In SAQ C, a payment-application system connected to the internet processes cards in your environment. Software in the path points to SAQ C.

Can I use my everyday office computer for the virtual terminal?

That is the eligibility question. A machine woven into your general network and used for everyday work is hard to call isolated, and isolation is what SAQ C-VT assumes. Put your actual setup in front of your acquiring bank or a QSA before attesting.

Do call recordings affect SAQ C-VT eligibility?

Yes. A recording that captures a customer reading a card number is electronic storage of cardholder data, and electronic storage generally means SAQ D applies instead of any reduced SAQ.

Who confirms which SAQ I complete?

Eligibility is defined by the PCI Security Standards Council, and your acquiring bank or card brand confirms which questionnaire to submit and your validation level. Our free check shows your likely SAQ on screen in about two minutes; it’s indicative, not a QSA assessment.

Related guides

This guide is general information, not a QSA assessment, a completed SAQ, an Attestation of Compliance, or legal advice. SAQ eligibility is defined by the PCI SSC and confirmed by your acquiring bank or a Qualified Security Assessor. Our free check is indicative, not a QSA assessment.