BLOG HOME > PCI > Performing an SAQ C-VT version 4.0 Self-Assessment

Performing an SAQ C-VT version 4.0 Self-Assessment

Overview

The Self-Assessment Questionnaire (SAQ) C-VT has had a few PCI DSS requirements removed and several PCI DSS requirements added in the transition to version 4.0. Some of these requirements were existing PCI DSS requirements that have now been added to the SAQ C-VT and some are new to version 4.0 of the PCI DSS.
If requirements are new to the PCI DSS, merchants will have until March 3, 2025, to ensure these requirements are in place.

For existing PCI DSS requirements that have been added to the SAQ C-VT version 4.0, no such grace period is given. Merchants will need to be in compliance with these added requirements to perform a compliant SAQ C-VT version 4.0 assessment.

This post will highlight changes made to the SAQ C-VT version 4.0 and provide guidance on how to comply with newly added requirements.

Qualifying Criteria

Only minor changes were made to the qualifying criteria for the SAQ C-VT. This questionnaire focuses on payment channels where a merchant is using a web browser on a dedicated workstation to manually type payment information into a PCI DSS-compliant third party virtual payment terminal solution.

Network segmentation/isolation is required for the computing device used to connect to the virtual terminal. The device should not be connected to any other system in the environment and cannot use any attached hardware used to capture or store cardholder data.

Newly Added Existing Requirements

When the PCI SSC updates the Self-Assessment Questionnaires, they will sometimes choose to include existing PCI DSS requirements that had not been part of a particular SAQ in the past. Several examples of newly-added existing requirements have been included in version 4.0 of the SAQ C-VT. 

One thing to keep in mind with these new additions is that these are not future-dated requirements. These requirements will need to be validated when performing an assessment using version 4.0 of the SAQ C-VT.  

The following existing PCI DSS requirements were added to the SAQ C-VT in version 4.0:


Requirements 2.1.1, 3.1.1, 8.1.1, & 9.1.1 

All security policies and operational procedures that are identified in Requirement __are:

  • Documented.

  • Kept up to date.

  • In use.

  • Known to all affected parties.

Well-documented security policies and procedures can help merchants maintain a PCI DSS compliant environment if employees working in the environment are aware of policies and procedures that apply to their job responsibilities. PCI DSS Requirements 2.1.1, 3.1.1, 8.1.1, and 9.1.1 focus on ensuring policies related to these sections are up to date and are distributed to affected parties. For example, for Requirement 1, an up-to-date firewall configuration standard should be available and employees who are responsible for managing aspects of network security should be aware of these policies. Likewise, for Requirement 2, there should be system hardening standards that are followed by a merchant’s system administrators. 



8.2.4 Addition, deletion, and modification of user IDs, authentication factors, and other identifier objects are managed as follows:

Authorized with the appropriate approval.

Implemented with only the privileges specified on the documented approval.

SAQ C-VT merchants should have a documented account creation and modification request process that documents the privileges the account will be assigned and requires management approval prior to account creation or privilege assignment. Your account request forms, whether physical or electronic, should indicate the role the user will be filling and the permissions required for that user account to have to fulfill their job responsibilities. New accounts or changes to privileges assigned to existing accounts need to be authorized by appropriate personnel. A process needs to be in place to document this authorization. 



New Future-Dated Requirements

In addition to the above-mentioned existing PCI DSS requirements, a few requirements new to PCI DSS version 4.0 have been added to the SAQ C-VT. Merchants performing a self-assessment using a version 4.0 SAQ are not required to validate these future-dated requirements until March 31, 2025.

Depending upon the size and complexity of the merchant’s environment, it may take considerable effort to implement some of these new requirements. It is recommended that SAQ C-VT merchants begin now to plan for the implementation of the following new requirements:

5.3.3 For removable electronic media, the anti-malware solution(s):

  • Performs automatic scans of when the media is inserted, connected, or logically mounted,

OR

  • Performs continuous behavioral analysis of systems or processes when the media is inserted, connected, or logically mounted.

Requirement 5.3.3 can be considered an evolving requirement for malware prevention. Malware protection in place in the environment should be configured to either automatically scan removable electronic media (USB drives, external hard drives, SSD memory cards, etc.) when mounted or the malware solution should be continuously performing behavioral analysis to provide automatic malware protection for these connected media types.



5.4.1 Processes and automated mechanisms are in place to detect and protect personnel against phishing attacks.

Phishing attacks are becoming more prevalent and more sophisticated in recent years. While employee training is critical to preventing successful phishing attacks from negatively affecting the security of a merchant’s environment, technical controls should be added to provide more layers of protection against these attacks. For requirement 5.4.1, it is recommended that merchants implement a combination of approaches to prevent spoofing attacks. Anti-fishing tactics include anti-spoofing technologies (domain-based message authentication, domain keys identified mail, and sender policy framework) and phishing email blocking or link scrubbing technologies. 



8.3.6 If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the following minimum level of complexity:

  • A minimum length of 12 characters (or IF the system does not support 12 characters, a minimum length of eight characters).

  • Contain both numeric and alphabetic characters.

Requirement 8.3.6 is an evolving PCI DSS requirement. In version 3.2.1, passwords were required to be at least 7 characters in length consisting of a mix of numeric and alphabetic characters. Beginning on March 31, 2025, the password length requirement is increased to 12 characters in most instances while the password complexity requirement remains unchanged. 



12.6.3.1 Security awareness training includes awareness of threats and vulnerabilities that could impact the security of the CDE, including but not limited to:

  • Phishing and related attacks.

  • Social engineering.

As discussed in requirement 5.4.1 above, companies should be taking a defense-in-depth approach to prevent phishing and other social engineering-related attacks. To be compliant with requirement 12.6.3.1, a merchant’s security awareness training program needs to include education on how to detect, react to, and report phishing and social engineering attempts. It is also recommended that members of the merchant’s incident response team are made aware of how to properly respond to notifications of these types of attacks against the organization. 


Conclusion

Version 3.2.1 of the PCI DSS will be retired on March 31, 2024. After that date, merchants performing self-assessments will be required to use version 4.0 of the Self-Assessment Questionnaires.

Some PCI DSS security requirements that were once part of the SAQ C-VT, data transmission encryption (PCI DSS version 3.2.1 Requirement 4.1), end-user messaging controls (PCI DSS version 3.2.1 Requirement 4.2), and segmentation penetration testing (PCI DSS version 3.2.1 Requirement 11.2.4), have been removed and replaced with requirements the PCI Security Standards Council determined would better protect cardholder data for this type of payment channel.

While merchants can continue to use version 3.2.1 of the SAQ C-VT until it is retired, it is recommended that they begin now to become compliant with all of the requirements listed in version 4.0. Doing this will help to prepare them for a future assessment when version 4.0 will be the only viable solution and it will help them to more adequately address the risks faced by merchants today.

Michael Simpson, CISSP, CISA, QSA
By: Michael Simpson
Principal Security Analyst
CISSP, CISA, QSA


Join Thousands of Security Professionals and Subscribe

Subscribe