Good luck.

In your case, use the SAQ C-VT to address your virtual terminal process. Use SAQ B for covering your terminals. Combine those into the SAQ D and fill in any other requirements in SAQ D that are relevant such as those in requirement 12 and 9, but please look at all the requirements to ensure you are not missing something. The remainder of SAQ D for your organization will be marked ‘Not Applicable’.

My contact at the bank is on holidays, and the replacement person has sent through the SAQ C-VT after I questioned it. I’ve only had a chance to have a glance through it, but two things that stand are the statements “Merchant’s only payment processing is via a virtual terminal accessed by an Internet-Connected web browser” and “This option would never apply to e-commerce merchants”.

As I said earlier, we also have a bricks and mortar store, and a website, so are also processing payments via terminals and via the internet. The internet payments are handled by a 3rd party (it’s not via a redirect, but newer technology that I don’t understand, our contact at the bank recommended it and said that using it would eliminate our need to be so PCI compliant).

Anyway, what I’m wondering is, what happens for people running stores that handle payment processing in more than 1 way. Each of the SAQs seems to focus on one payment type only (eg A for web payments, B for terminal payments etc) – what happens when there is a cross over, such as in our situation?

The issue with the terminal printing the full primary account number (PAN) is most likely a configuration issue. We encounter this all of the time. Why the vendors do not properly configure these terminals for their customers, I do not know.

If you were still doing your telephone orders over your card terminal and not the virtual terminal, I would agree with using SAQ B. However, as you have found out, SAQ B really doesn’t cover the virtual terminal environment.

In my opinion, SAQ C-VT is probably the better choice for your virtual terminal situation.

However, remember, your bank has the official word in this matter and if your bank insists on SAQ B, then fill it out and send it to them as they are the official word in this matter.

I am struggling through filling out a SAQ, and I’m not convinced that I have the correct one. We are a small business, with two physical locations, and a website. We handle credit card details in the follow ways:
- in store, using stand alone eftpos terminals not connected to the internet, or to any pos systems etc.
- on our website, which doesn’t store the details, a 3rd party processes the payments for us
- over the phone, we enter the card details into a virtual terminal using a stand alone computer connected to the internet.

I’ve informed our bank of the above, and they have told me that SAQ B is the correct form to fill out. However I’m not convinced that it allows for the phone orders. I’m stuck on the first question of Part 2c, the eligibility to complete SAQ B. It mentions in part:

OR Merchant uses only standalone, dial-out terminals… (it goes on). <– Whilst it is true that our dial out terminals are stand alone, this doesn't allow for our use of the virtual terminal for phone orders??

What's your take on this – I am going to email the bank yet again to ask…

For those that have given up on phone orders (I'm about to!) – has anyone considered MOTO transactions? Before we had the virtual terminal, we used to use our stand alone terminal to process phone payments. The reason we moved to a virtual terminal is because the receipt printed by the terminal used to list the full card number and expiry date – we felt this wasn't particularly secure (I don't know if this is still the case). I wonder if moving back to using this function may make the process of PCI compliance easier?

We have a number of Level 1 merchants that do not store cardholder data, but they do process and transmit it and they all are required to conduct a PCI assessment and create a Report On Compliance (ROC).

On the Level 2 front, if you are a Level 2 merchant and accept MasterCard cards, you are required to conduct a full assessment and file your Attestation Of Compliance (AOC) and ROC with MasterCard. That rule went into affect July 1, 2012. See this post for clarification.