Virtual Terminal SAQ Guide
This guide is for merchants and integrators using CityPay Virtual Terminal for browser-based manual entry into a CityPay-hosted admin or payment interface.
Virtual Terminal use usually falls under SAQ C-VT where staff manually enter cardholder data into a CityPay-hosted browser-based virtual terminal and merchant systems do not electronically store card data. This may include MOTO and back-office card-not-present operational use cases.
SAQ C-VT has specific eligibility criteria. Confirm that staff enter account data only into CityPay's hosted virtual terminal and that merchant systems do not electronically store, process or transmit account data outside that hosted service.
Part 2a - Merchant business payment channels
Tick the channels that apply:
- Mail Order/Telephone Order
If the virtual terminal is used for another card-not-present operational channel, describe it clearly and confirm the correct channel with your acquirer or QSA.
Part 2b - Description of role with payment cards
The merchant accepts card-not-present transactions where authorised staff manually enter cardholder data into CityPay Virtual Terminal, a browser-based payment interface hosted by CityPay Limited. Merchant systems do not electronically store cardholder data for this channel. Payment processing, authorisation and handling of account data are outsourced to CityPay Limited.
Part 2c - Description of payment card environment
The assessed environment consists of the workstations, browsers, network access, user accounts and administrative processes used by merchant staff to access CityPay Virtual Terminal. Cardholder data is entered directly into the CityPay-hosted interface. Merchant systems do not electronically store PAN or sensitive authentication data for this channel.
Part 2f - Third-party service providers
| Service provider | Description |
|---|---|
| CityPay Limited | CityPay PSP and TPSP operating its own gateway, providing hosted Virtual Terminal, payment data capture, authorisation, processing and related payment services. |
Also list any IT support, network, device management or outsourced operations providers that can affect workstations or access to the virtual terminal.
Eligibility notes
Only rely on SAQ C-VT where the relevant eligibility statements are true. In particular, confirm that:
- each payment is entered manually into the CityPay-hosted virtual terminal
- merchant systems do not electronically store account data
- virtual terminal workstations are not connected to systems that store, process or transmit account data outside the hosted service
- access to the virtual terminal is controlled and limited to authorised staff
- CityPay's PCI DSS compliance has been confirmed for the Virtual Terminal service
Secure configuration and workstation control
Evidence should cover secure configuration of workstations and browsers used for Virtual Terminal access, supported operating systems, patching, malware protection where applicable, and restricted administrative privileges.
Requirement 3 - Stored account data
The merchant should not electronically store PAN or sensitive authentication data for this channel.
Appendix C wording, if true:
The merchant does not electronically store account data or sensitive authentication data for CityPay Virtual Terminal transactions.
User access
Evidence should include unique user IDs, no shared accounts, access limited to authorised staff, leaver access removal, MFA where used, and periodic access review.
Physical and paper records
If staff write down card details before entry, paper handling may introduce additional requirements. Avoid paper capture where possible. Where paper records containing account data exist, document storage, access, retention and destruction controls.
TPSP management and incident response
Maintain a TPSP list including CityPay Limited, a written agreement or terms with CityPay, evidence of CityPay PCI DSS compliance for Virtual Terminal, an annual TPSP review, and an incident response plan that includes CityPay, acquirer and payment-brand escalation.
Retain:
- CityPay AOC or PCI DSS compliance confirmation
- Virtual Terminal user and access list
- workstation and browser patching evidence
- leaver access review
- staff procedures for card-not-present entry
- paper handling procedures if paper account data is used
- TPSP list and annual review
- incident response plan
- Appendix C explanations for Not Applicable requirements