VM Hosting requirement for a Virtual Terminal application in SAQ-C-VT

Çağlar Arlı

We are a merchant that does exclusively MOTO transactions over the phone. To capture credit card information, our sales agents (on their PCs) use a browser to access an internally developed ASP.NET application which serves as a Virtual Terminal application. We qualify as SAQ-C-VT.

The VT Application uses a JavaScript library to tokenize the sensitive PAN and Security code on the agent's browser. The application itself never sees the raw credit card data but receives a token from the agent's browser to then submit it to the payment gateway. Therefore, the VT application and the server that serves the application are outside the Card Data Environment (CDE), although we need to take precautions so that the VT application which serves the JavaScript library is not compromised.

Currently the server hosting the VT Application is a physical server that doesn't do anything other than serve the VT application, and the network is segmented on its own. We have made sure that there are NO connected systems to this server other than the sales agents' PCs. We have development and administrative procedures in place to ensure the integrity of the VT application hosted by this server.

We are considering virtualizing this physical server into a VM. The network configuration will not change. However, the VM server hosts other VMs in a separate network segment. The VM Server is VMware ESXi.

My question: Does the virtualization of the VT Application described above affect any answers to SAQ-C-VT, considering there are other VMs hosted by VMware? If so, how do we minimize the scope?