What is a Virtual Terminal?
A virtual terminal is a software application, typically accessed through a web browser, that allows merchants to process card payments without a physical card terminal. Agents enter the customer's card details into an on-screen form to process the transaction. Virtual terminals are commonly used in call centres, back offices, and any setting where payments are taken remotely. They are classified as card-not-present (CNP) payment channels and carry specific PCI DSS compliance obligations depending on how the card data is captured and transmitted.
How Virtual Terminals Work
A virtual terminal replaces the traditional countertop card machine with a secure web-based interface. The merchant logs into the virtual terminal through their browser, enters the customer's payment details -- card number, expiry date, security code, and transaction amount -- and submits the payment for processing.
The virtual terminal communicates with the payment gateway, which forwards the transaction to the card issuer for authorisation. Once approved, the merchant receives confirmation and can issue a receipt to the customer. The entire process happens in seconds.
Step-by-Step Transaction Flow
- The agent or merchant logs into the virtual terminal via a web browser using secure credentials.
- The customer provides their card details -- verbally during a phone call, in writing via a mail order, or through a secure digital form.
- The agent enters the card number, expiry date, CVV/CVC, and transaction amount into the on-screen payment form.
- The virtual terminal encrypts the data and transmits it to the payment gateway over a secure connection (TLS 1.2 or higher).
- The payment gateway routes the authorisation request to the acquiring bank and then to the card-issuing bank.
- The issuing bank verifies the card details, checks available funds, runs fraud checks, and returns an approval or decline.
- The virtual terminal displays the outcome and the agent confirms the result to the customer.
Types of Virtual Terminal
Not all virtual terminals work the same way. The right choice depends on how your business takes payments, the volume of transactions you handle, and your compliance requirements.
Web-Based Virtual Terminals
The most common type. These run entirely in a standard web browser with no software to install. The payment provider hosts the application in the cloud, manages security patching, and handles PCI compliance of the platform itself. Web-based virtual terminals are ideal for small teams, remote workers, and businesses that need to accept payments quickly without investing in hardware.
Phone-Based (DTMF) Virtual Terminals
Designed specifically for telephone payments, these virtual terminals capture card details directly from the customer's telephone keypad rather than requiring the agent to type them in. A DTMF suppression system masks or removes the keypad tones from the call audio before they reach the agent. The card data is routed directly to the payment gateway without passing through the agent's workstation, browser, or local network. This approach removes the entire agent environment from PCI DSS scope.
Integrated Virtual Terminals
Some virtual terminals integrate directly with CRM, ERP, helpdesk, or accounting software. The payment form appears inside the application the agent already uses, eliminating the need to switch between screens. Integration can pre-populate customer details and automatically record the payment against the correct account or invoice.
IVR-Based Virtual Terminals
Interactive Voice Response systems can function as fully automated virtual terminals. Customers call a dedicated number and enter their card details via the keypad without speaking to an agent. IVR payments are well-suited to straightforward transactions such as bill payments, account top-ups, and subscription renewals.
Common Use Cases
- Call centres and contact centres: Agents take card details from customers during inbound or outbound phone calls. This is the largest use case for virtual terminals in the UK.
- Mail order and telephone order (MOTO): Card details received by post, email, or fax are keyed into the virtual terminal manually by back-office staff.
- Professional services: Accountants, solicitors, consultants, and other professionals process invoice payments by phone without needing a card machine.
- Local councils and government bodies: Residents pay council tax, parking fines, or service charges securely over the phone.
- Healthcare providers: Private clinics, hospitals, and dental practices take payment for consultations and treatments remotely.
- Charities and membership organisations: Donations, membership renewals, and event payments are processed by phone or post.
- Field services and mobile workers: Engineers, delivery drivers, and mobile staff use a laptop or tablet to process payments on site when no card machine is available.
- Remote and hybrid teams: Staff working from home can process payments securely without needing office-based equipment or physical terminals.
Virtual Terminals and PCI DSS
PCI DSS (Payment Card Industry Data Security Standard) is the global security standard that applies to every organisation that stores, processes, or transmits cardholder data. Virtual terminals sit squarely within this scope because they handle card details during every transaction.
The Compliance Challenge
When an agent types card details into a traditional virtual terminal, those details pass through several systems: the agent's keyboard, the workstation operating system, the web browser, the local network, and potentially a VPN or proxy server before reaching the payment gateway. Every one of these systems falls within the scope of PCI DSS assessment.
The agent also sees the full card number on screen and may hear it spoken by the customer, creating additional exposure points. Call recordings that capture card details add yet another system to the PCI scope. For this reason, organisations using traditional virtual terminals often face SAQ C or the more demanding SAQ D self-assessment questionnaire, which can include over 300 individual security controls.
SAQ Types for Virtual Terminal Users
- SAQ A: The simplest level. Applies when all card data processing is fully outsourced to a PCI-validated third party and no card data enters the merchant environment. DTMF-based virtual terminals typically qualify for this level.
- SAQ C-VT: For merchants who process payments solely through a web-based virtual terminal provided by a PCI-validated service provider, with no electronic card data storage.
- SAQ C: For merchants with payment applications connected to the internet but no electronic card data storage.
- SAQ D: The most comprehensive level, required when card data is stored, processed, or transmitted in ways not covered by the simpler SAQ types.
Securing Virtual Terminal Payments
There are several proven approaches to improving the security of virtual terminal transactions and reducing PCI DSS scope:
DTMF Masking and Suppression
For telephone payments, DTMF masking removes card details from the call audio entirely. The customer enters their card number on their phone keypad, the tones are masked before reaching the agent, and the digits are routed directly to the payment processor. This eliminates the need for agents to type card details into a virtual terminal at all, removing the workstation, browser, and telephony infrastructure from PCI scope.
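The routing described above, as an added sketch (not code from this page or from any vendor). The class name, the event tuples, the `#` field terminator and the capture order are all assumptions made for the illustration; the card data is a constructed test value.

```python
from dataclasses import dataclass, field

FIELDS = ("pan", "expiry", "cvv")  # capture order assumed for this sketch

@dataclass
class SuppressionBridge:
    """Hypothetical model of the component between customer leg and agent leg."""
    capturing: bool = False
    agent_leg: list = field(default_factory=list)   # everything the agent can hear
    _digits: list = field(default_factory=list)     # field in progress
    _captured: dict = field(default_factory=dict)   # completed fields, gateway-bound

    def on_event(self, kind, value):
        if kind != "dtmf" or not self.capturing:
            self.agent_leg.append((kind, value))    # speech / non-payment keys pass through
            return
        self.agent_leg.append(("tone", "flat"))     # agent hears a press, not which key
        if value == "#":                            # '#' ends the current field
            self._captured[FIELDS[len(self._captured)]] = "".join(self._digits)
            self._digits.clear()
            self.capturing = len(self._captured) < len(FIELDS)
        elif value.isdigit():
            self._digits.append(value)

    def agent_screen(self):
        """Progress only: field names and digit counts, never the digits."""
        progress = {name: len(v) for name, v in self._captured.items()}
        if self.capturing:
            progress[FIELDS[len(self._captured)]] = len(self._digits)
        return progress

    def gateway_payload(self):
        return dict(self._captured)                 # sent to the gateway, not the agent

def run_constructed_call():
    bridge = SuppressionBridge()
    bridge.on_event("speech", "I'd like to pay my invoice")
    bridge.on_event("dtmf", "1")                    # menu key before capture starts
    bridge.capturing = True                         # agent starts the payment
    for key in "4111111111111111#1228#123#":        # constructed test card data
        bridge.on_event("dtmf", key)
    bridge.on_event("dtmf", "5")                    # capture over: passes through again
    return bridge

if __name__ == "__main__":
    b = run_constructed_call()
    print(b.agent_leg, b.agent_screen(), sep="\n")
```

The property to check in a real deployment is the same one the sketch makes visible: nothing on the agent leg or the agent screen can be used to reconstruct a digit.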
Network Segmentation
Isolating the virtual terminal environment from the rest of the corporate network limits the number of systems that fall within PCI DSS scope. Dedicated VLANs, firewalls, and access controls ensure that only authorised devices can reach the payment interface.
Tokenisation
Replacing card numbers with non-reversible tokens immediately after the initial transaction means that stored references cannot be used to make fraudulent payments. Tokens are safe to store in CRM and billing systems without creating additional PCI scope.
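An added example (not from this page or any provider's API) showing the tokenisation idea next to the check a defender would run on CRM data: a scan for Luhn-valid card numbers in free text. `TokenVault`, the `tok_` prefix and the sample records are hypothetical and constructed for the illustration.

```python
import re
import secrets
import string

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by card numbers; filters out order numbers and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Stands in for the provider-side vault; the merchant never holds this mapping."""
    def __init__(self):
        self._pan_by_token = {}

    def tokenise(self, pan: str) -> dict:
        # Random letters only: not derived from the PAN, and never digit-heavy
        # enough to be mistaken for a card number by a scanner.
        token = "tok_" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(24))
        self._pan_by_token[token] = pan
        return {"token": token, "last4": pan[-4:]}

# 13-19 digits, optionally grouped with spaces or hyphens, not inside a longer number
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_pans(text: str) -> list:
    """Return Luhn-valid card-number candidates found in free text (CRM notes, logs)."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def audit_constructed_crm():
    ref = TokenVault().tokenise("4111111111111111")   # well-known test number
    records = [                                        # constructed sample records
        f"Invoice 1042 paid, ref {ref['token']}, card ending {ref['last4']}",
        "Customer read out 4111 1111 1111 1111 exp 12/28",   # PAN typed into notes
        "Order ref 1234567890123456 shipped",                # 16 digits, fails Luhn
    ]
    return [find_pans(r) for r in records]
```

Only the second record is flagged: the tokenised record stores a reference and the last four digits, while an agent's free-text note containing the full number is exactly what pulls a CRM back into scope.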
End-to-End Encryption
Card data should be encrypted from the moment of capture through to the payment processor. Modern virtual terminals use TLS 1.2 or higher for all data in transit, and sensitive data at rest is encrypted using strong cryptographic standards.
Role-Based Access Controls
Limiting what each user can see and do inside the virtual terminal reduces the risk of data exposure. Agents should only have access to the functions they need -- for example, processing payments and issuing refunds -- while administrative functions such as reporting and configuration are restricted to managers.
Cloud vs Installed Virtual Terminals
Most modern virtual terminals are cloud-based, meaning they run entirely in the browser with no software to install locally. This simplifies deployment, ensures security updates are applied automatically by the provider, and eliminates the need to manage local installations across multiple workstations.
Some legacy solutions require installed software on each agent's machine, which adds complexity to both maintenance and PCI DSS compliance. Each installation must be individually patched, monitored, and included in the PCI assessment scope. For most organisations, cloud-based virtual terminals are the more practical and secure choice.
Virtual Terminal vs Payment Gateway
A payment gateway is the behind-the-scenes technology that routes card transactions between the merchant, the acquiring bank, and the card-issuing bank. A virtual terminal is the front-end interface that the merchant or agent interacts with. Every virtual terminal relies on a payment gateway to process transactions, but a payment gateway can also power online checkout pages, mobile apps, recurring billing, and automated payment flows.
Benefits of Using a Virtual Terminal
- No hardware required: All you need is a computer and an internet connection. There are no card machines to buy, lease, or maintain.
- Accept payments from anywhere: Remote agents, home workers, and field staff can all process transactions securely from any location.
- Quick to deploy: Cloud-based virtual terminals can be operational in minutes with no installation or configuration.
- Lower costs: Businesses avoid equipment costs, maintenance contracts, and the expense of replacing broken or outdated card machines.
- Flexible payment channels: A single virtual terminal supports phone payments, mail-order payments, and ad-hoc billing.
- Real-time reporting: Dashboards provide transaction history, settlement status, refund tracking, and agent activity logs.
- Scalable: Adding a new agent is as simple as creating a login. There is no practical limit on the number of concurrent users.
Paytia offers a fundamentally different approach to virtual terminal payments. Instead of agents typing card details into a web form -- which creates PCI DSS scope across the agent workstation, browser, and network -- Paytia's DTMF suppression solution captures card details directly from the caller's keypad input.
The agent initiates a payment within Paytia's secure interface and stays on the call with the customer throughout. When prompted, the customer enters their card number, expiry date, and CVV using their phone keypad. Paytia intercepts the DTMF tones in real time and replaces them with flat tones -- the agent hears confirmation that keys are being pressed but cannot identify which digits were entered.
The actual card data is routed directly to the payment gateway via Paytia's PCI DSS Level 1 certified platform. It never passes through the agent's workstation, browser, or network. The agent's screen shows the progress of the payment -- for example, how many digits have been entered -- without ever displaying the card number itself.
The result is the convenience of a virtual terminal -- browser-based, easy to use, no hardware required -- combined with the security of full PCI DSS descoping. Businesses using Paytia typically qualify for SAQ A instead of SAQ C or D, dramatically reducing the cost and complexity of compliance. Agents can process card-not-present payments confidently, knowing that sensitive data never enters their environment.
Paytia integrates with leading telephone payment platforms and can be deployed alongside existing phone systems without changes to infrastructure.
Frequently Asked Questions
Is a virtual terminal the same as an online payment page?
No. A virtual terminal is used by the merchant or agent to process payments on behalf of a customer, typically during a phone call or when processing a mail order. An online payment page is customer-facing -- the customer enters their own card details directly. The key difference is who enters the card data: with a virtual terminal it is the merchant; with a payment page it is the customer.
Do I need special hardware for a virtual terminal?
No. A virtual terminal runs in a standard web browser on any computer, laptop, or tablet with an internet connection. There is no card machine, no special software to install, and no dedicated hardware required. This makes virtual terminals particularly well-suited to remote and hybrid working environments.
Are virtual terminal payments PCI DSS compliant?
Virtual terminals themselves can be PCI DSS compliant, but the way you use them determines your compliance obligations. If agents type card details into a virtual terminal, the workstation, browser, and network are all in PCI scope. Using DTMF masking technology like Paytia's removes card data from the agent environment entirely, dramatically simplifying compliance and typically reducing the SAQ level from C or D to A.
What is the difference between a virtual terminal and a card machine?
A card machine (or card reader) is a physical device that reads the chip, magnetic stripe, or contactless signal on a payment card. A virtual terminal is a software application accessed through a web browser. Both process card payments, but a virtual terminal does not require the card or the customer to be physically present -- making it ideal for phone payments, mail orders, and remote billing.
Can I use a virtual terminal for phone payments?
Yes. Virtual terminals are one of the most common ways to take card payments over the phone. The customer provides their card details during the call and the agent enters them into the virtual terminal. For better security, solutions like Paytia allow the customer to enter their card details on their phone keypad instead, with DTMF suppression ensuring the agent never hears or sees the card number.
How much does a virtual terminal cost?
Costs vary by provider but typically include a monthly subscription fee per user and a per-transaction fee. Because there is no hardware to buy, lease, or maintain, virtual terminals are generally more cost-effective than physical card machines for businesses that primarily take phone or mail-order payments.
Is a virtual terminal suitable for a small business?
Yes. Virtual terminals are particularly well-suited to small businesses because they require no upfront hardware investment, can be set up in minutes, and scale easily as the business grows. A single user can process payments from any device with a web browser and an internet connection.
What types of cards can I accept through a virtual terminal?
Most virtual terminals accept all major card types including Visa, Mastercard, American Express, and Maestro. The specific cards accepted depend on your payment gateway and acquiring bank agreement. Virtual terminals can process both debit and credit card transactions.