Concerning enterprises without credit card data storage, I did a search of the PCI DSS website and the PCI standard itself, and found the first answer to your question about virtual terminal protocol in the Frequently Asked Questions section of the PCI DSS website:
Does PCI DSS apply to merchants who use payment gateways to process transactions on their behalf, and thus never store, process or transmit cardholder data?
PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply. However, under PCI DSS requirement 12.8, if the merchant shares cardholder data with a third party processor or service provider, the merchant must ensure that there is an agreement with that third party processor/service provider that includes their acknowledgement that the third party processor/service provider is responsible for the security of the cardholder data it possesses. In lieu of a direct agreement, the merchant must obtain evidence of the third-party processor/service provider's compliance with PCI DSS via other means, such as via a letter of attestation.
And also, in Requirement 12.8, please be aware that:
12.8 If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers, to include the following:
12.8.1 Maintain a list of service providers.
12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.
12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.
12.8.4 Maintain a program to monitor service providers' PCI DSS compliance status.
The most important suggestion offered here, however, is to verify any requirements you must follow with your acquirer (i.e., bank). Be sure to collect any answers from your acquirer in writing for future audits or reviews.
This was first published in April 2010