How can I confirm/verify my PCI DSS compliance to QB without using a 3rd party such as SecurityMetrics. I should only need SAQ-A and Attestation of Compliance.

I’m in the same position. I should be able to self-certify, but I can’t figure out how to do it. 

Hello there, erica34, ElectricSpaghettiNeon. It's nice to see you guys  in the Community forum. I'd be glad to help share information with the PCI DSS Compliance in QuickBooks Online.

The Payment Card Industry Data Security Standard (PCI DSS) is a list of practices merchants must follow to accept payment cards. This includes how to securely handle, process, and store sensitive payment card data. 

As a merchant accepting cards for payment, you need to have payment security throughout your local environment. This includes all applications and systems on your local network. 

The way you process credit cards determines what requirements you need to follow. Find more details in the Self-Assessment Questionnaires (SAQ). For more details about the SAQ types and how to that certify, you may open this link: Learn about QuickBooks PCI Service. It also contains the tools, services, and FAQs about PCI DSS compliance.

You may also contact our QuickBooks Payment Support Team. They can provide further details about the PCI compliance service and how it works. 

Let me also share these resources that tackle about the PCI DSS Compliance Services and frequently asked questions about Security Metrics:

• Learn about the PCI DSS Compliance Services
• Security Metrics’ PCS DSS Compliance FAQ
• Intuit Security Metrics Guide to PCI DSS Compliance

I'm always around to help if you have other PCI Compliance concerns. You can drop a comment below, and I'll gladly answer them for you. Stay safe.

Hello!  My understanding is that if I am NOT ACCEPTING CREDIT CARDS through QBO / Intuit Payments, then I do not need to do PCI compliance with QBO / Intuit Payments.  Is that correct?

Hi there, VJones.

Thanks for joining this conversation. Allow me to chime in and answer your question about the Payment Card Industry Data Security Standard (PCI DSS) in QuickBooks Online (QBO).

Yes, you're correct. As long as you're not using QuickBooks Payments for accepting credit card payments, you don't need to do the PCI DSS compliance. You can always check the articles shared by my colleague JoesemM above to know more about the PCI DSS Compliance Services and frequently asked questions about Security Metrics.

I also recommend visiting our website for more tips and other resources you can use in the future: Self-help articles.

Please post again or leave a comment below if you have more questions about this or anything else. I'm more than happy to answer them. Take care.

Our business only accepts credit card payments via invoices sent directly from Quickbooks. We have very few invoices each year that are paid via credit card, most are done via bank draft.  We do not process, keep or store any credit card payments, or take any credit card information ourselves. It is all done by the customers directly to their invoice.  Do we need to be concerned about PCI compliance? If so, how do we find the SAQ that is mentioned to be able to confirm our status? Thank you for any help you can give. 

@BethB2911   QB employees will tell you that you MUST be compliant, when in fact, you do not.  

If you are NOT taking credit card payments in any way, you are not the one that needs to be compliant.  QB is.  They are trying to make EVERYONE pay for their own compliance.  

Don't fall victim to them. 

Does Intuit accept fully filled out SAQs directly from customers, or is PCI as a service required? 

Hello, @GeorgeTheCat. I'll ensure to answer your query about where you can submit your Self-Assessment Questionnaire (SAQ) form and the Payment Card Industry (PCI) service in QuickBooks Online (QBO).

Yes, George. Intuit accepts filled-out SAQs directly from customers. On the other hand, the PCI service is also required for all businesses that process and transmit payment card information, even if you've only processed one transaction per year, to ensure the security and safety of the customer's sensitive information. With these processes, it helps Intuit and its QuickBooks Payments subscribers to secure their account details and meet the DSS compliance requirements.

Additionally, Intuit has partnered with Security Metrics, a leading PCI service provider, to help you meet requirements. You'll want to contact Security Metric's support for further details.

Furthermore, let me also share these resources that tackle the PCI DSS Compliance Services and frequently asked questions about Security Metrics:

• Learn about the PCI DSS Compliance Services
• Security Metrics PCS DSS Compliance FAQ
• Learn about QuickBooks PCI Service
• SecurityMetrics

Feel free to return if you have other inquiries or clarification about PCI compliance. We look forward to a successful working relationship in the future. Take care always!

@GebelAlainaM 

Thank you for your response. I am looking to confirm whether or not "PCI as a service" from SecurityMetrics is *required* by Intuit. I understand the requirement to be PCI compliant, but question the method. 

If Intuit accepts PCI attestation directly from Intuit customers, it would not make sense that they also require a PCI certification from SecurityMetrics. It is this which I am seeking clarification on. Are Quickbooks customers who use Quickbooks to take payments *required* to use SecurityMetrics and thus have no choice but to pay them? Or can they be submitted directly by the Intuit customer? 

In short, I am looking for solid confirmation as to whether or not Intuit is now forcing their customers to pay SecurityMetrics for PCI compliance. 

Thank you, 

George

Thanks for getting back, @GeorgeTheCat. I'll add additional information to clear things up about this PCI compliance concern.

Yes, PCI compliance is required of all merchants who handle, process, transmit, or store credit card data. To speed up the PCI compliance validation process, Intuit has teamed with SecurityMetrics. Merchants who validate compliance for Intuit are charged an annual fee by SecurityMetrics.

For more answers to your frequently asked questions about PCI Service, you can check out this article: Learn about QuickBooks PCI Service.

You can always reply or reach out to us again if you have more questions or concerns about PCI compliance. We're always here to guide and assist you whenever you need help.

Thank you for your reply @Carneil_C . Can I submit a self-attestation to Intuit for my PCI Compliance? If so, how do submit it without using SecurityMetrics? 

Thank you, 

George

You're welcome, @GeorgeTheCat. It's our pleasure to help. 

To guide you with submitting a self-attestation to Intuit for PCI compliance, I suggest reaching out to our Customer Support team. They're the ones who can guide you through the step-by-step process. 

You can check their chat link or phone number by going to this article: Contact Payments or Point of Sale Support. Then, scroll down to the QuickBooks Payments section. 

Here's more information about the QuickBooks Payment Card Industry Data Security Standard (PCI DSS) compliance.

Then, check out these IRS requirements for merchant processing when reporting payment card and third-party network transactions: Tax Compliance for Credit Card Accounts. 

Let me know if you have further questions about the PCI compliance. I'm always here to assist. Have a wonderful day!

Just for everyone's info......

OP: I don't take cards.  I only use Intuit Payments.  Nothing else.  Do I have to do this PCI compliance? If so, how? 

Intuit Customer Support: Hi, read these articles about the importance of being compliant.

OP (and the rest of us):  That. Is. Not. An. Answer.

Maybe I am missing it.. but was the question ever answered on how to complete your OWN compliance.  The last thing I want to do or have time to do is sit on the phone with Intuit card payments customer service!

It seems painfully obvious to me.

We ask how to be complaint (especially if we don't do the things that require compliance e.g. receive, transmit, and store consumer financial information).  Heck, many of us outsource payments to Intuit!  

Instead:

An Intuit person responds with either:

A) Compliance is important.  Here is more information.

OR

B) You should become compliant.

So I just printed this thread and saved it, too.  I suggest you all do the same.

You see, if you ever get in trouble for not being compliant for a process that  you don't actually do, then show all of the official non-responses / refusal to answer posts from Intuit.  Trust me, if they explicitly stated that we all have to hire them or another company to be compliant -> their Legal Department would have a fit. 

But conduct is communication.  They refuse to answer us.   Instead they imply you're going to get in trouble or you're doing something wrong.   Never an answer.

I expect a post saying I'm wrong and that we all need to show compliance, which again, doesn't answer any of our questions.  All I know is go ask other platforms or other companies who use external processors and never see a shred of customer information.  They'll give you a pretty straight answer on what is what.

@SisterJudith 

Another option, switch to a 3rd payment processor to integrate with QB.

I just got a call from "QB official Partner" SecurityMetrics, for PCI Compliance and I will tell you it feels very scammy. When I told him that I would not pay for compliance he said "OK, I will note your file that you are refusing to be compliant". I called QB and was told that if I am not housing the credit card information or saving the data that it is QB that is responsible to being compliant. I have to tell you this is all confusing, and honestly, I felt a little threatened by the guy that called me.      

ME TOO!  The Security Metrics guy is bordering on "threatening" and "stalking".  He WON'T let it go.  He continues to harass me thru email and phone calls.  I'm really offended by this!

When someone says "you have to pay for our service or else..." that's a threat!

I called QB on the phone only to be on hold for 1 hour and 14 mins while the clueless cust service rep tried to get someone to answer her questions so she could answer mine.  I asked her several times to transfer me to that department.  She couldn't.  I asked her to have one of their reps (compliance dept) call me back.  She said they "wouldn't"!  

I tried to get her to let me speak to a MANAGER or SUPERVISOR.  She said no one was available.  Finally (after 1 hour and 14 mins) she gave me this number to call...[removed].  I haven't tried it yet but I'm willing to bet whoever answers WON'T be able to tell me if I'm compliant!!

We offer no payments outside of Intuit Payment Processing.  No physical card swipes. Nothing.  Client must pay through Intuit's web link on invoice.

Look, you pay Intuit to do your payments exclusively, and they won't certify that they are PCI compliant, that's kind of a problem.

People in my situation should merely sign / declare they take no payment information (ever) and outsource the entire payment workflow to Intuit.  DONE. 

Intuit's refusal to answer this clearly can only be explained by:

• Their legal department has reasons we don't know about
• Their staff are not trained and don't know what they are talking about beyond the required script.
• Intuit receives a commission for every customer they refer to the external compliance company.
• There is a Federal rule we don't know about.

Regardless, Intuit should be forthcoming instead of the run around.

I'm in the same boat as the above.. frustrated at Security Metric's threats, real and implied.  That's not the way to do business unless you are a scammer..   My company is a non-profit, and we process donations entirely through QuickBooks Online.  We never touch a credit card, or its associated data.  Our donors respond to an invoice, use whatever payment method they like, and the money goes straight to our bank.  No credit card data storage or transmission by my company, ever.  I'm happy to fill out whatever Intuit form (SAQ) there is to attest to same, but I'm not going to go through Security Metric's paywall to do that.  Get better, Intuit.  QBO is excellent and I would hate to stop using it, but I certainly can do that if you insist on insulting your customers.

I got a real answer via Intuit support chat.

We can self-assess or use PCI compliance offered by a 3rd party/insurance. We do NOT need to submit proof of compliance to Intuit. 

I called SecurityMetrics earlier today and they did not know if we could do anything other than go through them, so they were not terribly helpful. He was very polite and nice though.

"they did not know" is how they speak and operate, all I got was open ended answers like "I think so" or "to the best of my knowledge" ending answers, they are covering themselves legally in case you get proof they were lying or were wrong about you needing them. 

When Intuit Customer Support Chat says we can self-assess:

a) Does that mean we have to submit an SAQ-A?

b) If so, where?

The SAQ-A form ( see https://docs-prv.pcisecuritystandards.org/SAQ%20(Assessment)/SAQ/PCI-DSS-v4-0-SAQ-A-r2.pdf ) is an approximately 23 page monster (plus directions) that lets you self-assess under certain situations mostly described in this thread.

Please note that -- as far as I can tell -- submitting credit card transactions through the MerchantCenter payment gateway (Intuit website for credit card processing) should qualify for SAQ-A as long as you don't store credit card information or store credit card information only in paper form. 

Do we really have to do a 23 page form built with an giant corporation and corporate IT department in mind?

The last time I did this for another company there was a very annoying 3+ page form that basically just asked if I stored any credit card information in electronic form.  This SAQ-A thing goes through a ton of assumed scans and layers of computer security.

Sure -- If I really have to check 23 pages of "Not Applicable" I will do so.  At least that option exists.  Where do I send it?