Zagone
Level 1

How can I confirm/verify my PCI DSS compliance to QB without using a 3rd party such as SecurityMetrics. I should only need SAQ-A and Attestation of Compliance.

Actually, this website outlines what forms we may have to fill out:
https://www.onetrust.com/blog/what-is-a-pci-dss-self-assessment-questionnaire/

This one looks like it likely applies to me:

SAQ C-VT

Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based, virtual payment terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to ecommerce channels.

 

This is a 10 page form, which can be found here:
https://www.pcisecuritystandards.org/search/#?cludoquery=SAQ&cludopage=1&cludoinputtype=standard

Now just awaiting an answer from [email address removed] about if I can submit an SAQ C-VT or SAQ-A and where to submit it.

quality testing
Level 1


Is the Security Metrics compliance requirement asking for payment a scam or not?

Jelayca V
QuickBooks Team


Engaging SecurityMetrics for compliance support is not a scam; rather, it serves as a valuable resource to streamline your PCI compliance process, @quality testing

 

Intuit has partnered with SecurityMetrics, a leader in PCI compliance, to help QuickBooks users simplify and meet PCI requirements. 

 

While SecurityMetrics does charge an annual fee for their services, this fee is standard for assisting merchants in meeting PCI compliance requirements.

 

It's important to note that Intuit’s partnership with SecurityMetrics ensures that you’re working with a reputable provider, but you're not limited to SecurityMetrics alone for compliance solutions.

 

You can refer to these resources that answer frequently asked questions about the partnership between Intuit and SecurityMetrics for the PCI compliance process:

 

 

Don't hesitate to click the Reply button below if you have further questions or concerns about PCI compliance. We're always looking forward to assisting you. Take care. 

Zagone
Level 1


As the QuickBooks Team says, it's not a scam.

 

That said, they are being really dodgy about the necessity of this.

 

See my post above on what forms I think we need to file to be in compliance.

 

I said:  "Now just awaiting an answer from [email address removed] about if I can submit an SAQ C-VT or SAQ-A and where to submit it."

 

That was in late September -- they never answered me.

 

I wrote:

~~~~

Dear Intuit PCI Compliance Team:

I am aware that I can submit an SAQ form to Intuit.

a) Where is the proper place for me to submit this form?

I process credit cards through your MerchantCenter portal website ( https://merchantcenter.intuit.com ) and any stored credit card information is stored in paper form offline.

To me, this looks like I can use the SAQ C-VT form.  There is an outside chance I might need the SAQ-A although I don't believe so.

b) Do you want me using the SAQ C-VT, SAQ-A, or some other PCI self-certification method?

~~~

If I can ever get an answer to the above email (I am resending it today), I will "happily" file the proper compliance paperwork with whatever is the correct place within Intuit.

 

-- Zagone

Zagone
Level 1


This now 1-2 year-old game gets really old.  Last I checked, there are multiple threads on this topic.

 

As the original poster in 2023 stated:

 

"I manage very few credit card transactions and they are all handled exclusively through QB Payments with no website e-commerce. QB is trying to tell me that I'm not PCI compliant and they want me pay SecurityMetrics to verify my compliance, but the PCI website says I can self-assess using SAQ-A and an AOC. I don't know how to submit this to QB without using the 3rd party."

 

I would add the SAQ-C-VT form as a possibility for many very small businesses.

 

At this point, I have multiple email addresses and contact points for Intuit including for the compliance team for this issue.  I'm not going to pay a security contractor for something I don't need and for which I can self-certify (like I do with another credit card processing company I'm forced to use for other purposes).

 

For that matter, I won't be allowing a security contractor through my firewall to scan my laptop for the credit card information that they won't find on it, as I don't need another potential security breach for my client medical data, even if said contractor might sign a HIPAA BAA subcontractor form to keep the medical data safe.  Just too many hacks these days.

 

As long as I can't get a straight answer on where to send the self-certification, I won't be filling out one of these onerous forms to send into the void of non-response.

 

So I will continue to get threatening emails from Intuit for being in non-compliance, directed to a security compliance firm I don't need, then ghosted when I try to find out how to self-certify and where to send it.  I hope Intuit does not close my account over this, but then I do have another credit card processing company I don't like that I can continue with anyway.

 

-- Zagone

Zagone
Level 1


Hi QuickBook Team:

 

Can you answer these questions:

 

1) Do you want me using the SAQ C-VT, SAQ-A, or some other PCI self-certification method?

 

2) Where do I send the form?

 

I use your online terminal at merchantcenter.intuit.com, and store any credit card numbers offline in paper form.

 

Your online webpage guides do not answer these questions.

 

Thanks

Zagone
Level 1


QuickBooks Team:

 

Can you answer these questions?

 

I use the online terminal at merchantcenter.intuit.com and store any credit card numbers in paper format offline.

 

Your online guides do not address this:

 

1) Do you want me using the SAQ C-VT, SAQ-A, or some other PCI self-certification method?

2) Where do I submit said forms?

 

Thanks

MorganB
Content Leader


Thanks for following up on this thread, Zagone.

 

I'm happy to point you in the right direction for self-certification in QuickBooks Merchant Services.

 

In this instance I recommend reaching out to a member of the QuickBooks Payments Team for the best info. Agents have specialized tools to take a more in depth look at your account and offer the best advice regarding your questions about the forms and where to submit them. Here's how to get in touch with the team:

 

1. Sign in to your QuickBooks Online company.
2. Go to (?) Help.
3. Select Contact Us, then select a topic to connect with the right expert.
4. Choose your preferred way to connect.

 

The following article provides additional info about contacting Payments Support.

 

Please feel free to reach back out in the comments below if you have any other questions. I'll be here to help in any way that I can.

Zagone
Level 1


Morgan and Team:

 

Thank you for your response.  I understand you are trying to be genuinely helpful.

 

So here is what happens when I follow that advice:

 

I eventually find my way to this webpage:

https://quickbooks.intuit.com/learn-support/en-us/help-article/mobile-apps/contact-payments-point-sa...

 

On this webpage, the correct option for me is:

 

QuickBooks Payments

M-F 6 AM to 6 PM PT

 

TRY #1: When I try to pick this chat option, a new browser window opens up and I am taken to an endless loop of asking me to sign in again and again and again...

 

TRY #2: Okay, so the next option given is to call Intuit Support at 800-446-8848.  Option #6 is the one for online and merchant services.  When I pick option #6, I am handed to a virtual assistant.  When I make the mistake of telling the virtual assistant that "she" can email me information, I am emailed this link:

 

https://quickbooks.intuit.com/learn-support/en-us/help-search?q=how%2Bdo%2Bi%2Bself%2Bcertify%2Bwith...

 

This link consists of the usual help pages your team has already provided (which don't help), as well as links to this community support center!! 

 

Not helpful.

 

TRY #3:  When I call the virtual assistant back again, "she" is intelligent enough to see I have called before on this issue and to pass me along to a human operator.

 

The poor human operator (after collecting LOTS of identifying info on me) puts me on hold several times to search her database for what to do with me.

 

The only option available is for me to call Security Metrics!  No information is available to her as to what self-certification form I can fill out or where to send it.

 

I believe Security Metrics is $195 (from other posts). 

 

I have not yet decided if I am going to bother calling Security Metrics to ask them how I can NOT hire them and still complete this process.

 

I think I'm done with this for now.  What a waste of my time and goodwill.

SisterJudith
Level 3


Here is what I found, and I suspect it will be helpful for many of you.

[Disclaimer: I'm not a legal professional, and the following is my opinion for informational purposes only.  Please research to determine if this solution will work for you.]

 

1. A Key Thing To Know

Even though we contend we never have custody of payment information, we have to go through the due diligence to make sure there are no areas that we might miss that could make us non-compliant.  Seriously.

 

2. Depending on your situation, you may be able to complete a SELF-ASSESSMENT.

 

3. I recommend reading the PCI Security Standards Council's publication: Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

 

There is a 'test' to determine whether you're eligible to do a self-assessment (Found on page 3 of their pdf).

 

Merchant certifies eligibility to complete this shortened version of the Self-Assessment Questionnaire because, for this payment channel:

 

  • Merchant accepts only card-not-present (e-commerce or mail/telephone-order) transactions;
  • All payment acceptance and processing are entirely outsourced to PCI DSS validated third-party service providers;
  • Merchant has no direct control of the manner in which cardholder data is captured, processed, transmitted, or stored;
  • Merchant does not electronically store, process, or transmit any cardholder data on merchant systems or premises, but relies entirely on a third party(s) to handle all these functions;
  • Merchant has confirmed that all third party(s) handling acceptance, storage, processing, and/or transmission of cardholder data are PCI DSS compliant; and
  • Merchant retains only paper reports or receipts with cardholder data, and these documents are not received electronically.

Additionally, for e-commerce channels:

  • The entirety of all payment pages delivered to the consumer’s browser originates directly from a third-party PCI DSS validated service provider(s).

 

 

 


Zagone
Level 1


SisterJudith -- Thank you.  This is useful.

 

So once we have determined we can self-certify, then the question becomes where do we submit that form?

 

1) I have the PCI Compliance Team email address at Intuit.  Since they never respond to anything I send them, I'm not going to bother with the form unless I know they will do something with it.

 

2) An alternative is to call Security Metrics.  I can envision how that conversation would go:  "Hi Security Metrics, I'm not hiring you or paying you a single dime.  Please give me information about where within Intuit you submit your compliance reports.  Oh -- and can you also confirm I have figured out the right form during my readings on the subject?"

 

So SisterJudith's information is useful, and I'm sitting this one out until something changes.

 

-- Zagone

 

JesseWulf
Level 1


I know I am a little late to the game but figured I would post my findings. I had a call with a guy at Security Metrics today and he said they handle all the compliance for Intuit. He indicated I could submit my completed documents to SAQ(at)securitymetrics.com. They will then validate your information and report it back to Intuit.

DoriPatrick
Level 1


To self-certify for PCI compliance for credit card transactions processed through QuickBooks Online (QBO), you need to follow the Payment Card Industry Data Security Standard (PCI DSS) requirements, which involve completing a Self-Assessment Questionnaire (SAQ) and submitting an Attestation of Compliance (AOC). Below is a step-by-step guide based on the available information:
Step-by-Step Guide to Self-Certify PCI Compliance for QuickBooks Online
  1. Determine Your Merchant Level and SAQ Type:
    • Most small businesses using QuickBooks Online Payments, where customers enter payment information directly via QuickBooks’ secure payment links (e-invoicing) and no card data is stored or handled, are classified as Level 4 merchants (processing fewer than 20,000 e-commerce transactions or 1 million total transactions annually).
    • For these businesses, the appropriate SAQ is typically SAQ A, which is the simplest questionnaire, covering merchants who outsource all cardholder data functions to a PCI-compliant third party like QuickBooks Payments.
    • Confirm your SAQ type by reviewing the PCI Security Standards Council’s guidelines or consulting with QuickBooks Payments support, as the SAQ depends on how you handle card data (e.g., no storage, no manual entry).
  2. Download the SAQ A and AOC:
    • Visit the PCI Security Standards Council website (www.pcisecuritystandards.org) to download the SAQ A (v4.0) and the corresponding Attestation of Compliance (AOC). These are free and publicly available.
    • SAQ A consists of approximately 24 yes/no questions, many of which may be marked “N/A” if you solely use QuickBooks Payments for processing and do not store, process, or transmit cardholder data yourself.
  3. Complete the Self-Assessment Questionnaire (SAQ A):
    • Review your credit card handling practices to ensure compliance with PCI DSS requirements. For QBO users, this typically involves:
      • Confirming you do not store credit card numbers (e.g., on paper, email, or internal systems). QuickBooks Payments handles all card data securely with encryption and tokenization.
      • Ensuring your systems (computers, networks) are secure with updated antivirus software, strong passwords, and restricted access to sensitive data.
      • Verifying that customers enter payment details directly through QuickBooks’ secure payment links, and you do not manually process or view card information.
    • Answer the SAQ questions honestly, marking “N/A” for requirements that do not apply (e.g., storing cardholder data).
    • If you’re unsure about any requirements, refer to the PCI SSC’s SAQ Instructions and Guidelines (available on their website) or contact QuickBooks Payments support for clarification.
  4. Sign the Attestation of Compliance (AOC):
    • After completing the SAQ, fill out and sign the AOC to certify that your business meets the applicable PCI DSS requirements. This document confirms your compliance status.
    • Ensure all relevant sections of the AOC are completed, including details about your business and the SAQ type used.
  5. Submit the SAQ and AOC to Intuit:
    • Intuit accepts self-completed SAQs and AOCs directly from customers, though the exact submission process is not always clearly outlined in their documentation.
    • Contact QuickBooks Payments Support to confirm how to submit your SAQ and AOC. You can reach them via:
      • Phone: Check the QuickBooks Payments support page for the current number (available under “Contact Payments or Point of Sale Support”).
      • Chat: Access the chat link from the same support page or within your QBO account under “Help” or “Settings” > “Payments.”
    • Ask for specific instructions on where to send the completed SAQ A and AOC (e.g., via email, a portal upload, or another method). Some users report difficulty finding a direct submission method, so persistence with support may be necessary.
    • Do not rely on third-party services like SecurityMetrics unless you prefer their assistance, as they charge fees (e.g., $85–$375 annually) for services you can perform yourself for free.
  6. Review and Maintain Compliance:
    • PCI compliance is an ongoing process, requiring annual reassessment and submission of an SAQ and AOC.
    • Regularly review your payment processes to ensure you continue to meet SAQ A requirements, such as:
      • Avoiding manual storage or entry of cardholder data.
      • Keeping your systems secure (e.g., updated software, secure networks).
    • Train staff on secure payment handling practices to minimize risks, even if you don’t directly handle card data.
  7. Address Common Concerns:
    • Emails from SecurityMetrics or Intuit: You may receive emails from Intuit or their partner, SecurityMetrics, urging you to sign up for their PCI compliance services. These services are optional for Level 4 merchants who can self-certify using SAQ A. If you only use QuickBooks Payments and don’t handle card data, you can disregard these emails and self-certify instead.
    • No Card Data Handling: If you only send invoices through QBO and customers pay via secure links, your PCI compliance burden is minimal because QuickBooks Payments is already PCI compliant, handling all card data securely. However, you must still complete the SAQ to confirm your environment (e.g., devices, network) is secure.
    • Disabling Credit Card Payments: If you don’t need to accept credit cards (e.g., you only take checks or ACH), you can disable QuickBooks Payments to avoid PCI compliance requirements entirely. Contact QuickBooks Support to deactivate the Payments feature.
Key Notes
  • QuickBooks Payments is PCI Compliant: Intuit’s payment processing system uses encryption and tokenization, meeting PCI DSS standards. However, as a merchant with an active QuickBooks Payments account, you are responsible for ensuring your overall environment complies, even if you don’t directly handle card data.
  • Avoid Unnecessary Fees: SecurityMetrics and similar vendors may charge for compliance services, but for most small businesses using QBO Payments, self-certifying with SAQ A is sufficient and free.
  • Potential Risks of Non-Compliance: Failure to comply could result in fines, penalties, or suspension of payment processing capabilities if a data breach occurs, even if QuickBooks handles the transactions. Completing the SAQ A mitigates this risk.
  • Contact Support for Clarity: If you’re unsure about your requirements or submission process, QuickBooks Payments Support can guide you. Be persistent, as some users report vague or inconsistent responses.
Additional Resources
If you don’t handle or store credit card data and only use QuickBooks Payments for invoicing, completing SAQ A and submitting it to Intuit should suffice. If you encounter issues or need further assistance, let me know, and I can help clarify or guide you through next steps!
Nora1215
Level 1


This information is all great but HOW do I self certify in QuickBooks online?

KileyRoseCa
Level 1


Anyone ever get a response as to where to send this? 
