Level 1

How can I confirm/verify my PCI DSS compliance to QB without using a 3rd party such as SecurityMetrics. I should only need SAQ-A and Attestation of Compliance.

Actually, this website outlines what forms we may have to fill out:
https://www.onetrust.com/blog/what-is-a-pci-dss-self-assessment-questionnaire/

This one looks like it likely applies to me:

SAQ C-VT

Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based, virtual payment terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to ecommerce channels.

 

This is a 10 page form, which can be found here:
https://www.pcisecuritystandards.org/search/#?cludoquery=SAQ&cludopage=1&cludoinputtype=standard

Now just awaiting an answer from [email address removed] about if I can submit an SAQ C-VT or SAQ-A and where to submit it.

quality testing
Level 1

Is the Security Metrics compliance requirement asking for payment a scam or not?

Jelayca V
QuickBooks Team

Engaging SecurityMetrics for compliance support is not a scam; rather, it serves as a valuable resource to streamline your PCI compliance process, @quality testing.

 

Intuit has partnered with SecurityMetrics, a leader in PCI compliance, to help QuickBooks users simplify and meet PCI requirements. 

 

While SecurityMetrics does charge an annual fee for their services, this fee is standard for assisting merchants in meeting PCI compliance requirements.

 

It's important to note that Intuit’s partnership with SecurityMetrics ensures that you’re working with a reputable provider, but you're not limited to SecurityMetrics alone for compliance solutions.

 

You can refer to these resources that answer frequently asked questions about the partnership between Intuit and SecurityMetrics for the PCI compliance process:

 

 

Don't hesitate to click the Reply button below if you have further questions or concerns about PCI compliance. We're always looking forward to assisting you. Take care. 

Zagone
Level 1

As the QuickBooks Team says, it's not a scam.

 

That said, they are being really dodgy about the necessity of this.

 

See my post above on what forms I think we need to file to be in compliance.

 

I said:  "Now just awaiting an answer from [email address removed] about if I can submit an SAQ C-VT or SAQ-A and where to submit it."

 

That was in late September -- they never answered me.

 

I wrote:

~~~~

Dear Intuit PCI Compliance Team:

I am aware that I can submit an SAQ form to Intuit.

a) Where is the proper place for me to submit this form?

I process credit cards through your MerchantCenter portal website ( https://merchantcenter.intuit.com ) and any stored credit card information is stored in paper form offline.

To me, this looks like I can use the SAQ C-VT form.  There is an outside chance I might need the SAQ-A although I don't believe so.

b) Do you want me using the SAQ C-VT, SAQ-A, or some other PCI self-certification method?

~~~

If I can ever get an answer to the above email (I am resending it today), I will "happily" file the proper compliance paperwork with whatever is the correct place within Intuit.

 

-- Zagone

Zagone
Level 1

This now 1-2 year-old game gets really old.  Last I checked, there are multiple threads on this topic.

 

As the original poster in 2023 stated:

 

"I manage very few credit card transactions and they are all handled exclusively through QB Payments with no website e-commerce. QB is trying to tell me that I'm not PCI compliant and they want me pay SecurityMetrics to verify my compliance, but the PCI website says I can self-assess using SAQ-A and an AOC. I don't know how to submit this to QB without using the 3rd party."

 

I would add the SAQ-C-VT form as a possibility for many very small businesses.

 

At this point, I have multiple email addresses and contact points for Intuit including for the compliance team for this issue.  I'm not going to pay a security contractor for something I don't need and for which I can self-certify (like I do with another credit card processing company I'm forced to use for other purposes).

 

For that matter, I won't be allowing a security contractor through my firewall to scan my laptop for the credit card information that they won't find on it as I don't need another potential security breach for my client medical data even if said contractor might sign a HIPAA BAA subcontractor form to keep the medical data safe.  Just too many hacks these days.

 

As long as I can't get a straight answer on where to send the self-certification, I won't be filling out one of these onerous forms to send into the void of non-response.

 

So I will continue to get threatening emails from Intuit for being in non-compliance, directed to a security compliance firm I don't need, then ghosted when I try to find out how to self-certify and where to send it.  I hope Intuit does not close my account over this, but then I do have another credit card processing company I don't like that I can continue with anyway.

 

-- Zagone

Zagone
Level 1

Hi QuickBook Team:

 

Can you answer these questions:

 

1) Do you want me using the SAQ C-VT, SAQ-A, or some other PCI self-certification method?

 

2) Where do I send the form?

 

I use your online terminal at merchantcenter.intuit.com, and store any credit card numbers offline in paper form.

 

Your online webpage guides do not answer these questions.

 

Thanks

Zagone
Level 1

QuickBooks Team:

 

Can you answer these questions?

 

I use the online terminal at merchantcenter.intuit.com and store any credit card numbers in paper format offline.

 

Your online guides do not address this:

 

1) Do you want me using the SAQ C-VT, SAQ-A, or some other PCI self-certification method?

2) Where do I submit said forms?

 

Thanks

MorganB
Content Leader

Thanks for following up on this thread, Zagone.

 

I'm happy to point you in the right direction for self-certification in QuickBooks Merchant Services.

 

In this instance I recommend reaching out to a member of the QuickBooks Payments Team for the best info. Agents have specialized tools to take a more in depth look at your account and offer the best advice regarding your questions about the forms and where to submit them. Here's how to get in touch with the team:

 

1. Sign in to your QuickBooks Online company.
2. Go to (?) Help.
3. Select Contact Us, then select a topic to connect with the right expert.
4. Choose your preferred way to connect.

 

The following article provides additional info about contacting Payments Support.

 

Please feel free to reach back out in the comments below if you have any other questions. I'll be here to help in any way that I can.

Zagone
Level 1

Morgan and Team:

 

Thank you for your response.  I understand you are trying to be genuinely helpful.

 

So here is what happens when I follow that advice:

 

I eventually find my way to this webpage:

https://quickbooks.intuit.com/learn-support/en-us/help-article/mobile-apps/contact-payments-point-sa...

 

On this webpage, the correct option for me is:

 

QuickBooks Payments

M-F 6 AM to 6 PM PT

 

TRY #1: When I try to pick this chat option, a new browser window opens up and I am taken to an endless loop of asking me to sign in again and again and again...

 

TRY #2: Okay, so the next option given is to call Intuit Support at 800-446-8848.  Option #6 is the one for online and merchant services.  When I pick option #6, I am handed to a virtual assistant.  When I make the mistake of telling the virtual assistant that "she" can email me information, I am emailed this link:

 

https://quickbooks.intuit.com/learn-support/en-us/help-search?q=how%2Bdo%2Bi%2Bself%2Bcertify%2Bwith...

 

This link consists of the usual help pages your team has already provided (which don't help), as well as links to this community support center!! 

 

Not helpful.

 

TRY #3:  When I call the virtual assistant back again, "she" is intelligent enough to see I have called before on this issue and to pass me along to a human operator.

 

The poor human operator (after collecting LOTS of identifying info on me) puts me on hold several times to search her database for what to do with me.

 

The only option available is for me to call Security Metrics!  No information is available to her as to what self-certification form I can fill out or where to send it.

 

I believe Security Metrics is $195 (from other posts). 

 

I have not yet decided if I am going to bother calling Security Metrics to ask them how I can NOT hire them and still complete this process.

 

I think I'm done with this for now.  What a waste of my time and goodwill.

SisterJudith
Level 3

Here is what I found, and I suspect it will be helpful for many of you.

[Disclaimer: I'm not a legal professional, and the following is my opinion for informational purposes only.  Please research to determine if this solution will work for you.]

 

1. A Key Thing To Know

Even though we contend we never have custody of payment information, we have to go through the due diligence to make sure there are no areas that we might miss that could make us non-compliant.  Seriously.

 

2. Depending on your situation, you may be able to complete a SELF-ASSESSMENT.

 

3. I recommend reading PCI Security Standards Council's publication - Payment Card Industry (PCI)

Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

 

There is a 'test' to determine whether you're eligible to do a self-assessment (Found on page 3 of their pdf).

 

Merchant certifies eligibility to complete this shortened version of the Self-Assessment Questionnaire because, for this payment channel:

  • Merchant accepts only card-not-present (e-commerce or mail/telephone-order) transactions;
  • All payment acceptance and processing are entirely outsourced to PCI DSS validated third-party service providers;
  • Merchant has no direct control of the manner in which cardholder data is captured, processed, transmitted, or stored;
  • Merchant does not electronically store, process, or transmit any cardholder data on merchant systems or premises, but relies entirely on a third party(s) to handle all these functions;
  • Merchant has confirmed that all third-party(s) handling acceptance, storage, processing, and/or transmission of cardholder data are PCI DSS compliant; and
  • Merchant retains only paper reports or receipts with cardholder data, and these documents are not received electronically.

Additionally, for e-commerce channels:

  • The entirety of all payment pages delivered to the consumer’s browser originates directly from a third-party PCI DSS validated service provider(s).

 

 

 

SisterJudith
Level 3

Here is what I found, and I suspect it will be helpful for many of you.

[Disclaimer: I'm not a legal professional and the following is my opinion for informational purposes only.  Please research to determine if this solution will work for you.]

 

1. A Key Thing To Know

Even though we contend we never have custody of payment information, we have to go through the due diligence to make sure there are no areas that we might miss that could make us non-compliant.  Seriously.

 

2. Depending on your situation, you may be able to complete a SELF-ASSESSMENT.

 

3. I recommend reading PCI Security Standards Council's publication - 

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

 

There is a 'test' to see if you're eligible to do a self-assessment.  (Found on page 3 of their pdf).

 

Merchant certifies eligibility to complete this shortened version of the Self-Assessment Questionnaire because, for this payment channel:

  • Merchant accepts only card-not-present (e-commerce or mail/telephone-order) transactions;
  • All payment acceptance and processing are entirely outsourced to PCI DSS validated third-party service providers;
  • Merchant has no direct control of the manner in which cardholder data is captured, processed, transmitted, or stored;
  • Merchant does not electronically store, process, or transmit any cardholder data on merchant systems or premises, but relies entirely on a third party(s) to handle all these functions;
  • Merchant has confirmed that all third party(s) handling acceptance, storage, processing, and/or transmission of cardholder data are PCI DSS compliant; and
  • Merchant retains only paper reports or receipts with cardholder data, and these documents are not received electronically.

Additionally, for e-commerce channels:

  • The entirety of all payment pages delivered to the consumer’s browser originates directly from a third-party PCI DSS validated service provider(s).

 

4. A key section is 

 

Zagone
Level 1

SisterJudith -- Thank you.  This is useful.

 

So once we have determined we can self-certify, then the question becomes where do we submit that form?

 

1) I have the PCI Compliance Team email address at Intuit.  Since they never respond to anything I send them, I'm not going to bother with the form unless I know they will do something with it.

 

2) An alternative is to call Security Metrics.  I can envision how that conversation would go:  "Hi Security Metrics, I'm not hiring you or paying you a single dime.  Please give me information about where within Intuit you submit your compliance reports.  Oh -- and can you also confirm I have figured out the right form during my readings on the subject?"

 

So SisterJudith's information is useful, and I'm sitting this one out until something changes.

 

-- Zagone
