Hello there, ROC Vox. I'm here to share some information about QuickBooks Payment Card Industry Data Security Standard (PCI DSS) compliance. Let me elaborate on them for you.
PCI compliance helps protect your business and customers from theft and fraud. It ensures the security of customer payment details when accessed through your merchant account. Even though you don't store their data, there is still a risk of unauthorized access through your devices and internet connection, which can introduce security vulnerabilities.
Importantly, please note that all merchants that accept credit or debit cards are required to be PCI compliant. The PCI DSS is a list of practices merchants must follow to accept payment cards. This includes how to securely handle, process, and store sensitive payment card data.
All merchants are also required to complete a Self-Assessment Questionnaire (SAQ). The required SAQ depends on how you store, handle, and process card data. For more details about these requirements, I recommend reading through these resources:
Please don't hesitate to get back to me by leaving a comment below if you have further questions about PCI compliance. I'll be sure to get back to you. Have a good day!
I used to accept payments via Square and never had to do anything different. This is still not clear to me - is this something I will have to buy extra? I will go back to Square if so. I moved to QB online from Desktop to avoid using two systems for invoicing. Or I can just use PayPal. I don't want to have to upgrade to something else. The links you included are still very confusing to me. It's not clear.
I understand that paying an additional fee for something that you don't expect isn't the right thing to do. Let me add some details about this, ROC.
Intuit and our products are on the PCI Security Standards Council website as compliant. While QuickBooks applications are secure, other applications on your local computer/network can compromise the security of your environment. The use of QuickBooks Payments services doesn’t mean you’re already PCI compliant. Only the pieces of the transaction processing chain are compliant.
The PCI DSS is a list of practices merchants must follow to accept payment cards. This includes how to securely handle, process, and store sensitive payment card data. Therefore, Intuit has partnered with SecurityMetrics to streamline the PCI compliance validation process. SecurityMetrics charges an annual fee to merchants. If you choose to use SecurityMetrics, you need to create an account with them. After you complete SecurityMetrics’ FastPass, you can purchase the PCI package that best suits your needs. From there, complete SAQ, then set up your scans. To get started with PCI service and protection, you'll want to sign up for an account. Follow the steps outlined below:
You can also visit our website or the PCI Security Standards website for more information. For more details, learn from the most frequently asked questions about PCI: Frequently Asked Questions About QuickBooks PCI Compliance.
Reach out to us if you need anything else about PCI. Please know we're always right here to help you. Have a nice day!
ROC -
Here's the funny thing that QB will NEVER tell you since they're partnered with SecurityMetrics... Filling out the SAQ-a (which is what most of us small business owners will need) is completely free... You can confirm this by calling the PCI Standards group (https://www.pcisecuritystandards.org/contact_us/) and picking '1' once the messaging starts. Once you're satisfied that we don't need the jokers over at SM, go to https://www.pcisecuritystandards.org/search/#?cludoquery=saq&cludopage=1&cludoinputtype=standard and pick the form you need. Once you've filled that out, just keep it on hand in case something goes horribly awry. (I'm on a chat now with one of the reps from QB Payments and that's what she confirmed - just keep it on hand).
Take note of the part posted by a QB Employee, that states
"Importantly, please note that all merchants that accept credit or debit cards are required to be PCI compliant."
You're not a merchant. QB is.
I ended up doing the $88 per year thing and so therefore I can cancel that for next year and just maintain my questionnaire? All of this is so far over my head it's annoying.
My concern with this is I tried to set this up and went through the steps and when it asks to send you an email to verify you are who you say you are, it never sends the email. I have also received emails from some automated system from security metrics to ask that we become PCI compliant but when you respond to the emails, it goes to a no-reply email and it won't send. These events make me feel like the PCI stuff with security metrics is a load of BS.
If it is not a load of crap then security metrics needs to get their stuff together. I find it hard to believe that someone who wants us to be compliant with something can't update their stuff to make it look a little more legit.
QuickBooks just seems as though they want more money every year. Why weren't we also notified of this when setting up the QB account? I feel like this is something that should be mentioned and discussed for you to maintain yearly.
And as it's been stated by others, QB is the one processing the CC information that the customers put in on their end. We are not entering in these customers cards or information. I do not store their information at all.
I'm here to address your concern with PCI compliance and Security Metrics, @LinkMech. Also, ensure you'll receive the email to verify your information.
Emails from the SecurityMetrics system can go to the no-reply email because the system is set up to send automated notifications without expecting replies. This is to prevent unauthorized access or phishing attempts and ensure data security and compliance with email communication protocols.
As for your concern about not receiving the verification email, please check your spam/junk folders and ensure that you entered the correct email address. If you still don't see it, please contact Security Metrics Support for assistance.
Here's how:
Moreover, if you have a merchant account that you can log in from a browser, you need to be PCI compliant even if you don't process your customer's credit card information. Your customer's credit card credentials are stored in your merchant account.
Also, you can visit the FAQs about QuickBooks Compliance page to get detailed information about the requirements, guidelines, and clarifications on compliance services.
If you need more support with PCI Compliance, feel free to reach out. We're here for you every step of the way. Have a good one.
This is super helpful. QBO is not.
How and where does one submit a completed SAQ? Every single communication from/with Intuit sidesteps this information, instead directing you to "just sign up with our vendor!" So sick of QBO.
@Clarification: @MikeMcGvo comments were very helpful... again, QBO is not.
I don't accept credit cards. I don't ask for, accept or retain credit card numbers. I do not have a POS device, or a way to process a credit card online. I have none of the information that would need to be kept. I DO allow clients to pay via credit card online ONLY IF they request it. That process is solely performed by Intuit/Merchant Services, and they do not share any of that data with me (no credit card numbers / exp dates or special secret numbers). The only people who have access to my Intuit account are myself and my bookkeeper, both of whom have secondary authentication (texts to my phone when trying to access and the same for my bookkeeper) to access my Intuit account. I have read the documents provided by Intuit, and it would appear that I don't; unfortunately I cannot get an Intuit rep to actually give a response that isn't "You have to use a paysite to determine."