karen.duncan434@
Level 1

Self Assessment questionnaire PCI compliance

Where do I find the self-assessment questionnaire for PCI compliance? I have called merchant services and they know nothing, yet I continue to receive emails to pay for a service.
30 Comments
JamaicaA
QuickBooks Team

Self Assessment questionnaire PCI compliance

It's nice to see a new face here, @Karen.d. 

 

Thank you for your interest in finding a self-assessment questionnaire for PCI compliance. I'll share more details to help you manage your local security environment.

 

PCI DSS standards are required for all merchants that accept credit or debit cards. If you accept these via the QuickBooks site, you need to be PCI compliant. 

 

First, create an account with SecurityMetrics to streamline the PCI compliance validation process. After finishing it, you can purchase the PCI package and complete an SAQ.

 

  1. Select Sign Up, then fill out all the fields on the Create Account page.
  2. Select Create Account, then follow Intuit FastPass to determine your PCI compliance requirements.
  3. Select Next, then select a security package that best fits your business.

 

To know more about PCI DSS compliance, please see this article: Learn about the PCI DSS Compliance Services.

 

See this guide for the FAQs along with tools and services included in the QuickBooks PCI Service: Learn about QuickBooks PCI Service.

 

If you have other concerns about your QuickBooks account, please don't hesitate to let me know in the comments below. I'll gladly help. Take care.

Fiat Lux - ASIA
Level 15

Self Assessment questionnaire PCI compliance

karen.duncan434@ 

I know someone went through it entirely themselves to see how their paid version and you-do-it version compare to our free version and our we-do-it-for-you version. Here’s the breakdown of Intuit’s new mandatory PCI compliance process; buckle in, because it’s a lot of info for your benefit:

Security Metrics PCI Test Review:
The initial self-assessment questionnaire is moderately the same as other payment processors do, but would be difficult for someone unfamiliar with this type of tech-heavy question, as SecurityMetrics doesn’t help guide you through this process unless you buy the $195/year package.

 

Once the self-assessment questionnaire is complete, you’ll be led to the paywall where you must purchase one of the packages above. Unless you opt for the $195/year Intuit Managed package, you’ll be completing everything by yourself with little to no guidance.

You’ll answer another 40 or so questions on top of the 50+ you answered in the self-assessment. If these are answered incorrectly, you’ll either instantly be flagged as non-compliant or your upcoming scan will fail and that too will mark you as non-compliant, which leads to more monthly fees hitting your account.

For the scan you’ll need to know your IP address and input it, then pick a date within the next quarter to run this scan. If you want to scan another time for a separate IP address your business may have, it will cost $129 per extra quarterly scan, which brings you to $516 per year plus whichever package you bought earlier while setting up the account.

SecurityMetrics does have a good feature of telling you what you need to do to become compliant, but they don’t tell you how to do it (unless you purchase Intuit Managed PCI Pro at $195). There’s a lot to keep track of and answer, all while many important questions cannot be re-answered if you answered them incorrectly.

If you don’t feel like doing it yourself at the $85 initial cost, or being guided through it at $195, they have a separate yearly package that will do almost everything for you to attain compliance, for a steep price of $670. Another option you should consider is having a third-party merchant service provider integrate with QB. Everything listed above, one provider does for no extra cost; it is built into their $30 fixed fee for newly boarded merchants for the entire duration of their time with them.

 

mattp42-bellsout
Level 2

Self Assessment questionnaire PCI compliance

Can I complete the self assessment questionnaire from the PCI standards website, and send it to Quickbooks without paying for this service? I am SAQ-A.

DebSheenD
QuickBooks Team

Self Assessment questionnaire PCI compliance

Hello there, @mattp42-bellsout. Let me share some insights regarding compliance with QuickBooks Payment Card Industry Data Security Standard (PCI DSS).

 

PCI compliance is vital for protecting your business and customers from theft and fraud. Major payment card providers like Visa, MasterCard, American Express, and Discover require annual PCI compliance for businesses that handle card data. Whether you accept, store, or transmit payment card data, PCI compliance is mandatory.

 

In regards to your question, I recommend contacting SecurityMetrics to verify whether you need to subscribe or not. The steps below will walk you through the process.

 

  1. Go to this link: SecurityMetrics.
  2. Select Sign Up. Fill out all the fields on the Create Account page.
  3. Click Create Account. Then, follow Intuit FastPass to determine your PCI compliance requirements.
  4. Hit Next. Then, select a security package that best fits your business.

 

Check out this article for more information about the requirements, how to deal with it, and how to be compliant: Learn about QuickBooks PCI Service

 

Here's more information about accepting electronic customer payments for online invoices and in-person sales: Take and process payments in QuickBooks Online with QuickBooks Payments

 

Let me know if you need further information about the PCI compliance. I'm always here to answer them for you. Keep safe, and have a wonderful day!

mattp42-bellsout
Level 2

Self Assessment questionnaire PCI compliance

After doing my own research: if you use QBO to send invoices, and they handle all credit card information and you have no access to client payment information, then you absolutely DO NOT need this PCI certification. In this case, QuickBooks is the one that needs the PCI certification, not your business. Do not sign up for the SecurityMetrics thing if this is your situation. It will be a complete waste of money.

 

I am posting here in case anyone else is in the same situation.

Martissa Spencer
Level 1

Self Assessment questionnaire PCI compliance

You did not answer @mattp42-bellsout's question. Where do I verify my PCI compliance? I don't need a third-party service. I have the SAQ A. Where do I turn it in to QB?

MirriamM
Moderator

Self Assessment questionnaire PCI compliance

Hi there, Martissa.

 

Welcome to the thread. I'm here to answer your query.

 

If you already have PCI Compliance services with a company other than SecurityMetrics, you'll receive an email to ignore prior emails about signing up to be PCI Compliant.

 

You may also consider contacting our Merchant Team for more detail on how to verify your PCI compliance when you have the SAQ A.

 

To reach them, click the Chat with us link or get the phone number in this article: Contact Payments or Point of Sale Support. Then, go to the QuickBooks Payments section.

 

Please don't hesitate to comment below if you have other concerns. I'll be right here to provide additional assistance. Keep safe!

Martissa Spencer
Level 1

Self Assessment questionnaire PCI compliance

This did not answer the question on how to verify my PCI compliance if I don't want to use a third-party vendor. I wish you would answer my questions.

1) Where is the SAQ A questionnaire? Meaning, where do I get one?

2) How do I turn in my SAQ A questionnaire to QB once I have completed it?

3) Will turning in that questionnaire to QB mean that I am verifying my PCI Compliance?

 

Martissa Spencer

bellabella
Level 2

Self Assessment questionnaire PCI compliance

I also use a QuickBooks mobile card reader at events. I assume that I also do not need separate certification, since the customer inserts the card in the card reader and sends the card data through the GoPayment app. I never touch or see the card.

Misty_Moss
Level 1

Self Assessment questionnaire PCI compliance

What IP address are they specifically wanting, when setting up PCI. It asks me to "Enter the target(s) (IP address or Domain) you need scanned here." 

What are they asking for and where do I find it?

Adrian_A
Moderator

Self Assessment questionnaire PCI compliance

Hello Misty,

 

You'll have to enter the IP address of the device you'll be setting up for the merchant services. 

 

To locate the IP address, you can follow these steps:

 

  1. Press the Windows button on your keyboard.
  2. Enter and select Settings.
  3. Click Network & Internet.
  4. On the Find a setting field, type in Properties.
  5. Click View your network properties.

 

Moreover, you can check this article to learn more about PCI compliance: Learn more about QuickBooks PCI Compliance.

 

Keep me posted whenever you have concerns about merchant services.
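The "target" field asks for the address an external vulnerability scan will be aimed at. A PCI ASV scan is launched from the internet, so the target has to be a globally routable IP address or a public hostname (for most small merchants, the public address the ISP assigns to the office router, or the hostname of a hosted site). The address that Windows shows under "View your network properties" is the machine's address on the local network, almost always a private 192.168.x.x or 10.x.x.x one that a scanner on the internet cannot reach, so entering it produces a failed or empty scan. The Python helper below is added here as an illustration; it is not code from this thread, from Intuit or from SecurityMetrics, and it only classifies candidate targets so a private, loopback, link-local or malformed entry is caught before it is submitted. The sample targets are constructed, and 8.8.8.8 merely stands in for any public address.

```python
import ipaddress
import re

# Constructed sample targets (not from the thread): what a merchant might
# paste into an "Enter the target(s) (IP address or Domain)" field.
SAMPLE_TARGETS = [
    "192.168.1.25",      # what Windows "View your network properties" typically shows
    "10.0.0.7",          # another RFC 1918 private address
    "127.0.0.1",         # loopback
    "fe80::1",           # IPv6 link-local
    "8.8.8.8",           # a real public address, used only as a stand-in
    "shop.example.com",  # a public hostname (assumed to resolve to a public IP)
    "not a target",      # junk
]

# Loose RFC 1123 hostname check: dotted labels of letters, digits and hyphens,
# at least two labels, no leading or trailing hyphen. Enough to tell a domain
# name from junk; it does not prove the name resolves.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+\.?$"
)


def classify_target(target: str) -> str:
    """Classify one scan-target entry.

    Returns one of:
      'public-ip'   globally routable address; usable as an ASV scan target
      'private-ip'  RFC 1918, loopback, link-local, CGNAT, reserved or
                    documentation range; unreachable from the internet
      'hostname'    syntactically valid domain name; usable if it resolves
                    to a public address
      'invalid'     neither an address nor a hostname
    """
    text = target.strip()
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return "hostname" if _HOSTNAME_RE.match(text) else "invalid"
    # ipaddress.is_global is False for every IANA special-purpose range,
    # which covers all the non-routable cases listed above.
    return "public-ip" if addr.is_global else "private-ip"


def usable_scan_targets(targets):
    """Keep only entries an external scanner could actually reach."""
    return [t for t in targets if classify_target(t) in ("public-ip", "hostname")]


if __name__ == "__main__":
    for t in SAMPLE_TARGETS:
        print(f"{t:20} -> {classify_target(t)}")
    print("usable:", usable_scan_targets(SAMPLE_TARGETS))
```

Running it on the constructed list keeps only `8.8.8.8` and `shop.example.com`; every address the Windows steps would surface on a typical office LAN is rejected as `private-ip`. If you do not know your public address, the usual ways to find it are the WAN status page of your router or asking your ISP; whatever you enter should be the address of the system that actually faces the internet, since that is what the scan will probe.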

JO118
Level 1

Self Assessment questionnaire PCI compliance

I have read through this community question regarding a Self-Assessment for PCI Compliance but I see no direct answer from Quickbooks. It would be helpful to provide the specific steps to complete a self-assessment for PCI Compliance that does NOT require a third party like SecurityMetrics, who will charge me regardless of whether I require their services or not. It seems to me, as a long-time loyal QB customer, who pays an annual significant amount for merchant services to process payments through the invoice feature, that QB holds the compliance requirement. I do not see, store or retain any credit card info for my business, rather payment is processed via QB directly by the customer. So, in this specific scenario, my question is: WHAT AM I LEGALLY REQUIRED TO SUBMIT, AND TO WHOM, TO SHOW PCI COMPLIANCE? If QB could provide a checklist that I may affirm and sign and submit to QB, would that cover it? And who is the authority who can hold us accountable to this compliance? Thank you for any NEW insight from anyone on this thread ...!

P.S. I have had absolutely no luck with SecurityMetrics following up with now two scheduled calls. 

Just_me
Level 11

Self Assessment questionnaire PCI compliance

QB will just tell you you HAVE to be compliant and will likely tell you to reach out to Security Metrics, because that is who they have the contract with. 

The reason they are telling everyone that they have to be compliant, is because THEY are the ones that have to be, but they don't want to pay for it, so they are making everyone else. 

cody_a
Moderator

Self Assessment questionnaire PCI compliance

Thank you for reaching out regarding PCI compliance and how it intersects with QuickBooks Payments. We understand the importance of PCI compliance as it pertains to credit card processing and the potential risks associated with non-compliance.

As a payment processor, QuickBooks Payments follows the PCI Security Standards Council guidelines to maintain PCI compliance for its platform. However, use of QuickBooks Payments services does not mean you’re already PCI compliant, just that pieces of the transaction processing chain are compliant. As a merchant, you are responsible for ensuring your business is compliant with the PCI DSS requirements.
In general, PCI compliance is not a one-time event but is an ongoing process that requires review and validation annually.

For merchants who use QuickBooks Payments, the process of PCI compliance includes completing a self-assessment questionnaire (SAQ).
QuickBooks Payments does not provide a checklist or questionnaire for self-assessments.

Regarding your question on who will hold you accountable for this compliance, the Payment Card Industry Security Standards Council is responsible for managing the compliance standards that all businesses must meet in order to accept payment cards. This association requires payment processors and merchants to certify their compliance annually. The SSC provides guidance on how to comply with their standards on their website.

Here are some additional resources:
Learn more about QuickBooks PCI Compliance
Learn more about the PCI DSS Compliance Services

 

We hope this information is helpful. If you require further assistance, please contact QuickBooks Payments support, and they will be happy to assist you.

Just_me
Level 11

Self Assessment questionnaire PCI compliance

Delete it all you want, but NO ONE has to use SecurityMetrics. There are TONS of other companies out there that you can use.

Also, if QB customers DON'T take or handle credit cards, there is NO reason for them to need to be compliant.

Weigandi
Level 1

Self Assessment questionnaire PCI compliance

I have the same question. I am inundated by emails and phone calls from SecurityMetrics, but I understand that I can do a self-assessment instead. Except I cannot find any information on that.

MelroseV
QuickBooks Team

Self Assessment questionnaire PCI compliance

Thank you for joining this thread, Weigandi. I assure you I can help you find your self-assessment questionnaire.

 

Intuit has partnered with SecurityMetrics, a leading PCI service provider, to help merchants securely handle, process, and store payment card data.

 

First, signing up with SecurityMetrics simplifies the PCI compliance validation process. Once done, you'll receive the self-assessment questionnaire in your email.

 

Here's how:

 

  1. Select Sign Up, then fill out the information needed.
  2. Click Create Account, then follow the Intuit FastPass to determine your PCI compliance requirements.
  3. Select Next, then click the security package that best fits your business.

 

If you have questions about the self-assessment, you can check the phone number in this article: Learn about the PCI DSS Compliance Services.

 

You can also check this article to learn more about PCI Compliance: Learn about QuickBooks PCI Compliance.

If you have other concerns besides the self-assessment, you can click the comments below. Stay safe and have a good one!

marvelglassllc
Level 3

Self Assessment questionnaire PCI compliance

Thank you SO much for posting this. This whole SecurityMetrics/PCI compliance thing just hit me out of nowhere and I've been pretty stressed about it. I only got to this thread trying to figure out where I find my IP address or "target" when I began the questionnaire, after receiving a threatening email that I had a week to complete it.

Just so I'm clear on your message in this thread: I do NOT store or take any of my customers' credit card information, EVER. I simply send them an invoice that accepts ACH transfer, and on the rare occasion a customer requires payment by credit card, I change the setting so they can make the payment that way. Nothing is stored and I don't see any of their info. So are you saying I can disregard this whole questionnaire/PCI compliance thing and my customers will still be able to pay their invoices using their cc information on the rare occasions?

Thank you!

JO118
Level 1

Self Assessment questionnaire PCI compliance

Same situation for me: I don't store anything, don't even see the numbers, as it is all invoiced and paid directly through QB Online. I had a helpful conversation with a representative from SPI (the QB-approved vendor) who explained the requirements and options. For me it was definitely worth the 20-minute conversation, and he was very patient with all my questions. As a small business owner, I consistently ask lots of questions before spending money, so I don't do so unless it has a real, vetted, and specific purpose. In this case, I opted for the minimum required option (less than $100 annually), as I decided it is a good "peace-of-mind" cost for me, and I can add that security logo to my website to extend that assurance to my clients. In fact, the representative walked me through the questionnaire step by step, to explain each "feature," what it meant, and whether it was relevant for my purposes.

Anne16720
Level 3

Self Assessment questionnaire PCI compliance

We were PCI compliant long before ever signing onto Intuit Merchant Services. We renew our certificate of compliance with another company every year. And we retain the Intuit questionnaire on file to prove Intuit's PCI compliance.

However, we continue to get emails from SecurityMetrics every year with the news "Currently you are not being reported as 'Compliant', but we can help with that." Who is reporting us as non-compliant? Intuit?

Then we get an automated email from Intuit stating that if we are already PCI compliant, no action is required. Why can we not prove our compliance and get into a status of compliant, so we do not have to be badgered with these annual warnings that seem almost threatening? If you are going to partner with a specific company, then you need to let them know which of your customers are compliant so they leave us alone. PLEASE!!

Anne16720
Level 3

Self Assessment questionnaire PCI compliance

If they are so worried about our compliance, then they should reach out and provide a method where we can prove our existing PCI compliance. I personally do not have the time or patience to go through this with the reps there only to come up to a dead end. Just let us know where to email, post or mail in our proof of compliance. And get us off the list of non-compliants getting emails from your partner company SecurityMetrics. If you are partners, then SecurityMetrics should know that we are compliant and not send out emails saying our current status is not compliant. That is a lie, and who gave them this information?

Just_me
Level 11

Self Assessment questionnaire PCI compliance

I know there is a post that said something about where you can send your compliance info. If I find it, I'll post it here. But you DON'T need to prove to SecurityMetrics that you are compliant. They are just bullies.

AppliedPower
Level 1

Self Assessment questionnaire PCI compliance

Hey Matt,

I was wondering the same thing. I use QB Desktop and all my invoicing goes through QB; payments that are received are received through QB, as I do not personally input any card numbers or take transactions face-to-face. Were you able to find where it says that you do not need the PCI certification in this case, so I can print it for my own records? I was thinking this was also a waste, or them pushing for more money. Thanks!

cheekyHR
Level 1

Self Assessment questionnaire PCI compliance

I hope this information helps someone else, since it is very clear the support team is goal-oriented in pushing this onto everyone.

To complete the PCI compliance assessment in QuickBooks Payments, follow these steps:

  1. Log into QuickBooks Online.
  2. Go to the Payments section:
    • Click on "Settings" (the gear icon) in the upper right corner.
    • Under the "Your Company" section, select "Account and Settings".
    • Next, go to the "Payments" tab.
  3. Look for PCI compliance notifications:
    • In the Payments section, look for any messages or notifications related to PCI compliance. QuickBooks will often notify you if an assessment is needed.
    • If prompted, follow the on-screen steps to complete the PCI compliance process. You may be redirected to a third-party provider, such as SecurityMetrics, which handles PCI assessments for QuickBooks Payments.
  4. Complete the PCI compliance assessment:
    • The assessment typically involves answering a series of questions regarding how your business processes and handles payment card data.
    • If you use QuickBooks Payments exclusively for processing payments and don’t store any sensitive card data yourself, the assessment is usually straightforward.
  5. Download and save your PCI compliance certificate:
    • Once completed, you’ll receive a confirmation of your compliance, usually in the form of a certificate. Make sure to save a copy for your records.
    • If required by your bank or payment processor, provide them with a copy of your PCI compliance certificate.
  6. Contact QuickBooks support (if needed):
    • If you don’t see any PCI compliance-related options or need further assistance, you can contact QuickBooks Payments support for clarification on your status and next steps.

By completing the PCI compliance assessment, you ensure that your business adheres to the required standards for processing credit card payments securely.
