karen.duncan434@
Level 1

Self Assessment questionnaire PCI compliance

Where do I find the self-assessment questionnaire for PCI compliance? I have called merchant services and they know nothing, yet I continue to receive emails to pay for a service.
JamaicaA
QuickBooks Team


It's nice to see a new face here, @Karen.d. 

 

Thank you for your interest in finding a self-assessment questionnaire for PCI compliance. I'll share more details to help you manage your local security environment.

 

PCI DSS standards are required for all merchants that accept credit or debit cards. If you accept these via the QuickBooks site, you must be PCI compliant.

 

First, create an account with SecurityMetrics to streamline the PCI compliance validation process. After finishing it, you can purchase the PCI package and complete an SAQ.

 

  1. Select Sign Up, then fill out all the fields on the Create Account page.
  2. Select Create Account, then follow Intuit FastPass to determine your PCI compliance requirements.
  3. Select Next, then select a security package that best fits your business.

 

To know more about PCI DSS compliance, please see this article: Learn about the PCI DSS Compliance Services.

 

See this guide for the FAQs along with tools and services included in the QuickBooks PCI Service: Learn about QuickBooks PCI Service.

 

If you have other concerns about your QuickBooks account, please don't hesitate to let me know in the comments below. I'll gladly help. Take care.

Fiat Lux - ASIA
Level 15


karen.duncan434@ 

I know someone who went through it entirely themselves to see how their paid version and you-do-it version compare to our free version and our we-do-it-for-you version. Here’s the breakdown of Intuit’s new mandatory PCI Compliance process; buckle in, because it’s a lot of info for your benefit:

Security Metrics PCI Test Review:
The initial self-assessment questionnaire is roughly the same as what other payment processors do, but it would be difficult for someone unfamiliar with the type of tech-heavy questions, as Security Metrics doesn’t help guide you through this process unless you buy the $195/year package.

 

Once the self-assessment questionnaire is complete, you’ll be led to the paywall where you must purchase one of the packages above. Unless you opt for the $195/year Intuit Managed package, you’ll be completing everything by yourself with little to no guidance.

You’ll answer another 40 or so questions on top of the 50+ you answered in the self-assessment. If these are answered incorrectly, you’ll either instantly be flagged as non-compliant or your upcoming scan will fail and that too will mark you as non-compliant, which leads to more monthly fees hitting your account.

For the scan you’ll need to know your IP address and input it, then pick a date within the next quarter to run this scan. If you want to scan another time for a separate IP address your business may have, it will cost $129 per extra quarterly scan, which brings you to $516 per year plus whichever package you bought earlier while setting up the account.

Security Metrics does have a good feature of telling you what you need to do to become compliant, but they don’t tell you how to do it (unless you purchase Intuit Managed PCI Pro at $195). There’s a lot to keep track of and answer, all while many important questions cannot be re-answered if you answered them incorrectly.

If you don’t feel like doing it yourself at the $85 initial cost, or being guided through it at $195, they have a separate yearly package that will do almost everything for you to attain compliance for a steep price of $670. As another option, you should consider having a third-party merchant service provider integrate with QB. Everything listed above, one provider does for no extra cost; it is built into their $30 fixed fee for newly boarded merchants for the entire duration of their time with them.

 

mattp42-bellsout
Level 2


Can I complete the self-assessment questionnaire from the PCI standards website and send it to QuickBooks without paying for this service? I am SAQ-A.

DebSheenD
QuickBooks Team


Hello there, @mattp42-bellsout. Let me share some insights regarding compliance with QuickBooks Payment Card Industry Data Security Standard (PCI DSS).

 

PCI compliance is vital for protecting your business and customers from theft and fraud. Major payment card providers like Visa, MasterCard, American Express, and Discover require annual PCI compliance for businesses that handle card data. Whether you accept, store, or transmit payment card data, PCI compliance is mandatory.

 

Regarding your question, I recommend contacting SecurityMetrics to verify whether you need to subscribe or not. The steps below will walk you through the complete process.

 

  1. Go to this link: SecurityMetrics.
  2. Select Sign Up. Fill out all the fields on the Create Account page.
  3. Click Create Account. Then, follow Intuit FastPass to determine your PCI compliance requirements.
  4. Hit Next. Then, select a security package that best fits your business.

 

Check out this article for more information about the requirements, how to deal with it, and how to be compliant: Learn about QuickBooks PCI Service

 

Here's more information about accepting electronic customer payments for online invoices and in-person sales: Take and process payments in QuickBooks Online with QuickBooks Payments

 

Let me know if you need further information about the PCI compliance. I'm always here to answer them for you. Keep safe, and have a wonderful day!

mattp42-bellsout
Level 2


After doing my own research: if you use QBO to send invoices, and they handle all credit card information and you have no access to client payment information, then you absolutely DO NOT need this PCI certification. In this case, QuickBooks is the one that needs the PCI certification, not your business. Do not sign up for the Security Metrics thing if this is your situation. It will be a complete waste of money.

 

I am posting here in case anyone else is in the same situation.

Martissa Spencer
Level 1


You did not answer @mattp42-bellsout's question. Where do I verify my PCI compliance? I don't need a third-party service. I have the SAQ A. Where do I turn it in to QB?

MirriamM
Moderator


Hi there, Martissa.

 

Welcome to the thread. I'm here to answer your query.

 

If you already have PCI Compliance services with a company other than SecurityMetrics, you'll receive an email to ignore prior emails about signing up to be PCI Compliant.

 

You may also consider contacting our Merchant Team for more detail on how to verify your PCI Compliance when you have the SAQ A.

 

To reach them, click the Chat with us link or get the phone number in this article: Contact Payments or Point of Sale Support. Then, go to the QuickBooks Payments section.

 

Please don't hesitate to comment below if you have other concerns. I'll be right here to provide additional assistance. Keep safe!

Martissa Spencer
Level 1


This did not answer the question of how to verify my PCI Compliance if I don't want to use a third-party vendor. I wish you would answer my questions.

1) Where is the SAQ A questionnaire? Meaning, where do I get one?

2) How do I turn in my SAQ A questionnaire to QB once I have completed it?

3) Will turning in that questionnaire to QB mean that I am verifying my PCI Compliance?

 

Martissa Spencer

bellabella
Level 2


I also use a QuickBooks Mobile card reader at events. I assume that I also do not need separate certification, since the customer inserts the card in the card reader and sends the card data through the GoPayment app. I never touch or see the card.

Misty_Moss
Level 1


What IP address are they specifically wanting when setting up PCI? It asks me to "Enter the target(s) (IP address or Domain) you need scanned here."

What are they asking for and where do I find it?

Adrian_A
Moderator


Hello Misty,

 

You'll have to enter the IP address of the device you'll be setting up for the merchant services. 

 

To locate the IP address, you can follow these steps:

 

  1. Press the Windows button on your keyboard.
  2. Enter and select Settings.
  3. Click Network & Internet.
  4. On the Find a setting field, type in Properties.
  5. Click View your network properties.

 

Moreover, you can check this article to learn more about PCI compliance: Learn more about QuickBooks PCI Compliance.

 

Keep me posted whenever you have concerns about merchant services.

JO118
Level 1


I have read through this community question regarding a self-assessment for PCI Compliance, but I see no direct answer from QuickBooks. It would be helpful to provide the specific steps to complete a self-assessment for PCI Compliance that does NOT require a third party like SecurityMetrics, who will charge me regardless of whether I require their services or not. It seems to me, as a long-time loyal QB customer who pays a significant annual amount for merchant services to process payments through the invoice feature, that QB holds the compliance requirement. I do not see, store or retain any credit card info for my business; rather, payment is processed via QB directly by the customer. So, in this specific scenario, my question is: WHAT AM I LEGALLY REQUIRED TO SUBMIT, AND TO WHOM, TO SHOW PCI COMPLIANCE? If QB could provide a checklist that I may affirm, sign and submit to QB, would that cover it? And who is the authority who can hold us accountable to this compliance? Thank you for any NEW insight from anyone on this thread!

P.S. I have had absolutely no luck with SecurityMetrics following up with now two scheduled calls. 

Just_me
Level 10


QB will just tell you that you HAVE to be compliant and will likely tell you to reach out to Security Metrics, because that is who they have the contract with.

The reason they are telling everyone that they have to be compliant is because THEY are the ones that have to be, but they don't want to pay for it, so they are making everyone else.

cody_a
Moderator


Thank you for reaching out regarding PCI compliance and how it intersects with QuickBooks Payments. We understand the importance of PCI compliance as it pertains to credit card processing and the potential risks associated with non-compliance.

As a payment processor, QuickBooks Payments follows the PCI Security Standards Council guidelines to maintain PCI compliance for its platform. However, use of QuickBooks Payments services does not mean you’re already PCI compliant, just that pieces of the transaction processing chain are compliant. As a merchant, you are responsible for ensuring your business is compliant with the PCI DSS requirements.
In general, PCI compliance is not a one-time event but is an ongoing process that requires review and validation annually.

For merchants who use QuickBooks Payments, the process of PCI compliance includes completing a self-assessment questionnaire (SAQ).
QuickBooks Payments does not provide a checklist or questionnaire for self-assessments.

Regarding your question on who will hold you accountable for this compliance, the Payment Card Industry Security Standards Council is responsible for managing the compliance standards that all businesses must meet in order to accept payment cards. This association requires payment processors and merchants to certify their compliance annually. SSC provides guidance on how to comply with their standards on their website.

Here are some additional resources:
Learn more about QuickBooks PCI Compliance
Learn more about the PCI DSS Compliance Services

 

We hope this information is helpful. If you require further assistance, please contact QuickBooks Payments support, and they will be happy to assist you.

Just_me
Level 10


Delete it all you want, but NO ONE has to use Security Metrics. There are TONS of other companies out there that you can use.

Also, if QB customers DON'T take or handle credit cards, there is NO reason for them to need to be compliant.
