It's nice to see a new face here, @Karen.d.
Thank you for your interest in finding a self-assessment questionnaire for PCI compliance. I'll share more details to help you manage your local security environment.
PCI DSS Standards are required for all merchants that accept credit or debit cards. If you do these via the QuickBooks site, be PCI compliant.
First, create an account with SecurityMetrics to streamline the PCI compliance validation process. After finishing it, you can purchase the PCI package and complete an SAQ.
To know more about PCI DSS compliance, please see this article: Learn about the PCI DSS Compliance Services.
See this guide for the FAQs along with tools and services included in the QuickBooks PCI Service: Learn about QuickBooks PCI Service.
If you have other concerns about your QuickBooks account, please don't hesitate to let me know in the comments below. I'll gladly help. Take care.
I know someone went through it entirely themselves to see how their paid version and you-do-it version compare to our free version and our we-do-it-for-you version. Here’s the breakdown about Intuit’s new mandatory PCI Compliance process, buckle in because it’s a lot of info for your benefit:
Security Metrics PCI Test Review:
The initial self-assessment questionnaire is moderately the same as other payment processors do, but would be difficult for someone unfamiliar with the type of tech-heavy questions, as Security Metrics doesn’t help guide you through this process unless you buy the $195/year package.
Once the self-assessment questionnaire is complete, you’ll be led to the paywall where you must purchase one of the packages above. Unless you opt for the $195/year Intuit Managed package, you’ll be completing everything by yourself with little to no guidance.
You’ll answer another 40 or so questions on top of the 50+ you answered in the self-assessment. If these are answered incorrectly, you’ll either instantly be flagged as non-compliant or your upcoming scan will fail and that too will mark you as non-compliant, which leads to more monthly fees hitting your account.
For the scan you’ll need to know your IP address and input it, then pick a date within the next quarter to run this scan. If you were to want to scan another time for a separate IP address your business may have, it will cost $129 per extra quarterly scan, which brings you to $516 per year plus whichever package you bought earlier while setting up the account.
Security Metrics does have a good feature of telling you what you need to do to become compliant, but they don’t tell you how to do it (unless you purchase Intuit Managed PCI Pro for $195). There’s a lot to keep track of and answer, and many important questions cannot be re-answered if you answered them incorrectly.
If you don’t feel like doing it yourself at the $85 initial cost, or being guided through it at $195, they have a separate yearly package that will do almost everything for you to attain compliance for a steep price of $670. As another option, you should consider having a third-party merchant service provider integrate with QB. One provider does everything listed above for no extra cost; it is built into their $30 fixed fee for newly boarded merchants for the entire duration of their time with them.
Can I complete the self-assessment questionnaire from the PCI standards website, and send it to QuickBooks without paying for this service? I am SAQ-A.
Hello there, @mattp42-bellsout. Let me share some insights regarding compliance with QuickBooks Payment Card Industry Data Security Standard (PCI DSS).
PCI compliance is vital for protecting your business and customers from theft and fraud. Major payment card providers like Visa, MasterCard, American Express, and Discover require annual PCI compliance for businesses that handle card data. Whether you accept, store, or transmit payment card data, PCI compliance is mandatory.
In regards to your question, I recommend contacting SecurityMetrics to verify if you need to subscribe or not. The steps below will walk you through the complete steps.
Check out this article for more information about the requirements, how to deal with it, and how to be compliant: Learn about QuickBooks PCI Service.
Here's more information about accepting electronic customer payments for online invoices and in-person sales: Take and process payments in QuickBooks Online with QuickBooks Payments.
Let me know if you need further information about the PCI compliance. I'm always here to answer them for you. Keep safe, and have a wonderful day!
After doing my own research, if you use QBO to send invoices, and they handle all credit card information and you have no access to client payment information, then you absolutely DO NOT need this PCI certification. In this case, QuickBooks is the one that needs the PCI certification, not your business. Do not sign up for the Security Metrics thing if this is your situation. It will be a complete waste of money.
I am posting here in case anyone else is in the same situation.
You did not answer @mattp42-bellsout's question. Where do I verify my PCI compliance? I don't need a third party service. I have the SAQ A. Where do I turn it in to QB?
Hi there, Martissa.
Welcome to the thread. I'm here to answer your query.
If you already have PCI Compliance services with a company other than SecurityMetrics, you'll receive an email to ignore prior emails about signing up to be PCI Compliant.
You may also consider contacting our Merchant Team for more detail on how to verify your PCI Compliance when you have the SAQ A.
To reach them, click the Chat with us link or get the phone number in this article: Contact Payments or Point of Sale Support. Then, go to the QuickBooks Payments section.
Please don't hesitate to comment below if you have other concerns. I'll be right here to provide additional assistance. Keep safe!
This did not answer the question on how to verify my PCI Compliance if I don't want to use a third party vendor. I wish you would answer my questions.
1) Where is the SAQ A questionnaire? Meaning, where do I get one?
2) How do I turn in my SAQ A questionnaire to QB once I have completed it?
3) Will turning in that questionnaire to QB mean that I am verifying my PCI Compliance?
Martissa Spencer
I also use a Quickbooks Mobile card reader at events. I assume that I also do not need separate certification since the customer inserts the card in the card reader and sends the card data through the GoPayment app. I never touch or see the card.
What IP address are they specifically wanting when setting up PCI? It asks me to "Enter the target(s) (IP address or Domain) you need scanned here."
What are they asking for and where do I find it?
Hello Misty,
You'll have to enter the IP address of the device you'll be setting up for the merchant services.
To locate the IP address, you can follow these steps:
Moreover, you can check this article to learn more about PCI compliance: Learn more about QuickBooks PCI Compliance.
Keep me posted whenever you have concerns about merchant services.
I have read through this community question regarding a Self-Assessment for PCI Compliance but I see no direct answer from Quickbooks. It would be helpful to provide the specific steps to complete a self-assessment for PCI Compliance that does NOT require a third party like SecurityMetrics, who will charge me regardless of whether I require their services or not. It seems to me, as a long-time loyal QB customer, who pays an annual significant amount for merchant services to process payments through the invoice feature, that QB holds the compliance requirement. I do not see, store or retain any credit card info for my business, rather payment is processed via QB directly by the customer. So, in this specific scenario, my question is: WHAT AM I LEGALLY REQUIRED TO SUBMIT, AND TO WHOM, TO SHOW PCI COMPLIANCE? If QB could provide a checklist that I may affirm and sign and submit to QB, would that cover it? And who is the authority who can hold us accountable to this compliance? Thank you for any NEW insight from anyone on this thread ...!
P.S. I have had absolutely no luck with SecurityMetrics following up with now two scheduled calls.
QB will just tell you you HAVE to be compliant and will likely tell you to reach out to Security Metrics, because that is who they have the contract with.
The reason they are telling everyone that they have to be compliant, is because THEY are the ones that have to be, but they don't want to pay for it, so they are making everyone else.
Thank you for reaching out regarding PCI compliance and how it intersects with QuickBooks Payments. We understand the importance of PCI compliance as it pertains to credit card processing and the potential risks associated with non-compliance.
As a payment processor, QuickBooks Payments follows the PCI Security Standards Council guidelines to maintain PCI compliance for its platform. However, use of QuickBooks Payments services does not mean you’re already PCI compliant, just that pieces of the transaction processing chain are compliant. As a merchant, you are responsible for ensuring your business is compliant with the PCI DSS requirements.
In general, PCI compliance is not a one-time event but is an ongoing process that requires review and validation annually.
For merchants who use QuickBooks Payments, the process of PCI compliance includes completing a self-assessment questionnaire (SAQ).
QuickBooks Payments does not provide a checklist or questionnaire for self-assessments.
Regarding your question on who will hold you accountable for this compliance, the Payment Card Industry Security Standards Council is responsible for managing the compliance standards that all businesses must meet in order to accept payment cards. This association requires payment processors and merchants to certify their compliance annually. SSC provides guidance on how to comply with their standards on their website.
Here are some additional resources:
Learn more about QuickBooks PCI Compliance
Learn more about the PCI DSS Compliance Services
We hope this information is helpful. If you require further assistance, please contact QuickBooks Payments support, and they will be happy to assist you.
Delete it all you want, but NO ONE has to use Security Metrics. There are TONS of other companies out there that you can use.
Also, if QB customers DON'T take or handle credit cards there is NO reason for them to need to be compliant.
I have the same question. I am inundated by e-mails and phone calls from Security Metrics but I understand that I can do a self-assessment instead. Except I cannot find any information on that.
Thank you for joining this thread, Weigandi. I assure you I can help you find your self-assessment questionnaire.
Intuit has partnered with SecurityMetrics, a leading PCI service provider, to help merchants securely handle, process, and store payment card data.
First, signing up with SecurityMetrics simplifies the PCI compliance validation process. Once done, you'll receive the self-assessment questionnaire in your email.
Here's how:
If you have questions about the self-assessment, you can check the phone number in this article: Learn about the PCI DSS Compliance Services.
You can also check this article to learn more about PCI Compliance: Learn about QuickBooks PCI Compliance.
If you have other concerns besides the self-assessment, you can click the comments below. Stay safe and have a good one!
Thank you SO much for posting this. This whole SecurityMetrics/PCI compliance thing just hit me out of nowhere and I've been pretty stressed about it. I only got to this thread trying to figure out where I find my IP address or "Target" when I began the questionnaire after receiving a threatening email that I had a week to complete it.
Just so I'm clear on your message in this thread, I do NOT store or take any of my customers' credit card information EVER. I simply send them an invoice that accepts ACH transfer and on the rare occasion a customer requires payment by credit card, I change the setting so they can make the payment that way. Nothing is stored and I don't see any of their info. So are you saying I can disregard this whole questionnaire/PCI compliance thing and my customers will still be able to pay their invoices using their cc information on the rare occasions?
Thank you!
Same situation for me: I don't store anything, don't even see the numbers as it is all invoiced and paid directly through QB online. I had a helpful conversation with a representative from SPI (the QB-approved vendor) who explained the requirements and options. For me it was definitely worth the 20-minute conversation and he was very patient with all my questions. As a small business owner, I consistently ask lots of questions before spending money so I don't do so unless it has a real, vetted, and specific purpose. In this case, I opted for the minimum required option (less than $100 annually) as I decided it is a good "peace-of-mind" cost for me and I can add that security logo to my website to extend that assurance to my clients. In fact, the representative walked me through the questionnaire step by step, to explain each "feature" and what it meant and whether it was relevant for my purposes.
We were PCI compliant long before ever signing onto Intuit Merchant Services. We renew our certificate of compliance with another company every year. And we retain the Intuit questionnaire on file to prove Intuit's PCI compliance.
However, we continue to get emails from SecurityMetrics every year with the news: "Currently you are not being reported as 'Compliant', but we can help with that." Who is reporting us as non-compliant, Intuit??
Then we get an automated email from Intuit stating if we are already PCI compliant then no action is required. Why can we not prove our compliance and get into a status of compliant so we do not have to be badgered with these annual warnings that seem almost threatening? If you are going to partner with a specific company then you need to let them know which of your customers are compliant so they leave us alone. PLEASE!!
If they are so worried about our compliance then they should reach out and provide a method where we can prove our existing PCI compliance. I personally do not have the time or patience to go through this with the reps there only to come up to a dead end. Just let us know where to email, post or mail in our proof of compliance. And get us off the list of non-compliants getting emails from your partner company SecurityMetrics. If you are partners then SecurityMetrics should know that we are compliant and not send out emails saying our current status is not compliant. That is a lie, and who gave them this information?
I know there is a post that said something about where you can send your compliance info. If I find it, I'll post it here. But you DON'T need to prove to Security Metrics that you are compliant. They are just bullies.
Hey Matt,
I was wondering the same thing. I use QB Desktop and all my invoicing goes through QB; payments that are received are received through QB, as I do not personally input any card numbers or take transactions face-to-face. Were you able to find where it says that you do not need the PCI certification in this case so I can print it for my own records? I was thinking this was also a waste or them pushing for more money. Thanks!
I hope this information helps someone else since it is very clear the support team is goal oriented in pushing this onto everyone.
To complete the PCI Compliance Assessment in QuickBooks Payments, follow these steps:
Log into QuickBooks Online:
Go to the Payments Section:
Look for PCI Compliance Notifications:
Complete the PCI Compliance Assessment:
Download and Save Your PCI Compliance Certificate:
Contact QuickBooks Support (If Needed):
By completing the PCI compliance assessment, you ensure that your business adheres to the required standards for processing credit card payments securely.