Learn about the QuickBooks Payment Card Industry Data Security Standard (PCI DSS) compliance.
As a merchant accepting cards for payment, you need to have payment security throughout your local environment. This includes all applications and systems on your local network.
Frequently asked questions
What is PCI DSS compliance?
The PCI DSS is a list of practices merchants must follow to accept payment cards. This includes how to securely handle, process, and store sensitive payment card data. The PCI standard covers the following 12 requirements:
Protect your system with firewalls
- Install a hardware and software firewall.
- Configure firewalls for your environment.
- Have strict firewall rules.
Use adequate configuration standards
- Change default passwords.
- Harden your systems.
- Implement system configuration management.
Protect stored data
- Find where card data is.
- Craft your card flow diagram.
- Encrypt stored card data.
Secure data over open and public networks
- Know where your systems send and receive data.
- Encrypt all transmitted cardholder data.
- Stop using SSL and early TLS.
Protect systems with antivirus
- Create a vulnerability management plan.
- Regularly update antivirus.
- Maintain an up-to-date anti-malware program.
Update your systems
- Consistently update your systems.
- Apply all critical/high patches to systems and software.
- Establish secure software development processes.
Restrict access to cardholder data
- Document who has access to the card data environment.
- Establish a role-based access control system.
Use unique ID credentials
- Use unique ID credentials for every employee.
- Disable/delete inactive accounts.
- Configure multi-factor authentication.
Maintain physical security
- Control physical access at your workplace.
- Keep track of POS terminals.
- Train your employees often.
Implement logging and log monitoring
- Implement logging and alerting.
- Establish log management.
- Create log management system rules.
Conduct vulnerability scans and penetration testing
- Know your environment.
- Run vulnerability scans quarterly.
- Conduct a penetration test.
Start documentation and risk assessments
- Document policies and procedures for everything.
- Implement a risk assessment process.
- Create an incident response plan (IRP).
The way you process credit cards determines what requirements you need to follow. Find more details in the Self-Assessment Questionnaires (SAQ). Here are the SAQ types:
Who is required to follow PCI DSS Standards?
All merchants that accept credit or debit cards.
Why is protecting customer payment information important to me?
Data security is more important now than ever as hackers become more prevalent. If a breach occurs, you may be liable for the following fines. You may also need to spend on card re-issuance, acquirer and legal fees, and more.
| Cost item | Range |
|---|---|
| Merchant processor compromise | $5,000 - $50,000 |
| Card brand compromise | $5,000 - $500,000 |
| Forensic investigation | $12,000 - $100,000 |
| Onsite QSA assessments following the breach | $20,000 - $100,000 |
| Free credit monitoring for affected individuals | $10 - $30/card |
| Card re-issuance penalties | $3 - $10/card |
| Breach notification costs | $1,000+ |
| Total possible cost | $50,000 - $773,000+ |
Being PCI compliant strengthens your defenses against these types of attacks.
Why do I have to deal with PCI DSS?
QuickBooks applications are secure. However, other applications can compromise the security of your environment. Use of QuickBooks Payments services doesn’t mean you’re already PCI compliant.
How often is PCI validation required?
Becoming PCI compliant is an ongoing process. As a merchant, you’re required to validate your PCI compliance yearly. This includes re-submitting the SAQ and passing the required scans.
Although validation is only an annual requirement, you’re required and expected to follow the PCI requirements all the time. This includes watching the environment to identify any suspicious activity.
Learn about PCI compliance and your responsibilities:
How can I become PCI compliant?
How you handle and process payment cards and the number of transactions you process annually defines your validation requirements. All merchants are required to complete a Self-Assessment Questionnaire (SAQ). The required SAQ depends on how you store, handle, and process card data. Some additional requirements may include:
- External vulnerability scanning
- Internal vulnerability scanning
- Penetration testing
- Security policy implementation
Is there a PCI service fee?
Merchants who process, handle, transmit, or store credit card data are required to be PCI compliant. Intuit has partnered with SecurityMetrics to streamline the PCI compliance validation process. SecurityMetrics charges an annual fee to merchants who are validating compliance for Intuit.
Are ProAdvisors subject to PCI service fees?
ProAdvisors are subject to the same criteria as everyone else.
How can I add PCI Services?
You need to create an account with SecurityMetrics. After you complete SecurityMetrics’ FastPass, you can purchase the PCI package that best suits your needs. From there, complete an SAQ, then set up your scans.
What PCI plans are available?
How can I find the total number of transactions I've processed this past year?
- Sign in to the Merchant Service Center.
- Go to Activities & Reports, then Statements.
Know the tools and services included in the QuickBooks PCI Service
QuickBooks PCI tools and services
| Layers of protection | Data security benefits |
|---|---|
| Security Awareness Training | Educates you about common cyber threats |
| Threat Prevention Tools | Simplifies your PCI compliance |
| Card Data Breach Protection | Protects you with a $100,000 Premium Service Warranty |
- Security awareness training: Intuit has partnered with SecurityMetrics to provide easy-to-understand security awareness training that will help protect your digital assets against common threats such as phishing scams and keylogging malware attacks.
- Threat prevention tools: Use threat prevention tools to simplify your PCI compliance process and better defend your customer card data. Vulnerability scans, mobile scans, and SecurityMetrics PANscans make it easier to identify unencrypted card data and prevent a breach.
- Card data breach protection: Your PCI service includes a Premium Service Warranty of up to $100,000. To qualify for this benefit, you need to enroll in the program and be up to date on service fees.
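The "Find where card data is" step under Protect stored data, and the PANscan described above, both come down to one check: locating digit runs that pass the Luhn test and reporting where they sit, without echoing the full number. This is an example added here, not SecurityMetrics' PANscan or any Intuit tool; the notes file it scans is constructed.

```python
import re
from typing import Dict, List

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) check every PAN must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Show at most the first six and last four digits, as PCI DSS allows for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str, source: str = "<constructed>") -> List[Dict[str, object]]:
    """Report the line of every Luhn-valid candidate, never the full PAN itself."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                findings.append({"source": source, "line": lineno,
                                 "masked_pan": mask_pan(digits)})
    return findings


# Constructed sample: a support-notes file where an agent typed card numbers in clear.
# 4111... and 5500...0004 are industry test numbers; the 1234-... string fails Luhn,
# and the timestamp and order number are too short to be candidates.
SAMPLE_NOTES = """\
2024-01-15 09:31:02 order=1000234567 customer=jane@example.com
note: customer read card over the phone 4111 1111 1111 1111 exp 12/26
token=tok_9f1c2a refund issued for order 1234-5678-9012-3456
ref 5500000000000004 paid by phone, card not tokenized
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_NOTES, "support_notes.txt"):
        print(f"{f['source']}:{f['line']}: unencrypted PAN {f['masked_pan']}")
```

Each hit is a location where card data is stored unencrypted and must either be removed or brought inside the encrypted cardholder data environment.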
Turn on PCI Service
If PCI Services is unavailable on your account, upgrade your pricing plan or add it to your current plan. Create an account with SecurityMetrics and complete FastPass; SecurityMetrics will then present different PCI packages to fit your financial and security needs.
Exceptions may apply to non-standard plans. Visit our website or the PCI Security Standards website for more information.