QuickBooksHelpIntuit

Learn about QuickBooks PCI Compliance

SOLVED•by QuickBooks•121•Updated January 16, 2024

Learn about the QuickBooks Payment Card Industry Data Security Standard (PCI DSS) compliance.

As a merchant accepting cards for payment, you need to have payment security throughout your local environment. This includes all applications and systems on your local network.

Frequently asked questions

What's PCI DSS compliance?

The PCI DSS is a list of practices merchants must follow to accept payment cards. This includes how to securely handle, process, and store sensitive payment card data. The PCI standard covers the following 12 requirements

Protect your system with firewalls

Install a hardware and software firewall.
Configure firewalls for your environment.
Have strict firewall rules.

Use adequate configuration standards

Change default passwords.
Harden your systems.
Implement system configuration management.

Protect stored data

Find where card data is.
Craft your card flow diagram.
Encrypt stored card data.

Secure data over open and public networks

Know where they send and receive data.
Encrypt all transmitted cardholder data.
Stop using SSl and early TLS.

Protect systems with antivirus

Create a vulnerability management plan.
Regularly update antivirus.
Maintain an up-to-date malware program.

Update your systems

Consistently update your systems.
Apply all critical/high patches to systems and software.
Establish secure software development processes.

Restrict access

Restrict access to cardholder data.
Document who has access to the card data environment.
Establish a role-based access control system.

Use unique ID credentials

Use unique ID credentials for every employee.
Disable/delete inactive accounts.
Configure multi-factor authentication.

Maintain physical security

Control physical access at your workplace.
Keep track of POS terminals.
Train your employees often.

Implement logging and log monitoring

Implement logging and alerting.
Establish log management.
Create log management system rules.

Conduct vulnerability scans and penetration testing

Know your environment.
Run vulnerability scans quarterly.
Conduct a penetration test

Start documentation and risk assessments

Document policies and procedures for everything.
Implement a risk assessment process.
Create an incident response plan. (IRP)

The way you process credit cards determines what requirements you need to follow. Find more details in the Self-Assessment Questionnaires (SAQ). Here are the SAQ types:

Who is required to follow PCI DSS Standards?

All merchants that accept credit or debit cards.

How you handle and process payment cards and the number of transactions you process annually defines your validation requirements. All merchants are required to complete a Self-Assessment Questionnaire (SAQ). The required SAQ depends on how you store, handle, and process card data. Some additional requirements may include:

External vulnerability scanning
Internal vulnerability scanning
Penetration testing
Security policy implementation

Isn't Intuit PCI compliant already?

Yes. Intuit and our products are on the PCI Security Standards Council website as compliant. While QuickBooks applications are secure, other applications on your local computer/network can compromise the security of your environment. Use of QuickBooks Payments services doesn’t mean you’re already PCI compliant. Just that pieces of the transaction processing chain are compliant.

How can I add PCI Services and is there a fee?

Intuit has partnered with SecurityMetrics to streamline the PCI compliance validation process. SecurityMetrics charges an annual fee to merchants. If you choose to use SecurityMetrics, you need to create an account with SecurityMetrics. After you complete SecurityMetrics’ FastPass, you can purchase the PCI package that best suits your needs. From there, complete an SAQ, then set up your scans.

Why is protecting customer payment information important to me?

Data security is more important now than ever as hackers become more prevalent. PCI compliance increases your security against attacks .If a breach occurs, you may

Be liable for the fines listed below.
Need to spend on card re-issuance, acquirer fees, legal fees, and more.

Data Breach	Fines
Merchant processor compromise	$5,000 - $50,000
Card brand compromise	$5,000 - $500,000
Forensic investigation	$12,000 - $100,000
Onsite QSA assessments following the breach	$20,000 - $100,000
Free credit monitoring for affected individuals	$10 - $30/card
Card re-issuance penalties	$3 - $10/card
Security updates	$15,000+
Lawyer fees	$5,000+
Breach notification costs	$1,000+
Technology repairs	$2,000+
Total Possible cost:	$50,000 - $773,000+

How often is PCI validation required?

Becoming PCI compliant is an ongoing process. As a merchant, you’re required to validate your PCI compliance yearly. This includes re-submitting the SAQ and passing the required scans.

Although validation is only an annual requirement, you’re required and expected to follow the PCI requirements all the time. This includes watching the environment to identify any suspicious activity.

Learn about PCI compliance and your responsibilities:

Are ProAdvisors subject to PCI service fees?

ProAdvisors are subject to the same criteria as everyone else.

What PCI plans are available?

How can I find the total number of transactions I've processed this past year?

Sign in to the Merchant Service Center.
Go to Activities & Reports, then Statements.

How do I get a written agreement from Intuit about my merchant services?

Intuit's Terms of Service is your written agreement. You can provide it as part of the PCI questionnaire.

Know the tools and services included in the QuickBooks PCI Service

QuickBooks PCI tools and services

LAYERS OF PROTECTION	DATA SECURITY BENEFITS	DESCRIPTION
Security Awareness Training	Educates you about common cyber threats	Intuit has partnered with SecurityMetrics to provide easy-to-understand security awareness training that will help protect your digital assets against common threats such as phishing scams and keylogging malware attacks.
Threat Prevention Tools	Simplifies your PCI compliance	Use threat prevention tools to simplify your PCI compliance process and better defend your customer card data. Vulnerability scans, mobile scans, and SecurityMetric PANscans make it easier to identify unencrypted card data and prevent a breach.
Card Data Breach Protection	Protects you with a $100,000 Premium Service Warranty	Your PCI service provides up to $100,000 premium service warranty. To qualify for this benefit, you need to enroll in the program and be up-to-date on service fees.

Turn on PCI Service

If PCI Services is unavailable on your account, upgrade your pricing plan or add it to your current plan. Create an account with SecurityMetrics and complete FastPass, then they’ll present different PCI packages to fit your financial and security needs.

Exceptions may apply to non-standard plans. Visit our website or the PCI Security Standards website for more information.

Was this helpful?

You must to vote, reply, or post

QuickBooks DesktopQuickBooks Desktop PremierQuickBooks Desktop ProQuickBooks Enterprise QuickBooks Enterprise AccountantQuickBooks Enterprise DiamondQuickBooks Enterprise GoldQuickBooks Enterprise PlatinumQuickBooks Payments

Sign in for the best experience

Ask questions, get answers, and join our large community of QuickBooks users.