June 15, 2023
Question

How can I confirm/verify my PCI DSS compliance to QB without using a 3rd party such as SecurityMetrics? I should only need SAQ-A and an Attestation of Compliance.

I manage very few credit card transactions and they are all handled exclusively through QB Payments with no website e-commerce. QB is trying to tell me that I'm not PCI compliant and they want me to pay SecurityMetrics to verify my compliance, but the PCI website says I can self-assess using SAQ-A and an AOC. I don't know how to submit this to QB without using the 3rd party. The QB TOS do not mention anything about verification or certification. They just list the actual 12 requirements that constitute PCI compliance, all of which I meet or are N/A. Frankly, this all feels quite scammy?

4 replies

June 16, 2023

I’m in the same position. I should be able to self-certify, but I can’t figure out how to do it. 

JoesemM
June 19, 2023

Hello there, erica34, ElectricSpaghettiNeon. It's nice to see you guys in the Community forum. I'd be glad to help share information about PCI DSS Compliance in QuickBooks Online.

The Payment Card Industry Data Security Standard (PCI DSS) is a list of practices merchants must follow to accept payment cards. This includes how to securely handle, process, and store sensitive payment card data. 


As a merchant accepting cards for payment, you need to have payment security throughout your local environment. This includes all applications and systems on your local network. 


The way you process credit cards determines what requirements you need to follow. Find more details in the Self-Assessment Questionnaires (SAQ). For more details about the SAQ types and how to certify, you may open this link: Learn about QuickBooks PCI Service. It also contains the tools, services, and FAQs about PCI DSS compliance.

You may also contact our QuickBooks Payment Support Team. They can provide further details about the PCI compliance service and how it works. 


Let me also share these resources that tackle the PCI DSS Compliance Services and frequently asked questions about Security Metrics:

I'm always around to help if you have other PCI Compliance concerns. You can drop a comment below, and I'll gladly answer them for you. Stay safe.

June 20, 2023

Hello!  My understanding is that if I am NOT ACCEPTING CREDIT CARDS through QBO / Intuit Payments, then I do not need to do PCI compliance with QBO / Intuit Payments.  Is that correct?

March 4, 2024

I just got a call from "QB official Partner" SecurityMetrics, for PCI Compliance and I will tell you it feels very scammy. When I told him that I would not pay for compliance he said "OK, I will note your file that you are refusing to be compliant". I called QB and was told that if I am not housing the credit card information or saving the data that it is QB that is responsible for being compliant. I have to tell you this is all confusing, and honestly, I felt a little threatened by the guy that called me.

March 18, 2024

ME TOO!  The Security Metrics guy is bordering on "threatening" and "stalking".  He WON'T let it go.  He continues to harass me through email and phone calls.  I'm really offended by this!

When someone says "you have to pay for our service or else..." that's a threat!


I called QB on the phone only to be on hold for 1 hour and 14 mins while the clueless cust service rep tried to get someone to answer her questions so she could answer mine.  I asked her several times to transfer me to that department.  She couldn't.  I asked her to have one of their reps (compliance dept) call me back.  She said they "wouldn't"!  


I tried to get her to let me speak to a MANAGER or SUPERVISOR.  She said no one was available.  Finally (after 1 hour and 14 mins) she gave me this number to call...[removed].  I haven't tried it yet but I'm willing to bet whoever answers WON'T be able to tell me if I'm compliant!!

March 18, 2024

We offer no payments outside of Intuit Payment Processing.  No physical card swipes. Nothing.  Client must pay through Intuit's web link on invoice.


Look, you pay Intuit to do your payments exclusively, and they won't certify that they are PCI compliant, that's kind of a problem.


People in my situation should merely sign / declare they take no payment information (ever) and outsource the entire payment workflow to Intuit.  DONE. 


Intuit's refusal to answer this clearly can only be explained by:

  • Their legal department has reasons we don't know about
  • Their staff are not trained and don't know what they are talking about beyond the required script.
  • Intuit receives a commission for every customer they refer to the external compliance company.
  • There is a Federal rule we don't know about.


Regardless, Intuit should be forthcoming instead of the run around.


March 25, 2024

I'm in the same boat as the above, frustrated at SecurityMetrics' threats, real and implied.  That's not the way to do business unless you are a scammer.  My company is a non-profit, and we process donations entirely through QuickBooks Online.  We never touch a credit card, or its associated data.  Our donors respond to an invoice, use whatever payment method they like, and the money goes straight to our bank.  No credit card data storage or transmission by my company, ever.  I'm happy to fill out whatever Intuit form (SAQ) there is to attest to same, but I'm not going to go through SecurityMetrics' paywall to do that.  Get better, Intuit.  QBO is excellent and I would hate to stop using it, but I certainly can do that if you insist on insulting your customers.

July 16, 2024

I got a real answer via Intuit support chat.

We can self-assess or use PCI compliance offered by a 3rd party/insurance. We do NOT need to submit proof of compliance to Intuit.

I called SecurityMetrics earlier today and they did not know if we could do anything other than go through them, so they were not terribly helpful. He was very polite and nice though.

September 11, 2024

"They did not know" is how they speak and operate. All I got was open-ended answers like "I think so" or "to the best of my knowledge"; they are covering themselves legally in case you get proof they were lying or were wrong about you needing them.