When Intuit Customer Support Chat says we can self-assess:
a) Does that mean we have to submit an SAQ-A?
b) If so, where?
The SAQ-A form ( see https://docs-prv.pcisecuritystandards.org/SAQ%20(Assessment)/SAQ/PCI-DSS-v4-0-SAQ-A-r2.pdf ) is an approximately 23 page monster (plus directions) that lets you self-assess under certain situations mostly described in this thread.
Please note that -- as far as I can tell -- submitting credit card transactions through the MerchantCenter payment gateway (Intuit website for credit card processing) should qualify for SAQ-A as long as you don't store credit card information or store credit card information only in paper form.
Do we really have to do a 23 page form built with an giant corporation and corporate IT department in mind?
The last time I did this for another company there was a very annoying 3+ page form that basically just asked if I stored any credit card information in electronic form. This SAQ-A thing goes through a ton of assumed scans and layers of computer security.
Sure -- If I really have to check 23 pages of "Not Applicable" I will do so. At least that option exists. Where do I send it?
