This now 1-2 year-old game gets really old. Last I checked, there are multiple threads on this topic.
As the original poster in 2023 stated:
"I manage very few credit card transactions and they are all handled exclusively through QB Payments with no website e-commerce. QB is trying to tell me that I'm not PCI compliant and they want me pay SecurityMetrics to verify my compliance, but the PCI website says I can self-assess using SAQ-A and an AOC. I don't know how to submit this to QB without using the 3rd party."
I would add the SAQ-C-VT form as a possibility for many very small businesses.
At this point, I have multiple email addresses and contact points for Intuit including for the compliance team for this issue. I'm not going to pay a security contractor for something I don't need and for which I can self-certify (like I do with another credit card processing company I'm forced to use for other purposes).
For that matter, I won't be allowing a security contractor through my firewall to scan my laptop for the credit card information that they won't find on it as I don't need another potential security breach for my client medical data even if said contractor might sign a HIPAA BAA subcontractor form to keep the medical data safe. Just too many hacks these days.
As long as I can't get a straight answer on where to send the self-certification, I won't be filling out one of these onerous forms to send into the void of non-response.
So I will continue to get threatening emails from Intuit for being in non-compliance, directed to a security compliance firm I don't need, then ghosted when I try to find out how to self-certify and where to send it. I hope Intuit does not close my account over this, but then I do have another credit card processing company I don't like that I can continue with anyway.
-- Zagone
