To self-certify for PCI compliance for credit card transactions processed through QuickBooks Online (QBO), you need to follow the Payment Card Industry Data Security Standard (PCI DSS) requirements, which involve completing a Self-Assessment Questionnaire (SAQ) and submitting an Attestation of Compliance (AOC). Below is a step-by-step guide based on the available information:
Step-by-Step Guide to Self-Certify PCI Compliance for QuickBooks Online
1. Determine Your Merchant Level and SAQ Type:
- Most small businesses using QuickBooks Online Payments, where customers enter payment information directly via QuickBooks' secure payment links (e-invoicing) and no card data is stored or handled by the merchant, are classified as Level 4 merchants (processing fewer than 20,000 e-commerce transactions or 1 million total transactions annually).
- For these businesses, the appropriate SAQ is typically SAQ A, the shortest questionnaire, which covers merchants that outsource all cardholder data functions to a PCI DSS compliant third party such as QuickBooks Payments.
- Confirm your SAQ type by reviewing the PCI Security Standards Council's (PCI SSC) guidelines or consulting QuickBooks Payments support, because the correct SAQ depends on how you handle card data (e.g., no storage, no manual entry).
2. Download the SAQ A and AOC:
- Obtain the current SAQ A form and its accompanying AOC from the PCI SSC website. SAQ A consists of approximately 24 yes/no questions, many of which may be marked "N/A" if you solely use QuickBooks Payments for processing and do not store, process, or transmit cardholder data yourself.
3. Complete the Self-Assessment Questionnaire (SAQ A):
- Review your credit card handling practices against the PCI DSS requirements. For QBO users, this typically involves:
  - Confirming you do not store credit card numbers anywhere (e.g., on paper, in email, or on internal systems). QuickBooks Payments handles all card data securely with encryption and tokenization.
  - Ensuring the systems you control (computers, networks) are secured with updated antivirus software, strong passwords, and access to sensitive data restricted to those who need it.
  - Verifying that customers enter payment details directly through QuickBooks' secure payment links, and that you do not manually process or view card information.
- Answer the SAQ questions honestly, marking "N/A" for requirements that do not apply (e.g., those concerning stored cardholder data).
- If you're unsure about any requirement, refer to the PCI SSC's SAQ Instructions and Guidelines (available on their website) or contact QuickBooks Payments support for clarification.
4. Sign the Attestation of Compliance (AOC):
- After completing the SAQ, fill out and sign the AOC to certify that your business meets the applicable PCI DSS requirements. This document records your compliance status.
- Ensure all relevant sections of the AOC are completed, including details about your business and the SAQ type used.
5. Submit the SAQ and AOC to Intuit:
- Intuit accepts self-completed SAQs and AOCs directly from customers, though the exact submission process is not always clearly outlined in their documentation.
- Contact QuickBooks Payments Support to confirm how to submit your SAQ and AOC. You can reach them via:
  - Phone: check the QuickBooks Payments support page for the current number (available under "Contact Payments or Point of Sale Support").
  - Chat: use the chat link on the same support page, or within your QBO account under "Help" or "Settings" > "Payments."
- Ask for specific instructions on where to send the completed SAQ A and AOC (e.g., by email, a portal upload, or another method). Some users report difficulty finding a direct submission method, so persistence with support may be necessary.
- Do not rely on third-party services such as SecurityMetrics unless you prefer their assistance; they charge fees (e.g., $85–$375 annually) for work you can perform yourself for free.
6. Review and Maintain Compliance:
- PCI compliance is an ongoing process that requires annual reassessment and submission of a new SAQ and AOC.
- Regularly review your payment processes to ensure you continue to meet SAQ A requirements, such as:
  - Avoiding manual storage or entry of cardholder data.
  - Keeping your systems secure (e.g., updated software, secure networks).
- Train staff on secure payment handling practices to minimize risk, even if you don't directly handle card data.
7. Address Common Concerns:
- Emails from SecurityMetrics or Intuit: You may receive emails from Intuit or their partner, SecurityMetrics, urging you to sign up for their PCI compliance services. These services are optional for Level 4 merchants who can self-certify using SAQ A. If you only use QuickBooks Payments and don't handle card data, you can disregard these emails and self-certify instead.
- No Card Data Handling: If you only send invoices through QBO and customers pay via secure links, your PCI compliance burden is minimal because QuickBooks Payments is already PCI compliant and handles all card data securely. However, you must still complete the SAQ to confirm that your own environment (e.g., devices, network) is secure.
- Disabling Credit Card Payments: If you don't need to accept credit cards (e.g., you only take checks or ACH), you can disable QuickBooks Payments to avoid PCI compliance requirements entirely. Contact QuickBooks Support to deactivate the Payments feature.
Key Notes
- QuickBooks Payments is PCI Compliant: Intuit's payment processing system uses encryption and tokenization and meets the PCI DSS standard. However, as a merchant with an active QuickBooks Payments account, you remain responsible for ensuring your overall environment complies, even if you don't directly handle card data.
- Avoid Unnecessary Fees: SecurityMetrics and similar vendors may charge for compliance services, but for most small businesses using QBO Payments, self-certifying with SAQ A is sufficient and free.
- Potential Risks of Non-Compliance: Failure to comply could result in fines, penalties, or suspension of payment processing capabilities if a data breach occurs, even though QuickBooks handles the transactions. Completing SAQ A mitigates this risk.
- Contact Support for Clarity: If you're unsure about your requirements or the submission process, QuickBooks Payments Support can guide you. Be persistent, as some users report vague or inconsistent responses.
Additional Resources
- QuickBooks PCI Service FAQs: Visit Intuit's PCI compliance page for more details (available via QuickBooks Help or the Payments section).
- Contact QuickBooks Support: Use the phone or chat options listed under "Contact Payments or Point of Sale Support" in QuickBooks Help.

If you don't handle or store credit card data and only use QuickBooks Payments for invoicing, completing SAQ A and submitting it to Intuit should suffice. If you encounter issues or need further assistance, let me know, and I can help clarify or guide you through the next steps.