PCI Compliance for small business

Started by crazy^millman, March 02, 2023, 03:34 PM



crazy^millman

Just another money grab by the government for small business. I use QuickBooks Online to run the company. I think I have taken 6-7 credit card transactions in all the years of doing this. I always send a link through QuickBooks to make the payment. I never deal directly with it, and I had a couple of transactions recently where I thought it would be easier for them and me and should be no issue. Well, now QuickBooks is telling me I am in violation of their policies even though I pass everything through them and let them collect their 3.5% on the transactions. Now I have to pay a yearly fee to one of their sister companies to be compliant with this. I can stop taking credit cards and call it a day, but what a pain in the arse.

Quote: Data Security (PCI Compliance); Payor/Cardholder Personal Information. The card networks (such as VISA and MasterCard) and the payment networks (such as the National Automated Clearing House Association or "NACHA") have similar standards for protecting sensitive payment information and cardholder or payor data. For example, the Payment Cards Industry Data Security Standards ("PCI DSS") define the requirements that all entities that store, process, or transmit payment card data must comply with. You must ensure you have data security policies and processes in place to protect cardholder and payor payment and personal data in compliance with PCI DSS and NACHA security requirements. You must keep all systems and media containing account, customer, or transaction information (physical or electronic, including but not limited to account numbers and card imprints) in a secure manner to prevent access by or disclosure to anyone other than your authorized personnel. You must destroy in a manner that will render the data unreadable all personal data subject to NACHA or PCI DSS standards and such media that you no longer deem necessary or appropriate to store (except for receipts maintained in accordance with this Agreement, laws, Rules, and policies). Further, you must take all steps reasonably necessary to ensure cardholder or payor payment information is not disclosed or otherwise misused. You may not require a cardholder to complete a postcard or similar document that includes the cardholder's account number, card expiration date, signature, or any other cardholder account data in plain view when mailed. You may not retain or store magnetic stripe or CVV2, CVC2, or CID data after authorization. You agree that in the event of a breach, unauthorized access or compromise of payor or cardholder data, you will immediately notify us and provide us with detailed information relating to the breach or compromise.
You may not request or use a cardholder or payor account number for any purpose other than as payment for goods or services rendered. You may not require cardholders to provide any personal information as a condition of honoring a card unless such information is required for delivery of the goods or services, or you have reason to believe that the person presenting a card may not be the actual cardholder. You agree that any service providers you may use for accessing, storing, transmitting, and processing cardholder data on behalf of Intuit, or any service provider you may use that controls or could impact the security of cardholder data, must be registered as authorized agents and Intuit must be notified of them. Furthermore, all agents must acknowledge compliance with PCI DSS.

Additionally, if you receive a user identification name or password from us to access our database or use the Merchant Payment Services (the "Account Access Password"), you will: (a) keep the Account Access Password confidential; (b) not allow any other entity or person to use the Account Access Password or gain access to our database; (c) be liable for all action taken by any user of the Account Access Password and indemnify Intuit for all claims brought by a third party against Intuit with regard to use of the Account Access Password; and (d) promptly notify us if you believe the Account Access Password has been used inappropriately, or the confidentiality of the information made available through such use has been compromised.

You agree that any loss incurred as a result of any party gaining access to your Bank Account or our website using information which that party was not authorized to obtain or using such information in a manner not permitted by this Agreement (including but not limited to improper or unauthorized use of the Account Access Password) shall be your responsibility.

mkd

Have you looked into Venmo or such? They charge a percentage for a business account.
Set up Zelle with your bank. People can just email you the money. Easy peasy, and QuickBooks will see the transaction.

champshire

Pardon my ignorance, but no one pays via check anymore?

crazy^millman

Quote from: champshire on March 03, 2023, 07:02 AM: Pardon my ignorance, but no one pays via check anymore?

We get checks all the time when some companies feel like paying them. 90-120 days late on 30-day terms is the new normal for some. When a company wants something in a hurry, I require money up front to get started. I was offering to take credit cards to make it easier, but after this latest issue it looks like that will have to go away. I don't handle or even deal directly with credit cards. It all goes through QuickBooks, and after going from $60 a month when I first started to now $85 a month, what is the next thing to grab more money? I have to be compliant with their system, which clearly states that if I don't handle the credit card information directly then I don't need to worry about it. If I don't agree to sign up and pay the ransom they are asking, then I have to quit using QuickBooks, which my accountant also uses to access everything needed to pay me and my wife as employees and take care of our corporate taxes: $170 a month and $1,000 for yearly taxes. Add the $3,400 a month in health insurance, the $10k a year in software maintenance, and the $70k in taxes I pay, and it is a wonder I have two pennies to rub together at the end of each month.

More a frustration of trying to feed my family and keep a roof over our heads.

champshire

I completely understand your frustration. Everyone has their hand out and tries to get in your pocket. Like you said, you are just trying to provide for your family.

Getting your money up front is a wise move, but you already know that. I was mainly curious as to whether everything was handled electronically these days or if checks were still used. I'm sure, like for every small business, cash flow is king and it gets harder every day.

Could you charge a % more to your customers to help cover the extra expenses that you will incur? That's not the point, I get it, just spitballing ideas. Pass it on to the customer...that's what happens to the rest of us.

crazy^millman

So I paid the $85 a year fee to get compliant since I took 2 card transactions in the last month. QuickBooks/Intuit required that this be done or they would drop my company by 3/7/2023. I had to answer basic questions before I could pay the $85 ransom. I then could go on filling out questions. One of the last questions asks you to list the third-party company that we work with to collect credit card information. I go to list QuickBooks or Intuit, and neither one is listed as approved or PCI compliant. I call the company that they listed as helping with this requirement, and they tell me to just fill in QuickBooks manually anyway; even though it is not listed, it will still be okay. Even though it clearly states they may not be compliant and I risk not being compliant.

I ask point blank: so the company that required this compliance is not listed as an approved company for the compliance they are telling me our company has to have? They will get added, this is all still getting worked out? Wait a second, your company is supposed to be one of the world's leading companies in this area, and you're telling me Intuit and your company don't have their act together? Silence!!!!!!!!!!!!!!!!!!! Okay, well, thank you for your time and for certifying that I am doing exactly what I have been doing all along, which was nothing to begin with, and which is now compliant, so I can keep using QuickBooks to run my business. Have a wonderful day.

crazy^millman

Quote from: champshire on March 03, 2023, 08:02 AM: I completely understand your frustration. Everyone has their hand out and tries to get in your pocket. Like you said, you are just trying to provide for your family.

Getting your money up front is a wise move, but you already know that. I was mainly curious as to whether everything was handled electronically these days or if checks were still used. I'm sure, like for every small business, cash flow is king and it gets harder every day.

Could you charge a % more to your customers to help cover the extra expenses that you will incur? That's not the point, I get it, just spitballing ideas. Pass it on to the customer...that's what happens to the rest of us.

Yes, I have passed on the 3.5% fee when someone does use a credit card, but it is just more things to track and add to my list of things to track and take care of. I am pretty much a one-man show running the business. I do all the quoting, banking, reconciling, vendor purchase orders and most of the customer interactions. I am blessed to have programming help and glad to have others to work with in that regard, but 5th Axis CG Inc. is pretty much me. I take care of the Workman's Compensation, Owner's Liability Policy, $2 million umbrella policy, and the correct level of auto insurance required by customers to even drive on their property or be on site. I book my own travel and car rentals, and then the wife will book the hotel when she goes along. ITAR compliance, partnerships with other companies, and this stupidity added to my week that was really not needed.

Why I was venting, like it really matters.

crazy^millman

Quote: Thank you for choosing SecurityMetrics for your compliance and security needs. Congratulations on achieving the annual PCI Compliance certification!

As part of your merchant service, you are required to report your compliance with the Payment Card Industry (PCI) Data Security Standards. Compliance is required of all entities that store, process or transmit credit card data, including financial institutions, merchants, and service providers.

It clearly states in their email, showing I have compliance, that it is for companies that handle it. I don't handle it; I pass a link through QuickBooks, which handles it. I never see it or touch it. I am the crazy person in the room, as always.

champshire

Thank you for sharing all the hard work that goes on behind the scenes of running your own business. It's always hearts and flowers from the outside looking in. I have no idea what it takes to do what you do on a regular basis. I am currently an hourly employee, so this is a real eye-opener to me. I would like to move into having my own business one day, so I will keep this conversation in the back of my mind.

I agree with you, just more BS for you to put up with and have to deal with. It seems dumb from my point of view as well.

Thank you, for all that you do and share with us. You have a lot on your plate, obviously, and I know I appreciate your help when I get it. Your "Crazy" is what makes you, you!