Why do I need to provide QB/Intuit with PCI Compliance when QB/Intuit handles the credit card transactions and I never see or touch the credit card?

I hear your sentiments and recognize that every penny counts, especially to a business person like you, @Brad59.

Intuit is PCI compliant, ensuring the security of QuickBooks applications. However, using QuickBooks Payments services doesn't automatically make you PCI compliant; it indicates that specific transaction components meet compliance standards.

The PCI Security Standards Council created the PCI DSS Standard to better protect customer payment card data from suspicious activities. All merchants that accept credit or debit cards are required to complete a Self-Assessment Questionnaire (SAQ) and are responsible for protecting payment card information and meeting PCI compliance requirements.

Yes, Intuit will request you to submit PCI compliance documentation to confirm that you have met security requirements. As a merchant, you are responsible for safeguarding payment card information and fulfilling all PCI compliance requirements.

For the PCI annual payment, Intuit works together with Security Metrics to streamline the PCI compliance validation process. Security Metrics requires merchants to pay an annual fee. If you choose to use Security Metrics, you have to set up an account with them. Once you have completed Security Metrics Fast Pass, choose the PCI package that meets your needs. Then, complete an SAQ and set up your scans accordingly.

You can check these articles to learn more about the PCI compliance usage:

• Learn more about PCI DSS Compliance Services
• Learn about QuickBooks PCI Compliance

On the other hand, If you don't have a QuickBooks Payment account and have been requested to fulfill the security requirements, I recommend contacting our Payment Support Team to authenticate your account and inform us that you no longer require this compliance.

Furthermore, I'll provide this article to assist you in accepting online payments.: Receive and process payments.

Let us know if you have other questions about security compliance. I'm always here to address them all. Stay well.

You did not answer the question and many of us share it. We do not store or digitally transmit or save our payments we receive from our clients via phone. We are told we can answer the questions for free yet at 51% of the questions answered it tries to have you choose an unneeded and not wanted service package. There should be a box for No credit card information sent, received, or stored, digitally. At which point the rest do not apply and we should be certified or at least or account should show no pci needed. Why does intuit try to nickel and dime us with not needed services? Promise us a way to proceed without it (if not needed) and then try to force us to sign up for a not needed service?

And I too agree with TravelingEye on this.  You did not answer the question, but instead referred to more mumbo-jumbo.

The need to PAY a third party company to use your products is ridiculous.  In addition, it appears that you have sold our contact information to Security Metrics, who has begun emailing unsolicited sales pitches.

As a small non-profit HOA that has about 1/7 of our owners (uh, that would be a total of about take advantage of your invoicing and payment modules, paying a penny to prove that is too much.  We need a solution to meet your compliance requirement that doesn't cost those of us that aren't "merchants".

Answer please.

I appreciate you on joining the thread, @JustMeAt107. Allow me to share more information about the Security Metrics.

All companies that process, store, or transmit credit card information must maintain a secure environment by the PCI Security Standards Council. So, even if you're not one of the merchants if you're processing customer payments through QuickBooks, you'll have to comply with this.

Moreover, this is not mandatory if you use outside payment processors such as PayPal or Melio. That said, the choice is up to you.

Additionally, you can generate reports to get an overview of your business finances.

Let us know if you still have further questions about compliance. Take care.

So, if I don't process, store, or transmit credit card information, I *DON'T* have to pay for a compliance verification?  Because we don't do any of that.  100% of that is handled by Intuit.  We send an electronic invoice, the customer then uses YOUR systems to "process, store, and transmit".

So I guess I still do not understand this.

As QuickBooks stores, processes and transmits credit card information on my behalf after I invoice a client, QuickBooks needs the PCI certification not my company. Correct?

I neither collect, store, process, or see this information in any way. I only receive a payment from QuickBooks. Please confirm in a clear not vague way. 

Thanks for becoming part of the Community, ARKMortSLLC.

As a business accepting cards for payment, you'll need to have payment security throughout your local environment. This includes all applications and system on the network you're using.

Intuit and our products are on the PCI Security Standards Council website, listed as compliant. While QuickBooks applications are secure, other applications on your local computer/network can compromise the security of your environment. Using QuickBooks Payments services doesn't mean you're already PCI compliant.

Data security is more important now than ever, as hackers become more prevalent. PCI compliance increases your security against attacks. If a breach occurs, you may be liable for fines or need to spend on card re-issuance, acquirer fees, legal fees, or etc.

Becoming PCI compliant is an ongoing process. As a merchant, you're required to validate your PCI compliance annually. This includes re-submitting the SAQ and passing your required scans. Although validation is only an annual requirement, you're required and expected to follow the PCI requirements all the time. This includes watching your environment to identify any suspicious activities.

You can learn more about how PCI compliance works in our Learn about QuickBooks PCI Compliance article.

I'll be here to help if there's any additional questions. Have a wonderful Monday!

My understanding is that QB/Intuit is PCI Compliant. I too, neither collect, store, process, or see this information in any way. I only receive a payment from QuickBooks.Sounds like just another way to generate revenue. We are already being squeezed dry in todays economy. I only have 1 client that pays with CC. A very minimal amount. 

ZackE,

Thanks for what appears to be a canned response (very similar to the last one).  

After speaking with an Intuit Customer Support specialist this morning, I have been assured that as a Quickbooks customer that relies SOLELY on Quickbooks Payments, there is no PCI requirement from us.  Intuit handles the card information, and therefore handles the PCI requirements.

Thank you for your input it is very helpful. I have been a Q books user for over twenty years, The one thing I can say about Q books is I loath them. I think Quick books is just trying to leverage  more money out of me! At some point they will threaten to close my merchant services. I think I will wait and see! 

Thank you for your input it has been really helpful. I have been using Q books for over twenty years. The one thing I can say about Q books is I have learned to loath them. I think they are trying to extort more money from me. If they are really have a leg to stand on they will threaten to close my merchant services. They do make a lot of revenue from credit card fees. It would not be in there best interest to close the account unless it is for real! I think I will wait and see.   

If all we are doing is submitting an invoice on Quickbooks, Quickbooks sends the payment link and invoice, Quickbooks processes the payment, and Quickbooks transfers that payment (less fees) to my bank account, we have zero involvement in the actual payment processing/credit card transaction. We have zero exposure to, or control of, that card data. As such we are not required to be PCI Compliant and Quickbooks needs to address this annoying issue.

Exactly as above. It's like having a senate hearing. They wont answer directly! They talk around the question and give canned responses that cause more confusion.

They handle 100% from their servers from the original invoice email to the link inside the email, to the web host, to the gateway processor of the credit cards.

My devices never touch anything during the payment process.  Therefore, Credit Card security was NEVER in our hands to begin with.

Well played on the scam though... They managed to scare a lot of merchants into unnecessary anual fees and used a company that bullies people with ambigious email statements of penatly fees and charges.

The official answer does not actually answer our questions and it took a user to call and answer for us.  I want to echo the question once more and really would like a concrete official answer.  Since we do not process or save anything regarding payments, why are we being pushed to do this compliance process?  The security of our desktop computers where we send our invoices from has no bearing to the question.  We do not store and process the payment systems.  Intuit is responsible for that. So once again, why are we being pushed this? I literally panic from the 12,000 emails I get about this which compresses my eyebrows every time.  

To protect sensitive payment information of your business, it's essential that users are PCI compliant. Let me clarify its relevance to your situation, @Michael B4. 

It's important to note that even though you're not processing payments, your account and QuickBooks interact with these systems. Therefore, completing this process is essential to safeguard your data and information. 

Additionally, maintaining compliance shows your commitment to safeguarding customer security, especially since their data can be stored in your account. This approach helps you identify potential risks and reduces the chance of payment data breaches affecting your business.

For further details, check out this informative article: Learn about QuickBooks PCI Compliance. This provides a detailed overview that helps customers understand the importance of PCI compliance in QuickBooks.

I'll include this article you can check to help you protect yourself from any security risks online: Identify suspicious activity, phishing scams, and potential fraud.

If you have other questions about PCI compliance, please feel free to use the Reply button. I'll be here to assist you.

Will you folks from Intuit that "support" for this forum stop with the canned responses and READ what's being posted.  Your own support staff CONFIRMED that since we only use Quickbooks Payments (Quickbooks sends the invoice and processes the card) my organization has ZERO PCI Compliance requirements.  I never see, hear, feel, taste, or smell credit card data.

If there is a way for me to close this thread, I will.  We're a little busy right now recovering from the aftermath of a hurricane, and don't need the aggravation.