Security Metrics is legit, theoregonweaver.
Intuit has a PCI service provider to help our QuickBooks Payments subscribers meet Data Security Standard (DSS) compliance requirements.
If you have created a QuickBooks Payments account to link with QuickBooks Self-Employed with SecurityMetrics, then you'll be asked to complete its FastPass.
Yes, this compliance is necessary for Security Metrics if you purchase the PCI package. That's why they charge a fee for the service. In addition, you need to complete the Self-Assessment Questionnaires (SAQ) and set up your scans.
You should also be able to receive email instructions. If none, I suggest browsing this article to learn other details about PCI compliance and your roles: Learn about QuickBooks PCI Service.
On the other hand, I also suggest contacting our QuickBooks Payments Support Team. This way, they can securely check your subscription for any add-on PCI Service fee. I also encourage you to report this to our Intuit Security team since you find this prompt message suspicious or if you don't have a QuickBooks Payments subscription. This way, they can review if the information is legitimate.
Please let me know if you have other concerns about completing the PCI compliance with Security Metrics. I'd be here to guide you more. Keep safe and more power to your business!
PCI Compliance applies to your business if it accepts credit cards as a form of payment. It's not a scam and it's required. The fee is not unusual and it's generally less than the non-compliance fee if you don't complete the PCI compliance questionnaire.
I also received an email from QuickBooks stating that I am "requested to complete validation of PCI Compliance by December 31st." The way it is worded using the word "requested" and not "required", told me it was nothing but another QB sales ploy. But I took the bait, and clicked the link provided.
Clicking the link took me to the Secure Metrics assessment page. Upon completion of the assessment, I was taken to a page stating that if I buy a package I will be 23% compliant (see screen shot). NO INFORMATION WAS PROVIDED TO TELL ME RESULTS OF THE ASSESSMENT, and no information was provided to tell me how I can fulfill the other 77%. Basically it's just, "Buy a package."
I'm baffled and befuddled by the "request". Since I invoice directly through QuickBooks, where my customers enter their own data to pay through QB online, I do not collect or enter any of my customer card data. I am sure there are some things I should do to make my business compliant, but I am certainly not going to blindly buy some package without more details.
Until I receive an email stating that I am REQUIRED to get PCI compliance, I'll just ignore the REQUEST.
This is my 5th year using Intuit payments/ merchant and I was never required to be PCI compliant before.
My bookkeeping clients (many who also accept intuit payments) were never required to be PCI compliant.
Other merchants send clients a free online PCI compliant questionnaire that takes 15-20 minutes to complete (for free).
I've done it to my company and clients before.
I believe that's another QB sales ploy to get people's money.
Somewhere in Intuit PCI compliance information pages, you can find instructions to file a form directly with Intuit, but the link takes you back to the initial instruction page and you end up nowhere, frustrated, angry and baffled.
Echoing other comments on this post, I too received the "you are requested...." email. I ignored it. Yesterday I received a phone call from SecurityMetrics asking me to signup for PCI compliance. I explained to the caller that I do not take credit card payments; some of my clients pay by card and INTUIT receives card information and payment and then deposits cash into my account. The SecurityMetrics sales person insisted that I need it. I ended the call and made a call to QuickBooks Support. They verified that as my account is not setup for ME to accept card payments I DO NOT need to be PCI compliant. I have seen elsewhere that if there is an issue, QuickBooks customers should contact QuickBooks and ask them to put a note on their account record stating they do not need to be PCI compliant and ask them to include notification number ATTN-10602 in the record.
This is correct. Since QB handles all payment information and data storage, they are the ones being required to be PCI compliant in which it says they are in their term. If we do not ever ask for CC info or account info and it's all inputted by the customer through QB; my company is NOT required to sign up for any sort of PCI compliance program. How does it make sense that I am not the card processor and only get paid by QB yet somehow QB seems to think I am responsible for being PCI compliant and paying a yearly cost? No sir this is incorrect.
So I called QuickBooks after receiving this pci email and they told me I had to do the pci compliance even though I do not process, store or deal with any customers card info. I’m at a loss. I don’t feel like I have to subscribe to this pci compliance. I do understand it’s to protect card info and that’s great but pouring out money doesn’t make sense.
I am a sole proprietor, I'm retired and work from home and have an Etsy shop to help pay the bills. I got all of these calls and emails but there is absolutely no way I'm going to pay that every month. It's way out of my league.
So because I was taking some payments on Intuit I have just discontinued using Intuit for payments and will move on with Venmo or PayPal.
I also called Quickbooks on this and was told I did not have to purchase a PCI package. The fees paid to Quickbooks for using their credit card processing service covers your PCI compliance fees.
If we do not take credit card payments with cards in hand, but instead only allow customers to pay via the credit card payment links (using Intuit Merchant Services) sent by the Quickbooks software to our client, is it REQUIRED that we create an account and pay a fee to Security Metrics? Is it required that we complete the SAQ?
I told the Security Metrics sales person just that. And that I had talked to QuickBooks. So far they've stopped bothering me so I'd say you're good.
It's legit. And it's only 80 bucks for the year
$80 / year is a lot of money. Warren Buffett's wife just complained about paying $4 for coffee. Money travels to where it is valued and protected.
Hi there, I received this as well, but I don't know how to answer the questions. We are a start-up bakery in a commercial/incubator kitchen with the two owners and 5 part time employees. We use the network there to send out invoices to our 4 wholesale accounts (they submit payment), but that's it in terms of credit cards. These questions ask about malware and secured networks and security cams and all that...but we don't control any of that at the business. They do have an IT team. I'm not sure what to do here. Shouldn't they be the ones filling this out?
Thank you for adding your first post, @LittleLoafBakeshop.
SecurityMetrics is an official partner of Intuit that provides streamlined PCI DSS compliance services for QuickBooks Payments accounts.
When signing up for a SecurityMetrics account, you'll be asked to complete the FastPass and get the PCI package that works for your business needs. If you're uncertain about the answer to the questions, you can call for assistance at the number shown under Who can I contact if I have questions regarding my SAQ or questionnaire?.
On the other hand, I've also added this reference about working with PCI compliance that may be useful in the future: Intuit Security Center - PCI Compliance.
Please let me know if you have any other questions about the self-assessment questionnaire when completing the PCI compliance with Security Metrics. I'd be happy to assist you further. Have a good one!
Do I need to become compliant if I only use the bank transfer option? I never use the credit card option.
I appreciate you taking the time to share this concern in the Community, @Todd G1. I'm here to provide information about QuickBooks Payment Card Industry Data Security Standard (PCI DSS) compliance.
The need for compliance depends on the specific regulations and laws in your country or region. Using the bank transfer option in QuickBooks Online may still require compliance with certain financial regulations and data protection laws, even if you do not use the credit card option.
PCI compliance helps protect your business and customers from theft and fraud. Payment cards like Visa, MasterCard, American Express, and Discover require PCI compliance every year. If your business accepts, stores, or transmits payment card data, you have to be PCI compliant.
Otherwise, you don’t need to activate the service and submit any requirements. Please know that it won’t interrupt your QuickBooks subscription.
You can read these resources to learn more about PCI DSS Compliance Services:
Let me know if you need further information about the PCI compliance. I'm always here to answer them for you. Keep safe, and have a wonderful day!
I am continuing to get this email. I cannot unsubscribe. I encourage you to all visit https://reportfraud.ftc.gov/ and file a report. This is selling a service that is not required and I cannot unsubscribe from the email. I have filed a report but will probably hear nothing back. If everyone annoyed does, maybe this money grab from unknowing small business owners, who are already burdened enough, will stop.
Perfect - I am so sick of this scam from QB and Security Metrics. They continue to send "non-compliant" emails even though we have PCI compliance through another vendor. And of course both QB and SM use a noreply email address so you can't even communicate back or unsubscribe. I will file a complaint asap.
How do I get the PCI Compliant Questionnaire? I am a small business and do not have that many credit card transactions and do not want to pay for the service. Thanks.
Hello BW38,
Thank you for chiming in on the thread! As my colleague mentioned if your business receives or accepts payment card data you would have to be PCI Compliant. To do the questionnaire, you would need to sign up for the SecurityMetrics which simplifies the PCI compliance validation process. Once done, you'll receive the self-assessment question in your email.
Here's how:
Please let me know if you have any other questions! I will be here to assist. Take care.
PCI Security Standards provides Self Assessment Questionnaires. Here's a link for one if all your transactions are outsourced: https://listings.pcisecuritystandards.org/documents/SAQ_A_v3.pdf
I also saw a site that looked interesting - it says PCI compliance is free...but I have not used them: https://pcifree.com/ You can check them out for more information if you don't want to go it alone.
Our company uses another vendor (NOT Security Metrics) We use PCI+ and we are happy with their services, they do charge an annual fee but it is not as high as Security Metrics. I am not sure why Intuit is pushing their customers into Security Metrics. That is disturbing, maybe they get a kick back?? I don't like that Intuit has shared our information with this company and then allow them to send NON COMPLIANT emails to customers who are compliant! If Intuit is expecting all users of their payment services to be compliant they need to provide better understanding of the task (as I am doing!!) And also allow customers who are compliant outside of Security Metrics to declare this and get off the non-compliant email list.
Really? Again you are pushing Security Metrics as the answer to people's confusion! Even giving instructions for them to sign up. Some customers do not need this for their compliance and there are other services that can do the same thing for less. Those who totally outsource only need to complete a questionnaire. That costs nothing!! The customers who have done PCI compliance without using Security Metrics need to have a way to let Intuit know so you stop bothering / threatening us.
I have reported this scam to FTC Fraud and would encourage others to do the same and maybe this misinformation will end. https://reportfraud.ftc.gov/
If you use QuickBooks servers to send invoices which have a payment link directly to QuickBooks' web host, who's responsible?
100% - CC security liability rests on QuickBooks.
I do not take CC information through a payment gateway on my web company web host.
If we follow the ambiguous answers given here they would have you believe that ANY DEVICE contacting their servers must be secure. However, in the case of invoicing and payments directly through QB's owned servers, there is absolutely no contact with any of my devices.
So following what they are IMPLYING is that any and ALL CUSTOMERS devices would have to be PCI compliant when they go to pay their invoices.
Since my devices do not touch the server for CC payment information and I do not see ANY details of the CC number, security code, name, or even address it sounds like to me that someone here needs to TRAIN their team.