theoregonweaver
Level 1

Is QB Self-Employed PCI compliant? Is Security Metrics a scam?

I recently received an email saying:
"Intuit has partnered with SecurityMetrics, a leader in data security and compliance to simplify PCI certification for you. You are requested to complete validation of PCI Compliance by December 31st, so please ACT NOW."
Is this a scam? I am suspicious of this because: 
1. it is short notice
2. there is a fee
3. QB self-employed is already PCI compliant
Is this compliance really necessary from Security Metrics and why do they charge a fee?
Jovychris_A
Moderator

Security Metrics is legit, theoregonweaver.

Intuit has a PCI service provider to help our QuickBooks Payments subscribers meet Data Security Standard (DSS) compliance requirements.

If you have created a QuickBooks Payments account to link with QuickBooks Self-Employed with SecurityMetrics, then you'll be asked to complete its FastPass.

Yes, this compliance is necessary for Security Metrics if you purchase the PCI package. That's why they charge a fee for the service. In addition, you need to complete the Self-Assessment Questionnaires (SAQ) and set up your scans.

You should also be able to receive email instructions. If none, I suggest browsing this article to learn other details about PCI compliance and your roles: Learn about QuickBooks PCI Service.

On the other hand, I also suggest contacting our QuickBooks Payments Support Team. This way, they can securely check your subscription for any add-on PCI Service fee. I also encourage you to report this to our Intuit Security team since you find this prompt message suspicious or if you don't have a QuickBooks Payments subscription. This way, they can review if the information is legitimate.

  1. Go to this link: https://security.intuit.com/.
  2. Click Contact Us.
  3. Look for Report a fake email (or phishing email) and click on it.

Please let me know if you have other concerns about completing the PCI compliance with Security Metrics. I'd be here to guide you more. Keep safe and more power to your business!

Rainflurry
Level 13

@theoregonweaver

PCI Compliance applies to your business if it accepts credit cards as a form of payment. It's not a scam and it's required. The fee is not unusual and it's generally less than the non-compliance fee if you don't complete the PCI compliance questionnaire.

neilhschwartz
Level 2

I also received an email from QuickBooks stating that I am "requested to complete validation of PCI Compliance by December 31st." The way it is worded, using the word "requested" and not "required", told me it was nothing but another QB sales ploy. But I took the bait and clicked the link provided.

Clicking the link took me to the Security Metrics assessment page. Upon completion of the assessment, I was taken to a page stating that if I buy a package I will be 23% compliant (see screenshot). NO INFORMATION WAS PROVIDED TO TELL ME RESULTS OF THE ASSESSMENT, and no information was provided to tell me how I can fulfill the other 77%. Basically it's just, "Buy a package."

I'm baffled and befuddled by the "request". Since I invoice directly through QuickBooks, where my customers enter their own data to pay through QB online, I do not collect or enter any of my customer card data.  I am sure there are some things I should do to make my business compliant, but I am certainly not going to blindly buy some package without more details.

Until I receive an email stating that I am REQUIRED to get PCI compliance, I'll just ignore the REQUEST.

GranadaBook
Level 3

This is my 5th year using Intuit payments/merchant and I was never required to be PCI compliant before.

My bookkeeping clients (many of whom also accept Intuit payments) were never required to be PCI compliant.

Other merchants send clients a free online PCI compliance questionnaire that takes 15-20 minutes to complete (for free).

I've done it for my company and clients before.

I believe that's another QB sales ploy to get people's money.

Somewhere in Intuit's PCI compliance information pages, you can find instructions to file a form directly with Intuit, but the link takes you back to the initial instruction page and you end up nowhere, frustrated, angry and baffled.

martinjvh
Level 1

Echoing other comments on this post, I too received the "you are requested...." email. I ignored it. Yesterday I received a phone call from SecurityMetrics asking me to sign up for PCI compliance. I explained to the caller that I do not take credit card payments; some of my clients pay by card and INTUIT receives card information and payment and then deposits cash into my account. The SecurityMetrics salesperson insisted that I need it. I ended the call and made a call to QuickBooks Support. They verified that as my account is not set up for ME to accept card payments I DO NOT need to be PCI compliant. I have seen elsewhere that if there is an issue, QuickBooks customers should contact QuickBooks and ask them to put a note on their account record stating they do not need to be PCI compliant and ask them to include notification number ATTN-10602 in the record.

unitedelectric220
Level 1

This is correct. Since QB handles all payment information and data storage, they are the ones being required to be PCI compliant, which it says they are in their terms. If we do not ever ask for CC info or account info and it's all inputted by the customer through QB, my company is NOT required to sign up for any sort of PCI compliance program. How does it make sense that I am not the card processor and only get paid by QB, yet somehow QB seems to think I am responsible for being PCI compliant and paying a yearly cost? No sir, this is incorrect.

Legacy
Level 1

So I called QuickBooks after receiving this PCI email and they told me I had to do the PCI compliance even though I do not process, store or deal with any customers' card info. I'm at a loss. I don't feel like I have to subscribe to this PCI compliance. I do understand it's to protect card info and that's great, but pouring out money doesn't make sense.

nsshawaii
Level 1

I am a sole proprietor, I'm retired and work from home and have an Etsy shop to help pay the bills. I got all of these calls and emails but there is absolutely no way I'm going to pay that every month. It's way out of my league.

So because I was taking some payments on Intuit I have just discontinued using Intuit for payments and will move on with Venmo or PayPal.

laurynrecchia-gm
Level 1

I also called QuickBooks on this and was told I did not have to purchase a PCI package. The fees paid to QuickBooks for using their credit card processing service cover your PCI compliance fees.

shislop
Level 3

If we do not take credit card payments with cards in hand, but instead only allow customers to pay via the credit card payment links (using Intuit Merchant Services) sent by the QuickBooks software to our client, is it REQUIRED that we create an account and pay a fee to Security Metrics? Is it required that we complete the SAQ?

laurynrecchia-gm
Level 1

I told the Security Metrics sales person just that. And that I had talked to QuickBooks. So far they've stopped bothering me so I'd say you're good.

PBCW
Level 1

It's legit. And it's only 80 bucks for the year.

aq-b
Level 1

$80 / year is a lot of money. Warren Buffett's wife just complained about paying $4 for coffee. Money travels to where it is valued and protected.

LittleLoafBakeshop
Level 1

Hi there, I received this as well, but I don't know how to answer the questions. We are a start-up bakery in a commercial/incubator kitchen with the two owners and 5 part-time employees. We use the network there to send out invoices to our 4 wholesale accounts (they submit payment), but that's it in terms of credit cards. These questions ask about malware and secured networks and security cams and all that...but we don't control any of that at the business. They do have an IT team. I'm not sure what to do here. Shouldn't they be the ones filling this out?

Angelyn_T
QuickBooks Team

Thank you for adding your first post, @LittleLoafBakeshop.

SecurityMetrics is an official partner of Intuit that provides streamlined PCI DSS compliance services for QuickBooks Payments accounts.

When signing up for a SecurityMetrics account, you'll be asked to complete the FastPass and get the PCI package that works for your business needs. If you're uncertain about the answer to the questions, you can call for assistance at the number shown under "Who can I contact if I have questions regarding my SAQ or questionnaire?".

On the other hand, I've also added this reference about working with PCI compliance that may be useful in the future: Intuit Security Center - PCI Compliance.

Please let me know if you have any other questions about the self-assessment questionnaire when completing the PCI compliance with Security Metrics. I'd be happy to assist you further. Have a good one!

Todd G1
Level 1

Do I need to become compliant if I only use the bank transfer option? I never use the credit card option.

DebSheenD
QuickBooks Team

I appreciate you taking the time to share this concern in the Community, @Todd G1. I'm here to provide information about QuickBooks Payment Card Industry Data Security Standard (PCI DSS) compliance.


The need for compliance depends on the specific regulations and laws in your country or region. Using the bank transfer option in QuickBooks Online may still require compliance with certain financial regulations and data protection laws, even if you do not use the credit card option.

PCI compliance helps protect your business and customers from theft and fraud. Payment cards like Visa, MasterCard, American Express, and Discover require PCI compliance every year. If your business accepts, stores, or transmits payment card data, you have to be PCI compliant.


Otherwise, you don’t need to activate the service and submit any requirements. Please know that it won’t interrupt your QuickBooks subscription.


You can read these resources to learn more about PCI DSS Compliance Services:

Let me know if you need further information about the PCI compliance. I'm always here to answer them for you. Keep safe, and have a wonderful day!
