ScrewSecurityMetrics
Level 2

Security Metrics sent an email for PCI compliance. Is this legit?

It is. Security Metrics uses scare tactics to get you to pay for services you don't need. If you never see or handle credit card data, you do not need to be PCI compliant; PCI compliance is only required for businesses that store, process, or transmit cardholder data, meaning if you don't interact with any credit card information, you are not subject to the PCI standards.

ScrewSecurityMetrics
Level 2

If you never see or handle credit card data, you do not need to be PCI compliant; PCI compliance is only required for businesses that store, process, or transmit cardholder data, meaning if you don't interact with any credit card information, you are not subject to the PCI standards.

Anne16720
Level 4

I am in the same situation. Our company uses another service (NOT Security Metrics). We are PCI compliant but continue to get these non-compliant notices via email from BOTH Security Metrics and QB. Oh, QB says "if you're already compliant you can ignore this message." Figure out a way to either let us upload our compliance documents or let us please opt out of these very disturbing and threatening emails. PLEASE!!!

Anne16720
Level 4

I tried talking to Intuit - 35 minutes later they are no help.  They will report you to SecurityMetrics as non-compliant.  But they say they have no way to let them know that you are compliant if you use a 3rd party vendor.  This is not right and actually will cause people to buy products from Security Metrics that they may not need out of fear or ignorance on the subject. 

If QB can report us as non-compliant then they have an obligation to let their "partner" know this is incorrect.  Otherwise your compliant customer receives a shake-down email from Security Metrics.  Not nice and makes me wonder how much commission Intuit makes from every new account they sign up with SM.  For anyone else feeling distress about this subject I highly recommend you file a fraud complaint with the FTC https://reportfraud.ftc.gov/  If enough people take action we may be able to get Intuit to care a little bit about the frustration they have caused their customers with this greed-motivated / scam / scare tactic. Thank you @DarixWiseman 

Losschris
Level 1

The worst part is they will not allow for self-assessment certifications. They make you go through a 3rd party, or you can be fined, charged more, etc.

Anne16720
Level 4

To me the worst part is that we already have a 3rd party vendor for PCI compliance but both Intuit and Security Metrics flat out refuse to recognize them and mark us as compliant.  They like keeping us in the non-compliant status. So I can only assume this is so we inadvertently sign up with their partner and double pay!  This is not a fair system and the customer is being ignored ... someone is behind this to make more money.  Otherwise - fix it!!

dgoldstein
Level 1

I just want to know if this is absolutely required simply because we run credit cards.  This is an extra cost!

Just_me
Level 11

"I just want to know if this is absolutely required simply because we run credit cards.  This is an extra cost!"

 

@dgoldstein If you accept credit cards, it IS absolutely required. The extra cost sucks, but it is better than being fined for not being compliant.

You don't have to use Security Metrics, either. In fact, I recommend finding another company. We use the one that we go through for payment processing. 

Other companies are  nicer, more professional, and a lot cheaper than this one that QB insists on.  

Security Metrics are just a bunch of rip-offs and bullies.  

Anne16720
Level 4

Most businesses taking credit cards are required by their merchant account vendors to be PCI compliant. However, if your merchant provider does not assist with this then you have to do it yourself or use a 3rd party. Basically all small businesses taking credit cards should do an annual self-assessment questionnaire. There are companies that do this for a pretty low cost. And I see the best place to get general info and questions answered is pcifree.com. Not sure if it's really free... but they do give a lot of good information.

ScrewSecurityMetrics
Level 2

If you ask me, it's like Intuit reporting to Staples that we haven't bought toner.  Their tactics are a complete scam, but I'm not worried. 

ScrewSecurityMetrics
Level 2

If you never see or handle credit card data, you do not need to be PCI compliant; PCI compliance is only required for businesses that store, process, or transmit cardholder data, meaning if you don't interact with any credit card information, you are not subject to the PCI standards.  All my credit card transactions are between my customers and QBO and Shopify.  I never even see their cards or information, so let them try to make me buy their BS compliance.  Not gonna do it. 

MDF08
Level 1

It would probably be best if Security Metrics indicated in their email that they are an official partner of QuickBooks. Or maybe this email should come from QuickBooks directly.

pedbender
Level 1

I have the same question?

ArielI
QuickBooks Team

I truly appreciate you voicing your thoughts, @pedbender. My goal is to ensure you receive the precise information and assistance needed for your PCI compliance concerns. Let’s explore this further.

 

First, are you referring to an email you recently received? If so, please note that Intuit has been sending product messages to remind our customers about PCI compliance. Here are a few things to look for if you’re not sure an email came from Intuit.

 

  • We’ll never ask for your personal info in an email.
  • Our emails will always come from an email address that ends with @intuit.com. This includes @e.intuit.com.
  • Any link we send you in an email will always be for an intuit.com address.

 

However, if the email is not from one of these addresses, it is likely not from Intuit but rather from Security Metrics.

 

Though Security Metrics is an official partner of Intuit for PCI compliance, you are not limited to them for your compliance solutions. Engaging with them ensures you’re partnering with a reputable provider, but there are other options available as well.

 

If your concern revolves around something else, please share the specifics so I can assist you more effectively.

 

Also, you can check out these articles that you can provide to your client for managing transactions and maximizing the benefits of their QuickBooks Payments account:

 

 

Should you have any further questions or need additional assistance with PCI compliance, please don’t hesitate to reach out. We are here to help you anytime.
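
The three checks listed in the reply above can be applied mechanically to a saved message. This is an added example, not part of the thread and not Intuit's code; it assumes a single-part plain-text message, and both sample messages are constructed. A finding only means the message does not meet the stated criteria, which per the reply may simply mean it came from Security Metrics rather than Intuit.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED = "intuit.com"  # domain named in the reply above

def in_domain(host, base=TRUSTED):
    """True only for base itself or a genuine subdomain of it."""
    host = (host or "").lower().rstrip(".")
    # Require a dot boundary: a plain endswith(base) or substring test
    # would also accept look-alike hosts that merely contain the name.
    return host == base or host.endswith("." + base)

def check_message(raw):
    """Return a list of findings; an empty list means both checks passed.

    The From header can be forged, so passing is necessary, not sufficient.
    """
    msg = message_from_string(raw)
    findings = []
    _, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    if not in_domain(sender_host):
        findings.append(f"sender not under {TRUSTED}: {sender_host or '(none)'}")
    body = msg.get_payload()  # assumption: single-part text body
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        # urlsplit separates userinfo from the host, so
        # "https://intuit.com@other.example/" resolves to other.example.
        host = urlsplit(url).hostname
        if not in_domain(host):
            findings.append(f"link outside {TRUSTED}: {host}")
    return findings

# Constructed sample messages (not real mail).
GENUINE = (
    "From: QuickBooks <no-reply@e.intuit.com>\n"
    "Subject: PCI reminder\n\n"
    "See https://quickbooks.intuit.com/pci for details.\n"
)
LOOKALIKE = (
    "From: Intuit Billing <alerts@intuit.com.billing.example>\n"
    "Subject: PCI notice\n\n"
    "Pay at https://intuit.com@pay.example/login "
    "(help: https://www.intuit.com/support)\n"
)

if __name__ == "__main__":
    for name, raw in (("GENUINE", GENUINE), ("LOOKALIKE", LOOKALIKE)):
        print(name, check_message(raw))
```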

JRbookkeeping805
Level 1

This has to be THE MOST UNPROFESSIONAL handling of this information I have EVER SEEN from QuickBooks, for over 25 years. What is happening to this company?

 

I recently set up credit card processing for a client and NOWHERE in any of the 3+ hour process did anyone mention that this partner would be reaching out to offer this compliance requirement.  To top it off there is a FREE solution to submit a self report (WHAT A SCAM). Don't even get me started on the completely UNPROFESSIONAL look of the email that was received. 

I searched AI to verify if this was true and at least they mentioned the FREE option whereas your response DOES NOT MENTION THAT many clients do NOT need to buy a package at all.  

SHAME ON INTUIT QUICKBOOKS, THIS IS A SHAKEDOWN PARTNERSHIP AND I AM NOT HAPPY WITH THIS. I should have gone with Square to process.

Anne16720
Level 4

Not sure what kind of "partnership" they have.  We are PCI compliant with a 3rd party (NOT Security Metrics)  but since Security Metrics "tells" QB we are not signed up with them we get annual threats via email that we are non-compliant.  Or maybe QB only recognizes compliance done through Security Metrics??  What is that?  Anyway, if you have an alternate vendor or do the self-assessment then QB needs to find a way to record this and stop with the "non-compliance" alerts designed to fool the unsuspecting into signing on with Security Metrics.  Many are on to the scam -- but please continue sharing the information until this deception ceases.  

bbotz
Level 1

Plus Intuit TRIPLED the cost of QB Desktop in the last 2 years. WHAT A RIPOFF. There are other companies who do what they do. 

Mark 2
Level 1

They are emailing at a group address where I cannot confirm email headers.

They can email me at my known address as admin and I will not pay for any service.

We use them online.

They need to be secure and compliant.

Our internal policy is extreme.

I would write up an employee that wrote down or recorded any CC data.

We take it from customers over the phone and enter it directly into Intuit.

We are secure against key loggers.

In the past when with the bank, PCI compliance wanted my system to be less secure and open a backdoor for them.

 

I will block them in our groups and then know where to find me.

Glad to find another vendor.

 

And I have studied the PCI law.

 

As someone said, the scam is selling me to outside service.

MichaelOD
Level 5

It's a scam, but a scam sponsored by Intuit.

 

Intuit has created a narrative that a cloud based account that has never had a single customer credit card number entered (all handled through Intuit's online pay portal) could be hacked, the bank accounts of the Intuit account changed by the hacker, and then the hacker could charge your customers' credit cards...

 

Unless Intuit is storing customer credit card numbers on your devices, without your knowledge or permission, this is a false narrative.

 

The PCI compliance charge is a scam, and if you don't pay it, you get fined by Intuit.

 

So yes, it's from Intuit.  No, it's not legit, and believe you me, I'm searching every post on this forum looking for a post to legitimize it.  There isn't one, just evasiveness.  I'm flabbergasted that Intuit has created a whole staff of people that are willing to lie to small business owners, financially hurt their families, and keep small business owners trying to figure out Intuit's latest scam or broken feature, rather than spend time with our families.  It's truly, truly bizarre.

MichaelOD
Level 5

This is false.  Intuit is demanding compliance from QuickBooks Online customers that only accept payment via Intuit's online portal--they never see, handle or store a credit card number.  Please don't spread lies for Intuit.

MichaelOD
Level 5

Thank you.  I will file a fraud complaint.  I'm guessing Intuit donates more money to politicians than me, and this will be a complete waste of time, but I'll give it a go.

dorothyliu
Level 1

Feedback to the QB team—Security Metrics has contacted me twice via text. Never via email. In a day of cyber scams, QuickBooks MUST do a better job of informing us in a more official capacity. My preference is through a message via my QuickBooks app/online account. If it’s a number I don’t recognize I will not answer it. There is also no verifiable or referenceable information that tells us this is legit.

 

Please fix this.
