junwin
Level 2

Why is Intuit forcing us to be PCI compliant?

Here is the thing you don't seem to understand:

I NEVER interact with the client regarding payment:

  • QuickBooks Online generates the invoice in *your* data center
  • QuickBooks emails the invoice to the client from *your* data center
  • QuickBooks accepts payments using *your* web pages hosted in *your* data center
  • Finally, after you sit on the payment, *you* send the money to my bank account

At no time does the client use any web pages or systems under my control.

In principle, I can do all this on an iPad or even a phone.

There is nothing I can do that affects the security of the client's payment details.

The whole reason for using QuickBooks Online is to avoid these issues.

So can you do me the favor of answering with a Yes/No on whether I need to be PCI compliant!!

 

 

 

junwin
Level 2

Why is Intuit forcing us to be PCI compliant?

Really?

 

I use an iPad with QuickBooks Online - can you name one item of data on the iPad relating to the client payments?

 

Thanks

John

JakAHearts
Level 1

Why is Intuit forcing us to be PCI compliant?

I did the same to see the prices, and after answering questions that have nothing to do with how I operate my business or process payments (since I have no way to even process credit cards), I came to the prices and closed the tab. Now Security Metrics calls me trying to "help"...

junwin
Level 2

Why is Intuit forcing us to be PCI compliant?

Apparently not with PayPal, LOL

jpulizzi3
Level 2

Why is Intuit forcing us to be PCI compliant?

Any chance you can share specifics on the below claim?

 

Another option: you should consider having a 3rd-party merchant service provider integrate with QB. One provider does everything listed above for no extra cost; it is built into their $30 fixed fee for newly boarded merchants for the entire duration of their time with them.

jpulizzi3
Level 2

Why is Intuit forcing us to be PCI compliant?

I wonder if anyone has their legal team reviewing this requirement? My legal team (me and whatever free online resource I can manage to find) was not able to learn much of anything in our exhaustive search. This just feels like a shakedown.

jpulizzi3
Level 2

Why is Intuit forcing us to be PCI compliant?

We pay a fee to QB for secure payment processing for the protection of our customers and ourselves. Is this pushdown to become compliant an admission that what we have been paying for is somehow not secure? Many of us are never exposed to anyone's payment information in any way. Do we as users somehow possess the ability to corrupt the QB payment platform and put people's secure financial information at risk? If not, then what in the world is this supposed to accomplish? Security when using the QB payment platform? I'm confused because I feel like I already signed up and pay for this service.

Maybelle_S
QuickBooks Team

Why is Intuit forcing us to be PCI compliant?

I understand your concerns and confusion regarding the recent pushdown for compliance with the QB payment platform, jpulizzi3. Let me clarify and address your questions.

 

Given the increasing number of cybercriminals nowadays, data security is more important than ever. Any company or organization that handles cardholder data, whether to process, store or transmit, must meet PCI compliance requirements. It is a set of rules that businesses must abide by to take credit cards. Additionally, it will help you manage, process, and safely store delicate credit card data.

 

The process of becoming PCI-compliant doesn't have a specific deadline. It is an ongoing process that involves submitting Self-Assessment Questionnaires (SAQ) and passing the necessary scans annually. Hence, there's no recent update indicating that your account will be shut down for non-compliance.

 

However, please remember that failing to achieve PCI compliance leaves your business vulnerable to costly attacks and data breaches. If this occurs while non-compliant, your business may face penalties and fines.

 

For more details about this, I recommend browsing these resources:

 

 

Additionally, I've added these articles that'll help you protect your business account and data from fraudulent activities:

 

 

Please keep us posted if you have any further questions or concerns about PCI and being compliant. It's our priority to ensure your data is protected.

RPFdog
Level 2

Why is Intuit forcing us to be PCI compliant?

Not clear. Not an answer. You sound like a politician. This feels like banging my head against a brick wall, lol. So stupid. Also, your new commercials are embarrassing. 

Fiat Lux - ASIA
Level 15

Why is Intuit forcing us to be PCI compliant?

@jpulizzi3 

Any chance you can share specifics on the below claim?

 

Contact me in private and we will introduce you to them directly.

lucysunflower
Level 1

Why is Intuit forcing us to be PCI compliant?

This is profoundly annoying and frustrating. Minimal to no detail from Intuit, but a spammy email that turned out to be legit (ish?) from Security Metrics, and now it's costing me a minimum of $85 a year to be compliant with something over which I have minimal control or access. Any credit card fraud or failure is going to be fully due to a failure on Intuit's part, not mine.

I get that I agreed to use their credit card processing service and as such I need to agree to compliance on their terms. Fine. What I think I'm the most peeved about is the poor communication, having already used the service for years without the additional cost and headache, and the sketchy implementation. 

The full explanation to us could have been much, much more timely and much more comprehensive. If businesses got grades on communication like on grad school theses, most would fail. And fail badly. I feel like this was a shakedown, but at the same time I understand the need for it. Sadly, knowing that does not improve my feeling about it!

Guest09
Level 1

Why is Intuit forcing us to be PCI compliant?

"Any company or organization that handles cardholder data, whether to process, store or transmit, must meet PCI compliance requirements."

 

Based on this, QB must be PCI compliant and not us. Using QB to do everything, they are the only entity in the process flow that has cardholder data to process, store or transmit, etc.

 

If my company does none of those things, I am not required.

 

I'd ask any of these PCI experts or QB representatives to show me where in their process, which we pay for and use, do we ever fall under PCI compliance requirements as stated above? We simply do not.

Daddoo
Level 1

Why is Intuit forcing us to be PCI compliant?

Excellent, because I have absolutely zero intention of bothering with PCI compliance when I never handle or see a customer's CC info. If QuickBooks ever makes it mandatory, I will shut off their processing services the same day.

ProvenPCI
Level 2

Why is Intuit forcing us to be PCI compliant?

@daddo May I ask you a few questions? Have you ever been the victim of fraud or identity theft? Did you read the terms of the agreement you signed with Intuit/QuickBooks?

Reference 1 in the T&C of your merchant agreement:
Compliance with Law, Card Network, and NACHA Rules. In connection with your use of QuickBooks Payments, or in the course of your interaction with your customers or us, you agree to comply with all laws and regulations applicable to you, your business, and QuickBooks Payments. You further agree to use QuickBooks Payments in a manner that is consistent with all applicable laws, including laws pertaining to privacy and data protection, as well as rules and operating regulations issued from time to time by: credit card and payment networks (i.e. VISA, MasterCard, American Express, JCB, Discover, Apple Pay, PayPal, Venmo, etc.); the Payment Card Industry, including but not limited to the Payment Card Industry Data Security Standards ("PCI DSS") and Payment Application Data Security Standard ("PA-DSS") (collectively, "Rules"). The Rules are made available at the following page: https://quickbooks.intuit.com/payments/legal/; however your obligation to comply with the Rules apply regardless of whether we have posted such Rules on our website or otherwise made them available to you. The current versions of the Rules may be viewed on the Legal Documents page. In requesting an ACH or card transaction, you agree to take all measures, actions and steps in order to ensure that no transactions or interactions with any persons (natural or entities) included in lists maintained by the United States or other applicable jurisdictions prohibiting transactions with and the export of US products to certain entities, people and jurisdictions to include Cuba, Iran, North Korea, Syria and the Crimea region of the Ukraine. Specific to NACHA Rules, you agree to obtain customer consent to debit or credit their bank account and initiate a transaction over the ACH network. Such consent must be in a form and manner that complies with NACHA Rules and the documentation for ACH transactions.

Merchant Agreement

Other Payment and Legal Documentation

 

Basically, when you signed the agreement, you already stated that you were going to comply with their rules; now, because they are enforcing something, you're mad that you are being held accountable to what you said you were going to do.

Just so you know, I run a 3rd party provider and have created a SaaS for merchants to automate the requirements of PCI.

ProvenPCI
Level 2

Why is Intuit forcing us to be PCI compliant?

@junwin 

Please see my other responses and posts. You can also look me up on LinkedIn.
In response to your question: I use an iPad with QuickBooks online - can you name one item of data on the iPad relating to the client payments?

 

1. Your browser may not be up to date. Although you are online w/QuickBooks, there could be malicious code in an outdated browser.

2. If the iPad is also used for personal use, the apps you are running may impact your apps for work, such as QuickBooks. Again, if other apps are not PCI compliant and run in your environment, they affect your data. They and you are responsible. The number one rule of PCI that many people need to learn is that you, as a business owner, are responsible for ensuring that the providers you engage with are PCI compliant.

3. PCI is not just about storing the clients data, it is how it is handled and the environment and how that is impacted and or accessed. 

 

cwstanacious
Level 1

Why is Intuit forcing us to be PCI compliant?

I received an email with a survey regarding PCI. I'm an IT consultant; it didn't matter how I answered the survey, it always ended up with the same "purchase a package".

 

I did a little research and this is what I found on Quickbooks website relating to Security.  Pay attention to the sections I highlighted in red.

 

2. Your data is protected and private.

We rely on advanced, industry-recognised security safeguards to keep all of your financial data private and protected. QuickBooks Online is a DigiCert® secured product. DigiCert® is the leading secure sockets layer (SSL) Certificate Authority. With password-protected login, firewall protected servers and the same encryption technology (128 bit SSL) used by the world's top banks, we have the security elements in place to give you peace of mind.

 

Read the rest about their security here

 

https://quickbooks.intuit.com/global/security/

 

This whole PCI thing is a scam.

 

 

AWkwardd
Level 1

Why is Intuit forcing us to be PCI compliant?

What is the definition of ‘merchant’?
 

For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers. Source: PCI SSC

 

These aren't laws, unfortunately; they created an unregulated requirement to make money off any credit transaction, or you don't use the system at all, but they all have a version of this.

Funny enough, this doesn't seem to apply to direct bank wire transfers, where you actually have access to account information.

Honest Feelings
Level 1

Why is Intuit forcing us to be PCI compliant?

The fact that a company as large and integrated in our country as Quickbooks is attempting to tell me that I need to pay extra money to A THIRD PARTY (that you have made sure to pick for us) to ensure "PCI compliance" is an ethical nightmare. If you want me to use your "specific service," you should buy the company and integrate their services, and just charge the price. Our laws are changing, upfront and honest pricing is in the process of being integrated in our country like it is in Europe. I smell a class action lawsuit. And you'll lose. Maybe not today, but soon.

 

The best thing your company can do is make an announcement telling us all the truth - that QuickBooks should be responsible for its own PCI compliance, and if you can't do it on your own? You deserve to go out of business to whatever payment app is taking your business. It is greedy and disingenuous. Even if ensuring PCI compliance on our end does end up costing me more as a customer, I could swallow it, but I would fully expect integrated help from QuickBooks regarding setting this whole thing up - THAT'S WHAT I PAY QUICKBOOKS FOR. The main problem is everyone has this "scam" company trying to contact them. With all of the pushback, one would think QuickBooks would want to help, explain, or extrapolate. But it's just... radio silence or bull crap.

 

I used to tell people all the time that "it is okay that Quickbooks costs more, I use them anyway" because "they provide a good, steady, reliable service and I don't feel like I am getting ripped off."

 

No one feels like that anymore. Now Quickbooks is just acting like all the other third-party apps. It begs the question, if Quickbooks is going to take a step down the ethical ladder to be like every other third-party vendor, why stay?

 

Regardless of what the "consumer focus groups" or investors tell you (looking at you, QuickBooks), and what the underlings who work there must repeat verbatim out of fear of losing their jobs, we see you. The internet isn't going away, and your practices won't be forgotten. Might as well start calling you "Sears," thinking that just because you were the big dog your name will carry you forever.

 

It's gross. Do better.

reeloba
Level 1

Why is Intuit forcing us to be PCI compliant?

What is the name of this 3rd-party merchant service provider?

3rd party merchant service provider to integrate with QB. Everything listed above one provider does for no extra cost and is built into their $30 fixed fee for newly boarded merchants for the entire duration of their time with them.

Hh222
Level 1

Why is Intuit forcing us to be PCI compliant?

I agree 1000% that QuickBooks as a whole company should be PCI compliant; therefore QuickBooks subscribers should be covered by that blanket. I don't store any of my clients' card information. I can't even see it at all. Why are you forcing us into paying out more money just to use your services? I can ALWAYS find another way to bookkeep for my business. QUICKBOOKS: you should really work this out yourselves; we pay plenty of money for y'all to be PCI compliant. Signed, a lot of angry users!!

Anne B
Level 1

Why is Intuit forcing us to be PCI compliant?

Thank you all for this conversation thread; it has been incredibly helpful! It is important to be PCI compliant to protect our business, and the list that was given below assures me that our company is already PCI compliant without having to purchase this product, for which I receive weekly calls and emails. I almost paid Security Metrics and would have had to allow them access to my secure system; that would have been a mistake.

bizpro1
Level 2

Why is Intuit forcing us to be PCI compliant?

To the moderator:

 

What everyone is saying is that they are NOT "handling, processing and storing sensitive payment card data". Intuit is doing that. The merchant never sees or handles a card or card information. Therefore, why in the world would the merchant need to also be PCI compliant? SecurityMetrics is known for their shady practices in trying to make people believe you MUST use their services and be compliant. QuickBooks payment services is no different than Stripe or PayPal, where the merchant never sees a card number; they just receive the cash.

Please answer the question for everyone without continuing to just post the same verbiage that doesn't apply.


FishingForAnswers
Level 9

Why is Intuit forcing us to be PCI compliant?

@bizpro1  While Security Metrics certainly seems to be a joke, if you accept credit card payments, you still need to be PCI compliant.

 

In short:

 

If you accept credit card payments, you have a merchant account, and the ability to log into that merchant account.

 

Whether you personally would be able to pry sensitive financial information out of your merchant account is irrelevant. If your equipment becomes compromised, bad actors would then have access to said merchant account, and they are able to do just such prying.

 

It's basic data security.
