Renae T
Level 2

Security Metrics sent an email for PCI compliance. Is this legit?

I called QBO after starting the signup process and was told it was a scam, but now I'm not sure and want to continue if this is something I should be doing.
Solved
Best answer December 30, 2022

Best Answers
ZackE
Moderator

Thanks for reaching out to the Community, Renae T.

SecurityMetrics is an official partner of Intuit. They provide streamlined PCI DSS compliance services for QuickBooks Payments accounts.

After creating an account with SecurityMetrics, you'll be able to complete their FastPass and purchase a PCI package that works best for your business.

I've also included a detailed resource about working with PCI compliance which may come in handy moving forward: Intuit Security Center - PCI Compliance

I'll be here to help if there are any additional questions. Have an awesome Friday!

70 Comments
Just_me
Level 10

Security Metrics, as well as PCI compliance, are actually legit.

If you're not PCI compliant, you could get fined.

Not sure who QB uses for PCI compliance, either. Security Metrics is a company out of Orem, Utah. You can look them up, and call them, if you're still not sure and maybe don't receive a better answer here.

Gotcha
Level 2

Is it true you can be fined for not being compliant?

Daniela_A
QuickBooks Team

Hello there, @Gotcha.

As much as I wanted to help you, this falls outside the scope of what we're able to support on the Community. To ensure you'll be able to get the correct information, I'd suggest contacting PCI directly. You may go to this link to reach them: https://www.pcisecuritystandards.org/contact_us/.

For further QuickBooks-related concerns, feel free to utilize this page: View all help.

You can go back here if you have more questions. I'm right here together with the Community people to help you out. Stay safe!

TK67
Level 1

We never see a credit card number.  All of our payments are done through the QB portal after we send an invoice to the customer.  I don't understand why we have to jump through the hoops of paying a PCI compliance company (after we have already paid QuickBooks) for PCI compliance.  None of it is applicable to us because we are not processing the credit card, QuickBooks is.  It sounds like a scam to me. 

Just_me
Level 10

@TK67 PCI compliance, itself, isn't a scam. The scam is the way QB is making all of its customers that aren't even accepting payments, or have payments going through ONLY QB, pay for compliance. QB is the one that needs to be compliant, not you. Yes, the payment is for your company, BUT, QB is the one taking and accepting the payments. It makes NO sense.

Renae T
Level 2

Thanks for the reply! I went thru all of the compliance stuff after my original post, but I was skeptical since we hadn't had to do that with QB before. We rarely take credit card payments, but I did find a company to use that charges the customer the processing fee, and I haven't used it more than a few times in 2023 and it's been a month probably since the last time. I just received a bunch of emails from Security Metrics yesterday. I'll be annoyed if I have to do all that compliance stuff already.

TreePIt
Level 1

PCI is not a law, but an industry standard that payment processing companies (Visa, Mastercard, etc.) have agreed to. Payment processors like Intuit have subsequently added it to their Terms of Service as a requirement. There are many QuickBooks users who do not do any form of e-commerce, point of sale transactions, or any handling of card/account data. If that is your situation, I would recommend that you contact Intuit to request an exemption as this requirement places an unnecessary and ineffective burden on small businesses.

Note: I'm not a lawyer and this is not official legal advice!

Renae T
Level 2

I wish I didn't take credit cards. We occasionally have out of town customers who we don't know, so it needs to be an option. 

saminlandarchitects
Level 3

I got the email and they said Intuit requires my company to be PCI compliant which I believe is not true. Intuit needs to have a chat with Security Metrics and tell them to stop misleading customers. I personally think it is junk email scaring people to buy their product. We take payments through Intuit, but never handle any customer credit card information. So I wager it is complete JUNK EMAIL...but this is just my opinion.

saminlandarchitects
Level 3

Looks like PCI wants $399 per year for small business compliance - WOW. Maybe they give a discount for Intuit users, I don't know. I don't have time to inquire or put up with another sales pitch, but if I have to pay an additional $400 per year to use QB online, we may stop credit card payments altogether...this is pretty bad. We used to use QuickBooks desktop and they did not require this, so I am really confused and disappointed.

saminlandarchitects
Level 3

How much would it cost?

reesedalemutualwater
Level 1

I have received the email regarding the PCI compliance and from my understanding it is to ensure there is no fraud between my tenants' bank and our own. If my tenants choose to pay their bills using the QuickBooks links, they enter all their banking information on their own from their own devices without having to reach out to a third party. Our company is very small and cannot afford to pay for services that are unnecessary. We do not wish to purchase a package and don't see the relevance of it for our company when we do not use any other forms of accepting credit or debit payments other than your site specifically. If we choose not to pay for their services, will this disrupt our business with QuickBooks?

ChristieAnn
QuickBooks Team

Welcome to the QuickBooks Community, reesedalemutualwater.

Yes, you are correct that PCI compliance is required to ensure that there is no fraud between your tenant's bank and your end. I'll share additional details on how vital it is in processing payments with QuickBooks. Let me also route you to our support to assist you further.

The PCI Security Standards Council created the PCI DSS Standard to sufficiently protect customer payment card data from suspicious actions. As a merchant, you’re responsible for protecting payment card information.

Choosing not to use the PCI service will have no disruptions to your business with QuickBooks. However, any company that handles cardholder data, whether to process, store, or transmit, must meet PCI compliance requirements to ensure that payments are safe and secure.

I still suggest contacting our QuickBooks Payment Support Team. They can provide further details about the PCI compliance service and how it works. They'll also check your subscription for any add-on PCI Service fee.

Lastly, I'm adding this article so you can see the 12 requirements that cover the PCI standard: Learn about QuickBooks PCI Service.

If you have more questions about PCI Compliance, you can add a comment below. I'll be willing to lend a hand, reesedalemutualwater. Have a good day!

saminlandarchitects
Level 3

ChristieAnn - that was very informative and helpful. Since we don't store or handle any credit card or bank information from our customers we should be exempt based on this part of your response: "Choosing not to use the PCI service will have no disruptions to your business with QuickBooks. However, any company that handles cardholder data, whether to process, store, or transmit, must meet PCI compliance requirements to ensure that payments are safe and secure."

QuickBooks should not say it is required - that part is scandalous, especially if it costs $399 per year...QuickBooks online is a disappointment compared to the desktop version in regards to all this advertising / partner stuff....very disappointing. But I do thank you and appreciate your clarifications.

So fed up with move from desktop
Level 2

How much are you being paid by Security Metrics to advertise their services with such an awful, misleading, scaremongering email campaign? You really have decreased your company's reputation with this.

birtaneedscoffee
Level 2

OMG. I pay money to just fill out a yes/no questionnaire!!!!!!!!!!

Designva1
Level 2

I 100% agree that Intuit should be handling any PCI compliance issues since they take the credit card information (and hold on to our payments for an incredibly long period of time, I might add). Why should my one-person business have to pay an additional fee to become compliant???? I pay Intuit to be able to use this service.

Jfkastq
Level 3

It's some sort of scam. It's a .GOV scam. Look at the amount of $$$ a BIG company pays for PCI compliance. It is huge.........................
Here's how it SHOULD work. 

I buy from XYZ with a CC

My CC gets hacked.  I deal w/my bank, they deal with XYZ. 
Word gets out that XYZ sucks and you stop using them.  

They hail this as consumer protection but it just costs EVERY consumer $$$ regardless of whether or not they use a CC.

Jfkastq
Level 3

I use dtop and they are requiring it.  

stacy0825
Level 1

We do store customers' credit card information in the QB fields that they provide in their software, and I just got out of a chat with Intuit and asked where I am supposed to keep this confidential information and was told to put it in a book in my office...are you kidding me? They would rather have someone break in and steal that book than allow us to store on their secure software.

sunryz
Level 1

I started answering Security Metrics questions until they asked me to sign up for a plan for $. I am now being harassed by them, calling and texting my cell phone and business phone, consistent emails. DO NOT GIVE THEM YOUR MONEY. I just called Intuit customer service, and they said PCI compliance is required but we can use any company we want. She said they are partnered with Security Metrics. What a shame QB is doing this to small businesses. Such a joke. I've lost confidence in QB.

SJ3351
Level 3

If you are not storing your client's credit card and bank information, you do not need this.  Regardless of what Security Metrics' email says. 

SJ3351
Level 3

I keep seeing QB employees posting this same thing and never actually answering the questions. Per the reps in QB's Payment department this is not a requirement by QB and if you do not have access to your client's payment information this definitely does not apply.

This is not a good look for QBooks
