SJ3351
Level 3

Security Metrics sent an email for PCI compliance. Is this legit?

Hi,

 

No, you will not be fined; that is the nonsense/threat that Security Metrics is spewing. See attached email from the QB Payment Department.

SJ3351
Level 3

Security Metrics sent an email for PCI compliance. Is this legit?

See attached email from the QB Payment Department

Sparky904
Level 1

Security Metrics sent an email for PCI compliance. Is this legit?

I have received the same email and I have ignored it. Today I received a “final notice.” What are they going to do, stop me from accepting cc payments? I started to look more into it and it seems that yes, Intuit wants to push another fee on the customers.

I used to have invoice2go for my invoicing before and switched to QuickBooks because of their greediness; it seems the same situation is happening with the PCI requirement that QuickBooks is trying to shove down our throats. My latest credit card fee for QuickBooks was $597.79 (please see screenshot below), yet we have to pay another monthly subscription fee for something they are handling. Greed!

Fiat Lux - ASIA
Level 15

Security Metrics sent an email for PCI compliance. Is this legit?

I know someone who went through it entirely themselves to see how their paid version and you-do-it version compare to our free version and our we-do-it-for-you version. Here’s the breakdown of Intuit’s new mandatory PCI Compliance process; buckle in, because it’s a lot of info for your benefit:

Security Metrics PCI Test Review:
The initial self-assessment questionnaire is roughly the same as other payment processors use, but it would be difficult for someone unfamiliar with this type of tech-heavy question, as Security Metrics doesn’t help guide you through the process unless you buy the $195/year package.


Once the self-assessment questionnaire is complete, you’ll be led to the paywall where you must purchase one of the packages above. Unless you opt for the $195/year Intuit Managed package, you’ll be completing everything by yourself with little to no guidance.

You’ll answer another 40 or so questions on top of the 50+ you answered in the self-assessment. If these are answered incorrectly, you’ll either instantly be flagged as non-compliant or your upcoming scan will fail and that too will mark you as non-compliant, which leads to more monthly fees hitting your account.

For the scan you’ll need to know your IP address and input it, then pick a date within the next quarter to run the scan. If you want to scan a separate IP address your business may have, it will cost $129 per extra quarterly scan, which brings you to $516 per year plus whichever package you bought earlier while setting up the account.

Security Metrics does have a good feature of telling you what you need to do to become compliant, but they don’t tell you how to do it (unless you purchase Intuit Managed PCI Pro at $195). There’s a lot to keep track of and answer, all while many important questions cannot be re-answered if you answered them incorrectly.

If you don’t feel like doing it yourself at the $85 initial cost, or being guided through it at $195, they have a separate yearly package that will do almost everything for you to attain compliance for a steep price of $670. Another option: you should consider having a 3rd-party merchant service provider integrate with QB. One provider does everything listed above for no extra cost; it is built into their $30 fixed fee for newly boarded merchants for the entire duration of their time with them.

Sparky904
Level 1

Security Metrics sent an email for PCI compliance. Is this legit?

Thanks for the info! I’m going to have to contact QuickBooks, and if I have to switch to a third-party cc processing company, so be it. Hell, if that’s the case then why would I need to pay QuickBooks at all just to write some invoices? ipage does it for free!

PhotoDC
Level 2

Security Metrics sent an email for PCI compliance. Is this legit?

I also do not swipe credit cards. I use QuickBooks invoices only, so the client pays through the invoice. When you Google "Do I need to be PCI compliance with SQUARE" this is what comes up:

 

"Square complies with the PCI DSS so you do not need to validate your state of compliance individually. Our hardware and readers have end-to-end encryption out of the box, with no configuration required and at no additional cost, without monthly fees or annual assessment requirements."

 

I will be switching to Square for all invoicing now. 

rmg214
Level 1

Security Metrics sent an email for PCI compliance. Is this legit?

Here are some helpful links and hints I've found:

 

Find out your SAQ with the Self-Assessment:

https://listings.pcisecuritystandards.org/documents/SAQ-InstrGuidelines-v3_2.pdf 

 

If your SAQ is A, then all you should need to do is fill out this:

https://docs-prv.pcisecuritystandards.org/SAQ%20(Assessment)/SAQ/PCI-DSS-v4-0-SAQ-A-r1.pdf 

 

Intuit's AoC (Attestation of Compliance):

https://compliance-portal.app.intuit.com/app/PCI-DSS 

 

Somehow give your completed SAQ A and a copy of Intuit's AoC to QuickBooks to show your compliance.

Sizzler42
Level 2

Security Metrics sent an email for PCI compliance. Is this legit?


Geesh...Just tell everyone this!

SJ3351
Level 3

Security Metrics sent an email for PCI compliance. Is this legit?

Yet QB is allowing Security Metrics to send out aggressive emails telling their clients that subscribing to their products is mandatory and that you may be fined by QB if you do not.

Sizzler42
Level 2

Security Metrics sent an email for PCI compliance. Is this legit?

VERY scammy

PhotoDC
Level 2

Security Metrics sent an email for PCI compliance. Is this legit?

Exactly...

saminlandarchitects
Level 3

Security Metrics sent an email for PCI compliance. Is this legit?

Why let a third party scan my computer? That sounds like phishing for sure! If you don't handle a customer's private financial information (credit card account numbers, etc.), then you don't have to be PCI compliant to my understanding; you can ignore all this nonsense.

rosenthal-rachel
Level 2

Security Metrics sent an email for PCI compliance. Is this legit?

I rarely get paid by Credit card, but when I do, I use the Quickbooks Online Platform to accept credit cards. If QBO is the platform accepting CC's, why do I have to pay for PCI Compliance? This should be something included in the cost of the subscription. Quickbooks is the platform collecting and holding data. I feel extremely frustrated by this extra cost (and what feels like a scare tactic.)

neeseyone2
Level 2

Security Metrics sent an email for PCI compliance. Is this legit?

But the email comes from [email address removed]   

Isn't this coming right from Intuit?

neeseyone2
Level 2

Security Metrics sent an email for PCI compliance. Is this legit?

What other company can we use to become compliant? 

After 20 years with QB I'm beginning to look for another way to keep books.

Gotcha
Level 2

Security Metrics sent an email for PCI compliance. Is this legit?

I totally agree with your comment. In addition to that, I use the card reader no more than 7-10 times/year, if that much. Even with the very minimal cost, we still wouldn't be totally guaranteed that the account wouldn't be compromised.

Fiat Lux - ASIA
Level 15

Security Metrics sent an email for PCI compliance. Is this legit?

@neeseyone2 

You can have a 3rd party payment processor to integrate with QBO and become compliant for free as I mentioned earlier.

saminlandarchitects
Level 3

Security Metrics sent an email for PCI compliance. Is this legit?

But why even waste the time becoming PCI compliant, even if free, if you don't have to be PCI compliant? Especially if the free service requires some sort of scan of my files? (I think that is what the free service requires, and it sounds very suspect.) This entire discussion is wasting my time, but I hope it helps other people who do not need to be PCI compliant. It is irrelevant to those who don't handle private customer financial information, as far as I know.

sjjackson1
Level 1

Security Metrics sent an email for PCI compliance. Is this legit?

I just chatted with someone from QB and they basically said that if our customers only pay using the payment links offered through QB, then we do not need to be PCI Compliant. We never handle cards directly and only use QB payment methods. I will say, while the agent was nice, I had to request a direct answer from them on it because I was tired of getting the runaround about why PCI Compliance is important. Even then I didn't get a direct answer, so I asked for clarification and they responded that I was correct. He said I may still get emails but I can disregard them.

Swampfox75
Level 1

Security Metrics sent an email for PCI compliance. Is this legit?

Trying to post this at the top of the thread as I have many questions.

 

In the e-mail (snip below) they say there are multiple companies that we can use to become PCI compliant. I'm already compliant through another merchant account and don't believe I need to then become compliant with a service I strictly allow the customers to pay online with, as I don't integrate QBO Payments with any 3rd party. I believe this is misleading, especially charging customers to "become PCI compliant"; you either are or are not PCI Compliant.

 

In fact, my other merchant services account does not charge to certify PCI compliance, and nor should whoever is partnered with Intuit.

 

If you really dig and really answer all the questions truthfully for ANY PCI compliance, and if you are handling the PII (credit card numbers, etc.) in your hands and the customer is not entering them into a company site like Intuit directly, then it is nearly impossible for most small businesses to truly be 100% compliant. It is simply a way for the merchant service processing companies to shift blame to you under the veil of "protecting the customer's information." Further, most companies want you to open back doors into your network so they can scan it for whatever they are scanning for. Listen, if you cannot get in from outside then I'm doing my job and do not need to open a door for you to access. I'm not creating gaping holes in my network for a network I have no control of. Further, I do not see Intuit posting their PCI compliance certificates anywhere; how do WE know that you are really PCI compliant with OUR customers' data?

 

I think PCI Compliance had great intentions, and it is a great way for you to review your own processes, policies, network, devices, etc. every year to have the best protection you can, but in the end, especially with Intuit Payments, this seems to be a money-driven task that is pointless for 99% of Intuit merchant services customers.

 

I can't even get hold of anyone at Security Metrics, or QUICKBOOKS for that matter, to have this discussion. So with today, 7/18/23, being the last day of "GET IT NOW OR ELSE," I would hope that QuickBooks, or rather Intuit, would send out a much better email with an explanation of how we can use our own 3rd-party vendors to be "PCI Compliant," rather than this scammy company Security Metrics sending out these seemingly threatening e-mails with "LAST DAY" and "Better do it now."

 

You can do better Intuit.

 

Excerpt from the e-mail I received:

"...There are multiple companies that provide security and compliance services you can use to become PCI compliant. Intuit has partnered with SecurityMetrics to help merchants become PCI compliant. You can receive a partner discount by using your email address ([email address removed]) to sign up for services. Visit the following link to get started online: [removed] or you can call them at [removed] ...." 

 

 

bruehoyt
Level 3

Security Metrics sent an email for PCI compliance. Is this legit?

After reading all of the responses to this not-quite-a-scam, but very disingenuous, email, I have come to the conclusion that 1.) If you, like me, are not handling credit cards directly and are not storing any credit card numbers or financial data, it is not required of you. ALL of my credit card transactions are processed through QuickBooks. QuickBooks handles the transaction and stores the data. It is QuickBooks who needs to be compliant. I pay QB 2.9% + 25¢ per transaction for this service. Part of that money is because QB needs to be compliant. 2.) It leads you directly to a QB partner and makes it appear as though this is your only choice. It is not your only choice, and I would avoid SecurityMetrics on principle. I am paying QB for a service, but they want me to pay their partner for what QB is obligated to have. 3.) You can't send me a "Final Notice" to cover a data breach when I have no data.

sunryz
Level 1

Security Metrics sent an email for PCI compliance. Is this legit?

Neeseyone2,

The emails they send appear to be coming from Intuit, but they are NOT. They are coming from a separate company with very aggressive tactics to get you to buy their services (that you do not need).

Just_me
Level 10

Security Metrics sent an email for PCI compliance. Is this legit?

Security Metrics is located in Utah.  You can file a complaint with the Utah Attorney General, and let them know how they are treating and threatening the Intuit/ QB customers.  

PhotoDC
Level 2

Security Metrics sent an email for PCI compliance. Is this legit?

Security Metrics did not send the email; Intuit sent the email. And this is why I've switched over to Square invoicing. If Intuit wants to send predatory scam emails, they no longer deserve to get my money.

Metaphyz
Level 1

Security Metrics sent an email for PCI compliance. Is this legit?

This year Intuit has been making the obvious move to be a financial services company, and not a business software company. I question everything their leadership is doing. They screwed me earlier this year when they unilaterally removed my access to their own bank account offering, saying I was a risk. I had to involve my state AG's office. This stinks of a kickback to SecurityMetrics, who I'm sure is paying Intuit for this privilege.

 

I am exploring how to dump Intuit this year. Any suggestions for a less conflicted software product for a small services company? 
