HunterF
Level 2

Why is Intuit forcing us to be PCI compliant?

Why is Intuit, a company we pay thousands upon thousands of dollars per year in fees with, now forcing my small business to pay additional yearly fees to become PCI compliant? We don't handle our customers' credit card information. This is a huge misstep by Intuit. At a minimum, Intuit should pay the yearly fee for compliance if they are going to force this upon us.
66 Comments
Just_me
Level 10

They are insisting on passing the charges on to the customers that use them for payments.  

It makes sense to them to make money off the deal. 

SarahannC
Moderator

Hello there, HunterF.

I see that you expect Intuit to take responsibility for the fees since you already invest the amount in our services. I acknowledge your concerns regarding PCI compliance and the additional fees associated with it.

The purpose of PCI compliance is to protect cardholder data from security breaches and to maintain the trust and security of the overall payment. 

If you have any concerns or inquiries about Intuit's policies and the fees related to PCI compliance, I suggest reaching out to our QuickBooks Payments Support Team. To do so, please log in to your QBO account, click on the Help menu, and select Contact us for further assistance.

Additionally, you'll want to check this article for more details: Learn about the QuickBooks Payment Card Industry Data Security Standard (PCI DSS) compliance

You can always post your concerns here if you have more questions about QuickBooks PCI Service. I'll be around whenever you need assistance.

gillyspnr
Level 1

But the QuickBooks customers don't actually get their customers' credit card information, QuickBooks does. Why does that fall on QuickBooks customers? Shouldn't we already be PCI compliant by using QuickBooks? Is this also saying that QuickBooks isn't covered under any type of insurance? If credit card information is stolen through QuickBooks, isn't that on QuickBooks?

Rubielyn_J
QuickBooks Team

Thank you for bringing up your concerns about credit card information and PCI compliance while using QuickBooks, Gill.

I completely understand the importance of security and the responsibility that lies with QuickBooks and its users.

Regarding your inquiry, it's important to note that QuickBooks applications themselves maintain a high level of security. However, the security of your overall environment can be influenced by other applications used in conjunction with QuickBooks. As for the use of QuickBooks Payments services, it's essential to understand that merely utilizing these services does not automatically make you PCI compliant. It's also crucial to recognize that as a merchant, you hold the responsibility of safeguarding payment card information and adhering to PCI compliance requirements.

Moreover, Intuit has collaborated with SecurityMetrics, a prominent PCI service provider, to assist you in meeting the necessary requirements. Along with the PCI Compliance from SecurityMetrics, Intuit also provides breach forgiveness. It has a coverage of up to $50,000 ($0 deductible, $0 co-pay) to pay for audits, fines, or other expenses associated with a breach.

If you have further concerns, I suggest contacting PCI support. They are more equipped 

Moreover, I'll be sharing the following articles to learn about the QuickBooks Payment Card Industry Data Security Standard (PCI DSS) compliance:

Should you have any further concerns about PCI compliance, please don't hesitate to share them with me. I'm here to assist you and ensure you have a clear understanding of these matters. 

Jen J
Level 1

This is ridiculous. I never even touch my customers' credit cards. The only interaction their card has through the entire "process" is via Intuit-provided hardware and software. This is so obviously just a way to make money. I'm sure your "partnership" with SecurityMetrics involves a large commission for the revenue you send them.

Intuit needs to realize it's not the only game in town anymore. Keep squeezing people for every penny that you can, and you will lose clients.

Fiat Lux - ASIA
Level 15

I know someone who went through it entirely themselves to see how their paid version and you-do-it version compare to our free version and our we-do-it-for-you version. Here's the breakdown of Intuit's new mandatory PCI Compliance process; buckle in, because it's a lot of info for your benefit:

Security Metrics PCI Test Review:
The initial self-assessment questionnaire is moderately the same as other payment processors do, but would be difficult for someone unfamiliar with this type of tech-heavy question, as Security Metrics doesn't help guide you through this process unless you buy the $195/year package.

[image: FiatLuxASIA_0-1689473091378.png, the package options referred to below]

Once the self-assessment questionnaire is complete, you'll be led to the paywall where you must purchase one of the packages above. Unless you opt for the $195/year Intuit Managed package, you'll be completing everything by yourself with little to no guidance.

You'll answer another 40 or so questions on top of the 50+ you answered in the self-assessment. If these are answered incorrectly, you'll either instantly be flagged as non-compliant, or your upcoming scan will fail and that too will mark you as non-compliant, which leads to more monthly fees hitting your account.

For the scan you'll need to know your IP address and input it, then pick a date within the next quarter to run this scan. If you want to scan another time for a separate IP address your business may have, it will cost $129 per extra quarterly scan, which brings you to $516 per year plus whichever package you bought earlier while setting up the account.

Security Metrics does have a good feature of telling you what you need to do to become compliant, but they don't tell you how to do it (unless you purchase Intuit Managed PCI Pro at $195). There's a lot to keep track of and answer, all while many important questions can't be re-answered if you answered them incorrectly.

If you don't feel like doing it yourself at the $85 initial cost, or being guided through it at $195, they have a separate yearly package that will do almost everything for you to attain compliance, for a steep price of $670. Another option: you should consider having a 3rd-party merchant service provider integrate with QB. Everything listed above, one provider does for no extra cost; it is built into their $30 fixed fee for newly boarded merchants for the entire duration of their time with them.

JonoSC
Level 2

This is quite clearly a shakedown by Intuit. Their corporate culture is starting to leave a very bad taste; they are doing similar things with MailChimp - trying to milk the customer for everything they can get away with.

I do not collect, transmit, or store credit card payment details - there is no requirement for me to be PCI compliant other than Intuit requiring it, and from what it looks like here, that is solely to make a profit for them.

If Intuit tries to force me to go through this unnecessary process, I will simply close my payment account and move all customer payments to Stripe.

junwin
Level 2

To squeeze more money out of us. I thought the email was a scam at first, since the whole reason I use QB payments is to avoid handling consumers' credit card numbers! And you are only *recommended* to be PCI compliant if you store the card details.

junwin
Level 2

This is what they (QuickBooks chat/help) told me:

The PCI compliance email notice was generated by our back-end staff and it's a legitimate email notice. This is an additional protection for your QuickBooks Payments account and a heads up that it's optional for you to sign up, since your current QuickBooks Payments account is PCI compliant. You may disregard the email notice.

That said, from my point of view, given they are asking you to pay for a service you don't actually need, it's bad form.

lilavalv
Level 3

I also wondered why I kept getting these emails, because I don't ever touch or store any customer credit cards. We already pay an exorbitant amount of money for Intuit Service for the little we get from them. Ridiculous!

BrunoMar
Level 1

Never doing this, or paying for it. QuickBooks is 100% handling customer payment data. QuickBooks is acting as a 3rd party in its entirety in handling the transaction and ALREADY charging multiple fees for it.

This is a rip-off and I would rather quickly leave the platform for many of the other options than be extorted pennies at a time.

RPFdog
Level 2

Thanks for asking the question! Seriously, I just thought I was getting spammed; can't believe it was actually real. I feel better seeing how many others are confused and irritated by this.

Marine vet
Level 1

This is a shakedown. So I pay for QBO, pay for a QB payment account, and I buy a QB card scanner, and then they want me to pay a random company they are in bed with, that can hardly explain in simple terms what it is they do??? Their equipment is supposed to be PCI compliant. We aren't required to use QB payments or their equipment. I am not paying for anything else. I am not paying for this and neither should anyone else.

Taxkitten
Level 1

Like you, my credit card info is stored on QBO servers. Because they are forcing me, I now have to look somewhere else for a merchant account. This will make it harder for me in the long run because QBO's merchant is integrated, but I don't like them forcing me to pay for something that I shouldn't have to. So I will give my fees to another merchant and just deal with the additional work to post my fees.

Taxkitten
Level 1

I agree!  

DataDriven
Level 1

I am exploring other payment options now. With all of the issues of running a business successfully, Intuit has made a very greedy mistake. They have no business making customers pay extra to provide services that should be covered within regular monthly fees. Instead of adding value to their product to cause synergy and positive feedback from satisfied customers, they have guaranteed the opposite effect. Do they think any of us will tell our colleagues to use their products after forcing charges that are clearly unwarranted? Do they think that any of us have time or wish to allocate staff to answer PCI questionnaires? Do they think we will be satisfied having to pay extra charges for mistakes that can be made in the PCI process while the reason businesses used their services initially was to avoid having to become credit card processing experts? I really don't think they get all of the ramifications this decision will have moving forward. I don't trust this product as I once did. This is a sign to make sure my other similar products from other providers are up to date, just in case someone like Intuit tries to interrupt my operations with fear tactics. 

Stubby1
Level 1

Looks like I will be accepting cash and checks only.

FFLB
Level 1

Junwin, I'm curious to hear what this platform's moderator thinks of that! I'm not paying for this money grab.

FFLB
Level 1

Check Junwin’s post.

JonoSC
Level 2

While I appreciate what QB Chat support said, I wouldn't bet my business on it. The added fact that there is a disconnect between the 'back office' and what the front, customer-facing office is saying is disturbing. The QB T&C and the email notices are quite clear: this is a requirement, there is no ambiguity there.

If QB back-office suspends your account for non-compliance, quoting QB chat support's advice to ignore them ain't going to do much good in my opinion.

Maybe it's time to go back to using QB for what it is great for, bookkeeping, and I'll use other platforms for payment processing. Ultimately I hope at some point in the near future to receive an official email saying that PCI compliance is optional for those who don't strictly need it. If not, Stripe and ConvertKit will be my default go-to for payment processing for my business, and I will advise all my clients likewise. While I am but a speck of dust to QB, it will have impact in my tiny corner of the world.

Marine vet
Level 1

This is straight off the QuickBooks payments site.

"If you are a merchant who stores, transmits, or processes Visa, MasterCard, American Express, Discover, and JCB payment card information, you need to be PCI compliant. With QuickBooks, your PCI compliance is ensured. And all of your security needs are up to date."

Hmm... sounds like Security Metrics is a huge marketing campaign.

mh3d
Level 1

Money grab. 100% shakedown street.

junwin
Level 2

It would be good to hear what the moderator or a QB employee has to say, but it does not look like they are monitoring this.

Adrian_A
Moderator

Hi junwin,

As my colleague shared above, QuickBooks maintains a high level of security. Thus, there are practices that merchants must follow when accepting payment cards. This includes securely handling, processing, and storing sensitive payment card data. The PCI standard covers the following 12 requirements:

  • Protect your system with firewalls
  • Use adequate configuration standards
  • Protect stored data
  • Secure data over open and public networks
  • Protect systems with antivirus
  • Update your systems
  • Restrict access
  • Use unique ID credentials
  • Maintain physical security
  • Implement logging and log monitoring
  • Conduct vulnerability scans and penetration testing
  • Start documentation and risk assessments

Feel free to browse these articles if you have concerns about PCI compliance:

The Community team is up 24/7 to help with your queries.