junwin
Level 2

Why is Intuit forcing us to be PCI compliant?

I am sorry to say that your response provides no answers or clarity to many of the readers here.

You need to say who is actually required to be PCI compliant in clear terms. I am a QuickBooks online user and use QB to send invoices to my clients and manage payments. I never see the clients' payment details, credentials, or card numbers. I do not have a card reader.

Please state if I am required to be PCI compliant.

If I am not required to be PCI compliant, you also need to answer why I am getting these emails to sign up to another paid service.

Thanks,

John

DHeraV
Moderator

Why is Intuit forcing us to be PCI compliant?

Hello there, @junwin. I have here some details to share about being PCI compliant. Let me elaborate on them for you.

 

All merchants who process, handle, transmit, or store data are required to be PCI compliant. If you receive customer payments through credit or debit cards, even if you do not save the customers' details, you are still required to be PCI compliant. However, if you only accept checks or cash, then you don't need to be.

To determine what requirements you need to follow, I recommend checking out this article for detailed information: Learn about QuickBooks PCI Service.


Also, if you already have a PCI compliance service with a company other than SecurityMetrics, you can disregard the emails you received, since these are just security emails to make sure that all merchants that fall into the mentioned categories can comply.

 

Additionally, I'd still suggest getting in touch with PCI support to confirm if you really need to comply.

 

Moreover, here's an article that'll give you some tips on how to keep your account and financial information secure: Privacy and security in QuickBooks.

 

I know these are trying times but we appreciate your patience while we continue to work with this. Please don't hesitate to hit me up by leaving a comment below if you have further questions about PCI compliance. I'll be sure to get back to you. Take care.

JonoSC
Level 2

Why is Intuit forcing us to be PCI compliant?

Reading the QB links provided by the QB team causes even more confusion, as they are not definite answers or guidance. I've found this website to be helpful in providing clarity: https://www.pcisecuritystandards.org/document_library/?document=pci_dss

And specifically this section in the Quick Reference Guide:

 

Scope of PCI DSS Requirements

PCI DSS requirements apply to:

• The cardholder data environment (CDE), which is comprised of:

  – System components, people, and processes that store, process, and transmit cardholder data and/or sensitive authentication data, and

  – System components that may not store, process, or transmit CHD/SAD but have unrestricted connectivity to system components that store, process, or transmit CHD/SAD. AND

• System components, people, and processes that could impact the security of the CDE.

“System components” include network devices, servers, computing devices, virtual components, cloud components, and software. See PCI DSS “Scope of PCI DSS Requirements” section for examples of “system components.”

 

That first bullet point highlights why most of us use QB payments so we don't have to handle this data, and thus don't have to certify as PCI compliant.

 

No matter what, I personally am not going to fill out the SecurityMetrics survey as it is clearly a shakedown; I am pretty sure they will use any answers to forward their gains, whether a person needs to be certified or not. The fact that they don't display the pricing until after you have provided your details is very sketchy.

RPFdog
Level 2

Why is Intuit forcing us to be PCI compliant?

These responses from support staff seem like they may be AI generated. They keep saying the same thing over and over as if repeating it will make it make sense.

JonoSC
Level 2

Why is Intuit forcing us to be PCI compliant?

I have another point I want to highlight (sorry but this matter is a really sore point for me and probably a lot of others too):

SecurityMetrics, as part of the process, will scan one IP address at some point in the near future. If your IP address changes or you wish to add another IP address, then they will charge you extra! My web servers are behind a web and DNS proxy and the root record is a flattened CNAME by Cloudflare, not to mention they are cached on 300+ edge servers around the planet. Using a single IP address is going to be a bit limiting.

Another point: if anyone uses shared/retail web hosting, then their website is co-located on a server. Does that mean you have to certify everyone on that server too?

These are all complex questions; if QB wants to enforce compliance, then it needs to provide comprehensive guidance prior to having to sign up with the likes of SecurityMetrics.

Gotcha
Level 2

Why is Intuit forcing us to be PCI compliant?

I concur on having to accept cash only but it only took ONE time to stop taking checks...was never able to recover that loss and had to pay extra because of it!

BrunoMar
Level 1

Why is Intuit forcing us to be PCI compliant?

In our business we… don’t handle, process, or store any card payments. QuickBooks does all of the above. When I send out an electronic invoice I don’t even get to see the card number. Quite simple. 

bestbookkeepernj
Level 1

Why is Intuit forcing us to be PCI compliant?

Where do we go to start the process?  I will probably have my client use another processor because he is not going to want to pay the extra fees.

Nicole_N
QuickBooks Team

Why is Intuit forcing us to be PCI compliant?

Hi there. Let me share some insights about the process to be PCI compliant.

 

The way you process credit cards determines what requirements you need to follow. You can find more details in the Self-Assessment Questionnaire (SAQ) types from this link: Learn about QuickBooks PCI Service. This enables you to determine what type of assessment you're going to take.


Regarding the extra fees, it's best to contact SecurityMetrics Support for further questions about this. You can scroll down to find their phone number by using this link: Learn about the PCI DSS Compliance Services. Or click on Contact Us here.

Furthermore, I've included this article so you can get tips on how to keep your account secure and how we protect your financial information: Privacy and security in QuickBooks.


Should you have any further concerns about PCI compliance, please don't hesitate to share them in the comments below. We're here to assist you and ensure you have a clear understanding of these matters. Have a good one.

ProvenPCI
Level 1

Why is Intuit forcing us to be PCI compliant?

@JonoSC 

I understand your frustration and have dealt with this for close to 20 years as I was an agent in the merchant services field. I worked closely with merchants of all sizes to help them understand the importance of PCI compliance and why it is critical. PCI stands for Payment Card Industry Data Security Standards. Anyone who stores, processes, or transmits cardholder data is responsible for being compliant. QuickBooks is PCI Level 1 Compliant.

However, as a merchant using their services, you agreed to the terms and conditions of their agreement, stating that you would also uphold and meet those requirements. Stripe is no different, as they state the same thing. In short, PCI stands for “Protecting Customers Information,” and it is a “shared responsibility” between you and the provider. 

“Without the protection that PCI Compliance brings, your business could be vulnerable to costly attacks and data breaches.” Don’t think for a minute that you don’t have data that someone wants. It is law in a few states, depending on where you do business. 
You can always refer to the PCI Security Standards website for free information: PCI Security Standards Document Library 
“What You Need to Know about PCI 3.2.1 to 4.0 Transition” 
Stripe Security Guide 
You cannot inherit PCI Compliance from a provider. The industry has done a lousy job of educating people about it. That’s why we are trying to change that and make it easier for merchants like you to do.

Fiat Lux - ASIA
Level 15

Why is Intuit forcing us to be PCI compliant?

@bestbookkeepernj 

I know someone who went through it entirely themselves to see how their paid version and you-do-it version compare to our free version and our we-do-it-for-you version. Here's the breakdown of Intuit's new mandatory PCI Compliance process, buckle in b/c it's a lot of info for your benefit:

SecurityMetrics PCI Test Review:
The initial self-assessment questionnaire is roughly the same as other payment processors use, but it would be difficult for someone unfamiliar with this type of tech-heavy question, as SecurityMetrics doesn't help guide you through this process unless you buy the $195/year package.

Once the self-assessment questionnaire is complete, you'll be led to the paywall where you must purchase one of the packages above. Unless you opt for the $195/year Intuit Managed package, you'll be completing everything by yourself with little to no guidance.

You’ll answer another 40 or so questions on top of the 50+ you answered in the self-assessment. If these are answered incorrectly, you’ll either instantly be flagged as non-compliant or your upcoming scan will fail and that too will mark you as non-compliant, which leads to more monthly fees hitting your account.

For the scan you'll need to know your IP address and input it, then pick a date within the next quarter to run this scan. If you want to scan at another time for a separate IP address your business may have, it will cost $129 per extra quarterly scan, which brings you to $516 per year plus whichever package you bought earlier while setting up the account.

SecurityMetrics does have a good feature of telling you what you need to do to become compliant, but they don't tell you how to do it (unless you purchase Intuit Managed PCI Pro at $195). There's a lot to keep track of and answer, all while many important questions cannot be re-answered if you answered them incorrectly.

If you don't feel like doing it yourself at the $85 initial cost, or being guided through it at $195, they have a separate yearly package that will do almost everything for you to attain compliance for a steep price of $670. Another option: you should consider having a third-party merchant service provider integrate with QB. One provider does everything listed above for no extra cost; it is built into their $30 fixed fee for newly boarded merchants for the entire duration of their time with them.

CB117
Level 1

Why is Intuit forcing us to be PCI compliant?

This looks like another money making scheme by Intuit!


CB117
Level 1

Why is Intuit forcing us to be PCI compliant?

This is a shakedown for more money.  We have 106 bookkeeping/payroll clients on this software and do over 800 returns per year. We are getting major pushback and have lost clients due to the cost of the software and continuous rate increases which has forced us to look at other options.  We are moving to Drake for tax (sorry ProConnect) and have high hopes for the changes they are making to their cloud accounting software.  We actually live in the town where Drake's headquarters reside and Phil Drake was our neighbor for several years so we have some inside knowledge of the changes coming.  I would encourage you all to do the same because this is not going to stop until they lose enough customers to make them revisit their current pricing, increases, and additional fees such as PCI compliance. 

 

LBenware
Level 3

Why is Intuit forcing us to be PCI compliant?

Where did you find this at? Seems they may have taken it down. 

JonoSC
Level 2

Why is Intuit forcing us to be PCI compliant?

@ProvenPCI 

 

Thanks for your reply. I go to great lengths to protect client data, and one of those is to not collect, store, or transmit customer credit card data. 

PCI stands for Payment Card Industry Data Security Standards. It is a way for the Card Industry to push their liability back on you, the client. Even though you may have liability and cyber insurance etc..., this is another layer designed to protect their business, not yours. By taking that survey, you are stating that you meet those standards; if there is a data breach, the first thing their Lawyers will look at is YOUR compliance and will attempt to place any blame on you, even though they could be at fault, and a 'small' business is not going to beat a $B company in court.

The way QB/Intuit has gone about this is a clear shakedown and has destroyed brand trust in my eyes. This is not about protecting you; it's about protecting their bottom line and their liability.

ProvenPCI
Level 1

Why is Intuit forcing us to be PCI compliant?

@JonoSC 

After spending close to 20 years in the payments industry and another combined ten as an entrepreneur, there is one thing I have learned. Often industries have rules to the game but aren’t willing to share them with the players, which creates an unfair advantage. 

So if you want to play, you need to know the rules. 

There appear to be numerous threads on this subject, so I have taken it upon myself to create a new discussion, “All Things PCI: What is it? Who’s it for? Why do you have to do it?”

Regarding your points, I can get into more of a discussion with you and would like to connect outside of here if you are open to it.

junwin
Level 2

Why is Intuit forcing us to be PCI compliant?

Hello QuickBooks employees -- It is perfectly fine to simply reply 'I don't know the answer' and, to be extra helpful, escalate the question to someone who can answer.

 

The question is perfectly simple:

If I am a QuickBooks online/cloud subscriber, and use the QuickBooks billing feature to send and process invoices, do I need to be PCI compliant given I *never* have access to the client payment details?

 

The only answer I need is Yes or No.

ProvenPCI
Level 1

Why is Intuit forcing us to be PCI compliant?

@junwin 

 

The answer is yes. 

Please understand where I am coming from, as I know where you are and have helped countless merchants with their PCI requirements.

Based on all the similar questions, I will write a blog specifically on this. I hope you find it beneficial.

PCI states that all businesses that store, process, or transmit cardholder data must be PCI Compliant. You have a simple option if you don’t want to go through this. Don’t take credit cards.

CharleneMaeF
QuickBooks Team

Why is Intuit forcing us to be PCI compliant?

Yes, junwin.

 

PCI compliance ensures the security of customer payment details when accessed through your merchant account. Even though you don't store their data, there is still a risk of unauthorized access through your devices and internet connection, which can introduce security vulnerabilities.

 

For more details about this, I recommend browsing these resources:

Additionally, I've added these articles that'll help you protect your business account and data from fraudulent activities:

Please don't hesitate to click the Reply button to get back on this thread if you have any further questions or concerns about PCI and being compliant. It's our priority to ensure your data is protected.

JonoSC
Level 2

Why is Intuit forcing us to be PCI compliant?

@CharleneMaeF 

While your statement may actually be correct, the businesses that use QB to process online payments don't technically take payment, QB does. Then those funds received are paid out after a fee has been charged for 'payment processing'. Therefore the part of the process which has to be PCI compliant is totally owned by QB.

 

Also, if this was really about 'customer' data security, why is no one bothered with checks, which display customer bank account details? Credit card companies are liable for fraud - this is about protecting them, not us or the customer.

At the end of the day, sure, if we don't like it we can go elsewhere (and will). However, that type of corporate culture will impact a business the size of QB. If you multiply the number of clients that all those who have commented on this thread have, it will be in the 000s, and any dissatisfaction will spread - this will cost QB. If you then extrapolate the number of commenters vs the number of people who will just read the comments (usually on social media that is just 2% who comment and interact), this thread will have an even greater impact.

As many said, we are free to leave, and some of us will.

RPFdog
Level 2

Why is Intuit forcing us to be PCI compliant?

Quit with the links to articles about PCI compliance. There isn’t an issue with understanding what PCI compliance is or what it does. It’s disingenuous and insulting.

ProvenPCI
Level 1

Why is Intuit forcing us to be PCI compliant?

For the record:

"As many said, we are free to leave, and some of us will”.

 

You will have to go through PCI compliance no matter where you go or who you use as a provider. 

SJ3351
Level 3

Why is Intuit forcing us to be PCI compliant?

Same here, I was told by a rep in the QB payment department that since we do not have access to our customers' payment information, this is not necessary for us. I did complain to QB about the aggressive nature of the emails that were sent out by SecurityMetrics.

JonoSC
Level 2

Why is Intuit forcing us to be PCI compliant?

@ProvenPCI You know that's not strictly true (it depends on many factors; also see comments in this thread with feedback from QB), but hey, you are actually in the business of 'selling' PCI compliance.

And for a fact, I don't need to be paying SecurityMetrics for PCI compliance, which is the whole point of this thread - the heavy-handed way QB has communicated this matter and the lack of clear instruction and information. I would guess none of the commenters and readers here have any desire to expose their customer data, be subject to hacks/fraud, or be less secure, but the initial 'marketing' emails (not 'communications') from QB were not helpful.

junwin
Level 2

Why is Intuit forcing us to be PCI compliant?

I use a tablet, I have no IT infrastructure - that is why I use QuickBooks Online. It looks like you are suggesting that is not fit for purpose, since to meet the PCI requirements I would probably need to host a machine on a service like Microsoft Azure and use their add-on services to protect it!
