With QB Online do I need PCI Compliance

Yes. All businesses that store, process or transmit payment cardholder data must be PCI Compliant.

Found these bits of information for you, as well.

"PCI is a security standard, not a law. Compliance with it is mandated by the contracts that merchants sign with the card brands (Visa, MasterCard, etc.) and with the banks that actually handle their payment processing."

Without the protection that PCI compliance brings, your business could be vulnerable to costly attacks and data breaches. If a data breach occurs and you're not PCI compliant, your business will have to pay penalties and fines.

Welcome to the Community, @wottonr. Thank you for choosing QuickBooks Online.

Yes. PCI Compliance is essential in QuickBooks Online. As a merchant who accepts credit cards, you must have payment security throughout your local environment. It is a set of guidelines merchants must follow to accept payment cards. It will assist you in handling, processing, and securely storing sensitive payment card data.

For more detailed information about the QuickBooks Payment Card Industry Data Security Standard (PCI DSS) compliance, please read this article: Learn about QuickBooks PCI Service.

You can also check out this article for details on how to keep your account secure and how QuickBooks protects your financial data: Privacy and security in QuickBooks.

As you begin your QuickBooks Online journey, you may also want to visit this link as a guide for managing your account: QuickBooks Video Tutorials.

Don't hesitate to click the Reply button below if you have further questions or concerns about the PCI Compliance. We're always looking forward to assist you. Have a great day.

Thank you for the advice!

Is there a QB deadline to become compliant? I've started the process just to see what was involved then closed the link saying I would be back to finish. In the last couple weeks, I've received 2 phone calls asking if I needed help finishing the application and to click on the link to do so. Problem is that link wouldn't open no matter how or where I tried...made me leery of the call/company. I had no problem using the original link to get there the first time but can't return to finish. So again, is there a deadline to become compliant?

Thanks for joining this thread, Gotcha. I'll ensure you'll be routed to the right support team.

There's no mention of a deadline for becoming PCI-compliant. It is still an ongoing process, including resubmitting the Self-Assessment Questionnaires (SAQ) and passing the required scans annually.

In your case, I recommend contacting our Payments Support Team to assist you with accessing the link to proceed with the compliance process.

You can check out this resource that answers frequently asked questions about the PCI service compliance process: Learn about QuickBooks PCI Service.

Please let me know if you have other concerns about managing your payments account. I'm just here to help. Stay safe always!

I only accept credit cards via QB site. I do not have any store, terminals, swiping ability. I do not store credit card data.  Clients on occasion pay for invoices via QB online.  What is that I need to do to be PCI Compliant?  The email sent is very confusing and misleading.  Asking me to agree to a 1 year agreement without knowing if it even applies to me and no idea what the cost is.

I see where you're coming from, @SB54321.

I'll share more details about QuickBooks Payment Card Industry Data Security Standard (PCI DSS) compliance to help you manage your local security environment.

All merchants that accept credit or debit cards are required to follow PCI DSS Standards. Since you accept credit cards via the QuickBooks site, you need to be PCI compliant. 

Moreover, Intuit has partnered with SecurityMetrics to streamline the PCI compliance validation process. SecurityMetrics charges an annual fee to merchants who are validating compliance for Intuit.

To know more about PCI DDS compliance, please see this article: Learn about QuickBooks PCI Service.

Also, when you use QuickBooks Payments to take payments from QuickBooks, you'll accrue a processing fee. You may want to check out this article for the overview of fees and plans to help you make the best decision for your business: What are the fees for QuickBooks Payments?.

If you have other concerns about your QuickBooks Payments account, please don't hesitate to let me know in the comments below. I'll gladly help. Take care, and I wish you continued success, @SB54321.

I do not accept credit card payments. I am paid by clients via direct deposit. I do not store their payment details. This PCI COmpliance mandate is just another way to milk money out of small businesses. I have no point of sale service. I simply invoice for billed hours. This is a "compliance" that is not needed. I love the way these emails are sent making everyone feel they are somehow doing something incorrect or in violation of some rule. 

My thoughts exactly.

Same here. I only take ACH through Quickbooks for the few hours I bill. I don't take credit cards. I don't even get to see the full details of that ACH information when I get paid in my QB merchant center.

I made the mistake of asking Security Metrics a question about this and now they keep calling & emailing me and telling me I'm going to be reported and fined for non-compliance. If QB truly requires this PCI compliance of us ACH only folks, I guess I'll have to switch to another invoicing and payment service.

We use QB desktop. If QB online needs to be PCI compliant then why are we receiving this email. Moreover we are receiving payments through ACH and pay through ACH as well. I do not recollect receiving this email reminder in the past so many years. What is the fee for this?

@AcctNLR 

I know someone went thru it entirely themselves to see how their paid version and you-do-it version compares to our free version and our we-do-it-for-you version. Here’s the breakdown about Intuit’s new mandatory PCI Compliance process, buckle in b/c it’s a lot of info for your benefit:

Security Metrics PCI Test Review:
The initial self-assessment questionnaire is moderately the same as other payment processor do but would be difficult for someone unfamiliar with the type of tech heavy questions, as Security Metrics doesn’t help guide you through this process unless you buy the $195/year package.

Once the self-assessment questionnaire is complete, you’ll be led to the paywall where you must purchase one of packages above. Unless you opt for the $195/year Intuit Managed package you’ll be completing everything by yourself with little to no guidance.

You’ll answer another 40 or so questions on top of the 50+ you answered in the self-assessment. If these are answered incorrectly, you’ll either instantly be flagged as non-compliant or your upcoming scan will fail and that too will mark you as non-compliant, which leads to more monthly fees hitting your account.

For the scan you’ll need to know your IP address and input it then pick a date within the next quarter to run this scan. If you were to want to scan another time for a separate IP address your business may have, it will cost $129 per extra quarterly scan. Which brings you to $516 per year + whichever package you bought earlier while setting up the account.

Security Metrics does have a good feature of telling you what you need to do to become compliant, but they don’t tell you how to do it (Unless you purchase Intuit Managed PCI Pro $195). There’s a lot to keep track of and answer all while having many important questions not being able to be re-answered if you answered it incorrectly.

If you don’t feel like doing it yourself at the $85 initial cost, or being guided through it at $195, they have a separate yearly package that will do almost everything for you to attain compliance for a steep price of $670. Another option, you should consider having a 3rd party merchant service provider to integrate with QB. Everything listed above one provider does for no extra cost and is built into their $30 fixed fee for newly boarded merchants for the entire duration of their time with them.

Fiat Lux - Asia: thank you for the breakdown. With what I do, the fees would take a chunk out of my services and still not be totally guaranteed total coverage, anything can slip through the tiniest cracks. Guess my best bet would be to go back to accepting cash only. I realize it's insurance to cover the client and they should be in our best interest, but if it cuts into the profits THAT much, like it would mine, I'll have to make that decision to go cash only, again...I'd rather not, but to become compliant, I may as well just give my services away!

Again, thanks for the breakdown!!

I still not a clear answer, is it mandated to be a PCI compliant if we are :

-> Using QuickBooks desktop NOT QuickBooks Online

-> Processing payment via p-card, but the details are not stored in the QuickBooks. The details are taken over the phone

-> Only hand full of customers use this mode of payment, the majority is through ACH or physical checks

-> If I convert the p-card customers to physical check or ACH do I still have to be PCI complaint

-> What does "passing required scans annually" mean to become PCI complaint

Let me share additional information about your PCI compliance concerns, AcctNLR.

When processing payments, transmitting, or storing data, you must comply with PCI DSS compliance regardless of your QuickBooks version.

Regarding ACH payment, it isn't mandatory. However, the ACH payment follows the PCI guidelines for the safety of ACH payment processes. So, when converting P-card customers to a physical check or cash, PCI compliance is no longer required but still necessary for ACH because, again, Intuit follows its guidelines.

Finally, "passing required scans annually" indicates that you must undergo validation for PCI compliance yearly.

In addition, check the following resources for additional insights about PCI compliance:

• Learn about QuickBooks PCI Service
• Security Metrics

I'm still available to assist if you have further questions regarding compliance concerns or any other questions by adding them in the comment below. Keep safe!

I don't think that this PCI compliance is needed if a company/firm doesn't handle the customer's cc information though and I think this is where some of us were confused and wanted to know if it was actually necessary. 

QBO's security would be responsible not the accountant for customers that enter their own information. On the other hand, if an accountant was entering the cc information themselves, then this is where they should have something in place for security measures. 

Bottom line: These emails are obviously confusing to many people and should have more information as to when and where these services should actually be applied. We don't want to pay for something that we don't actually need. 

I'm still not totally clear. Can I keep using QB self-employed for ACH only payments without having to pay extra for PCI compliance? Or will I be fined? Per the message here I'm seeing  "Regarding ACH payment, it isn't mandatory"

Allow me to clear up your confusion, @Makingclothes.

If you're processing, storing, or transmitting any payment card information, including ACH account details, it is important to ensure PCI compliance. It's crucial for protecting sensitive payment information, ensuring the security of your customers' data, and meeting legal and industry standards. You can sign up using your email address connected with your Merchant account at www.securitymetrics.com/pcidss/intuit.

Regarding the specific requirements and potential fines, it is best to reach out to SecurityMetric. This is to ensure you meet all the necessary requirements and obligations. You may want to check out these resources for more info about this matter: 

• QuickBooks PCI Service FAQs
• SecurityMetrics’ PCS DSS Compliance FAQ
• Intuit Security Metrics Guide to PCI DSS compliance

We're always here if you have other PCI Compliance concerns. I'll gladly answer them for you. Take care and have a great day!

So is signing up with the third party Security Metrics REQUIRED???  Where can I find Self-Assessment Questionnaire so that I can "certify" compliance without having to sign up with a third party that will charge me for something I don't need? 

I've been through ALL of the information on support pages as well as messages from support here and other strings.  The messaging around this process by QBO is absolutely horrendous, quite obviously aimed at pumping another service (this is a general theme with QBO--pump pump pump S#!^ I don't want or need). 

I just need a link to the place where I can complete the Self-Assessment Questionnaire, no explanation of why PCI/DSS is important, etc. is needed. 

Thanks.   

@MichaelAparicio 

Check the information as I mentioned earlier.

As per your message -

"If you don’t feel like doing it yourself at the $85 initial cost, or being guided through it at $195, they have a separate yearly package that will do almost everything for you to attain compliance for a steep price of $670. Another option, you should consider having a 3rd party merchant service provider to integrate with QB. Everything listed above one provider does for no extra cost and is built into their $30 fixed fee for newly boarded merchants for the entire duration of their time with them"

I still do not understand why the difference from $85 compared to $670. Apart from the SAQ' s what does the user need to fill and what are the other features for the steep price of $670. Who are the other 3rd party provider apart from security metrics.

Thanks for joining this thread, MichaelAparicio.

To verify if you're only able to use SecurityMetrics with a QuickBooks Payments account, or if you have the option of utilizing a different third party PCI provider, I'd recommend getting in touch with our Customer Care team. They'll be able to pull up your account in a secure environment, conduct further research with you, and go over what options are available.

They can be reached while you're signed in.

Here's how:
 

1. Use the Help (?) icon.
   
   
    
2. Click Contact Us.
   
   
    
3. Enter a description of your situation in the What can we help you with? field, then hit Let's talk.
   
   
    
4. Select Start messaging or Get a call.
   
   

Be sure to review their support hours so you'll know when agents are available.

In regard to where you can find the Self-Assessment Questionnaire (SAQ), you'll initially need to create an account with SecurityMetrics. After completing their FastPass, you can purchase a PCI package that best suits your business's needs. Afterwards, you'll be able to complete an SAQ and set up the appropriate scans.

I've also included a detailed resource about working with PCI DSS compliance which may come in handy moving forward: Learn about QuickBooks PCI Service

If there's any additional questions, I'm just a post away. Have an awesome Tuesday!

It's still not clear whether going through the third party is REQUIRED or if there is another method.  This is the most ridiculous company I've ever done business with, yet it's so painful to move elsewhere I just stay put.  I may try the "wait for someone to call me about non-compliance" and then "just close my account" approach.  This could be the last straw.  

This is so confusing... Okay, I'm a small business that does video and marketing for my clients. I only send them invoices through QBO, and they choose on their end how to pay. I don't see my clients when they pay, I don't talk to my clients when they pay. They get an invoice in their email, they open said invoice, and pay it how they see fit. I don't handle payment methods, I don't accept credit card or ACH information, and I don't do anything with their payment methods. I just send an invoice, and they pay it through my QuickBooks invoice. Do I have to jump thru these hoops or pay SecurityMetrics a bunch of money to make sure I'm "Compliant"? I hope you can help me make sense of this.