I received an email from a Security Company telling me I need to be PCI compliant due to a Law from 2006. Is this a scam? I do not handle any credit card transactions with clients. My only credit card business is by E-Invoice through Intuit Quickbooks online merchant account. I don't ever receive any customer card number and my website is for information only and customers can't order through my site. Do I need to be PCI compliant?
Jim. (BBPC2)
Welcome to the Community, BBPC.
I understand how alarming it is to receive an email from a security company regarding PCI compliance. Please know that Intuit QuickBooks Payments has partnered with a PCI compliance vendor to help our customers achieve PCI compliance.
Therefore, emails are generated by our system and sent out to our merchants to inform them about the partnership. If you're already PCI compliant with a different PCI, kindly disregard the email.
Furthermore, all merchants should be PCI compliant for as long as their account is active and they are processing online payments as part of the Merchant user license agreement.
These helpful materials can give more information regarding the PCI compliance of Intuit:
Let me know if you have additional concerns with the PCI Compliance or any QBO-related inquiry, BBPC. You can reach out to the Community at any time. Take care!
I received the email from security metrics that I need to be PCI compliant and called to speak with them. Hearing them say it’s $10k per occurrence if there’s a credit card breach was unnerving, especially since I’ve only sent 1 invoice using QuickBooks this year and the customer paid on their end by credit card through QuickBooks. I believe I’ve now turned off the options to accept credit cards when sending out invoices, so do I still need the PCI compliance insurance? I only take credit cards at vendor shows through a different merchant which is already PCI compliant. I’m still pretty new to QB. Thank you.
Hi there, @Kristen39.
Welcome to the Community and thank you for using QuickBooks Online (QBO). I've got you some details about QuickBooks Payment Card Industry Data Security Standard (PCI DSS) compliance in QuickBooks.
Consumers with active payment accounts are required to comply with PCI DSS compliance. This is a global card brand requirement to protect customers and their businesses from cardholder data breaches.
Any business or service provider that stores, processes, or transmits payment card data must follow the data standard, regardless of its size or the number of annual payment card transactions.
As long as you process or take payments from your customers with QuickBooks Payments, you’re required to comply with Intuit's security measures.
You might find these articles helpful to learn more about PCI DSS Compliance Services:
If you have additional queries regarding PCI DSS, @Kristen39, please do not hesitate to leave a comment below. I am always at your service to assist. Stay well!
Is a 3rd party service required? Security Metrics needs us to loosen our security standards so their scans aren't blocked, thereby proving we're secure requires us to be less secure. It's counterintuitive.
I understand how this situation can feel confusing and even counterproductive when protecting sensitive data is your priority, @InfoSec. Let me give some clarification so you know the next steps to take.
Yes, being PCI compliant is required, especially for businesses accepting credit card transactions. Working with compliance solution providers such as SecurityMetrics, which partners with Intuit and other organizations, helps keep your company aligned with necessary security protocols.
I can see where you're coming from, since the idea of temporarily adjusting security settings can feel vulnerable. However, these scans are designed to identify areas for improvement, ultimately enhancing security for both your business and your customers.
If you feel uncertain, I recommend contacting SecurityMetrics directly. They can explain why these changes are necessary and whether there are alternative arrangements that align with your security preferences without compromising safety. You can reach them through this link: https://www.securitymetrics.com/contact.
I hope this explanation helps. Remember, PCI compliance is in place to ensure your business remains secure, and we are here to support you every step of the way. If you have any further concerns or would like to discuss this in more detail, please don't hesitate to reply below. Take care.