LBenware
Level 3

SecurityMetrics Intuit Basic PCI Compliance

I received an email from Intuit about becoming PCI Compliant by using SecurityMetrics. Has anyone bought their "Intuit Basics" plan? Does this suffice? I'm just a small lawn care business that invoices via Quickbooks Online, which to my understanding means I still need to be PCI Compliant, I'm just not sure to what extent.

Bryan_M
QuickBooks Team

Hi there, @LBenware.

I'll be more than happy to give you details about the email you received from Intuit about becoming PCI-Compliant using SecurityMetrics.

To ensure the security of our customers' accounts, Intuit QuickBooks Payments is partnering with PCI Compliance vendor SecurityMetrics. You've received an email to let you know how you can enroll in SecurityMetrics' PCI services.

Once you're enrolled in the needed coverage, you don't need to take any more steps with Intuit. Know that Intuit doesn't require proof of PCI Compliance at this time.

If you want to learn more about PCI and how to securely process sensitive payment card data, you can read through this article: Learn about the PCI DSS Compliance Services.

If you have more questions about SecurityMetrics in PCI Compliance, you can reply to this post. I'll be willing to lend a hand. Have a good day!

LBenware
Level 3

So is becoming PCI Compliant required? It seems optional by Intuit, but suggested? I do not store credit card data, but simply use Quickbooks to invoice. It seems to me I would fall under SAQ-A with this. But is there somewhere I could fill out the SAQ-A and turn in on my own to show compliance rather than pay for SecurityMetrics?

Rea_M
Moderator

Thanks for getting back to us, @LBenware.

I'll gladly share further details about the Payment Card Industry Data Security Standard (PCI DSS) Compliance with QuickBooks Payments.

Yes, becoming PCI Compliant is required by Intuit for any company or organization that handles cardholder data, whether to process, store or transmit. With this, QuickBooks has partnered with SecurityMetrics to help you meet the PCI compliance requirements accordingly.

On the other hand, we've dedicated a special department to answer all SAQ-related concerns. I encourage you to call phone support for this matter.

You can visit this article to answer the most commonly asked questions about PCI DSS Compliance Services in Intuit: Learn about the PCI DSS Compliance Services.

Also, you may want to check out these resources as your reference for more info about PCI DSS Compliance:

I'm always around to help if you have other PCI Compliance concerns. You can drop a comment below, and I'll gladly answer them for you. Take care, and have a great day, @LBenware.

LBenware
Level 3

I guess I am still confused as to why I have to be PCI Compliant if the vendor merchant I use (Quickbooks payments) is compliant. I do not store or have access to data. From what I see, if you use a third party processor and they are compliant, you are compliant as well since you are not the one processing, storing, or transmitting data.

 

MJoy_D
Moderator

Thank you for getting back to us, @LBenware.

Intuit's PCI program will let you defend your customer card data by making it a Threat Prevention Tool and a Card Data Breach protection.

I also suggest reaching out to our Customer Support team to get answers about the PCI compliance service. They're the ones handling this type of concern. You can get their phone number by going to the "Who can I contact if I have questions regarding my SAQ or questionnaire?" section of the following article: Learn about the PCI DSS Compliance Services

If you process payments for other businesses, level 3 data can have benefits for you. For more information about Level 3 data and processing detailed info to Visa and MasterCard, check out this article: What merchants need to know about Level 3 data processing.

Visit us here again if you have more questions about your QuickBooks account! I'm always here to answer them for you. Keep safe, and have a great rest of the day!

marcycpa
Level 3

I agree with the original poster of this question.  All it looks like is that QB is trying to charge us for something.  Do we have to do this?

JohnAAA
Level 1

The most recent mailing I received from Intuit indicates that I must be PCI Compliant. In order to do that, I have to handle credit-card data directly, which I do not. There is no option to say that I've delegated these tasks to Intuit, but all of the language is very threatening regarding contractual obligations.


There should be an option with Intuit or with their PCI Compliance partners to indicate this, so that there's no need to fork over $85 to be told that there's no way to comply in this situation.

ZackE
Moderator

Thanks for joining the Community and getting involved with this thread, JohnAAA.

Businesses who process, handle, transmit, or store credit card data are required to be PCI compliant. Intuit has partnered with SecurityMetrics to streamline your PCI compliance validation process. The fee charged by SecurityMetrics is annual.

You can add PCI services to your account by creating an account with SecurityMetrics. After completing their FastPass, you'll be able to purchase a package that best suits your business's needs. After purchasing an appropriate package, you can complete the SAQ and set up your scans.

I've also included a detailed resource about working with PCI services which may come in handy moving forward: Learn about QuickBooks PCI Service

If there are any questions, I'm just a post away. Have an awesome Friday!

LBenware
Level 3

This is why I was confused. I don’t handle any credit card info, it’s all through Intuit, who says they are PCI compliant. So I do not see a reason to be PCI compliant myself, as I don’t have any contact with the credit cards.

csulger
Level 1

I also received this notification yesterday. The email lacks certain details that are important.

1) Is this mandatory to keep a QuickBooks Payments account open?

2) Is this required for all accounts, accountants and businesses alike?

3) When is this due by? As you know we accountants are neck deep in tax season work at the moment.

4) Is there an exemption for this? Personally, I never handle credit card details. And I mean truly never; I don’t even accept credit cards. 

unitedelectric220
Level 1

I agree with you as I just got the same email. If QB is the processor of all customer CC/ACH payments and I do not personally obtain any type of card or account information; there is no reason I should be paying an annual fee for PCI compliance. Based on what I have read and also being in banking, the company who utilizes and stores the card information are the responsible parties to PCI compliance. Not a small business who never sees or touches a customer's CC or bank info. C'mon, that's like PayPal or some other company I use to receive payments telling me I have to be PCI compliant when in fact I have nothing to do with their database. Someone does not know their job in asking QB customers to attest they are PCI compliant when QB is the actual data holder; not the business simply getting paid through QB.

sky220
Level 2

The reason I use Quickbooks Online payments is precisely that I do NOT want to store customer card data. Now they want me to pay $85 even though I have no access to card data at all. Technically not a 'scam' but personally it feels like QBO is scamming me into paying $85 just to answer a questionnaire that is going to say I have no access to card data. What is going on here other than a 'sweetheart' deal where QBO (Intuit) is handing us over to SecurityMetrics to pay them money for something we do not want.

 

Has anyone been able to get thru this process without paying at least $85 so far?

EnvisionMarketing
Level 1

I am already paying $9.95 to QB for PCI compliance with my merchant account. Why am I paying another $85 a year? I'd rather pay the $85 than the $120...

Bilbo239
Level 1

I, too, am perplexed at having to pay security metrics this fee. The representatives trying to answer these questions appear to be dodging the questions and just referring questioners to the process.  Also, I "liked" or clicked on the thumbs up response to these replies, but the system wouldn't tabulate the clicks.  

I am not impressed with the customer service. 

MasterClean
Level 1

Are there any updates on this? Has anyone figured out if we actually have to do this if we are not personally taking credit card payments through anything except QBO?

Kurt_M
QuickBooks Team

I'm joining in to share more about Payment Card Industry Data Security Standard (PCI DSS) Compliance with QuickBooks.

Please be aware that the Payment Card Industry Data Security Standard (PCI DSS) is a list of practices merchants must follow when accepting or accepting payment cards. It includes how you securely handle, process, and store any sensitive payment card data.

If you have any other questions, you can visit this page to get in touch with our support team: Learn about the PCI DSS Compliance Services.

Furthermore, here's an article to help you manage your company subscription: Manage billing, payment, and subscription info in QuickBooks Online.

Feel free to leave a comment below if you have any additional QuickBooks-related concerns or need help accomplishing tasks inside the program. We've got you covered. Take care!

sky220
Level 2

This is why we use QBO to accept payments and never see a customer's card. Ever.

Intuit QBO needs to provide us with a checkbox somewhere so we can say "I do not accept cards directly, nor do I ever take a customer's credit card number into my systems."

I think the problem here is that we merchants consider QBO to be OUTSIDE our company, and to provide a "firewall" of sorts that isolates us from credit card numbers. QBO wants to consider merchants to be INSIDE and QBO wants to cover their liabilities by requiring that merchants pay for and secure PCI compliance, even if we have to say "We never see a credit card number at all."

If they eventually decide to shut down my QBO invoicing and payments, I will just switch to PayPal invoicing, which I already do with certain clients. PayPal is not requiring PCI compliance. (And similarly they do not share any financial info with me except the client's name.)

sky220
Level 2

The referenced materials say:

  • "If you’re storing credit card processing data, it should always be in a manner that makes it difficult to access. Any company or organization that handles cardholder data, whether to process, store or transmit, must meet PCI compliance requirements."

My firm does not handle or store card data, there is no reason it must be PCI compliant.

MFling
Level 1

I want to know exactly what SAQ level applies to Quickbooks payments on-line. I want chapter and verse from Intuit that states that. There is no documentation that states what level we should be at. SAQ-D is not acceptable for an on-line service like Quickbooks, where we never see the PII to leverage on its users.

At the moment it looks like Intuit is forcing its customers to pay 'insurance' through SecurityMetrics in case they screw up.

JoesemM
Moderator

I appreciate you for joining the thread, @MFling. I'll share insights about the SAQ level that applies to QuickBooks payments in QuickBooks.

As mentioned by my colleague in this thread, PCI Compliant is required by Intuit that handles cardholder data, whether to process, store or transmit. That said, Intuit has partnered with SecurityMetrics to streamline the PCI compliance validation process.

To further explain the SAQ level that QuickBooks Payments applies, you may contact the support team. Just scroll down at the bottom of the page to get their phone number: Learn about the PCI DSS Compliance Services.

I'll be adding these resources that help you with PCI DSS compliance:

For additional QuickBooks-related concerns, don't hesitate to post them here in the Community. We're always available and willing to lend a hand to your queries.

TNT2023
Level 2

I am being hounded by SecurityMetrics starting this week. Ivan failed to read my out of office responders and continues to call and email in a very threatening manner...my 6-year-old just had surgery, so I'm out of the office and I'm not calling him back until I feel like it at this point. I started their questionnaire after receiving the same email a month ago, but I didn't move forward after they started wanting me to pay money. I also started thinking, I don't collect CC data like all of you, I use QB payments, just like I would Square or Stripe and I started doing research and they are PCI compliant so the business using their service for their customers is protected as long as you are following their rules. I am PCI compliant based on the PCI Security Standards Council. Also, I am allowed to perform a self-assessment. Then today I decided to look at my QB Payments account a little bit more and look what I found:

FYI - Intuit - All of your links below were not working today when I tried to click on them, so that wasn't very helpful

PCI Service

Card Data Breach Forgiveness

Your PCI (Payment Card Industry) Service provides Card Data Breach Forgiveness up to $50,000 per year per account. You qualify for this benefit if your account is current on PCI service fees or if your account is current on monthly service fees associated with a standard pricing plan.

Start the Claim Process

If your business had a card data breach, start the claim process to receive your benefits.

  1. Email [email address removed]
  2. Use the following subject line: PCI Card Data Breach
  3. Include the following information in the body of your email
    1. Your name
    2. Phone Number
    3. Merchant Account Number
    4. Short description of the incident

Once your email has been submitted, a representative will get back to you to help you through the claim process.

What if I have more questions?

Please visit our PCI support page or call 800-558-9558.

kenswebdes
Level 1

I have done PCI compliance audits for a number of my clients who use other merchant account providers and their providers give them the PCI audit service access for FREE.  Considering the expensive fees we are paying for both the merchant account services AND the ridiculously expensive cost for QB online that you keep jacking up, why doesn't Intuit cut a deal with one of these PCI compliance companies and give us access to the program for FREE like all of your other competitors?  I have been paying the VERY High Merchant account fees for the convenience of sending the invoices with a payment option embedded, but this makes me seriously consider cancelling that and having my customers pay me by Zelle or Venmo or PayPal or by mailing a check....   You guys have competition and trying to extract every penny out of your customers is not a good way to build customer loyalty and good will.

lhkrueger
Level 1

I just got the same email and I think this is ridiculous, and QB cannot provide a reasonable answer. I have NO access to customer's credit card info - ever.   I will not be paying SecurityMetrics for any services and will cancel my QB payments account if it gets to that.

NATSLLC
Level 2

In typical Intuit fashion, you guys did an awful job explaining what is involved with this new compliance issue. You need to tell your customers what the cost is, what options are available, etc. Awful job communicating this to users. Who is overseeing this program? If I was running the business, they would be looking for a new job.  
