Stacybephotography
Level 2

PCI compliant and Security Metrics

I understand the following: Even though I never see or store customer card numbers, I’m still classified as a merchant because I accept credit card payments. The Payment Card Industry Data Security Standard (PCI DSS) applies to any business that handles, processes, or transmits cardholder data, even indirectly through a third party like QuickBooks (QB). QuickBooks is PCI compliant as a platform, but the merchant (me) must also validate my own compliance by confirming that:

  • I use secure systems (no handwritten card numbers, no unencrypted forms, etc.)
  • I don’t store card data locally or in any unapproved system
  • I follow best practices (password protection, secure Wi-Fi, etc.)

I also understand that Security Metrics is a third-party company Intuit uses to collect that self-validation (the Self-Assessment Questionnaire or SAQ). The $85–$375 annual fee covers that service and their documentation portal; it’s not an Intuit fee for processing payments.

In short, it’s about proving I’m following PCI rules, even if QB actually processes the payments.

BUT, in my case, I want to clarify that I do not collect, store, or directly process any customer credit or debit card information. ALL transactions are conducted through the QuickBooks Payments platform via a secure link I send to clients. QuickBooks handles the payment processing, including refunds, and at no point do I have access to my customers’ card data.

Given that QuickBooks is already PCI compliant and that I don’t handle cardholder data directly, can you please confirm why I’m required to pay the additional annual Security Metrics PCI fee on top of the existing QuickBooks fees?

If there’s a simplified self-assessment option for small merchants who exclusively use QuickBooks’ hosted payment links, I’d like to pursue that instead. Please advise if I can be marked as “SAQ-A” compliant, since this category is typically for merchants that fully outsource payment processing and do not store or handle card data.

Thank you for clarifying so I can ensure full compliance without incurring unnecessary costs.

Because quite frankly this is some BS.

6 Comments
Ethel_A
QuickBooks Team

PCI compliant and Security Metrics

Thank you for raising this important point about PCI compliance, @Stacybephotography. While QuickBooks Payments provides a secure and compliant platform for transaction processing, it's important to understand that businesses are still responsible for maintaining their own PCI compliance. Let me break this down further to explain why additional steps may be required, even when using a secure third-party service like QuickBooks.

Using QuickBooks Payments services does not automatically make your business PCI compliant. While QuickBooks ensures its own systems are secure and PCI compliant, your overall compliance can still be affected by other applications or systems on your computer or network. Additional steps may be required on your part to ensure full compliance with PCI standards.

All merchants that accept credit or debit cards must comply with PCI DSS standards. Your payment methods and annual transaction volume determine your validation requirements. Every merchant must complete a Self-Assessment Questionnaire (SAQ), depending on how they handle card data.

Intuit has partnered with SecurityMetrics, a leading PCI compliance service provider, to help you meet the required standards. However, you also have the option to choose a third-party provider outside of QuickBooks to achieve compliance.

PCI compliance is essential for protecting your business and your customers’ payment data. QuickBooks and SecurityMetrics provide helpful tools to assist you, and you can explore additional options as needed. If you have any questions, feel free to leave a comment below.

Stacybephotography
Level 2

PCI compliant and Security Metrics

Just to clarify, I’ve already completed the self-assessment. However, I’m still being prompted to purchase one of the SecurityMetrics packages and honestly, I have no idea what these packages include or why I would need them if I’m not processing any payments directly. My understanding is that completing the self-assessment should confirm that I do not process or store client credit card information. If that’s the case, why am I being required to purchase any package from SecurityMetrics?

ClaireSamanthaS
QuickBooks Team

PCI compliant and Security Metrics

Hello there, Stacy.

To clarify, QuickBooks has partnered with Security Metrics to provide a streamlined compliance validation process and associated services, which is why you are repeatedly prompted to purchase a package after completing the initial Self-Assessment Questionnaire (SAQ).

Merchants who complete SAQ and don’t handle cardholder data typically don’t need extra services under PCI DSS. However, QuickBooks Payments may still require merchants to purchase Security Metrics packages for two main reasons. First, these packages provide formal compliance certification and reporting, ensuring the merchant’s compliance is officially documented. Second, QuickBooks Payments may mandate additional monitoring to protect the security of its broader payment ecosystem, even if the merchant doesn’t directly handle cardholder data.

You can also check out this article to know more about PCI DSS Compliance Services: Learn about QuickBooks PCI DSS Compliance Services.

Let us know if you have additional questions or concerns. We're here to help.

laborboy1
Level 2

PCI compliant and Security Metrics

Are you saying that QB will "require" some merchants to purchase Security Metrics' package? If so, which merchants?

Jelayca V
QuickBooks Team

PCI compliant and Security Metrics

Hi there, @laborboy1. While working with SecurityMetrics is a reliable and trusted option, it isn't necessarily required for you to purchase their package.

Intuit partners with SecurityMetrics to provide merchants with a dependable and compliant option to protect sensitive customer payment data. However, you're free to explore other compliance solutions that meet the same standard, as long as your business remains PCI compliant.

We encourage all merchants who accept credit card payments to be compliant with PCI DSS. This step is crucial for safeguarding payment transactions, protecting customer data, and reducing risks linked to non-compliance.

Let me know if you would like more details or have any questions. I'm here to help.
