ddb281
Level 1

Why are PCI compliance companies emailing me? All my CC transactions are handled by e-invoices through Intuit.

Why do I need to pay for PCI compliance through a third party when QB handles all my cc transactions and I don’t touch CC at all?
IrizA
QuickBooks Team

I understand the confusion you have about PCI compliance, ddb281. Let me explain and share some information about it.

 

In QuickBooks, merchants who process, handle, transmit, or store credit card data are required to be PCI compliant. The emails you're receiving from PCI aim to inform you about the necessary PCI compliance standards for merchant services. 

 

While Intuit handles your credit card transactions through e-invoices, PCI compliance provides resources where merchants can obtain security and compliance services. It's important for all businesses that accept credit card payments to maintain PCI compliance to ensure the security of sensitive financial information. 

 

Additionally, Intuit has partnered with SecurityMetrics, a leading PCI service provider, to help you meet the requirements.  It's important to note that SecurityMetrics charges an annual fee to merchants validating compliance for Intuit. 

 

You can visit this article to learn more about PCI compliance: 

 

 

If you have further concerns or questions about PCI compliance and its relation to your specific situation with QuickBooks Online, please feel free to comment below. We're here to assist you.

Just_me
Level 10

According to QB's own website & information, you don't have to go through the Compliance thing.
 
As stated STRAIGHT from QB, "Do you have to be PCI compliant with QuickBooks?
Merchants who process, handle, transmit, or store credit card data are required to be PCI compliant."
 
If you aren't the one that is processing the credit cards, then YOU don't have to be compliant.  QB does.  If you, for any reason, take credit cards at your location, then you would need to be compliant.  IF you do need to be compliant, there are other companies you can use. It would benefit you and your company to use a company that isn't involved with QB at all like Security Metrics is.  They are horrible to deal with and are bullies.
We use a different company... 
 
 
BLS4315
Level 2

Can you share what company you do use, if not SecurityMetrics?

wildworks
Level 1

It seems ridiculous that we have to pay an ADDITIONAL fee to another company when we are paying for you to process these things. Is there a way for us to directly submit the SAQ form? (Otherwise, I will be discontinuing using QuickBooks as a payment platform. I am already using other 3rd party processors who do not harass me for this like SecurityMetrics.) This seems like an undisclosed fee that you are requiring users to pay in order to utilize your services, unless there is another way for us to submit it.

LuisDRamirez
Level 1

Does everyone who accepts credit card payments have to subscribe to SecurityMetrics services?

 

Just_me
Level 10

@LuisDRamirez , You do NOT have to use Security Metrics.  There are plenty of other companies that do it, and WON'T bully or belittle you. They are cheaper, too. 

I don't know the name of the one that we use here.  I will try to find out, though. 

I think it's through our CC processor... that ISN'T QB.  

ZackE
Moderator

Thanks for joining the Community and getting involved with this thread, LuisDRamirez.

 

Intuit partners with SecurityMetrics to help businesses using our QuickBooks Payments services meet PCI requirements.

 

The program includes:
 

  • Threat prevention tools to simplify your PCI compliance process and better defend customers' card data. This includes vulnerability/mobile scans and SecurityMetrics PANscans, which make it easier to identify unencrypted card data and prevent a breach.
  • Card data breach protection for up to $100,000 premium service warranty. To qualify for this benefit, enroll in the program that offers the warranty. You should also be up-to-date on service fees.

 

Currently there are no other options Intuit provides for PCI compliance. SecurityMetrics will be the only available option if you're using a QuickBooks Payments account. Outside of Intuit, all merchants that accept credit and/or debit cards are required to follow PCI DSS Standards.

 

I've also included a couple of detailed resources about working with SecurityMetrics which may come in handy moving forward:
 

 

Please don't hesitate to send a reply if there are any additional questions. Have a lovely Tuesday!

Shift_CO
Level 1

Joining the conversation here - I do NOT process any credit card payments, take credit card numbers, store information, etc. as this is all handled through QB invoices which are paid directly to QB.  Why would I need to have a third party to subscribe to? In this case, shouldn't I count on QB as being PCI compliant because they are the ones accepting, processing, and storing the information?

 

RoseJillB
QuickBooks Team

Allow me to dive into this thread to address your concerns in QuickBooks Payments, @Shift_CO.

 

Consumers with active payment accounts are required to comply with QuickBooks Payment Card Industry Data Security Standard (PCI DSS) compliance. This is a global card brand requirement to protect customers and their businesses from cardholder data breaches. 

 

The data standard must be followed by any business or service provider that stores, processes, or transmits payment card data, regardless of their size or the amount of annual payment card transactions. 

 

Regardless if you don’t store credit card information, as long as you process or take payments from your customer with QuickBooks Payments, then you’re required to comply with the security measures implemented by Intuit.

 

You might find these articles helpful to learn more about PCI DSS Compliance Services:

 

 

If there are any other queries you would like to address regarding PCI DSS or if you have any further inquiries, please do not hesitate to leave a comment below. I am always at your service to assist. Stay well!

SteveKEC
Level 1

Since this is contrary to the advice I received a year ago and seems to contradict both the Intuit TOS and research I did by making a lot of phone calls last year, I'd like to speak to a representative about this instead of getting the chat post. 

 

Who can I call?

ddb281
Level 1

This just seems like a scam to me. I have no secure data because I never handle the credit card. That is all done by QuickBooks. I don’t even put in the info, it’s all done by the customer on Intuit's site. I have no business network to security test because I don’t have a brick and mortar site. Everything I process is done via my phone, except cc transactions which I don’t do at all. This just makes no sense. Why am I paying QB for the service if they can’t isolate me and prevent this additional extortion of fees?

jeanbiverly_
QuickBooks Team

Let me share some insights about QuickBooks Compliance, @SteveKEC and @ddb281.

 

If you're processing, handling, transmitting or storing credit card data in QuickBooks, it's important to be PCI compliant. The emails you're getting from PCI are meant to inform you about the necessary standards for merchant services.

 

While Intuit handles credit card transactions through e-invoices, PCI compliance offers resources that can help you obtain security and compliance services. It's essential for any business that accepts credit card payments to maintain PCI compliance to ensure the security of sensitive financial information. For your reference, visit: Learn about QuickBooks PCI Compliance and Learn about the PCI DSS Compliance Services.

 

If you need further guidance, you can contact our support team. They have the proper tools and resources to address your concerns. Here's how:

 

  1. Sign in to your QuickBooks Online company.
  2. Choose Help (?) at the top right.
  3. Select or type Contact Us.
  4. Enter your concern, then click Let's talk.
  5. Choose a way to connect with us.

 

Please note that support is available Monday through Friday, from 6 AM to 6 PM Pacific Time. Additionally, you can visit the QuickBooks Payments FAQ page to review a list of articles that can help you with the most commonly asked questions. 

 

If there's anything else related to QuickBooks Payments you need help with, feel free to leave a reply. We're always here to assist in any way we can. 

syringaboutiquei
Level 2

The canned response just smacks of bs. I think QB is just trying to scam us out of more money. Be sure to do your research on PCI Compliance requirements. I did. 

FTP17
Level 1

Take payments how?  QB takes the payments, we merely receive the funds, after QB takes a percentage.  My company never sees a credit card #, QB is the sole processor, there is nothing for us to be compliant for as we DO NOT get ANY credit information, QB does.

Rainflurry
Level 13

@FTP17 @syringaboutiquei 

 

PCI compliance is required even if you don't do any processing of credit cards on your local workstation/terminal because you still have a merchant account that you can log into from a browser.  When you log in, you can place charges and issue refunds through your merchant account.  PCI compliance makes sure that you have adequate safeguards and a plan of action if your login/merchant account is compromised.  It ain't BS.  

TerraOwriter
Level 2

Are we required to use Security Metrics? That seems sketchy.

LeizylM
QuickBooks Team

Yes, if you process credit card and debit card transactions, you need to use security metrics, TerraOwriter.

 

PCI DSS compliance ensures that credit card data is handled securely to prevent fraud and data breaches. Companies like Security Metrics offer services to help businesses achieve and maintain PCI compliance.

 

Let me also share these resources that tackle the PCI DSS Compliance Services and frequently asked questions about Security Metrics: Learn about the PCI DSS Compliance Services.

 

I'll be right here to keep supporting you regarding PCI compliance. The Community forum is always available to help you.

TerraOwriter
Level 2

My question was whether SECURITYMETRICS was the only game in town. Your 'partnership' comes across as sketchy. You know that, right?

Just_me
Level 10

"Yes, if you process credit card and debit card transactions, you need to use security metrics,"

 

@TerraOwriter   Actually, NO, you're NOT required to use Security Metrics.  You can use ANY company you choose, as long as you are PCI compliant.  

FTP17
Level 1

Thank you for your reply. I have read about self-assessment and submittal of a SAQ (?). I am just trying to avoid going through a company that had no regulations in regards to how much they charge us on an annual basis; it's $100+ now and next year could go up and up, all for a compliance that I feel should be on Intuit's side as they are the ones taking transactions.

3LT
Level 1

You didn't answer the question. We don't receive any CC credentials when people pay through QB, so why are we required to be PCI compliant? I don't take the number nor do I see it.  Can you answer that please?

James_AL
QuickBooks Team

We know that PCI compliance can be confusing for you, 3LT. Allow me to clarify and provide you with more information about it.

 

The necessity for PCI compliance arises from the presence of computers and mobile devices that have access to both QuickBooks and your merchant account using your login information. Even though you may not physically have access to your customer's credit card credentials, they are stored in your merchant account, leaving you vulnerable. PCI compliance is specifically designed to address and mitigate this vulnerability.

 

 You are receiving emails from PCI to inform you about necessary PCI compliance standards for merchant services.

 

Intuit manages your credit card transactions through e-invoices. PCI compliance offers services for merchants to ensure security and compliance. It's crucial for all businesses accepting credit card payments to maintain PCI compliance, safeguarding sensitive financial information.

 

Furthermore, Intuit collaborates with Security Metrics, a prominent PCI service provider, to assist you in meeting the requirements. It’s essential to be aware that Security Metrics imposes an annual fee on merchants who validate compliance for Intuit.

 

You can visit this article to learn more about PCI compliance: 

 

 

Keep me posted if you have other concerns or additional questions about PCI compliance. I'm always ready to assist you further. 

Rainflurry
Level 13

@3LT 

 

"We don't receive any CC credentials when people pay through QB, so why are we required to be PCI compliant?"

 

You need to be PCI compliant because you have computers/mobile devices that have access to QB and your merchant account via your login.  Your customer's cc credentials are stored in your merchant account even if you can't "see" their credentials.  That makes you vulnerable and PCI compliance is designed to address that.  
