They are just trying to bully you into paying for services you don't need. If everything is handled through QuickBooks Online, then you are compliant and you don't need to pay for other services. I've attached the QB Online PCI compliance attestation. Just provide their attestation if someone asks for proof of compliance. Here is the link as well: https://security.intuit.com/compliance/
@awasos That is incorrect, and @Rainflurry has already explained why on the first page of this thread.
Though they are definitely trying to bully you into using their partner, SecurityMetrics, specifically.
That QBO PCI compliance PDF *looks* legit ... for up to 2020. It's a new-rules scenario, apparently.
"If everything is handled through quickbooks online, then you are compliant and you don't need to pay for other services. I've attached QB Online PCI compliance attestation."
That is completely false. The document you posted is Intuit's PCI compliance, not yours. That doesn't show that you are PCI-compliant. I'm not sure how many ways it needs to be stated, but PCI compliance is required for any business that accepts credit cards. Even if every single one of your customers pays via a payment link, you still have a merchant account that can be accessed or hacked. PCI compliance addresses that.
Apparently I very well may be wrong. I don't have anything to cite for my statement, and I'm sure @Rainflurry has much more credibility than I have (this is not sarcastic). My source doesn't have proof, so I still don't know. They referred to Square, which is apparently different from every other payment processing site. I still don't think you have to pay anyone for it and you should be able to handle it yourself (as far as I know), but I'm learning here too.
"I still don't think you have to pay anyone for it and you should be able to handle it yourself (as far as I know), but I'm learning here too."
If you can find a company that provides a free PCI compliance assessment then it's my understanding that you can use them as @FishingForAnswers mentioned. My apologies if I sounded harsh, it's just that there's a lot of confusion regarding PCI compliance and posts that add to the confusion are frustrating. PCI compliance is confusing (I'm no expert at all) and even the PCI Security Standards Council's website doesn't make the process easy to understand.
So I was wrong. I apologize if I added to the confusion. I'll try to add as much detail as I can here to help others with what I've learned.
If you only use QB Online for payments, then they are your Third Party Service Provider (TPSP). You still have a requirement to be PCI compliant as well, and you would fill out Self-Assessment Questionnaire A (SAQ A). I attached it, but you can find these documents in the PCI website document library (it would only let me attach one document to this chat). https://www.pcisecuritystandards.org/document_library/
Work yourself through the questionnaire and then fill out the Attestation of Compliance for SAQ A (AOC SAQ A). There should only be a couple questions that are applicable depending on whether or not you have a website that directs customers to QB Payments or via link. If QB payments sends your customer the link directly from their system then those questions are not applicable either.
That should be it. Everything online says that you need a vulnerability scan as well (ASV scan), but the PCI website says otherwise. It says:
Do ASV scans apply to all SAQ A merchants?
No, ASV scan requirements in SAQ A only apply to e-commerce merchant system(s) that hosts the webpage that either 1) redirects payment transactions to a PCI DSS compliant TPSP or 2) includes an embedded payment page/form from a PCI DSS compliant TPSP. The intent is for merchants to minimize the risk of compromise by scanning for and resolving identified vulnerabilities that could potentially expose their link to the TPSP’s payment page.
I don't have either of those so I think I don't need a scan. A scan is the only thing that you would have to pay for in doing this self assessment process so that's why I think every PCI company online says all merchants need one now. I think it is just a ploy for your money. My reference above is in the PCI SSC ASV Resource Guide. You can find it by searching that name in the above link on their website. It is dated 2024 and refers to Version 4 (which is the newest requirements).
Ironically, QBO Payments' PCI AOC has been expired since 31 July 2024. You need a copy of their current AOC as your TPSP to be current yourself. I'm still waiting on QB to give it to me. It would be posted here if they update it: https://compliance-portal.app.intuit.com/app/PCI-DSS
I hope this helps everyone. Sorry for my bad info earlier. This is still all a scam by the credit card companies and not law, but necessary.
So, you're saying that QuickBooks taking our customers' payment cards isn't protected? That's essentially what you're saying. And then trying to charge an additional $200/year for a service that should be included in our monthly plans.
If that's the case I'm canceling my service now.
No @Handyman74 I'm not saying that. QB is PCI compliant, but they are only a part of your company profile (so to speak). They are your Third Party Service Provider (TPSP) and must be compliant. But you as the merchant who accepts payments via credit card must also be PCI compliant. If all you use is QB then the process is not too difficult to do yourself because you show that all your transactions go through your TPSP on your SAQ A.
I am not with QB. I am just a merchant like you, figuring this stuff out. I think it's absolutely BS too, and I'm doing everything I can not to pay into the scam with more of my money. This isn't a QB policy but a credit card company policy. QB is just trying to capitalize on the opportunity by partnering with a company that provides this service. I'm sure they get a nice cut from every QB customer who uses SecurityMetrics.
@awasos Apologies, I was trying to reply to the QuickBooks employee comment from @RoseJillB. But apparently hitting reply on every individual comment still doesn't do what it's supposed to. Loving QuickBooks more and more.
But I found a separate Reddit thread from another QuickBooks customer that stated they emailed QuickBooks and were told they did NOT have to be separately PCI compliant if all they did was use the payment card acceptance through QuickBooks Online and did not actually handle any physical credit card data.
I'm not paying anything extra as it's not needed. QuickBooks is already PCI compliant and is the one handling the credit card data. That's what we pay them for, and they partner separately with someone else for their own PCI compliance.
My customers aren't coming to me and swiping cards, or any data on my network. They enter it directly into the Quickbooks invoice and I see absolutely nothing.
A business that swipes cards, or takes card information, yes I understand them needing to be PCI compliant. But for my specific situation, I'm good.
Great posts by @Rainflurry and @awasos , thank you both. It's hard to tell what is a sales pitch and what is relevant information.
I'm curious though, has there been a recent change in the last year or so in PCI regs? I've had PP, Stripe, and a merchant account for a number of years and have never been bombarded with PCI compliance requests until 2024. Suddenly it seems that even mom and pop shops have to run the PCI compliance gauntlet.
@FT OPS I don't know the answer to that. I am a brand new business owner this year, so just figuring it all out as I go. PCI DSS Version 4.0 just officially began this year so it probably changed to reach more businesses like us, which is why we are probably seeing this bombardment.
Have they increased your monthly subscription by half? We are feeling the same way about all of this PCI stuff.
Who is "they?" QuickBooks or SecurityMetrics? My QuickBooks subscription hasn't changed, but I get it at a discount rate through my CPA. I didn't cave in to getting SecurityMetrics, so I don't know what they do with their subscriptions. I can imagine they would increase the price once they have you hooked, but that's just speculation.
Someone please start a class action lawsuit against QuickBooks for this, and I will sign the list of people who have been scammed by this. Thanks