I just want to weigh in here because I am livid.
I have spent upwards of 3 hours on the phone trying to get an answer to this. The first two people I spoke with from QB told me that it was a phishing attempt and would not discuss PCI compliance. They insisted it was a scam. While I agreed that it indeed felt very scammy, it was consistent with what the QB website states, so I felt it was not likely to be a phishing email.
The next person I spoke with from Merchant Services told me verbally that I could ignore the emails, but I had nothing in writing to contradict QB's repeated claim that I'm not in compliance and therefore in breach of their TOS. She then told me that I could just upload my SAQ-A and AOC to a portal, and proceeded to send me the SecurityMetrics website. I explained that this was exactly what I was trying to avoid, and that it costs money. She insisted that it was free, (it's not). And then said, "Well if you won't listen to me then I'll send you a different link" and that link is literally a "how to sign up for SecurityMetrics" tutorial! *head-exploding emoji*
Seeing no ability to get clarity through QB, I called the SecurityMetrics folks who assured me that a 3rd party certification was required (of course). They offered me a "very special discounted price of $85." I asked what the basic QB customer discount price was, and surprise! $85. I laughed indignantly, and they offered me $50 instead since I was such a nice lady (I was not).
I finally just relented and paid the $50 to just be done with it, but I'm regretting that now since I can't find anything in the actual TOS that says 3rd party verification/certification is required. It just lists out the explicit requirements, all of which I'm already meeting because I do all my CC transactions through QB Payments.
Also, for extra icky measure, the SecurityMetrics guy told me that he knew another woman with my name and she was also "quite spicy." I feel absolutely disgusted and gross. I'm debating trying to cancel the charge since they bald-faced lied to me about needing a 3rd party certification.
Speaking of lying... the QB Payments landing page/marketing has this FAQ:
Q: Do I have to sign up separately to accept credit cards and bank transfers?
A: QuickBooks Payments requires application approval, but once you have an account, you don’t have to do anything else to take credit cards and bank transfers.
I added the emphasis, but this feels like false advertising if they truly are going to *force* you into paying a mandatory annual PCI compliance fee. I think a careful reading of the TOS shows that SecurityMetrics or any 3rd party fee is not actually required though. Simply doing business in alignment with the principles appears to be sufficient.
