Machelle-Comeau
Returning Member

Do I need to pay another company to be PCI compliant? I keep getting contacted about it. I accept online payment from a few customers but do not store their information

Isn't QuickBooks payments PCI compliant? Ultimately it is their software being used and I don't have anything to do with payments other than sending an invoice. I don't see any of the customers information from their payment.

3 Comments
Clark_B
QuickBooks Team

Greetings, @machelle.

Since you’re processing payments, it’s important to note that you’re required to be PCI compliant. While QuickBooks is PCI compliant, this doesn’t automatically make its users PCI-compliant. Also, even though you’re not storing information, you’re still required to ensure PCI compliance and attest to it.

QuickBooks has partnered with SecurityMetrics to help users manage their PCI compliance requirements, and there is a fee involved for using their services. However, if you are already PCI compliant through another provider, you don’t need to pay another company and can simply disregard the marketing emails or any information related to compliance services.

You can check this article to learn more about PCI requirements: Learn about QuickBooks PCI DSS Compliance Services.

Let us know if you have any other concerns.

Machelle-Comeau
Returning Member

I do not actually process the payments. All I do is send an invoice and it all goes through QuickBooks (which I have to pay for). I never see any customer information regarding payment. I am not sure why I need to be “compliant” when I don’t have anything to do with processing payments and my computer is not used in any way to process a payment.

MichaelaS
QuickBooks Team

I understand your confusion, Machelle. Since you use QuickBooks Payments and don’t handle customer payment details directly, it’s natural to wonder why PCI compliance is required. Let me clarify this for you.

Payment Card Industry Data Security Standard (PCI DSS) compliance is a set of security standards designed to ensure anyone involved in processing, transmitting, or handling credit card payments does so securely. Its primary purpose is to protect cardholder data, reduce the risk of fraud or breaches, and safeguard the entire payment ecosystem.

While QuickBooks Payments itself is PCI compliant, maintaining compliance is required at your level as the merchant to ensure your business also meets the security standards outlined by PCI DSS. Even if you're only sending invoices or using QuickBooks Payments to process transactions, you are still considered part of the payment ecosystem and need to validate your compliance.

It is the merchant's responsibility to uphold PCI compliance, which applies to any business that accepts credit or debit card payments, regardless of size or how payments are processed. Even though you don’t directly handle payment information, you are still responsible for ensuring your systems, policies, and practices meet security standards.

Being PCI compliant helps businesses rebuild trust, reduce risks, detect issues early, and mitigate the impact or liability of a security incident. You have the option to use SecurityMetrics or other third-party providers to help with your compliance process.

Check this article to know more about PCI DSS compliance: Learn about QuickBooks PCI DSS Compliance Services.

Please leave us a response if you have other questions or concerns.
