sean103
Level 1

Do I have to go through Security Metrics for PCI Compliance? I only take a few small payments per month.

Kurt_M
QuickBooks Team


Yes, @sean103. It's required to participate in and complete SecurityMetrics' PCI compliance assessment when accepting payments in QuickBooks Online (QBO). Completing this will help you prevent penalties, audit costs, and additional restrictions. I will provide more details below to offer further insights.
 

Intuit and QuickBooks offerings are also listed as compliant on the PCI Security Standards Council website. Although QuickBooks applications are secure, additional applications on your local computer or network may jeopardize your security environment. Moreover, utilizing QuickBooks Payments services does not ensure automatic PCI compliance. By completing this, you are safe from possible penalties, audit costs, and other potential restrictions when accepting payments. For more information about PCI DSS compliance, please refer to these articles:
 


Moving forward, it can be helpful for you to learn about the way QuickBooks Payments handles bank data and transactions. For more detailed information, please refer to this article: Learn about Level 3 data processing in QuickBooks Payments.


I'm always at your service to help clear out details regarding PCI compliance and how you can complete it. Feel free to post additional inquiries regarding QuickBooks as well. Rest assured, I'll always be available and will respond promptly. Stay safe and take care.

sean103
Level 1


I just chatted with a QuickBooks agent online and she said I do not need to pay them any money and that I can just tell them I am PCI compliant.

Just_me
Level 11


@sean103   If you accept credit cards for ANY amount, you MUST be PCI compliant. 

However, you do NOT have to, nor should you use Security Metrics.  They are extremely expensive, mean, dishonest and bullies.  

There are a large number of other companies out there that you can, and should look into.  

You can also do it yourself, as it would save money.  


colemansplumbing
Level 1


How can I be PCI compliant without using a company or Security Metrics? I would like to do it on my own to save money.

Dandie_A
QuickBooks Team


Hello there, Coleman. To achieve PCI DSS compliance in QuickBooks Online (QBO) without using SecurityMetrics, you can self-assess your compliance using the SAQ A form and follow basic security practices.

 

Here's how:

 

  1. Understand the PCI compliance requirements, because PCI is focused on securing cardholder data.
  2. Complete the Self-Assessment Questionnaire based on your business's credit card payment processes.
  3. Secure your systems:
    • Use a PCI-compliant payment processor (e.g., QuickBooks Payments).
    • Keep devices, software, and networks updated, with firewalls and antivirus.
    • Avoid storing sensitive cardholder data.
  4. Implement best practices:
    • Train your staff on proper security measures.
    • Limit access to sensitive information.
    • Monitor transactions and report suspicious activity promptly.
  5. Maintain records of your compliance actions, including SAQs, policies, and training, to stay prepared for audits or inquiries.

By following these steps and leveraging QuickBooks Payments (if applicable), you can take significant steps toward PCI compliance without hiring external companies like Security Metrics.

 

For more detailed guidance on achieving PCI compliance and how QuickBooks Payments helps with it, you can refer to the article: Learn about QuickBooks PCI Compliance.

 

If you have further questions or need additional guidance, feel free to reach out.

jfisher27
Level 2


@Dandie_A - This is really helpful. So if a small, non-profit using QBO does all this, is "5. Maintain records of your compliance actions, including SAQs, policies, and training, to stay prepared for audits or inquiries" sufficient for us so that we can be considered "PCI Compliant" and Security Metrics will cease spamming us with email threats (or incessantly offering to assist us to achieve PCI Compliance)?

Or how does a company actually "report compliance" to Intuit Quickbooks, if that is who we need to be on record with as not being "Non-compliant"? For example, is there a way to submit/upload our SAQ A to Intuit Merchant Services so that we can be on record and never ever have to receive an email from SecurityMetrics again?

 

ThomasJosephD
QuickBooks Team


You will be considered PCI compliant once you have completed the PCI compliance assessment, jfisher27.

 

Intuit QuickBooks does not require you to submit or upload your PCI compliance documents, such as your SAQ A. Your PCI compliance status is self-attested by completing the PCI compliance assessment provided by your acquiring bank or payment processor. However, there is no need to submit any proof or documentation at this time.

 

You may still receive emails from SecurityMetrics. These messages primarily explain PCI compliance, share security resources, and highlight Intuit's partnership with SecurityMetrics. Please disregard these messages.

 

For more detailed information about PCI compliance, you can read this article: Learn about QuickBooks PCI DSS Compliance Services.

 

Feel free to respond to this conversation if you have any further questions.

Just_me
Level 11


@jfisher27   You're going to constantly be bullied by Security Metrics.  It's what they do.  

Throw the threats back at them if you have to.  Turn them in for their practices and bullying.  Don't let them keep mistreating you. 

jfisher27
Level 2


Thanks @ThomasJosephD. This is the way I have understood it, too. That's not exactly what the SecurityMetrics emails are communicating. They strongly imply that they are the arbiters of PCI Compliance for all Intuit Quickbooks users.

CindyZ123
Level 1


How do I do a self assessment? I am not paying Security Metrics $155!

Jessavell_A
QuickBooks Team


It's completely understandable that you want to avoid an extra fee for PCI compliance assessment, Cindy.

 

First, you'll need to determine which Self-Assessment Questionnaire (SAQ) is appropriate for your business. There are several types of SAQs, and using the wrong one could result in your self-assessment being invalid. Also, the questions can be quite technical and challenging, especially if you aren't familiar with them. Thus, I recommend consulting with an expert who can assist you in completing the assessment accurately.

 

Alternatively, you can find other security companies that can help you with the PCI compliance assessment. However, please note that you'll need to pay fees based on the company's services.

 

To learn more about QuickBooks PCI DSS compliance services, you can refer to this article: PCI DSS Compliance.

 

Let us know if you have any additional questions.
