PCI compliant and Security Metrics
I understand the following: Even though I never see or store customer card numbers, I’m still classified as a merchant because I accept credit card payments. The Payment Card Industry Data Security Standard (PCI DSS) applies to any business that handles, processes, or transmits cardholder data, even indirectly through a third party like QuickBooks (QB). QuickBooks is PCI compliant as a platform, but the merchant (me) must also validate my own compliance by confirming that:
- I use secure systems (no handwritten card numbers, no unencrypted forms, etc.)
- I don’t store card data locally or in any unapproved system
- I follow best practices (password protection, secure Wi-Fi, etc.)
I also understand that Security Metrics is a third-party company Intuit uses to collect that self-validation (the Self-Assessment Questionnaire or SAQ). The $85–$375 annual fee covers that service and their documentation portal; it’s not an Intuit fee for processing payments.
In short, it’s about proving I’m following PCI rules, even if QB actually processes the payments.
BUT, in my case, I want to clarify that I do not collect, store, or directly process any customer credit or debit card information. ALL transactions are conducted through the QuickBooks Payments platform via a secure link I send to clients. QuickBooks handles the payment processing, including refunds, and at no point do I have access to my customers’ card data.
Given that QuickBooks is already PCI compliant and that I don’t handle cardholder data directly, can you please confirm why I’m required to pay the additional annual Security Metrics PCI fee on top of the existing QuickBooks fees?
If there’s a simplified self-assessment option for small merchants who exclusively use QuickBooks’ hosted payment links, I’d like to pursue that instead. Please advise if I can be marked as “SAQ-A” compliant, since this category is typically for merchants that fully outsource payment processing and do not store or handle card data.
Thank you for clarifying so I can ensure full compliance without incurring unnecessary costs.
Because quite frankly this is some BS.