fhughes90
Level 1

I stumbled upon this post while researching what is actually required for a small business owner to be PCI-compliant. Like many of you, I received aggressive emails about compliance, which seemed more like scare tactics than genuine assistance. The approach by QB and SecurityMetrics feels evasive—making blanket statements without clarifying specifics, likely hoping customers will blindly sign up for their services.

Let’s be clear: the question isn’t “Should I be PCI-compliant?” (because we all should); the real question is, “What are the actual requirements for PCI compliance for my specific setup?” The answer depends on your payment environment. After some digging, I found this document from the PCI Security Standards Council, which I thought was straightforward and insightful. Here’s how I’ve interpreted it for my own use case, which I believe will resonate with many of you who only use QuickBooks Online (QB) invoicing, where customers are sent a link to make a payment:

The PCI compliance guide outlines 12 requirements, but not all are applicable in our case. Here’s the breakdown:

  1. Use strong passwords – Always use complex passwords for your accounts and systems.
  2. Protect card data – Not applicable (NA) for us; QB handles this.
  3. Inspect payment terminals – NA; no physical terminals involved.
  4. Use trusted business partners – QB is a trusted PCI-certified partner.
  5. Update machine patches – Ensure your devices (computers, software) are up-to-date with security patches.
  6. Network access control – Limit network access to only those who need it.
  7. Limit remote access – Similar to the above; restrict who can remotely access your systems.
  8. Use Anti-Virus – Keep your computers protected with reputable antivirus software.
  9. Scan for vulnerabilities on your payment website – NA; QB manages and certifies the payment website for PCI compliance.
  10. Use secure payment terminals – NA for online-only payments.
  11. Avoid payment system accessibility from the Internet – NA; this applies to self-hosted payment systems, not QB.
  12. Encrypt all card data – NA; QB takes care of encryption.

For those of us simply using QuickBooks Online invoicing, the bulk of PCI requirements are already handled by QB as a PCI-certified payment processor. Our responsibility lies in basic cybersecurity hygiene—strong passwords, updated systems, and secure access practices.

The aggressive emails seem like a ploy to upsell unnecessary services, preying on confusion. While PCI compliance is critical, understanding your specific requirements is the key to avoiding unnecessary costs and stress.
