@Dandie_A - This is really helpful. So if a small, non-profit using QBO does all this, is "5. Maintain records of your compliance actions, including SAQs, policies, and training, to stay prepared for audits or inquiries" sufficient for us so that we can be considered "PCI Compliant" and Security Metrics will cease spamming us with email threats (or incessantly offering to assist us to achieve PCI Compliance)?

Or how does a company actually "report compliance" to Intuit Quickbooks, if that is who we need to be on record with as not being "Non-compliant"? For example, is there a way to submit/upload our SAQ A to Intuit Merchant Services so that we can be on record and never ever have to receive an email from SecurityMetrics again?