November 27, 2022
Question

Is QB Self-Employed PCI compliant? Is Security Metrics a scam?

I recently received an email saying:
"Intuit has partnered with SecurityMetrics, a leader in data security and compliance to simplify PCI certification for you. You are requested to complete validation of PCI Compliance by December 31st, so please ACT NOW."
Is this a scam? I am suspicious of this because: 
1. it is short notice
2. there is a fee
3. QB self-employed is already PCI compliant
Is this compliance really necessary from Security Metrics and why do they charge a fee?

8 replies

November 27, 2022

Security Metrics is legit, theoregonweaver.

 

Intuit has a PCI service provider to help our QuickBooks Payments subscribers meet Data Security Standard (DSS) compliance requirements.

 

If you have created a QuickBooks Payments account to link with QuickBooks Self-Employed with SecurityMetrics, then you'll be asked to complete its FastPass.

 

Yes, this compliance is necessary for Security Metrics if you purchase the PCI package. That's why they charge a fee for the service. In addition, you need to complete the Self-Assessment Questionnaires (SAQ) and set up your scans. 

 

You should also be able to receive email instructions. If none, I suggest browsing this article to learn other details about PCI compliance and your roles: Learn about QuickBooks PCI Service.

 

On the other hand, I also suggest contacting our QuickBooks Payments Support Team. This way, they can securely check your subscription for any add-on PCI Service fee. I also encourage you to report this to our Intuit Security team since you find this prompt message suspicious or if you don't have a QuickBooks Payments subscription. This way, they can review if the information is legitimate.

 

  1. Go to this link: https://security.intuit.com/.
  2. Click Contact Us.
  3. Look for Report a fake email (or phishing email) and click on it.

 

Please let me know if you have other concerns about completing the PCI compliance with Security Metrics. I'll be here to guide you more. Keep safe and more power to your business!

July 18, 2023

Hi there, I received this as well, but I don't know how to answer the questions. We are a start-up bakery in a commercial/incubator kitchen with the two owners and 5 part-time employees. We use the network there to send out invoices to our 4 wholesale accounts (they submit payment), but that's it in terms of credit cards. These questions ask about malware and secured networks and security cams and all that... but we don't control any of that at the business. They do have an IT team. I'm not sure what to do here. Shouldn't they be the ones filling this out?

Angelyn_T
July 18, 2023

Thank you for adding your first post, @LittleLoafBakeshop.

 

SecurityMetrics is an official partner of Intuit that provides streamlined PCI DSS compliance services for QuickBooks Payments accounts.

 

When signing up for a SecurityMetrics account, you'll be asked to complete the FastPass and get the PCI package that works for your business needs. If you're uncertain about the answer to the questions, you can call for assistance at the number shown under "Who can I contact if I have questions regarding my SAQ or questionnaire?"

 

On the other hand, I've also added this reference about working with PCI compliance that may be useful in the future: Intuit Security Center - PCI Compliance.

 

Please let me know if you have any other questions about the self-assessment questionnaire when completing the PCI compliance with Security Metrics. I'd be happy to assist you further. Have a good one!

Rainflurry
November 28, 2022

@theoregonweaver 

 

PCI Compliance applies to your business if it accepts credit cards as a form of payment.  It's not a scam and it's required.  The fee is not unusual and it's generally less than the non-compliance fee if you don't complete the PCI compliance questionnaire.   

December 23, 2022

I also received an email from QuickBooks stating that I am "requested to complete validation of PCI Compliance by December 31st." The way it is worded, using the word "requested" and not "required", told me it was nothing but another QB sales ploy. But I took the bait, and clicked the link provided.

Clicking the link took me to the Secure Metrics assessment page. Upon completion of the assessment, I was taken to a page stating that if I buy a package I will be 23% compliant (see screenshot). NO INFORMATION WAS PROVIDED TO TELL ME RESULTS OF THE ASSESSMENT, and no information was provided to tell me how I can fulfill the other 77%. Basically it's just, "Buy a package."

I'm baffled and befuddled by the "request". Since I invoice directly through QuickBooks, where my customers enter their own data to pay through QB online, I do not collect or enter any of my customer card data.  I am sure there are some things I should do to make my business compliant, but I am certainly not going to blindly buy some package without more details.

Until I receive an email stating that I am REQUIRED to get PCI compliance, I'll just ignore the REQUEST.

GranadaBook
December 31, 2022

This is my 5th year using Intuit payments/ merchant and I was never required to be PCI compliant before.

My bookkeeping clients (many who also accept Intuit payments) were never required to be PCI compliant.

Other merchants send clients a free online PCI compliant questionnaire that takes 15-20 minutes to complete. (for free).

I've done it to my company and clients before.

I believe that's another QB sales ploy to get people's money.

Somewhere in Intuit PCI compliance information pages, you can find instructions to file a form directly with Intuit, but the link takes you back to the initial instruction page and you end up nowhere, frustrated, angry and baffled.

 

March 4, 2023

This is correct. Since QB handles all payment information and data storage, they are the ones being required to be PCI compliant in which it says they are in their term. If we do not ever ask for CC info or account info and it's all inputted by the customer through QB, my company is NOT required to sign up for any sort of PCI compliance program. How does it make sense that I am not the card processor and only get paid by QB yet somehow QB seems to think I am responsible for being PCI compliant and paying a yearly cost? No sir, this is incorrect.

February 22, 2023

Echoing other comments on this post, I too received the "you are requested...." email. I ignored it. Yesterday I received a phone call from SecurityMetrics asking me to sign up for PCI compliance. I explained to the caller that I do not take credit card payments; some of my clients pay by card and INTUIT receives card information and payment and then deposits cash into my account. The SecurityMetrics sales person insisted that I need it. I ended the call and made a call to QuickBooks Support. They verified that as my account is not set up for ME to accept card payments I DO NOT need to be PCI compliant. I have seen elsewhere that if there is an issue, QuickBooks customers should contact QuickBooks and ask them to put a note on their account record stating they do not need to be PCI compliant and ask them to include notification number ATTN-10602 in the record.

March 14, 2023

So I called QuickBooks after receiving this PCI email and they told me I had to do the PCI compliance even though I do not process, store or deal with any customers' card info. I’m at a loss. I don’t feel like I have to subscribe to this PCI compliance. I do understand it’s to protect card info and that’s great but pouring out money doesn’t make sense.

nsshawaii
March 31, 2023

I am a sole proprietor, I'm retired and work from home and have an Etsy shop to help pay the bills. I got all of these calls and emails but there is absolutely no way I'm going to pay that every month. It's way out of my league.

So because I was taking some payments on Intuit I have just discontinued using Intuit for payments and will move on with Venmo or PayPal.

April 17, 2023

If we do not take credit card payments with cards in hand, but instead only allow customers to pay via the credit card payment links (using Intuit Merchant Services) sent by the QuickBooks software to our client, is it REQUIRED that we create an account and pay a fee to Security Metrics? Is it required that we complete the SAQ?

April 17, 2023

I told the Security Metrics sales person just that. And that I had talked to QuickBooks. So far they've stopped bothering me so I'd say you're good.

June 16, 2023

It's legit. And it's only 80 bucks for the year

July 16, 2023

$80 / year is a lot of money. Warren Buffett's wife just complained about paying $4 for coffee. Money travels to where it is valued and protected.

September 16, 2024

I am continuing to get this email. I cannot unsubscribe. I encourage you all to visit https://reportfraud.ftc.gov/ and file a report. This is selling a service that is not required and I cannot unsubscribe from the email. I have filed a report but will probably hear nothing back. If everyone annoyed does, maybe this money grab from unknowing small business owners, who are already burdened enough, will stop.

September 23, 2024

Perfect - I am so sick of this scam from QB and Security Metrics. They continue to send "non-compliant" emails even though we have PCI compliance through another vendor. And of course both QB and SM use a noreply email address so you can't even communicate back or unsubscribe. I will file a complaint ASAP.

September 26, 2024

How do I get the PCI Compliant Questionnaire?  I am a small business and do not have that many credit card transactions and do not want to pay for the service.  Thanks.