July 11, 2023
Question

Why is Intuit forcing us to be PCI compliant?

Why is Intuit, a company we pay thousands upon thousands of dollars per year in fees with, now forcing my small business to pay additional yearly fees to become PCI compliant? We don't handle our customer's credit card information. This is a huge misstep by Intuit. At a minimum, Intuit should pay the yearly fee for compliance if they are going to force this upon us.

16 replies

October 6, 2023

This is profoundly annoying and frustrating. Minimal to no detail from Intuit, but a spammy email that turned out to be legit (ish?) from Security Metrics, and now it's costing me a minimum of $85 a year to be compliant with something over which I have minimal control or access. Any credit card fraud or failure is going to be fully due to a failure on Intuit's part, not mine.

I get that I agreed to use their credit card processing service and as such I need to agree to compliance on their terms. Fine. What I think I'm the most peeved about is the poor communication, having already used the service for years without the additional cost and headache, and the sketchy implementation.

The full explanation to us could have been much, much more timely and much more comprehensive. If businesses got grades on communication like on grad school theses, most would fail. And fail badly. I feel like this was a shakedown, but at the same time I understand the need for it. Sadly, knowing that does not improve my feeling about it!

May 3, 2024

The fact that a company as large and integrated in our country as Quickbooks is attempting to tell me that I need to pay extra money to A THIRD PARTY (that you have made sure to pick for us) to ensure "PCI compliance" is an ethical nightmare. If you want me to use your "specific service," you should buy the company and integrate their services, and just charge the price. Our laws are changing, upfront and honest pricing is in the process of being integrated in our country like it is in Europe. I smell a class action lawsuit. And you'll lose. Maybe not today, but soon.

The best thing your company can do is make an announcement telling us all the truth - that Quickbooks should be responsible for its own PCI compliance, and if you can't do it on your own? You deserve to go out of business to whatever payment app is taking your business. It is greedy and disingenuous. Even if ensuring PCI compliance on our end does end up costing me more as a customer I could swallow it, but I would fully expect integrated help from Quickbooks regarding setting this whole thing up - THAT'S WHAT I PAY QUICKBOOKS FOR. The main problem is everyone has this "scam" company trying to contact them. With all of the pushback, one would think Quickbooks would want to help, explain, or extrapolate. But it's just... radio silence or bull crap.

I used to tell people all the time that "it is okay that Quickbooks costs more, I use them anyway" because "they provide a good, steady, reliable service and I don't feel like I am getting ripped off."

No one feels like that anymore. Now Quickbooks is just acting like all the other third-party apps. It begs the question, if Quickbooks is going to take a step down the ethical ladder to be like every other third-party vendor, why stay?

Regardless of what the "consumer focus groups" or investors tell you (looking at you Quickbooks), and what the underlings who work there must repeat verbatim out of fear of losing their jobs, we see you. The internet isn't going away, and your practices won't be forgotten. Might as well start calling you "Sears," thinking that just because you were the big dog your name will carry you forever.

It's gross. Do better.

September 12, 2024

Thank you all for this conversation thread, it has been incredibly helpful! It is important to be PCI compliant to protect our business, and the list that was given below assures me that our company is already PCI compliant without having to purchase this product for which I receive weekly calls and emails. I almost paid Security Metrics and would have had to allow them access to my secure system; that would have been a mistake.

September 20, 2024

We just hassled them about charging for PCI compliance and this is the response we got:
This is to informed you that PCI Compliance is not required by Intuit. We just strongly advises that our account holders/merchants to be PCI Compliant. Intuit is compelled to send out notifications to the merchants about it.
Intuit does not charge for PCI Compliance thus, we will not invoke penalties if you are not a PCI Compliant.

September 21, 2024

I would ask if ChatGPT created that response you got, but it would have had proper grammar. What the heck is going on w Intuit???

November 25, 2024

This is a pathetic money grab. I refuse to do it. I subscribed to Quickbooks for my 501(c)(3). It is a very small non-profit. I use Stripe and Donorbox for all transactions. If Quickbooks requires another layer of security then they should include it in the subscription and make it invisible to the customer. I can easily download my info from Stripe to a spreadsheet as I have done in the past. I had decided to test Quickbooks on this small business. Total fail. I plan to cancel my subscription and to keep my external accounting firm for our other businesses. Complete joke...

November 26, 2024

I stumbled upon this post while researching what is actually required for a small business owner to be PCI-compliant. Like many of you, I received aggressive emails about compliance, which seemed more like scare tactics than genuine assistance. The approach by QB and SecurityMetrics feels evasive—making blanket statements without clarifying specifics, likely hoping customers will blindly sign up for their services.

Let’s be clear: the question isn’t “Should I be PCI-compliant?” (because we all should); the real question is, “What are the actual requirements for PCI compliance for my specific setup?” The answer depends on your payment environment. After some digging, I found this document from the PCI Security Standards Council, which I thought was straightforward and insightful. Here’s how I’ve interpreted it for my own use case, which I believe will resonate with many of you who only use QuickBooks Online (QB) invoicing, where customers are sent a link to make a payment:

The PCI compliance guide outlines 12 requirements, but not all are applicable in our case. Here’s the breakdown:

  1. Use strong passwords – Always use complex passwords for your accounts and systems.
  2. Protect card data – Not applicable (NA) for us; QB handles this.
  3. Inspect payment terminals – NA; no physical terminals involved.
  4. Use trusted business partners – QB is a trusted PCI-certified partner.
  5. Update machine patches – Ensure your devices (computers, software) are up-to-date with security patches.
  6. Network access control – Limit network access to only those who need it.
  7. Limit remote access – Similar to the above; restrict who can remotely access your systems.
  8. Use Anti-Virus – Keep your computers protected with reputable antivirus software.
  9. Scan for vulnerabilities on your payment website – NA; QB manages and certifies the payment website for PCI compliance.
  10. Use secure payment terminals – NA for online-only payments.
  11. Avoid payment system accessibility from the Internet – NA; this applies to self-hosted payment systems, not QB.
  12. Encrypt all card data – NA; QB takes care of encryption.

For those of us simply using QuickBooks Online invoicing, the bulk of PCI requirements are already handled by QB as a PCI-certified payment processor. Our responsibility lies in basic cybersecurity hygiene—strong passwords, updated systems, and secure access practices.

The aggressive emails seem like a ploy to upsell unnecessary services, preying on confusion. While PCI compliance is critical, understanding your specific requirements is the key to avoiding unnecessary costs and stress.
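The post's central point is that which of the 12 requirements a merchant must handle itself depends on the payment environment. The following added example (my own illustration, not code from the post, from Intuit, from QuickBooks, or from the PCI Security Standards Council) encodes the poster's twelve items with an applicability predicate for each, derived from the "NA" reasons given above, and evaluates them against two constructed environments: the hosted-invoice-link setup described in the post, and a self-hosted checkout for contrast. The `PaymentEnvironment` field names and the predicates are assumptions of this example, not an official self-assessment questionnaire decision tree.

```python
"""Scope the 12 PCI requirements listed in the post against a payment environment.

Added illustration, not from the original post or from Intuit/QuickBooks.
The applicability predicates are assumptions derived from the poster's
'NA' reasons, not an official PCI SSC self-assessment questionnaire.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PaymentEnvironment:
    """Facts about how a merchant takes card payments (assumed field names)."""
    physical_terminals: bool          # merchant operates card-present terminals
    self_hosted_payment_system: bool  # merchant runs its own checkout / payment server
    stores_card_data: bool            # card numbers ever land on merchant-owned systems


# (number, requirement as worded in the post, predicate deciding whether it applies)
REQUIREMENTS = [
    (1, "Use strong passwords", lambda e: True),
    (2, "Protect card data", lambda e: e.stores_card_data),
    (3, "Inspect payment terminals", lambda e: e.physical_terminals),
    (4, "Use trusted business partners", lambda e: True),
    (5, "Update machine patches", lambda e: True),
    (6, "Network access control", lambda e: True),
    (7, "Limit remote access", lambda e: True),
    (8, "Use Anti-Virus", lambda e: True),
    (9, "Scan for vulnerabilities on your payment website",
     lambda e: e.self_hosted_payment_system),
    (10, "Use secure payment terminals", lambda e: e.physical_terminals),
    (11, "Avoid payment system accessibility from the Internet",
     lambda e: e.self_hosted_payment_system),
    (12, "Encrypt all card data", lambda e: e.stores_card_data),
]


def applicable_requirements(env):
    """Return the numbers of the requirements the merchant must handle itself."""
    return [num for num, _, applies in REQUIREMENTS if applies(env)]


def scoping_report(env):
    """Human-readable breakdown, one line per requirement."""
    lines = []
    for num, text, applies in REQUIREMENTS:
        status = "applies" if applies(env) else "NA (processor-handled or not in environment)"
        lines.append(f"{num:2d}. {text}: {status}")
    return "\n".join(lines)


# Constructed sample environments (not real merchant data).
QBO_INVOICING = PaymentEnvironment(physical_terminals=False,
                                   self_hosted_payment_system=False,
                                   stores_card_data=False)
SELF_HOSTED_CHECKOUT = PaymentEnvironment(physical_terminals=False,
                                          self_hosted_payment_system=True,
                                          stores_card_data=True)

if __name__ == "__main__":
    print("Hosted invoice link (as in the post):")
    print(scoping_report(QBO_INVOICING))
    print("\nSelf-hosted checkout, for contrast:")
    print(scoping_report(SELF_HOSTED_CHECKOUT))
```

For the hosted-invoice environment the remaining scope is exactly the hygiene items the poster identified (1, 4, 5, 6, 7, 8); flipping the environment to a self-hosted checkout pulls the card-data and payment-website requirements back into the merchant's own scope, which is the difference the upsell emails never spell out.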