If the email you are getting is from Security Metrics, know that they are bullies and don't deserve anyone's business. The way I have had it explained is that QB is the one taking payment, therefore I do not need to be in compliance. QB does.
However, if you take cards for payment at your company, you need to be compliant. But it would benefit you and your company to use a company of your choosing. Not the one that Intuit/ QB has.
You will save money and sanity if you go with another company.
Let me share more details about the QuickBooks Payment Card Industry,@oliver19.
Becoming a PCI Compliant is required by Intuit for any company or organization that handles cardholder data, whether to process, store, or transmit. With this, QuickBooks has partnered with Security Metrics to help you meet the PCI compliance requirements accordingly.
Furthermore, there is no specific deadline for achieving PCI compliance, as it is an ongoing process that involves annual scans and resubmitting Self-Assessment Questionnaires (SAQ).
I'll be sharing these articles if you need resources and references that can help you with your concern: