Skip to main content

Get 50% OFF QuickBooks for 3 months*

Buy now
Switch to QuickBooks and 70% off for 3 Months
November 12, 2025
Question

PCI compliant and Security Metrics

  • November 12, 2025
  • 1 reply
  • 35 views

I understand the following: Even though I never see or store customer card numbers, I’m still classified as a merchant because I accept credit card payments. The Payment Card Industry Data Security Standard (PCI DSS) applies to any business that handles, processes, or transmits cardholder data  even indirectly through a third-party like QuickBooks (QB). QuickBooks is PCI compliant as a platform, but the merchant (me) must also validate my own compliance by confirming that:

 

  • I use secure systems (no handwritten card numbers, no unencrypted forms, etc.)
  • I don’t store card data locally or in any unapproved system
  • I follow best practices (password protection, secure Wi-Fi, etc.)

 

I also understand that Security Metrics is a third-party company Intuit uses to collect that self-validation (the Self-Assessment Questionnaire or SAQ). The $85–$375 annual fee covers that service and their documentation portal  it’s not an Intuit fee for processing payments.

 

In short, it’s about proving I’m following PCI rules, even if QB actually processes the payments.

 

BUT, in my case, I want to clarify that I do not collect, store, or directly process any customer credit or debit card information. ALL transactions are conducted through the QuickBooks Payments platform via a secure link I send to clients. QuickBooks handles the payment processing, including refunds, and at no point do I have access to my customers’ card data.

 

Given that QuickBooks is already PCI compliant and that I don’t handle cardholder data directly, can you please confirm why I’m required to pay the additional annual Security Metrics PCI fee on top of the existing QuickBooks fees?

 

If there’s a simplified self-assessment option for small merchants who exclusively use QuickBooks’ hosted payment links, I’d like to pursue that instead. Please advise if I can be marked as “SAQ-A” compliant, since this category is typically for merchants that fully outsource payment processing and do not store or handle card data.

 

Thank you for clarifying so I can ensure full compliance without incurring unnecessary costs.

 

Because quite frankly this is some BS. 

1 reply

QuickBooks Team
November 12, 2025

Thank you for raising this important point about PCI compliance, @Stacybephotography. While QuickBooks Payments provides a secure and compliant platform for transaction processing, it's important to understand that businesses are still responsible for maintaining their own PCI compliance. Let me break this down further to explain why additional steps may be required, even when using a secure third-party service like QuickBooks.

 

Using QuickBooks Payments services does not automatically make your business PCI compliant. While QuickBooks ensures its own systems are secure and PCI compliant, your overall compliance can still be affected by other applications or systems on your computer or network. Additional steps may be required on your part to ensure full compliance with PCI standards.


All merchants that accept credit or debit cards must comply with PCI DSS standards. Your payment methods and annual transaction volume determine your validation requirements. Every merchant must complete a Self-Assessment Questionnaire (SAQ), depending on how they handle card data.

 

Intuit has partnered with SecurityMetrics, a leading PCI compliance service provider, to help you meet the required standards. However, you also have the option to choose a third-party provider outside of QuickBooks to achieve compliance.

 

PCI compliance is essential for protecting your business and your customers’ payment data. QuickBooks and SecurityMetrics provide helpful tools to assist you, and you can explore additional options as needed. If you have any questions, feel free to leave a comment below

November 12, 2025

 

Just to clarify, I’ve already completed the self-assessment. However, I’m still being prompted to purchase one of the SecurityMetrics packages and honestly, I have no idea what these packages include or why I would need them if I’m not processing any payments directly. My understanding is that completing the self-assessment should confirm that I do not process or store client credit card information. If that’s the case, why am I being required to purchase any package from SecurityMetrics?