There’s been a ton of confusion lately among QuickBooks Online users due to a series of emails from Intuit about the importance of PCI compliance (that part’s true, it is important), which they follow up with a plug to encourage you work with their “partner,” SecurityMetrics. Problem is, they are surprisingly quiet about the fact that QB Payments… is already PCI compliant.

From Intuit:
It’s important to note that QuickBooks applications themselves maintain a high level of security. However, the security of your overall environment can be influenced by other applications used in conjunction with QuickBooks. As for the use of QuickBooks Payments services, it’s essential to understand that merely utilizing these services does not automatically make you PCI compliant. It’s also crucial to recognize that as a merchant, you hold the responsibility of safeguarding payment card information and adhering to PCI compliance requirements.

Short answer — chances are that you don’t need to pay their “partner” (aka Intuit is likely receiving referral fees) to confirm that you and your clients are probably already PCI compliant if you’re using QB Payments. But that doesn’t mean you shouldn’t review your workflows and integrations with other software to see if there’s a step in your process that doesn’t comply.

Here’s what my amazing colleague, the QB Rockstar herself, Alicia Katz-Pollock, had to say about it on facebook:

You know those emails Intuit is sending about PCI Compliance? QB Payments is already compliant. At issue is how you’re gathering those credit card numbers and bank account data.

If you’re using a workflow where the client enters the info, you’re fine. If you’re talking to the customer and manually entering it into QBO, you’re fine, though you also need to be on an isolated computer, not on a network, if you’re typing in the info.

But if you’re still using those old forms QBO used to provide, or have the information written down, or are saving it in your computer system, you’re NOT fine.

You do NOT need to hire the service in the email and pay $150/year. All you have to do is self-assess, and change your procedures if you’re out of compliance.

Here is the official document!
https://listings.pcisecuritystandards.org/documents/SAQ-InstrGuidelines-v3_2.pdf

A follow-up question she received:

Q: For old clients who completed an agreement years ago with those old QBO forms, how do you move to compliance for those? Just delete and get rid of their old forms?
A: Yes, delete any forms you have saved (and empty your trash)!

(Side note: Alicia’s company Royalwise is my #1 go-to for technical training in QuickBooks, whether for small business owners or bookkeepers, and I’ll be doing a class for her later this year! Here’s my affiliate link for her catalog — check it out.)

Another good friend in the QuickBooks world, Dan DeLong, of School of Bookkeeping (yes, that’s another affiliate link), wrote up a blog post where you’ll discover:

• Why you receive PCI compliance emails from QuickBooks and what they mean for your business.
• Steps to complete the Self-Assessment Questionnaire and ensure full compliance.
• How to review and improve your credit card handling practices.
• The costs involved with PCI services from SecurityMetrics.
• Resources like the Small Business Guide to Safe Payments to further guide you.

Check out Dan’s blog post here — https://www.schoolofbookkeeping.com/blog/pci-compliance-quickbooks-guide.

I’m recommending that you take a look at what these two leaders in our field have to say about PCI Compliance because I trust the heck out of them (not because I have affiliate links; in fact, the reason I requested affiliate links is due to the confidence I have in them both).

As much as I adore QuickBooks Online and can say so much good about it — in fact, we base our entire firm’s work on using QBO as an accounting platform — it’s important to remember that its parent company Intuit is a for-profit, publicly-traded company. They’ve built an incredible product, but their end goal is to increase shareholder wealth… so please take what they say with a grain of salt and do some research before plunking down additional dollars. Small businesses need to be careful to watch their budgets!

And I’ll end with another heads-up, which is that earlier this year there was in fact a phishing scam going around called “PCI DSS Compliance Verification” with the QuickBooks logo on it, that encouraged users to “verify compliance now” by clicking on a button. This was *not* an authorized email from Intuit. As always, you have to be careful whenever you’re encouraged to click on any button or link — whether it turns out to be phishing… or just misleading.

---