Did you get a Final Reminder: Become PCI Compliant Today email from Intuit QuickBooks?
Mine said I received this communication "because you (meaning, I) have an active Intuit QuickBooks Payments account."
I do? Last I knew, it had been inactive for a long time (like 10 years). And the last time I attempted to log in to Intuit QuickBooks Merchant-Payment Services, it told me my account was inactive.
And how in the heck does Intuit know if I am or am not PCI Compliant?
I mean, my QuickBooks Online account had better be secure, right, especially since I don't use Payments.
And my QuickBooks 2023 Company had PCI turned on.
Just for grins, I created a new 2023 Company file with essentially no data but my own. Then, I went over to Company > Customer Credit Card Protection...
You would expect to see the Enable QuickBooks Desktop Customer Credit Card Protection window appear (shown below).
Then, when you click Enable Protection, you would expect to see a Sensitive Data Protection Setup window appear (shown below), which requires you to use complex (seven characters, one number and one uppercase letter) passwords that must be changed every 90 days.
After entering a Password and confirming it, upon clicking Confirm, I must admit I was surprised to see a Working window saying it was encrypting sensitive data (shown below).
"What sensitive data? This file had no data other than the fake Company Tax ID I used to set it up."
I guess I had a dummy address and bogus company name like sample companies do, but certainly no credit card numbers, no VIN/TIN or Social Security numbers, not even any names.
So, I'm wondering if FTC/IRS rules/regulations promulgated under the auspices of the Gramm-Leach-Bliley Act are also being required under this supposed PCI compliance?
If so, then all this is premature in the case of this new file, because such compliance only has to do with information obtained as part of a financial transaction—and I had no such transactions.
Next comes the Sensitive Data Protection Enabled acknowledgement window (shown below), with "What to do next," "Follow these best practices" and "Additional tasks required for Customer Credit Card Protection Compliance." The latter is a link that opens QuickBooks Help, which only works if you click on it before responding OK.
If you click on the link to open "Additional tasks required for Customer Credit Card Protection Compliance," you get the Help window (shown below). It essentially is the same information as appears on the prior screen with a few more details.
There are two links near the very bottom of this Help information. The first is the Implementation Guide for details about PCI DSS requirements 1, 4, 5, 6, 8, 9, 10, 11 and 12. You can click on the Implementation Guide (link) all day long and get absolutely nothing.
The second link is under See Also, "What happens if you don't comply?" which opens another Help window (shown below).
Read carefully: It says "you can choose not to enable customer credit card protection," but then it says if you store, process or transmit customer credit card information in QuickBooks, you are required to comply.
Further, since "QuickBooks is a payment application program that handles payment cards, it must comply... so you must enable the feature."
So what are they really saying?
- If you have payment services, are they going to turn off your QuickBooks subscription?
- Are they going to discontinue your Intuit Merchant/Payment services account?
- What about if you don't have payment services, must you still be PCI DSS compliant?
- Must you still enable customer credit card protection, even if you don't take credit cards, don't use Intuit for your payment service and don't store credit card information?
The most recent email (shown at the start of this article) makes it sound like you must partner with Intuit's new partner, SecurityMetrics, to have your entire company evaluated in order to comply.
Of course, that means paying another company an annual subscription to give you their seal of approval. Their link shows a very impressive-looking 108-page guide (shown below) from 2021 as the basis for their analysis.
They can't even keep their guide current? This is 2023.
Near the bottom of that Intuit QuickBooks email, shown in the very first illustration, is a CLICK HERE for more information about PCI Compliance requirements.
That URL takes you HERE.
Not far from the bottom of the QuickBooks Help information is a section that reads, "How can I become PCI compliant?" then reads, "How you handle and process payment cards and the number of transactions you process annually defines your validation requirements.
"All merchants are required to complete a Self-Assessment Questionnaire (SAQ). The required SAQ depends on how you store, handle and process card data."
Then, at the bottom of the above Help Document, it also reads, Turn on PCI Service (in Merchant Services): "If PCI Services is unavailable on your account, upgrade your pricing plan or add it to your current plan. Create an account with SecurityMetrics and complete FastPass, then they’ll present different PCI packages to fit your financial and security needs."
So, apparently, if you are going to be PCI compliant, as far as Intuit QuickBooks is concerned, you must have a specific "pricing plan" at Intuit Merchant Services that affords PCI Services. And you must have an account (subscription) with SecurityMetrics to be able to use your QuickBooks product(s). Or, at least that's how all the 'jargon' reads.
Did you get a Final Reminder email from Intuit QuickBooks about PCI Compliance? If you did, please let us know by posting an "I got one, too" comment to this article.
At least half of the clients I still have on QuickBooks received the emails, and most use some other merchant service rather than Intuit Merchant Services, but received the email because they were reportedly active QuickBooks Payment account customers (even though they weren't).
Disclosure:
As used herein, QuickBooks® (Online & Desktop), Intuit Merchant Services and QuickBooks Payment Services refer to one or more registered trademarks of Intuit Inc., a publicly-traded corporation headquartered in Mountain View, California.
Feature content and logo graphic materials adapted from Intuit source content including QuickBooks resource materials. Source content and materials have been adapted and are furnished for educational purposes only by Insightful Accountant.
Other trade names used herein, including SecurityMetrics, may refer to names or products which are registered, trademarked or otherwise held by their respective owners; they are referenced for informational and educational purposes only.
This is an editorial feature, not sponsored content. No vendor within this article has paid Insightful Accountant or the author any form of remuneration to be included within this feature. The article is provided solely for informational and educational purposes.
Neither the publication of this article, nor inclusion of any product herein, represents any endorsement by either the author or Insightful Accountant.
Note: Registered Trademark ® symbols have been eliminated from the articles within this publication for brevity due to the frequency or abundance with which they would otherwise appear or be repeated. Every attempt is made to credit such trademarked products within our respective article footnotes and disclosures.