Complaints
Customer Complaints Summary
- 7 total complaints in the last 3 years.
- 4 complaints closed in the last 12 months.
If you've experienced an issue
Submit a ComplaintThe complaint text that is displayed might not represent all complaints filed with BBB. Some consumers may elect to not publish the details of their complaints, some complaints may not meet BBB's standards for publication, or BBB may display a portion of complaints when a high volume is received for a particular business.
Initial Complaint
Date:09/16/2025
Type:Status:AnsweredMore info
Complaint statuses
- Resolved:
- The complainant verified the issue was resolved to their satisfaction.
- Unresolved:
- The business responded to the dispute but failed to make a good faith effort to resolve it.
- Answered:
- The business addressed the issues within the complaint, but the consumer either a) did not accept the response, OR b) did not notify BBB as to their satisfaction.
- Unanswered:
- The business failed to respond to the dispute.
- Unpursuable:
- BBB is unable to locate the business.
I believe Intuit QuickBooks and their partner SecurityMetrics are misleading small business owners into paying unnecessary fees for PCI compliance services that may not apply to their situation.
Details:
I use QuickBooks to process payments, and recently I began receiving emails and notices stating that I was “non-compliant” and must use SecurityMetrics services or face penalties, additional fees, or potential suspension of payment processing. These communications were worded in a way that created fear and urgency.
After researching PCI DSS requirements, I learned that my business does not store or directly handle cardholder data in a way that would require the level of service being pushed. In many cases, businesses like mine can self-attest using a simple questionnaire. However, QuickBooks strongly implied that I had no choice but to use SecurityMetrics and pay additional fees.
I feel this practice is deceptive and takes advantage of small business owners who may not be familiar with PCI DSS rules. It appears QuickBooks and SecurityMetrics are working together to sell services that are not always necessary.
Resolution Sought:
I request that QuickBooks/Intuit and SecurityMetrics:
1. Stop using fear-based or misleading messaging about PCI compliance.
2. Clearly state what specific compliance requirements apply to each type of customer, instead of suggesting a one-size-fits-all paid solution.
3. Refund any unnecessary fees charged to me or other customers in similar situations.
Business Response
Date: 10/21/2025
SecurityMetrics provides PCI compliance services to merchants. SecurityMetrics emails to merchants marketing our services state that a merchant may face certain penalties up to and including fines, or potential suspension of the ability to process payments. This is not misleading as some merchants do face these types of penalties. The complainant is correct that many merchants may self-attest using a questionnaire, which is some of the services that SecurityMetrics offers. We do not offer a one-size-fits-all paid solution. We provide the merchant with services that fit their type of credit card processing needs. Other merchants require vulnerability scans based on their processing. Many merchants decide to purchase security policies, or credit card number discovery services to further help them comply with the PCI DSS. If the complainant wishes not to use SecurityMetrics, they can simply not respond. All merchants who process credit cards are required to comply with the PCI DSS and SecurityMetrics helps all types of merchants comply. The PCI DSS is a complicated that apply to 4 different levels of merchants, depending on how many cards the merchant processes. After determining what level a merchant is, then there are several self-assessment questionnaires, A, A-EP, B, B-IP, C, C-VT, and D. Explaining the specific requirements that apply to each type of customer who require a long and overwhelming amount of information. SecurityMetrics usually doesn't explain the approximately 250 questions in the SAQ D to a merchant who doesn't handle cardholder data.
In summary, our messages explain possible consequences for failing to comply with the PCI DSS, choose not to provide long and complicated explanations of the PCI DSS to merchants unfamiliar with its requirements, and offer our services to help merchants navigate these complicated compliance requirements.
Customer Answer
Date: 10/22/2025
Complaint: 23893901
I am rejecting this response because: I understand and agree with the response. What I am complaining about is the fact that I had to pay money to take the test to then find out I did not need the service. I felt as a small business owner it was unfair to fork over that fee for no reason ultimately. Intuit's rep called me the day after I filed this complaint and that person also agreed with me that the process for paying first to take the quiz is not very forthcoming.
Sincerely,
***** **********Initial Complaint
Date:02/18/2025
Type:Status:ResolvedMore info
Complaint statuses
- Resolved:
- The complainant verified the issue was resolved to their satisfaction.
- Unresolved:
- The business responded to the dispute but failed to make a good faith effort to resolve it.
- Answered:
- The business addressed the issues within the complaint, but the consumer either a) did not accept the response, OR b) did not notify BBB as to their satisfaction.
- Unanswered:
- The business failed to respond to the dispute.
- Unpursuable:
- BBB is unable to locate the business.
Security Metrics preys on small businesses that conduct credit card transactions threatening them to purchase their products or someone will come and audit our transactions and be charged up to $1200 dollars per transaction. This is a predatory arrangement from big business and a barrier to entry for small business.Business Response
Date: 03/11/2025
SecurityMetrics provides services to help businesses become compliant with the ************************** Security Standard. All merchants who accept credit cards are required to comply with the ************************** Security Standard. This is an industry requirement from the credit card brands, not SecurityMetrics. We do not have any power or control over the requirements. SecurityMetrics does not prey on small businesses. We inform businesses of the requirements, and the potential consequences from not complying and offer our services. Businesses are not required to use our services.Customer Answer
Date: 03/11/2025
Better Business Bureau:
I have reviewed the response made by the business in reference to complaint ID ********, and find that this resolution is satisfactory to me.
Sincerely,
***** ********Initial Complaint
Date:10/07/2023
Type:Status:ResolvedMore info
Complaint statuses
- Resolved:
- The complainant verified the issue was resolved to their satisfaction.
- Unresolved:
- The business responded to the dispute but failed to make a good faith effort to resolve it.
- Answered:
- The business addressed the issues within the complaint, but the consumer either a) did not accept the response, OR b) did not notify BBB as to their satisfaction.
- Unanswered:
- The business failed to respond to the dispute.
- Unpursuable:
- BBB is unable to locate the business.
We changed credit card processors on September 11. I renewed with security metrics in June for a year, so I called them and asked for a refund of the remaining 3 quarters of the services I no longer needed. They offered me a fraction of the amount I paid, which I feel is wrong. In addition their website says small business with **** employees is an amount a third of what they had charged me. Almost a month later I have not received any refund at all. I have a contract that says they will refund the unused portion.Business Response
Date: 10/18/2023
The refund has been submitted and should be sent to the customer in the next few days. We apologize for the delay.Customer Answer
Date: 10/20/2023
Better Business Bureau:
I have reviewed the response made by the business in reference to complaint ID ********, and find that this resolution is satisfactory to me.
Sincerely,
***********************
BBB Business Profiles may not be reproduced for sales or promotional purposes.
BBB Business Profiles are provided solely to assist you in exercising your own best judgment. BBB asks third parties who publish complaints, reviews and/or responses on this website to affirm that the information provided is accurate. However, BBB does not verify the accuracy of information provided by third parties, and does not guarantee the accuracy of any information in Business Profiles.
When considering complaint information, please take into account the company's size and volume of transactions, and understand that the nature of complaints and a firm's responses to them are often more important than the number of complaints.
BBB Business Profiles generally cover a three-year reporting period, except for customer reviews. Customer reviews posted prior to July 5, 2024, will no longer be published when they reach three years from their submission date. Customer reviews posted on/after July 5, 2024, will be published indefinitely unless otherwise voluntarily retracted by the user who submitted the content, or BBB no longer believes the review is authentic. BBB Business Profiles are subject to change at any time. If you choose to do business with this company, please let them know that you checked their record with BBB.
As a matter of policy, BBB does not endorse any product, service or business. Businesses are under no obligation to seek BBB accreditation, and some businesses are not accredited because they have not sought BBB accreditation. BBB charges a fee for BBB Accreditation. This fee supports BBB's efforts to fulfill its mission of advancing marketplace trust.