2025 Intuit PCI Compliance Notice

Intuit has sent out a notice for 2025 to its merchants about an update to its PCI compliance protocol:

“Thank you for being a QuickBooks Payments customer. Keeping you updated on PCI changes and new requirements is our priority. Today, we’re emailing you to make you aware of two new PCI compliance requirements for merchants with a payments page on their website. These new requirements go into effect on April 1, 2025. Below is more information about what these requirements are and recommended steps to take to ensure you are compliant. You can read more about these new requirements on the PCI webpage.

What are the new requirements?

Requirement 6.4.3 and Requirement 11.6.1 impact businesses that enable online transactions on their websites. The requirements are designed to prevent eskimming and help maintain the security of a business’s payment pages. Eskimming is when bad actors steal customers’ payment information from a retailer’s website when making an online transaction.

• Requirement 6.4.3 requires e-commerce merchants to create an inventory of every script that runs on their payment pages. Maintaining an inventory of scripts allows merchants to see potential malicious scripts installed on their website without permission.

• Requirement 11.6.1 requires merchants to regularly monitor the scripts on their payment pages so they can more easily identify any new scripts added to the checkout experience that may be malicious.

Together, these requirements give businesses the ability to know when a skimmer has breached their payments page.

What are the steps to become compliant?

These new requirements go into effect on April 1, 2025. If you have already completed your PCI compliance certification for 2025 and have a payments page, you need to meet these new requirements by April 1 to ensure you’re PCI compliant.

For merchants with payments pages who haven’t finished their 2025 PCI compliance, these new requirements will be included in your PCI compliance certification once completed.

If you need help, Intuit has partnered with SecurityMetrics to help meet your PCI compliance needs. The SecurityMetrics PCI compliance process includes these new requirements and is designed to be as easy as possible. Go to www.securitymetrics.com/pcidss/intuit to get started online. You can also call SecurityMetrics at 800-557-4684.

Other PCI compliance vendors are available. However, Intuit has negotiated a discount for QuickBooks Payments customers and streamlined the process to make it as easy as possible to be PCI compliant and meet these new requirements. All that’s needed to get set up with SecurityMetrics is the URL of your payment page.

Thank you for choosing Intuit and being a QuickBooks Payments customer.

Sincerely,

The QuickBooks Team”

UltraCart Recommendations in regard to this notice

We recommend that you create an inventory of any additional conversion and tracking scripts that you are running on your checkout to fulfill this requirement for your self-assessment question. This could include Google Tag Manager, Facebook, Pinterest, etc., depending upon which marketing trackers you have configured.

That being said, we collect all payment information within isolated iframes on a different domain, so no script on your checkout can observe the credit card input fields. This technique, often referred to as “hosted fields”, prevents scripts from doing malicious things like scraping credit cards. You can see this in the Network tab of the browser developer tools, where these requests appear under token.ultracart.com, which is our PCI vault.
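
One way to build the script inventory recommended above and compare it against an approved list, as an added example (not UltraCart's or Intuit's code). The function names, the baseline format and the sample URLs are assumptions; in a browser console the call would be `inventoryScripts(document, location.href)`.

```javascript
// Change fingerprint for inline scripts (FNV-1a over UTF-16 code units).
// Detects edits only; it is not a cryptographic integrity hash.
function fingerprint(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h = Math.imul(h ^ text.charCodeAt(i), 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// doc: the browser's `document`, or any object with querySelectorAll("script").
function inventoryScripts(doc, pageUrl) {
  const page = new URL(pageUrl);
  const seen = new Map();
  for (const el of doc.querySelectorAll("script")) {
    const src = el.getAttribute("src");
    if (src) {
      const u = new URL(src, page); // resolve relative src, drop query string
      const key = u.origin + u.pathname;
      seen.set(key, { key, kind: "external", thirdParty: u.origin !== page.origin });
    } else {
      const key = "inline:" + fingerprint(el.textContent);
      seen.set(key, { key, kind: "inline", thirdParty: false });
    }
  }
  return [...seen.values()].sort((a, b) => (a.key < b.key ? -1 : 1));
}

// approved: keys the merchant has reviewed and authorized (hypothetical format).
function diffAgainstBaseline(inventory, approved) {
  const ok = new Set(approved);
  const found = new Set(inventory.map((e) => e.key));
  return {
    unapproved: inventory.filter((e) => !ok.has(e.key)).map((e) => e.key),
    missing: approved.filter((k) => !found.has(k)),
  };
}

// Constructed sample standing in for a checkout page's <script> elements.
const el = (src, text = "") => ({ getAttribute: (n) => (n === "src" ? src : null), textContent: text });
const sampleDoc = { querySelectorAll: () => [
  el("https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"),
  el("/js/checkout.js"),
  el(null, "window.dataLayer = window.dataLayer || [];"),
  el("https://cdn.example.net/widget.js"), // not in the approved list below
] };
const inventory = inventoryScripts(sampleDoc, "https://shop.example.com/checkout");
const approved = inventory.map((e) => e.key).filter((k) => !k.includes("cdn.example.net"));
console.log(diffAgainstBaseline(inventory, approved));
```

Scripts injected later by a tag manager only appear once they have loaded, so the inventory is best taken after the checkout page has finished rendering.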
