QuickBooks & PCI compliance for wineries: what you really need to know
Have you gotten one of those QuickBooks emails about PCI compliance and wondered if you need to do anything? You’re not alone. Many winery owners have been asking the same question.
Let’s break it down in plain English so you can decide if action is needed (or if you can safely hit delete).
What is PCI compliance?
PCI (Payment Card Industry) compliance is a set of security rules for handling credit card data. It exists to protect customers from fraud and to keep businesses from facing fines or losing their ability to process cards.
Every year, businesses that accept credit cards need to validate PCI compliance. This means showing that you follow security rules for handling cardholder information. The rules apply whether you’re swiping a card in the tasting room, running a wine club, or sending an invoice.
There are different PCI compliance levels depending on how many card transactions you process each year and on the way you process credit cards. It can be confusing to navigate on your own. But the most important thing to remember is that the safest path is to let a third party handle all payments and never touch credit card details yourself.
Why you don’t want to handle card data
The easiest way to make compliance simple is to never handle sensitive card data in the first place. That means you:
Don’t write down credit card numbers, expiration dates, or CVV codes — not on paper, not in spreadsheets, not anywhere.
Don’t take card numbers over the phone and type them into your own computer.
Let your guests enter their own payment details directly into a secure, PCI-compliant platform.
Platforms like Square, Commerce7, and OrderPort are designed to process payments and maintain PCI compliance for you. If you already send QuickBooks invoices, you can also keep things secure by using payment links — when customers click the link and enter their card details themselves, you never see the information.
PCI updates for 2025
The latest version of PCI DSS, called v4.0.1, updates the Self-Assessment Questionnaires (SAQs) that merchants fill out each year. For most small wineries, the biggest update is that you are explicitly forbidden to store CVV codes under any circumstances.
The other change is that every merchant still needs to complete an SAQ each year. The length and complexity of the questionnaire depends on how you collect and store card data. If you don’t handle any sensitive information, the SAQ is short and straightforward. If you do handle card data, the questionnaire can be close to 200 questions long.
Who is responsible for filling out the SAQ?
Who is the “merchant” here, and who has to fill out the SAQ? In the case of platforms like Square or Shopify, they’re what PCI calls “merchant aggregators” or “service providers.”
Here’s what happens:
They hold the merchant account under their own name and you operate under their umbrella.
Because of that structure, they are the “merchant of record” with the card networks, not you directly.
They still require you to follow certain rules, but they complete the PCI validation and SAQ for their whole platform, so you don’t have to do an individual SAQ.
That’s a big reason why those systems are so appealing for small businesses — they dramatically reduce your PCI scope by keeping you out of direct contact with cardholder data and taking on the compliance burden themselves.
QuickBooks Payments is different because it isn’t set up as a true aggregator. You have your own merchant account, so you are the merchant of record, and you are responsible for filing your own SAQ each year.
The trouble with QuickBooks’ PCI emails
So do you need to take action on those emails from QuickBooks? Maybe, maybe not.
The issue is that when QuickBooks emails you about PCI compliance, they’re often referring you to one of their partner companies that charges hundreds of dollars to “help” with the process. Sometimes those companies will simply fill out the SAQ with generic answers, without actually reviewing your setup.
That’s not money well spent, especially if your payment setup is simple and low-risk. If you don’t handle sensitive card information and your processor is PCI-compliant, you may be able to fill out the SAQ yourself or have an independent IT consultant review your situation for far less cost.
At Northwest Wine Accounting, we use an independent IT consultant to help us with everything security-related—including vetting this blog post! Thanks, Todd!
What happens if you’re not in compliance?
PCI compliance may feel optional because so many small businesses ignore it, but here’s what to keep in mind. PCI DSS is an industry standard, not a law. That means you won’t get the police knocking on your door if you don’t complete it. That said, PCI is mandatory under contract with your payment processor. Every merchant agreement (including with QuickBooks) requires you to follow PCI DSS.
If you use QuickBooks Payments and don’t validate compliance by filling out an SAQ when they ask for it, there are a few possible outcomes. Here’s what may happen:
You may be charged a “PCI non-compliance” fee
Many processors tack on a monthly or annual fee if they don’t have a current SAQ on file for you. For QuickBooks Payments, this can be around $20–$30 a month until you complete it.
You might face increased liability if there’s a breach
If your account is compromised and you haven’t validated PCI compliance, the processor (and the card networks) could argue that you weren’t following the rules, which can mean higher fines or being on the hook for fraud losses.
Your processor could suspend your ability to take cards
This is rare for small businesses, but if they think your payment environment is risky and you won’t cooperate, they can freeze or terminate your merchant account.
So, even if your PCI “scope” is minimal because you only use QuickBooks payment links, QuickBooks still wants an SAQ on file. That’s why they send the emails. The key is that you don’t have to pay their $400 partner to do it if your setup is simple; you can often complete the right SAQ yourself or with an independent IT consultant for much less.
The smart, low-risk path for wineries
Here’s what we recommend:
Use PCI-compliant providers like Square, Commerce7, or OrderPort whenever you can.
Never collect or store card information yourself, especially CVVs.
If you use QuickBooks for payments, complete the correct SAQ each year, ideally with help from an IT or security consultant who understands your winery’s setup.
PCI compliance can sound intimidating, but the reality is this: if you let a secure third party handle all credit card payments and you never touch the card data yourself, you keep your risks and responsibilities to a minimum.
That means less paperwork, fewer headaches, and more time to focus on what matters.
Disclaimer: This article is for informational purposes only and does not constitute legal or compliance advice. Always verify your requirements with your payment processor or a PCI compliance professional.