Is Security Metrics a Legitimate Company? What Most People Get Wrong

You just opened your inbox and there it is. Another "Urgent Notice" or a bill from a company called SecurityMetrics (often written as Security Metrics) telling you that your business is non-compliant. Maybe you use QuickBooks, or perhaps your bank sent you their way. It feels like a shakedown. You didn't ask for this, and honestly, the tone of the emails can be a bit... aggressive.

So, let's get the big question out of the way immediately. Is Security Metrics a legitimate company?

Yes. They are 100% legitimate. They aren't a "scam" in the legal sense, though I totally get why small business owners think they are. They are a real cybersecurity firm based in Orem, Utah, and they’ve been around since 2000. They have an A+ rating with the Better Business Bureau (BBB) and are one of the few companies globally certified to handle every major type of PCI (Payment Card Industry) validation.

But being legitimate doesn't always mean people like them. There's a lot of nuance here.

Why does everyone think they're a scam?

The confusion usually starts with a partnership. SecurityMetrics works with massive entities like Intuit (QuickBooks), various merchant banks, and payment processors. When you sign up to take credit cards, there is a mountain of fine print. Part of that fine print says you must be PCI DSS compliant.

If you don't do it yourself, your bank or processor often "assigns" you to a partner like SecurityMetrics to make sure you're following the rules.

Then the emails start.

They tell you that you need to pay a fee—often around $100 to $200—to take a Self-Assessment Questionnaire (SAQ) or have your network scanned. If you ignore it, your bank might hit you with a "PCI Non-Compliance Fee," which can be $30 or $40 a month. People see these charges, see the emails, and think: protection racket. It feels like someone is charging you money just for the right to keep doing what you’re already doing.

But here is the kicker: the requirement for compliance is real. If you handle credit card data and you get breached, the fines from Visa and Mastercard can literally bankrupt a small business. SecurityMetrics is basically the "building inspector" of the digital world. You might hate paying for the inspection, but the inspector is real.

What they actually do (Beyond the emails)

SecurityMetrics isn't just an email machine. They are a heavy-hitter in the cybersecurity space. They do high-level stuff that most small mom-and-pop shops never see:

  • PFI (PCI Forensic Investigations): When a major company gets hacked and credit card numbers are stolen, SecurityMetrics is one of the elite firms hired to go in, find the "patient zero" computer, and figure out how it happened.
  • Penetration Testing: They hire ethical hackers to try and break into corporate networks to find holes before the bad guys do.
  • HIPAA Compliance: They help doctors and dentists make sure they aren't accidentally leaking patient records, which is a whole different level of legal headache.
  • Vulnerability Scanning: They have automated tools that poke and prod your website or office internet connection to see if you have any "open windows" for hackers.

I talked to a developer last year who was frustrated with a SecurityMetrics scan. The scan kept failing his site. He thought it was a bug in their system. Turns out, his server was running an outdated version of TLS (a security protocol) that had a known vulnerability. SecurityMetrics was right. He fixed it, and his site was actually safer.

The "QuickBooks" Connection

A huge chunk of the "is this legit" searches come from QuickBooks users.

QuickBooks partnered with SecurityMetrics to help their merchants stay compliant. If you use QuickBooks Payments, you’ve probably seen this. It's a "forced" relationship. You can technically use a different PCI provider, but it’s often such a massive pain to prove to QuickBooks that you’re using someone else that most people just give in and use SecurityMetrics.

One thing to watch out for: Scare tactics. Some users complain that the sales reps can be pushy. They might try to sell you "PCI Managed" packages or extra insurance that you might not strictly need if you’re a very small business with just one credit card terminal. You usually only need the basic compliance level.

Real talk: The Pros and Cons

Honestly, your experience with them will depend on who you are.

The Good:
If you are a mid-sized business, their support is actually decent. They have people who can walk you through the technical jargon of a 200-question security survey. They've helped over a million customers. They know the rules inside and out. If you’re genuinely worried about getting hacked, they provide real protection.

The Bad:
The pricing can feel "nickel-and-dimey." You might see a fee for the scan, a fee for the "support," and a fee for the "portal." For a small business that only does $50,000 a year in sales, $200 feels like a lot. Also, their automated emails can feel relentless.

Evidence of Legitimacy

  • Founded: 2000 by Brad Caldwell.
  • Certifications: QSA (Qualified Security Assessor), ASV (Approved Scanning Vendor), PFI (PCI Forensic Investigator).
  • Awards: They recently won "Data Leak Detection Solution of the Year" at the 2025 CyberSecurity Breakthrough Awards.
  • Headquarters: Orem, Utah (You can literally find their building on Google Maps).

Is there an alternative?

You don't have to use them, but you do have to be compliant.

If your bank is forcing you toward SecurityMetrics, you can call your bank and ask if they accept "Attestations of Compliance" (AOC) from other vendors. Some do, some don't. Companies like Trustwave or ControlScan do similar work. But honestly? If you're already integrated through your processor, switching often causes more paperwork than it's worth.

Actionable Steps for You

If you've received a notice from SecurityMetrics, don't just delete it. That's how you get hit with those $35 monthly "non-compliance" fees from your bank.

  1. Verify the Sender: Make sure the email is actually from securitymetrics.com. Phishing is real, and hackers love to pretend to be security companies.
  2. Check your Merchant Account: Log into your actual credit card processing portal (like QuickBooks or your bank). See if they list SecurityMetrics as their official partner.
  3. Do the "FastPass": If you're a small business, SecurityMetrics has a tool called FastPass. It tries to skip the technical questions that don't apply to you. It makes the 200-question nightmare much shorter.
  4. Check for "Default" Charges: Look at your bank statement. If you see a "PCI Fee" or "Monthly Non-Compliance Fee," you are literally throwing money away. Finishing the SecurityMetrics questionnaire usually makes that fee disappear.
  5. Don't buy what you don't need: If they try to upsell you on a $500 "managed" package and you only have one credit card swiper, ask for the "basic" or "standard" compliance package.
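One way to make step 1 concrete, as an added example that is not from the original article or from SecurityMetrics: it reads the real From address (not the display name), requires the domain to be exactly securitymetrics.com, and requires the receiving mail server's Authentication-Results header to show SPF and DKIM passing for that same domain. The sample headers below are constructed, and the lookalike domain is made up for illustration.

```python
import email
import email.utils
import re
from email import policy

EXPECTED_DOMAIN = "securitymetrics.com"

# Constructed sample: what a genuine notice's headers might look like after
# your mail server has checked SPF and DKIM. Not a real SecurityMetrics email.
SAMPLE_GOOD = """\
From: SecurityMetrics Compliance <compliance@securitymetrics.com>
To: owner@example-shop.test
Subject: Action required: PCI questionnaire
Authentication-Results: mx.example-shop.test;
 spf=pass smtp.mailfrom=securitymetrics.com;
 dkim=pass header.d=securitymetrics.com

Body omitted.
"""

# Constructed lookalike: the familiar name is only a prefix of a made-up domain.
SAMPLE_LOOKALIKE = """\
From: SecurityMetrics <compliance@securitymetrics.com.billing-portal.test>
To: owner@example-shop.test
Subject: URGENT: non-compliance fee
Authentication-Results: mx.example-shop.test;
 spf=pass smtp.mailfrom=securitymetrics.com.billing-portal.test;
 dkim=pass header.d=securitymetrics.com.billing-portal.test

Body omitted.
"""

def from_domain(raw: str) -> str:
    """Domain of the actual From address; the display name is ignored."""
    msg = email.message_from_string(raw, policy=policy.default)
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def auth_results(raw: str):
    """(spf verdict, dkim verdict, dkim signing domain) from Authentication-Results."""
    msg = email.message_from_string(raw, policy=policy.default)
    hdr = str(msg.get("Authentication-Results", ""))
    spf = re.search(r"\bspf=(\w+)", hdr)
    dkim = re.search(r"\bdkim=(\w+)", hdr)
    dkim_d = re.search(r"header\.d=([\w.-]+)", hdr)
    return (spf.group(1) if spf else "none",
            dkim.group(1) if dkim else "none",
            dkim_d.group(1).lower() if dkim_d else "")

def looks_legitimate(raw: str, expected: str = EXPECTED_DOMAIN) -> bool:
    """True only for an exact domain match with passing SPF and DKIM for that domain."""
    spf, dkim, dkim_d = auth_results(raw)
    return from_domain(raw) == expected and spf == "pass" and dkim == "pass" and dkim_d == expected
```

A passing result only tells you the mail really came from that domain; it does not replace step 2, confirming through your processor's portal that SecurityMetrics is their partner.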

SecurityMetrics is a real, legitimate company. They aren't trying to steal your identity. They're just the "tax collectors" of the credit card world, making sure everyone follows the security rules so the whole system doesn't collapse from fraud.

It’s annoying, but it’s real. Fix your compliance, stop the fees, and get back to running your business.