PCI Compliance for Law Firms: A Complete Guide

The card payment industry has been on a steady rise for years – and understandably so, considering the convenience and ease of use it offers. However, its growth has also brought with it a great deal of criminal activity related to identity theft.

For that reason, PCI security standards were introduced with one goal in mind: to reduce unauthorized use of a payment card.

If your law firm has seen a business opportunity in accepting credit cards for payment of legal fees (or if you’re a law firm’s customer, paying your legal fees with a payment card), we’ve gathered all the information that you need about PCI compliance in this comprehensive guide.

PCI Data Security Standards are mandatory

Is your law firm storing, processing or transmitting cardholder information? If the answer to this question is “Yes,” then it is mandatory that you comply with the PCI security standards. 

Depending on the card payment requirements and whether you’re a merchant or a service provider, you’ll be categorized in one of the four levels of PCI compliance and thus have to meet specific validation requirements. 

For example, Visa merchant compliance validation levels are related to the number of card transactions that you process within a year.

The majority of law firms process up to 20,000 card transactions annually, meaning that all they need to do is fill out a self-assessment questionnaire of varying complexity and adhere to the PCI-DSS requirements that apply to them.

Incidentally, businesses this small are usually the primary target of cyberattacks and are most vulnerable to them.

Note that you may opt for the assistance of a third party instead of filling out the previously mentioned self-assessment questionnaire yourself. External Security Assessors can help you assess your current compliance with the PCI DSS and draw your attention to gaps that you may need to work on.

Each payment network has its compliance program

Five payment networks are participating in the PCI Security Standard: Visa, MasterCard, Discover, JCB and American Express. 

Whether you’re accepting payments from a credit, debit or prepaid card from one of these five payment networks, you have to acquire a certification and report compliance to each payment network that you use.

The way your PCI compliance is validated depends on the level you’re categorized in. This may vary from having to undergo an audit and complete a Report on Compliance signed by a Qualified Security Assessor to filling out a relatively short and easy SAQ and signing your Attestation of Compliance.

You have to comply with the PCI-DSS requirements even if you’re only transmitting the transaction information

PCI-DSS has 12 requirements, and if some of them don’t apply to the way you’re dealing with card payment transactions, your law firm is not obliged to comply with them. 

This means that if you’re not storing cardholder data (name, expiration date, service code and PIN) in any way, you wouldn’t have to comply with the requirement that relates to the protection of stored cardholder information. You would still have to comply with all the other relevant requirements.

Here are the 12 requirements of PCI:

  • Protect your card data with firewalls. A firewall will monitor your network traffic and shield it from malicious data incoming from an untrusted network.
  • Use your own configured passwords and settings instead of vendor-supplied defaults. Although no password is hack-proof, generate a strong, unique password that is long, mixes numbers, letters and symbols, and isn’t related to your personal information.
  • Protect stored cardholder data by encrypting it and protecting your encryption keys as well. Check whether the website through which you’re transmitting the data has “https” at the beginning of its address, as this indicates an encrypted connection.
  • When transmitting cardholder data across open and public networks, make sure to encrypt the transmissions and have security policies in place.
  • Install and maintain anti-virus and anti-malware programs on your systems. Real-time malware protection takes action the moment malware reaches your system, so keep it enabled at all times.
  • Keep your software up to date.
  • Restrict access to sensitive cardholder data to those who are authorized to see it. Cardholder data should only be accessed when necessary and only by those who have been issued login details for it. Keep track of your authorized personnel and perform occasional control checks.
  • Ensure that every person with access to your system has a unique ID and password and enable multi-factor authentication.
  • Limit physical access to areas and media holding cardholder data, for example by locking them in safes or other secure places.
  • Track and review network activity for suspicious behavior inside the system.
  • Scan your system for vulnerabilities and perform penetration tests to check how easy it is to break into your network.
  • Keep documentation of your security policy and make it available to your employees and third-party vendors. Make sure that everyone working at the law firm is informed about it and understands its implications.

To learn more about these requirements straight from the legal experts and identify the ones your law firm or a law firm whose services you’re using must comply with. 

SSL certificates don’t provide enough protection against credit card fraud.

While a properly set up web server allows the use of SSL certificates for the protection of customer data while completing a transaction, it is necessary to take additional steps to ensure PCI compliance. Your law firm must use an encryption method (like AES) that protects the cardholder’s data to the highest standard.

Furthermore, you must ensure that a legally responsible person is running your website and taking care of its security matters.

If you’re using a third party to store payment card data for recurring billing, that third party must also be PCI compliant.

If you employ a third-party processor to receive cardholder data and route the transactions to relevant payment networks, the third-party processing company must also attain PCI compliance.

When would you find hiring a third-party processor helpful? An example would be when you’re storing card data for recurring billing. 

Instead of handling the risk of having stored payment card data stolen yourself, you’re engaging a third party that has the necessary security-related expertise to do it instead of you. 

This way, you’re removing the need for annual on-site audits whose purpose is to assess your compliance with the PCI requirements. Furthermore, you won’t have to think about technicalities such as:

  • Which cardholder data do you need to process
  • Which storage service you should use to store data
  • How to limit physical access to the data kept in your law firm’s premises

Penalties for not complying with the PCI Security Standards are substantial.

In case of non-compliance with the PCI security standards, payment networks may end up penalizing your law firm by disabling it from processing card payments in the future, which may, in turn, affect your revenue and damage your reputation.

Alternatively, a payment brand can impose a monetary fine of up to $100,000 per month, which can be detrimental to law firms that have only recently started doing business or don’t have many clients yet. In fact, massive breaches of cardholder data can lead to up to $500,000 worth of fines.

Although the PCI Security Standards are not a legal document, your law firm may still face a lawsuit by a client whose privacy has been compromised.

You may consider a third-party provider to run security vulnerability monitoring for you.

Again, depending on what self-assessment questionnaire your law firm qualifies for, you may need to conduct vulnerability scanning every 90 days to ensure that your operating system doesn’t have vulnerabilities that could be exploited by hackers. 

Instead of installing scanning software on your law firm’s system and running these scans yourself, have them conducted by organizations that qualify as Approved Scanning Vendors (ASVs).

Upon completing a vulnerability scan, you are obliged to correct any errors found and provide a report on your findings to the acquirers.

You may consider a third party to fully track and take care of your PCI compliance instead of you.

Ultimately, keeping up with the process of PCI compliance takes a toll on your precious resources – primarily time and money. 

The costs of doing the whole procedure yourself may add up to over $200,000 per year. If you’re a small business with low revenue, you are likely to find this unacceptable. 

If you’re wondering whether there is a better (and considerably less costly) solution – the answer is “Yes.” Your law firm might be better off employing an IT provider and integrating a software vendor, which ensures that your law firm is operating in compliance with the PCI-DSS.

Document all your findings and have them readily available for PCI audits.

Whenever you perform any sort of control to ensure that your system is operating in compliance with the PCI Security Standards, make sure to document your findings and store them for auditor’s review. 

You will need solid proof of using technology that is effective in combating payment card fraud. 

Moreover, you will need to maintain your system in a way that ensures it is always up to date, secure and adjusted to whatever changes you make from the moment your compliance is verified and onwards.

Author bio

Travis Dillard is a business consultant and an organizational psychologist based in Arlington, Texas. He is passionate about marketing, social networks, and business in general. In his spare time, he writes a lot about new business strategies and digital marketing for DigitalStrategyOne.
