PCI Compliance: What Lawyers Need to Know

2020-12-14

This is a guest post by Justin Akimoff, a Certified Payments Professional and the head of LawPay’s Client Success Team.

It often feels like data breaches are happening to businesses every minute: In 2019 alone, Capital One, Facebook, First American Financial, and many more were breached. That’s why it’s all the more necessary for businesses to make concerted efforts in protecting their customers from hacks and leaks.

If you’ve already started accepting credit card payments into your firm, there’s a chance the phrase “PCI compliance” has entered your awareness at some point in time, but you may not fully understand what it means. That’s where we can help. We’ll provide you with an overview of PCI compliance, including why it exists and what you can do to keep your law firm compliant every year.

PCI Compliance 101

If your business accepts, processes, stores, or transmits credit card data, it must comply with the standards set by the Payment Card Industry Security Standards Council (PCI SSC).

The PCI SSC was created by the biggest credit card brands (Visa, Mastercard, Discover, JCB International, and American Express) to address security concerns related to credit and debit cards, as well as prepaid cards. Each card brand has a list of requirements that businesses must adhere to in order to become compliant.

Although you aren’t required by law to be PCI compliant, adhering to its practices is an excellent way to keep your clients’ (and your firm’s) payment data secured from hacking or other cyber threats. As long as you follow the standards mandated by the PCI SSC, your firm will be using the latest and greatest techniques in data security every year. It’s also worth noting that certain banks penalize merchants who aren’t PCI compliant, so adhering to these standards can save you from costly fines in the long run.

Four Levels of PCI Compliance

Across the credit card brands, there are at least four levels of PCI compliance that businesses can fall under, each corresponding to the number of card transactions they process annually. The vast majority of law firms that accept card payments would be categorized at the lowest possible level—those that process as few as 20,000 transactions per year (up to 1 million). For these businesses, all that is usually required is to complete a Self-Assessment Questionnaire, or SAQ.

If you’ve completely rewired your firm to only use online payment processors, your SAQ will be the easiest of them all. It only has 22 questions and most people can finish it in under 15 minutes. The greatest online payment solutions will even help their customers maintain their compliance every year by offering assistance and answering any questions you may have.

PCI Data Security Standards

To get merchants started on the right track, the PCI SSC created the PCI Data Security Standard (PCI DSS). It contains six goals all businesses should aim towards to make their operations PCI compliant. We’ve summarized each goal below:

  1. Build and maintain a secure network: Ensure that your systems have firewalls installed and regularly updated. Generate a strong, “hack-proof” password for your network, and make use of password managers. Never keep the default password that came with your network equipment.

  2. Protect cardholder data: The best online payment solutions store and protect sensitive cardholder data for you. However, if you do have cardholder data stored on your computers, be sure to enable whole-drive encryption. Whenever you transmit sensitive data online, make sure the website address begins with “https”, which indicates an encrypted connection. Never transmit sensitive data through websites that have issues with their security certificate (your browser should warn you if this is the case).

  3. Maintain a vulnerability management program: This simply means using antivirus and anti-malware software, and keeping it up to date. Enable real-time monitoring to catch unauthorized access attempts when they occur. You also need to keep all your systems and applications up to date to avoid vulnerabilities. Watch for notifications on your machine about system updates and install them as soon as possible, or enable auto-updating features.

  4. Implement strong access-control measures: This involves limiting access to sensitive cardholder data to only those with a business need to access it. Create unique logins for every member of your team, with restrictions placed to ensure they only have access to what they need to perform their tasks. Any physical card data in your office should also be protected in a locked cabinet or safe.

  5. Regularly monitor and test networks: This involves documenting who can access what and making sure these practices are working correctly. Test these security measures regularly by confirming that accounts without authorization cannot reach sensitive data on your systems. If you have surveillance cameras onsite monitoring servers or access to physical card data, make sure they’re turned on and functioning as expected.

  6. Maintain an information security policy: Draft a security policy that outlines how your business uses technology and handles sensitive data. Go over your security standards with each member of your team and anyone you do business with.

If you make these standards a habit within your firm (and keep up with your annual SAQ, of course), you can assure your clients that their credit card information is in good hands.

LawPay was specifically designed with the needs of legal professionals in mind. Learn more about how LawPay can protect your firm by visiting our Features Page.

Written by Justin Akimoff

Justin Akimoff is a Certified Payments Professional and leads LawPay’s Client Success Team responsible for training and onboarding new customers.

Take the faster path to growth.
Get Smith.ai today.

Affordable plans for every budget.