Credit Card Security in Your Law Firm
by Amy Airhart
The term “PCI Compliance” generally elicits one of three responses—complete confusion, vague recognition, or mild panic. You are not alone. From the moment the Payment Card Industry Security Standards Council rolled out these credit card regulations, attorneys have been struggling with how to understand their meaning and adhere to them.
What is PCI Compliance?
In 2006, the major credit card brands (Visa, Mastercard, Discover, American Express and JCB) formed a security council. The goals of the Security Council were to ensure the safety of cardholder data at all times and to reduce credit card fraud by developing standardized regulations (the Payment Card Data Security Standards, or PCI-DSS) that the entire credit card processing industry must follow. The standard applies to any business that processes, transmits, or stores credit card data (see https://www.pcisecuritystandards.org/). The bottom line is that if you accept credit card payments, you also accept the responsibility to protect sensitive cardholder information.
How Does it Apply to My Law Firm?
Your day is already filled with mission-critical tasks, so taking on compliance is not something you want to think about. It’s understandable. Perhaps your law firm only processes a few credit card transactions a month, you have a trusted staff, and you use a compliant gateway for your transactions. Your credit card data is safe... right?
PCI Compliance actually comprises several key pieces—how credit cards are processed, who you use as service providers, and how you handle credit card information within the walls of your office.
Think for a moment about how credit card data flows through your law firm. Do your clients pay online? Do they fax credit card authorization forms to your office? Are there copies of credit card numbers in client files? Those are just a few practical security points addressed by the Security Standards.
The good news is that implementing small changes can have a major impact on your security. There are guidelines in the PCI-DSS that address internet security and payment applications, and also ones that address how businesses handle credit card data on a physical level. Assessing your vulnerabilities is a great way to fix potential issues and educate your staff. According to the 2011 Data Breach Investigations Report by Verizon Business, 96 percent of breaches could have been prevented by fairly simple measures. Office security policies that define procedures for changing passwords, storing information, and disposing of credit card data can make the difference between compliance and non-compliance.
Until recently, most of the focus has been on major retailers that process in excess of 6 million Visa transactions per year. All merchants, regardless of credit card processing volume, must now comply with the regulations. Failure to meet requirements can result in security breaches, costly fines, and forensic audits.
Accepting credit cards is a great way to offer a flexible payment option for your clients and improve your cash flow; however, it also means handling sensitive information that is very desirable to criminals. By following the Payment Card Industry Data Security Standards (PCI-DSS) guidelines, you greatly reduce your vulnerability to a security breach. Most firms have found that taking steps to become PCI Compliant is a productive, beneficial “house-keeping” exercise for their office.
Becoming PCI Compliant sends a strong message to your clients that you are doing due diligence in protecting their sensitive information. The PCI process can also create a greater level of awareness with your staff when they handle credit card information, limiting the potential for a security breach and ultimately reducing the overall liability to your law firm.
How Do I Become Compliant?
There are several steps every merchant must complete to validate PCI Compliance:
- Identify Validation Type (this is based on how credit card transactions are processed)
- Complete the SAQ (Self Assessment Questionnaire)
- Provide evidence of a passing vulnerability scan, if necessary, from an approved vendor on a quarterly basis.
- Complete the Attestation of Compliance
- Submit the SAQ/Attestation of Compliance and evidence of a passing scan (if required) to your acquirer.
- Create comprehensive Security Policies and Procedures
My Law Firm is Compliant. Now What?
One of the biggest challenges attorneys face is moving beyond a “check-box” mentality when it comes to compliance. (“I have a Security Policy, check! I shred documents, check!”) To be truly PCI Compliant, you need to not only be able to answer questions truthfully and accurately on your SAQ, but also be diligent in monitoring your procedures every day. If you have rock-solid policies and procedures in place, but only follow them four out of five days, it’s like having burglar bars on your windows and leaving the front door wide open.
Regardless of how you choose to comply with PCI regulations, it is important to keep the ultimate goal in mind—protecting your clients and your law firm. By taking the time to evaluate the flow of cardholder data through your office and addressing security issues, you can achieve that goal.
Amy Airhart is the Director of PCI Compliance for LawPay (www.lawpay.com), a member benefit provided through the Dallas Bar Association.

*Check with your merchant bank for additional deadlines.