Stay on Top of Credit Card Security in Your Law Firm
by Amy Porter
The term “PCI Compliance” generally elicits one of three responses: complete confusion, vague recognition, or mild panic. You are not alone. From the moment the Payment Card Industry Security Standards Council rolled out these credit card regulations, attorneys have been struggling with how to understand their meaning and adhere to them.
What is PCI Compliance?
In 2006, the major credit card brands (Visa, MasterCard, Discover, American Express, and JCB) formed a security council. The goals of the Security Council were to ensure the safety of cardholder data at all times and to reduce credit card fraud by developing a standardized set of regulations, the Payment Card Industry Data Security Standard (PCI-DSS), that the entire credit card processing industry must follow. It applies to any business that processes, transmits, or stores credit card data (see www.pcisecuritystandards.org). The bottom line is that if you accept credit card payments, you also accept the responsibility to protect sensitive cardholder information.
How Does It Apply to My Law Firm?
Your day is already filled with mission-critical tasks, so taking on compliance is not something you want to think about. That is understandable. Perhaps your law firm only processes a few credit card transactions a month, you have a trusted staff, and you use a compliant gateway for your transactions. Your credit card data is safe, right?
PCI Compliance is actually comprised of several key pieces—how credit cards are processed, who you use as service providers, and how you handle credit card information within the walls of your office.
Think for a moment about how credit card data flows through your law firm. Do your clients pay online? Do they fax credit card authorization forms to your office? Are there copies of credit card numbers in client files? Those are just a few practical security points addressed by the security standards.
The good news is that implementing small changes can have a major impact on your security. There are guidelines in the PCI-DSS that address Internet security and payment applications, and also ones that address how businesses handle credit card data on a physical level. Assessing your vulnerabilities is a great way to fix potential issues and educate your staff. According to the 2012 Data Breach Investigations Report by Verizon Business, 97 percent of breaches could have been prevented by fairly simple measures. Office security policies that define procedures for changing passwords, storing information, and disposing of credit card data can make the difference between compliance and non-compliance.
Until recently, most of the focus has been on major retailers that process in excess of 6 million Visa transactions per year. All merchants, regardless of credit card processing volume, must now comply with the regulations. Failure to meet requirements can result in security breaches, costly fines, and forensic audits.
Accepting credit cards is a great way to offer a flexible payment option for your clients and improve your cash flow, but it also means handling sensitive information that is very desirable to criminals. By following the PCI-DSS guidelines, you greatly reduce your vulnerability to a security breach. Most firms have found that taking steps to become PCI compliant is a productive, beneficial “house-keeping” exercise for their office.
Becoming PCI compliant sends a strong message to your clients that you are doing your due diligence in protecting their sensitive information. The PCI process can also create a greater level of awareness with your staff when they handle credit card information, limiting the potential for a security breach and ultimately reducing the overall liability to your law firm.
How Do I Become Compliant?
There are several steps every merchant must complete to validate PCI compliance:
· Identify validation type (this is based on how credit card transactions are processed).
· Complete the self-assessment questionnaire.
· Provide evidence of a passing vulnerability scan, if necessary, from an approved vendor on a quarterly basis.
· Complete the attestation of compliance.
· Submit the self-assessment questionnaire, attestation of compliance, and evidence of a passing scan (if required) to your acquirer.
· Create comprehensive security policies and procedures.
· Find out more at www.pcisecuritystandards.org/merchants/how_to_be_compliant.php.
Amy Porter is CEO of LawPay, a full-service bankcard processing company specializing in the legal industry.