PCI Compliance For Law Firms: Ultimate Guide
May 5, 2023
If your law firm accepts credit card payments, you must comply with the Payment Card Industry Data Security Standard or PCI DSS. This standard governs how your firm collects, handles, and transmits credit card data, with the goal of preventing theft and fraud.
In this article, we’ll cover PCI compliance, including how it applies to your law firm, what the requirements are, and how to achieve and maintain compliance.
What Is PCI Compliance?
PCI compliance is adherence to the security protocols outlined in the PCI DSS. The Payment Card Industry Security Standards Council defined these safety protocols in 2006 and updates them regularly. The council consists of members from the five major credit card companies, which formerly had separate security guidelines.
PCI DSS v4.0 outlines six business goals, 12 security requirements, and more than 300 sub-requirements. The document also outlines best practices for collecting credit card information safely, encrypting stored card data, and implementing other security measures to deter hackers.
Does PCI Compliance Apply to Law Firms?
The PCI DSS applies to any business that accepts credit card payments, including law firms. There are two levels of compliance for service providers:
- Level 1 service providers process more than 300,000 transactions annually. These providers must pass annual audits conducted by an independent Qualified Security Assessor or QSA.
- Level 2 service providers process between one and 300,000 transactions per year. If you are in this group, you must self-evaluate your security protocols annually by completing Self-Assessment Questionnaire SAQ D. The SAQ D Service Provider v4.0 is available from the PCI Security Standards Council (PCISecurityStandards.org).
Law firm owners commonly ask whether PCI compliance is required by law. The answer is no: compliance is required by the card companies, not by statute. The distinction makes little practical difference, however. As you’ll learn in the next section, noncompliance can lead to steep fines and serious legal trouble.
Why Is PCI Compliance Important for Law Firms?
Achieving and maintaining PCI compliance prevents fraud, safeguards customer data, and protects your firm from fines and penalties.
Statista estimates the total value of fraudulent card transactions in 2023 will be near $33 billion. Credit card fraud happens when an unauthorized person uses someone else’s card number, leaving the cardholder or merchant stuck with the bill.
The core goal of the PCI DSS is to prevent those fraudulent transactions. By following the standard, your firm does its part to stem the unauthorized use of credit card data around the world.
Safeguarding Customer Data
Your law firm’s PCI compliance specifically protects your customers’ data from fraud. That has real business value. A data breach exposing customer card data generates negative publicity and can ruin your firm’s reputation.
If you do experience a data breach, you can’t keep it quiet. You must notify in writing all clients who may be impacted. Clients are less likely to trust you with their sensitive legal issues if you’ve shown an inability to protect their sensitive financial information.
Exposure to Fines
In 2013, a data breach at Target exposed the card data of 41 million customers. The mass retailer subsequently faced a series of lawsuits from card companies, state attorneys general, and the FTC. In 2015, Target acknowledged that it had spent $290 million resolving these issues.
Your law firm likely doesn’t have millions of customers. Still, the fines for noncompliance among smaller companies can be $5,000 or more monthly. If noncompliance leads to a data breach, legal fees and settlements will add to your expense. Your firm will likely also lose customers and have difficulty gaining new ones.
Requirements for PCI Compliance
As noted, the PCI DSS defines 12 security requirements, organized under six business goals. Below is an overview of these goals and requirements.
Goal 1: Build and Maintain a Secure Network
A secure network has a properly configured, up-to-date firewall to block unauthorized external access. You should also require regularly updated, complex passwords for users who have access to your systems. Hackers notoriously exploit default passwords.
Outdated software applications can also create vulnerabilities. You will want to remove unused software and services as another defensive tactic.
There are two specific requirements under this goal:
- Install a firewall and other network security measures
- Require secure, unique passwords
Goal 2: Protect Account Data
Even if you’ve protected your systems with a firewall, there’s still a chance of unauthorized access. For that reason, it’s critical to add another layer of security to the data itself. Stored card data should be rendered unreadable through encryption, hashing, or truncation, and masked whenever it is displayed; card data in transit should be encrypted.
The two requirements under this goal are:
- Encrypt, mask, truncate, or hash stored data
- Encrypt transmitted data
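The following added example (it is not code from the original article, LawPay, or the PCI SSC) shows what the four stored-data techniques in the two requirements above look like in practice: truncation (permanently dropping the middle digits), masking (hiding digits for display), and a keyed hash that lets a record be matched without holding the full number. The "first six, last four" truncation limits, the `store_payment_record` layout, and the sample card number are assumptions made for the illustration; `4111111111111111` is a constructed test number that passes the Luhn check, not a real account.

```python
"""Card-number (PAN) protection helpers illustrating PCI DSS Requirement 3 techniques.

Constructed example for this article; not LawPay's or the PCI SSC's code.
"""
import hashlib
import hmac
import re


def normalize_pan(raw: str) -> str:
    """Strip the spaces and dashes people type into a payment form."""
    return re.sub(r"[ -]", "", raw)


def luhn_valid(pan: str) -> bool:
    """Luhn check digit validation, so obviously mistyped numbers are rejected early."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    digits = [int(c) for c in pan]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep at most the first six (BIN) and last four digits; the rest is gone for good.
    Assumed limit for this example; check the current PCI SSC guidance for your card brands."""
    return pan[:6] + pan[-4:]


def mask_pan(pan: str, visible_first: int = 0, visible_last: int = 4) -> str:
    """Masking for display: the full PAN still exists, but a screen or receipt shows only part of it."""
    hidden = len(pan) - visible_first - visible_last
    if hidden < 0:
        raise ValueError("mask would reveal the whole PAN")
    return pan[:visible_first] + "*" * hidden + pan[-visible_last:]


def keyed_pan_hash(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) used as a lookup token for a stored card.
    A plain SHA-256 of a PAN is not adequate: the BIN is public and the check digit is
    computable, so the remaining digits are few enough to brute-force. The key must be
    managed like an encryption key (kept out of the database that holds the hashes)."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def store_payment_record(raw_pan: str, key: bytes) -> dict:
    """Build the record a firm's own system might keep when the processor holds the real card.
    Only a masked form (last four) and a keyed hash are retained, never the PAN itself."""
    pan = normalize_pan(raw_pan)
    if not luhn_valid(pan):
        raise ValueError("invalid card number")
    return {
        "last4": pan[-4:],
        "display": mask_pan(pan),
        "pan_hmac": keyed_pan_hash(pan, key),
    }


if __name__ == "__main__":
    demo_key = b"demo-key-replace-with-managed-secret"   # constructed; never hard-code a real key
    print(store_payment_record("4111 1111 1111 1111", demo_key))
```

The record deliberately keeps either a truncated/masked form or a keyed hash of each card rather than both side by side: the PCI DSS notes that if hashed and truncated versions of the same PAN coexist, additional controls are needed so the two cannot be correlated to reconstruct the number.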
Goal 3: Maintain a Vulnerability Management Program
Vulnerability in this sense refers to your network’s exposure to malicious code. Viruses, worms, spyware, and keyloggers are examples of malicious code. They are designed to copy or transmit sensitive data from your systems without alerting you or your systems administrator.
Your law firm’s vulnerability management program should involve, at a minimum:
- Installing and using reputable anti-malware software
- Keeping all software current. Hackers often access systems by way of older, unpatched versions of popular software.
Goal 4: Implement Access Control
Customer data should be accessible only to the employees who need it. If you have a part-time clerk whose job is research only, for example, then that person should not be able to retrieve customer card data, either in digital or physical form.
To confirm that access is limited appropriately, you must also establish unique logins to track each user’s activity.
The PCI requirements for access control are:
- Limit staff access to cardholder data
- Track system access by user and verify user identity with multifactor authentication
- Restrict physical access to cardholder data
Goal 5: Monitor and Test Regularly
Establishing unique logins for your team is only useful if someone is monitoring the activity. The PCI DSS requires businesses to log access to systems and data in the cardholder data environment. If there is a data breach, an audit log will be critical to understanding what went wrong. Those logs should also be reviewed periodically to identify risks proactively.
Additionally, you should be testing your network regularly to ensure the security in place is still effective. Hackers routinely find new ways to access and compromise data. Without regular testing, you may not know your system is vulnerable until it’s too late.
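As an added illustration of the periodic log review described above (example code written for this article, not from LawPay or the PCI SSC), the script below reads authentication log lines and flags two patterns a reviewer would want surfaced: a burst of failed logins for one account inside a short window, and a successful login that immediately follows such a burst. The log format (`timestamp user=… result=… src=…`), the threshold of five failures in ten minutes, and the user names and addresses are all constructed for the example; a real system's log format will differ and the parser would be adapted to it.

```python
"""Review constructed authentication log lines for repeated failures (example for this article)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2023-05-01T09:00:01 user=jdoe result=FAIL src=203.0.113.7
2023-05-01T09:00:14 user=jdoe result=FAIL src=203.0.113.7
2023-05-01T09:00:29 user=jdoe result=FAIL src=203.0.113.7
2023-05-01T09:00:45 user=jdoe result=FAIL src=203.0.113.7
2023-05-01T09:01:02 user=jdoe result=FAIL src=203.0.113.7
2023-05-01T09:01:20 user=jdoe result=FAIL src=203.0.113.7
2023-05-01T09:01:41 user=jdoe result=SUCCESS src=203.0.113.7
2023-05-01T09:15:00 user=asmith result=FAIL src=198.51.100.23
2023-05-01T09:15:21 user=asmith result=SUCCESS src=198.51.100.23
2023-05-01T10:00:00 user=bclerk result=FAIL src=192.0.2.44
2023-05-01T10:30:00 user=bclerk result=FAIL src=192.0.2.44
2023-05-01T11:00:00 user=bclerk result=FAIL src=192.0.2.44
2023-05-01T11:30:00 user=bclerk result=FAIL src=192.0.2.44
2023-05-01T12:00:00 user=bclerk result=FAIL src=192.0.2.44
"""

# Assumed line layout for this example; adapt to your own system's format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL) src=(?P<src>\S+)$"
)


def parse_events(text: str) -> list:
    """Turn raw lines into dicts with a real timestamp; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "result": m["result"],
            "src": m["src"],
        })
    return events


def review_auth_log(events: list, threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> list:
    """Flag, per user, a burst of >= threshold failures within `window`, and any success
    that lands while such a burst is still within the window."""
    findings = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        recent_fails = []      # failures still inside the sliding window
        burst_reported = False
        for e in evs:
            recent_fails = [f for f in recent_fails if e["ts"] - f["ts"] <= window]
            if e["result"] == "FAIL":
                recent_fails.append(e)
                if len(recent_fails) >= threshold and not burst_reported:
                    findings.append({"user": user, "kind": "repeated_failures",
                                     "failures": len(recent_fails), "src": e["src"],
                                     "at": e["ts"].isoformat()})
                    burst_reported = True
            else:
                if len(recent_fails) >= threshold:
                    findings.append({"user": user, "kind": "success_after_failures",
                                     "failures": len(recent_fails), "src": e["src"],
                                     "at": e["ts"].isoformat()})
                recent_fails = []          # a success resets the burst
                burst_reported = False
    return findings


if __name__ == "__main__":
    for f in review_auth_log(parse_events(SAMPLE_LOG)):
        print(f)
```

Run against the sample, the review reports two findings, both for `jdoe`: the burst itself and the success that followed it. `asmith`'s single mistyped password is ordinary and is not reported, and `bclerk`'s five failures are spread across two hours, so they never fall inside one ten-minute window. The window and threshold are the knobs a firm would tune after seeing its own normal volume of failed logins.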
Goal 6: Maintain an Information Security Policy
The final section of the PCI DSS involves documenting your information security policy. The document should communicate your commitment to data security throughout the firm. Every member of your team should share that commitment and fulfill it through awareness of threats, adherence to security policies, and immediate reporting of any suspicious activity.
How to Make Sure Your Firm Is PCI Compliant
You can ensure PCI compliance by walking through each of the 12 requirements and confirming that you are fulfilling them. The checklist below can help you organize that process and record your notes and next steps.
| Requirement | Compliant? | Notes and next steps |
| --- | --- | --- |
| Install a firewall and other network security measures. | | |
| Require secure, unique passwords and login procedures. | | |
| Encrypt, mask, truncate, or hash stored data. | | |
| Encrypt transmitted data. | | |
| Install and use anti-malware software. | | |
| Keep all software current. | | |
| Limit staff access to cardholder data. | | |
| Track system access by user and verify user identity with multifactor authentication. | | |
| Restrict physical access to stored cardholder data. | | |
| Log and monitor systems access. | | |
| Test system and network security regularly. | | |
| Create and maintain an information security policy. | | |
Table data source: PCISecurityStandards.org.
You may also find it helpful to review LawPay’s guide to cybersecurity for law firms.
How Payment Processing Software Can Help Your Firm Become PCI Compliant
Using a third-party payment processor can reduce the burden of PCI compliance for law firms. Ideally, a PCI DSS-certified processor collects customer card data directly on its own secure, encrypted payment pages. With that process, your firm sidesteps the added compliance requirements that come with storing card data on your own network.
As an example, LawPay includes secure information storage, called Card Vault, as a core feature. Card Vault collects and stores card data securely so it can be charged later. To populate card data initially, you can send your clients a “request card” notification. Clients receive a link to a secure page where they can enter their own card information in LawPay’s secure online form.
LawPay encrypts and stores the card data, but you and your team can still process charges to those stored payment methods. The result is a streamlined payment process that doesn’t create unworkable compliance requirements.
Is PCI compliance required by law? No, but your law firm must still be PCI compliant if it accepts payments by credit card. Failure to comply could result in bad press, big fines, and loss of your reputation.
Working with the right payment processor can minimize your compliance burden while making your payment process more convenient and efficient on both sides. Make sure you choose a PCI DSS-certified processor such as LawPay. With LawPay’s advanced security features, your firm can safely collect, store, and use client card data.
Using a payment processor doesn’t fulfill all your firm’s PCI compliance requirements, however. This is why LawPay created an easy PCI compliance program for its customers. The program is included at no charge and is accessible from within your LawPay account. You can also reach out to LawPay support specialists at any time for answers to compliance questions and for help achieving compliance.
To learn more about how LawPay supports your firm’s PCI compliance, schedule a demo today.