Denver Bar Association
June 2013
© 2013 The Docket and Denver Bar Association. All Rights Reserved.

Stay on Top of Credit Card Security in Your Law Firm

by Amy Porter


The term "PCI Compliance" generally elicits one of three responses: complete confusion, vague recognition, or mild panic. You are not alone. From the moment the Payment Card Industry Security Standards Council rolled out these credit card regulations, attorneys have been struggling with how to understand their meaning and adhere to them.


What is PCI Compliance?

In 2006, the major credit card brands (Visa, MasterCard, Discover, American Express, and JCB) formed a security council; its goals were to ensure the safety of cardholder data at all times and reduce credit card fraud by developing standardized regulations (Payment Card Data Security Standards or PCI-DSS) that the entire credit card processing industry must follow. These regulations apply to any business that processes, transmits, or stores credit card data (see ). The bottom line is that if you accept credit card payments, you also accept the responsibility of protecting sensitive cardholder information.


How Does It Apply to My Law Firm?

Your day is already filled with mission-critical tasks, so taking on compliance is not something you want to think about. It’s understandable. Perhaps your law firm only processes a few credit card transactions a month, you have a trusted staff, and you use a compliant gateway for your transactions. Your credit card data is safe, right?

PCI Compliance is actually comprised of several key pieces — how credit cards are processed, who you use as service providers, and how you handle credit card information within the walls of your office.

Think for a moment about how credit card data flows through your law firm. Do your clients pay online? Do they fax credit card authorization forms to your office? Are there copies of credit card numbers in client files? Those are just a few practical security points addressed by the security standards.

The good news is that implementing small changes can have a major impact on your security. There are guidelines in the PCI-DSS that address Internet security and payment applications, as well as how businesses should handle credit card data on a physical level. Assessing your vulnerabilities is a great way to fix potential issues and educate your staff. According to the 2012 Data Breach Investigations Report by Verizon Business, 97 percent of breaches could have been prevented by fairly simple measures. Office security policies that define procedures for changing passwords, storing information, and disposing of credit card data can make the difference between compliance and non-compliance.


Why Now?

Until recently, most of the focus has been on major retailers that process in excess of 6 million Visa transactions per year. All merchants, regardless of credit card processing volume, must now comply with the regulations. Failure to meet requirements can result in security breaches, costly fines, and forensic audits.

Accepting credit cards is a great way to offer a flexible payment option for your clients and improve your cash flow; however, this means handling sensitive information that is very desirable to criminals. By following the PCI-DSS guidelines, you greatly reduce your vulnerability to a security breach. Most firms have found taking steps to become PCI Compliant is a productive, beneficial "house-keeping" exercise for their office.

Becoming PCI compliant sends a strong message to your clients that you are doing your due diligence in protecting their sensitive information. The PCI process also can create a greater level of awareness with your staff when they handle credit card information, limiting the potential for a security breach and ultimately reducing the overall liability to your law firm.


How Do I Become Compliant?

There are several steps every merchant must complete to validate PCI compliance:

• Identify validation type (this is based on how credit card transactions are processed).

• Complete the self-assessment questionnaire.

• Provide evidence of a passing vulnerability scan, if necessary, from an approved vendor on a quarterly basis.

• Complete the attestation of compliance.

• Submit the self-assessment questionnaire, attestation of compliance, and evidence of a passing scan (if required) to the acquirer.

• Create comprehensive security policies and procedures. Find out more at


My Law Firm is Compliant. Now What?

One of the biggest challenges attorneys face is moving beyond a "checkbox" mentality when it comes to compliance. ("I have a security policy, check! I shred documents, check!") To be truly PCI compliant, you need not only to be able to answer questions truthfully and accurately on your self-assessment questionnaire but also to be diligent in monitoring your procedures every day. If you have rock-solid policies and procedures in place but only follow them four out of five days of the work week, it’s like having bars on your windows and leaving the front door wide open.

Regardless of how you choose to comply with PCI regulations, it is important to keep the ultimate goal in mind: protecting your clients and your law firm. By taking the time to evaluate the flow of cardholder data through your office and addressing security issues, you can achieve that goal.


Amy Porter is CEO of LawPay, a full-service bankcard processing company specializing in the legal industry. She may be reached at

LawPay is a member benefit provider of the Colorado Bar Association. For more information on member benefits, please visit
