Question of the Week: Does my law firm need to be PCI compliant?


To help with cash flow and meet client expectations about accepted payment methods, more and more law firms are accepting credit cards. With card acceptance come compliance requirements, including the trust-accounting and ethics rules set by the American Bar Association and by state and local bar associations. Given all of these requirements, many firms ask whether they also need to be PCI compliant as part of their professional and ethical obligations.

What is PCI Compliance?

Payment Card Industry (PCI) compliance means meeting the PCI Data Security Standard (PCI DSS), a set of requirements maintained by the PCI Security Standards Council, which was founded by the major card brands, to protect cardholder data wherever a business stores, processes or transmits it. The point of these rules is to prevent data breaches and card fraud through preventive controls. The standard applies to businesses of all sizes, and most of the controls are relatively straightforward to implement.

Some examples of the requirements for compliance include:

  • Install and maintain a firewall to protect cardholder data
  • Encrypt cardholder data when it is transmitted over open or public networks
  • Log and monitor all access to network resources and cardholder data
  • Deploy anti-virus software and keep it updated
  • Update and patch systems regularly, including firewalls, databases, and operating systems

Law firm application

So, does your firm need to be PCI compliant? If you plan on accepting credit cards, the answer is: absolutely. PCI compliance is not a statute; it is a contractual obligation that comes with your merchant agreement and applies to every business that accepts payment cards. If your firm sticks with checks, you don't need to worry about this particular compliance piece (although reasonable measures to protect client data are always a good idea).

Even if you only accept a few credit cards, your firm still needs to be PCI compliant to avoid hefty fines and penalties from the card brands and your acquiring bank in the event of a data breach. The good news is that there are four merchant levels based on the number of card transactions you process per year, so a firm that handles a minimal volume faces lighter validation requirements than a transaction-heavy firm.


Being PCI compliant means satisfying a large number of technical requirements. Firms that don't want to shoulder that burden can work with a payment processor that bears most of the responsibility for PCI compliance. In this model the provider handles the card data on its own hosted payment page, so card numbers are never entered into, stored on, or transmitted through the firm's website or systems. These hosted payment gateways are common in the legal industry, with legal-specific providers such as LawPay handling both PCI compliance and the unique requirements of law firms and trust accounts, such as keeping earned fees separate from client funds held in trust.

Firms using such a provider are still required to complete an annual Self-Assessment Questionnaire (for a fully outsourced setup this is the short SAQ A), but as long as no cardholder data is stored, processed or transmitted on the firm's own systems, maintaining compliance is minimal compared with processing payments internally. One caveat: PCI DSS covers cardholder data in any form, so a card number written on a paper intake form or pasted into an email puts that data back in scope. Staff should be trained to direct clients to the hosted payment page rather than taking card numbers by phone, email or paper.

Maintaining Compliance

Paying by credit card is becoming an expectation of today's consumers, and more and more law firms are adding this payment option to keep their clients happy. With the added benefit of getting paid more quickly, there are a number of reasons for firms to accept credit cards, but they should keep their compliance requirements in mind while doing so. Firms that process these payments themselves should take care that they are fully PCI compliant.

Interested in becoming PCI compliant? Check out How do I become PCI compliant?

