In 2006, due to the increase in credit card fraud, the major credit card companies (VISA, MasterCard, Discover, and American Express) decided to develop uniform standards that merchants must follow if they accept credit cards from clients. These Payment Card Industry Data Security Standards (PCI-DSS) are designed to ensure the security of your client’s payment card information, before, during, and after you process the credit card payment. PCI compliance refers to your law firm’s duty to follow these standards and to perform the required annual testing to verify how well you follow them.
PCI compliance requires merchants (no matter how big or small, and no matter the industry) to review their computer systems, and their internal credit card processing procedures in order to ensure the security of their client’s payment card information. The number of standards with which your law firm must comply can increase significantly depending on:
- The number of transactions you process every year;
- Whether you store physical copies of documents containing the client’s credit card information;
- Whether you store electronic documents containing a client’s credit card information;
- Whether you process cards through a physical card reader;
- Whether you process cards through a third-party payment portal; and
- The reputation of your credit card processing company or third-party payment portal (e.g. Square, LawPay, Intuit, etc.).
PCI standards are not criminal statutes, so it is not a crime if your firm fails to be PCI compliant. But payment card companies can impose significant financial penalties (as much as $5,000 to $10,0000 per month) if a client’s credit card data is breached due to your firm’s failure to comply with the PCI standards. So, it is in your best interests to perform annual PCI compliance testing and fix any security risks exposed during the process.