How do I become PCI Compliant?

To become Payment Card Industry Data Security Standard (PCI-DSS) compliant your firm must determine which DSS apply, and then perform the required tests to determine if your firm meets those standards.^[1][2] This process is complicated because there are eight different PCI-DSS A self-assessment questionaires (SAQs) available for you to use to verify your firm’s compliance.^[2]

Which SAQ applies to your law firm depends on whether your store credit card data on you computer system, whether you store paper copies of credit card information, and whether you use a point of sale credit card terminal.^[2] If you use the wrong SAQ, you risk having a credit card processing company find you to be PCI-DSS non-compliant.^[2]

The steps for performing a PCI-DSS compliance test are as follows:

1. Determine which SAQ applies to your firm;
2. Answer the questions found on the SAQ;
3. Perform the appropriate scan of your computer systems, if required;
4. Identify any security risks involved from your physical handling and storage of payment card information;
5. Determine how to fix the security risks you found; and
6. Carry out the fixes.

You must repeat steps 1-6 above annually, and in some cases perform a computer system scan quarterly, in order to ensure your ongoing compliance with PCI-DSS.^[2][3] Annual testing is very technical so many businesses use PCI security companies to help them complete the questionnaire and Authorized Scanning Vendors (ASVs) to perform the required computer system scans.^[2][3]

Credit card companies can impose significant fines or terminate their agreement to process your clients’ credit cards if payment card information is breached through your credit card processing system.^[2] So, it is in your law firm’s best interest to perform all required testing and make the changes needed to bring your firm into compliance with the PCI-DSS.

References

1. PCI Compliance
2. PCI FAQs
3. The PCI Basics & Quick Guide