Payment Card Industry Standards

Most major credit card companies include payment card industry (PCI) standards in their terms of service (ToS). These ensure that businesses are employing process-based security measures regarding the handling of credit card information. The PCI Security Standards Council put forth the following PCI data security requirements:


1. Install and Maintain Network Security Controls

2. Apply Secure Configurations to All System Components

3. Protect Stored Account Data

4. Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks

5. Protect All Systems and Networks from Malicious Software

6. Develop and Maintain Secure Systems and Software

7. Restrict Access to System Components and Cardholder Data by Business Need to Know

8. Identify Users and Authenticate Access to System Components

9. Restrict Physical Access to Cardholder Data

10. Log and Monitor All Access to System Components and Cardholder Data

11. Test Security of Systems and Networks Regularly

12. Support Information Security with Organizational Policies and Programs


Although payment brands won’t impose fines directly on your firm in the event of a data breach caused by non-compliance, they will fine your bank, which will then, in turn, fine you. These fines can range from $5,000.00 to $500,000.00. If your non-compliance is particularly egregious, payment brands may simply refuse to work with your firm.

There are two ways for your firm to adhere to PCI standards. Your first option is to store client payment information within your firm’s system. This carries far more stringent security requirements than those of the C.R.P.C and applicable Colorado law. It also heightens the consequences of a data breach. In addition to the standard risks of data loss and liability, you also face bank fines and loss of access to payment brands. For these reasons, we don’t recommend storing client payment information on your firm’s network.

The second option is to take payments through a secure third party. A number of brands cater to law firms, including Clio and LawPay. This outsources the burden of meeting PCI standards to that third party. Your only obligation is to ensure that the third party is reputable.

More information:

Maintaining Payment Security, PCI Security Standards Council (2023), https://www.pcisecuritystandards.org/merchants/process/.

Leonard Wills, The Payment Card Industry Data Security Standard, Americanbar.org (2019), https://www.americanbar.org/groups/litigation/committees/minority-trial-lawyer/practice/2019/the-payment-card-industry-data-security-standard/.