When an attorney accepts credit card payments, there is an obligation to keep the client’s card information secure. Attorneys are expected to have safeguards and policies in place to help prevent card data from being compromised. Like any other business that processes, stores or transmits credit card data, a solo practitioner is expected to be PCI compliant.
To be PCI compliant, an attorney must follow strict Payment Card Industry security standards. These requirements apply no matter the size of the company, the number of transactions or the amount of those transactions. Maintaining this compliance, however, can be an issue for some businesses, and fewer than a third of companies included in a 2015 Verizon PCI compliance report were found to still be fully compliant less than a year after successful validation.
Businesses can fall out of compliance for many reasons. Often this can be attributed to a failure to implement thorough procedures for managing and maintaining compliance. Other times it is because the requirements themselves changed. There are several steps solo practitioners can take to work toward maintaining PCI compliance, including:
1. Implement Strict Policies for Storing Card Data
If possible, you should refrain from storing credit card data at all, and especially authentication data such as the card verification code. The longer a business holds on to sensitive information, the more opportunities there are for a breach. If an attorney can process a credit card payment without keeping the card information on file, he or she carries far less liability in the event of a data breach.
If, however, you decide you must keep certain credit card data, you should implement strict policies for storing the information. If you share office space with someone, how you store physical data is very important. You want to limit who can have access to the information, including third-party companies. How you store electronic card information also is critical, considering this is how the information is accessed most often.
Electronic storage should be kept to a minimum, and additional controls should be added to secure the data and restrict access to it. According to the PCI Security Standards Council, the primary account number, or PAN, must be rendered unreadable wherever it is stored, for example through strong encryption. All other PCI controls then apply to the environment where cardholder data is stored, including appropriate access control, network security, physical security and periodic security testing.
2. Perform Regular Internal and External Audits for Compliance
To make sure you are on the right track to steady compliance, you can perform regular internal audits. This could allow you to determine if your current policies and methods are working, which can help protect you and your customers. If you do not have time to do it yourself, or you want someone with extended knowledge and experience of PCI compliance, you can enlist the help of an external auditor.
It is important to find a Qualified Security Assessor (QSA) who is approved by the PCI Security Standards Council to conduct the audit. He or she will begin by evaluating your security infrastructure, procedures, policies, networks and systems. Once the evaluation is complete, a risk assessment will be submitted. If the auditor finds any issues or potential risks, they should be resolved immediately.
This assessment will be the foundation you need to ensure you are PCI compliant and that your clients’ information is safe and secure. Knowing what potential issues lurk in your systems and networks is vital to preventing your information from being compromised.
3. Simplify the Process of Maintaining Compliance
Once PCI compliance is reached, the process to maintain it can be simplified. As a solo attorney, you do not have to make things harder on yourself. You already have to juggle working with clients with managing and running a business. You should know from the moment of validation what processes work and how you can keep those systems in place to make sure you stay compliant. You should, however, look for ways to streamline some of those effective ideas.
Attorneys also can make the process easier by focusing on making their existing systems work better for them. This could include their storage systems, security measures and even policies. Spending time tweaking current systems so they work as needed, rather than spending time and money on a new system, can help maintain compliance with less effort.
4. Keep Up With New Requirements and Make Your Plan Sustainable
If you plan to remain PCI compliant, you need to be aware of any changes to what is considered PCI compliant. PCI DSS 3.0, which has been mandatory for more than a year, is significantly different from the previous requirements. This could cause some companies to no longer be considered compliant. Attorneys should research this information regularly to ensure they are meeting the standards set by the council.
Additionally, they should be sure whatever plans they have in place to maintain compliance are sustainable. Attorneys should understand this is a complex and lengthy process, rather than a short-term goal. One simple step cannot ensure you will be able to maintain your compliance. This is something that should become part of your everyday business.
Maintaining PCI compliance requires dedication and diligent research, but the steps above can help you get started on implementing and sustaining an effective plan. Compliance is critical because it affects not only whether your clients’ information is protected but also your reputation as a business. Maintaining compliance can increase client confidence in your practice and keep you from being exposed to security breaches that could have been avoided.