Janet Rubel, Attorney, Northbrook
(847) 480-1020 | Email Janet Rubel
The good old days of receiving payments directly from clients have changed. I remember fondly the bounced checks, the promises that the check was in the mail (back when people really sent pieces of paper with postage affixed), and, yes, rushing to the bank to “starch” the check. As a wise old sole practitioner explained to me when I first started my practice, starching means you make sure the check is “good” by taking it to the bank before beginning any work on that client’s behalf. This is particularly true for the client who needs a lawyer the next morning for a contested hearing.
We still take payment the old-fashioned way, but the quaint practice of taking checks from clients has largely been superseded by electronic transactions such as credit cards, PayPal, and online payments directly from the client’s bank account to yours.
If you take credit cards online, you have solved one problem, namely receiving payments that don’t bounce. But you have taken on a new one: the security of your clients’ card data. There are new requirements you must satisfy.
The major card brands formed a trade group in 2006 to set a common policy on card security. That body is the Payment Card Industry Security Standards Council (PCI SSC), and the standard it maintains to protect cardholder data is the Payment Card Industry Data Security Standard (PCI DSS). The card brands require it of every merchant and service provider, in the United States and elsewhere, that stores, processes, or transmits cardholder data. The council’s website, PCI Security Standards, publishes the standard itself and the documents you need to validate your compliance with it.
PCI DSS is not a set of optional best practices; it is a list of 12 requirements, grouped under six goals, that every merchant handling card data must meet. Among them: keeping antivirus software installed and current, restricting access to cardholder data to the people in your office whose jobs require it, building and maintaining a secure network (a firewall between your systems and the internet, and no vendor-default passwords), protecting any cardholder data you store, and encrypting cardholder data whenever it is transmitted across public networks.
If you use a third party to process, store, or transmit card data on your behalf, you remain responsible for compliance: you must keep a list of such providers, have a written agreement in which each acknowledges responsibility for the cardholder data it handles, and confirm that the provider is itself compliant. Outsourcing reduces what you have to assess in your own office, but it does not remove you from the standard. How you must validate your own compliance, whether with a self-assessment questionnaire or an on-site assessment by a qualified assessor, depends on your annual transaction volume and on how you accept cards.
The card brands, Visa, MasterCard, American Express, and Discover, monitor compliance with these rules and assess fines through your acquiring bank. The penalty for noncompliance is draconian: as much as $500,000, plus an additional $25 per cardholder whose account has been breached.
Compliance with these rules has been required since July 2010. This means you! My credit card processor, Affiniscape Law Firm Merchant Accounts, has sent me a self-assessment questionnaire (SAQ) and an attestation of compliance (AOC) that are due soon. Affiniscape provides assistance with completing them and with reporting compliance.
I am planning to complete the forms early because I do not want to spend money on fines. Wasting money should be done by retail therapy, not penalties for credit card data breaches!