Tips for complying with credit card security rules

By Nora Tooher

Dolan Media Newswires

BOSTON, MA--Agreeing to accept credit cards can be good for your practice. But lawyers who take this step need to comply with the industry's data security standards.

Many major credit card companies, including American Express, Discover, MasterCard and Visa, have adopted standards aimed at safeguarding cardholder data and reducing credit card fraud.

These standards address how merchants process credit cards and handle credit card information. All merchants, including law firms, were required to comply with the rules as of July 31, or face non-compliance fees from their credit card companies or merchant banks.

There are several steps firms have to complete to become compliant with Payment Card Industry (PCI) data security rules, including developing security policies and procedures for handling credit card data. Each "merchant" also has to complete a self-assessment questionnaire and an attestation of compliance.

Although compliance with the standards is not required by federal law, several states - Massachusetts, Minnesota, Nevada and Washington - have enacted state laws incorporating all or part of the standards.

One of the biggest benefits of the standards "is simple awareness" of potential data security problems, said Amy Airhart, PCI manager for Affiniscape's Law Firm Merchant Account.

The Law Firm Merchant Account, which is available through more than 50 state and local bar associations, processes credit card transactions for attorneys. According to Airhart, the product immediately separates funds into trust and operating accounts. All processing fees are deducted from the attorney's operating account, keeping the trust account balance intact.

Airhart noted that the credit card industry data security standards also address the issue of protecting their clients' credit card information.

"Oftentimes, attorneys think they're doing everything compliantly when, in fact, they are jeopardizing credit card data," she said.

Common mistakes include communicating credit card data via e-mail and storing credit card security codes on law firm computers, according to Airhart.

Erik Mazzone, director of the Center for Practice Management for the North Carolina Bar Association, suggested the following steps for keeping clients' credit card data secure:

* Use strong passwords with letters, numbers and symbols.

* Install software and hardware firewalls.

* Keep anti-virus software up to date.

* Make sure all employees have individual computer IDs, rather than a pooled ID.

Mazzone suggested that solo lawyers and small firms ask an information technology consultant to help them with data security issues. Lawyers who don't yet accept credit cards can check with their bar association or practice management organization for advice on how to process transactions.

Additional information on credit card data security standards is available at www.pcicentral.com.

Entire contents copyrighted © 2010 by Dolan Media Company. All rights reserved. Reproduction in whole or in part without written permission is expressly forbidden.

Published: Thu, Sep 9, 2010