Does your firm accept and process credit cards? If not, you probably should. Clients are more apt to pay their retainers or your invoices if they can use a credit card instead of writing a check. The way credit cards are processed has changed in a big way (for all businesses), but let’s start at the beginning.

Merchant Account

The first step in processing credit cards is getting a merchant account. A merchant account is essentially a contract with a “processor” that takes transactions and processes them with the credit card companies (MasterCard, VISA, American Express, Discover, and so on). When a merchant works with a processor, it must pay a variety of fees (for example, discount percentage, transaction fee) for each credit card transaction. Typically, the discount percentage will go down as the merchant gathers more and more information to validate the transactions. As an example, the discount rate will be lower if the merchant has the cardholder’s complete address (including zip code) and CVV (card verification value) versus only having the billing zip code. Companies such as LawPay, Sage Payment Solutions, Square, and Authorize.net are credit card processors.

Credit Card Processing Rules

There are certain “rules” you must follow to process credit cards. The Payment Card Industry Data Security Standard (PCI-DSS) includes the rules that govern the methods and requirements for processing credit card transactions. If a merchant fails to comply with PCI-DSS, it may be liable for fraudulent charges and even subject to fines from the credit card company or card processor.

Self-assessment Questionnaire

How do you know if your firm is compliant with the current PCI-DSS for processing credit card transactions? The self-assessment questionnaire (SAQ) contains various questions concerning infrastructure, procedures, technology, record keeping, security, and so on. There are five types of questions, which break down into nine different questionnaires depending on whether a merchant uses its own systems to process payments, store cardholder data, and accept credit cards in person or electronically, among other things.

• SAQ A – Card-not-present merchants: all payment processing functions fully outsourced: no electronic cardholder data storage.

• SAQ A-EP – E-commerce merchants redirecting to a third-party, PCI-compliant service provider for payment processing: no electronic cardholder data storage.

• SAQ B – Merchants with only imprint machines or only stand-alone dial-out payment terminals: no e-commerce or electronic cardholder data storage.

• SAQ B-IP – Merchants with stand-alone IP (internet) connected payment terminals: no e-commerce or electronic cardholder data storage.

• SAQ C – Merchants with payment application systems connected to the internet: no e-commerce or electronic cardholder data storage.

• SAQ C-VT – Merchants with web-based virtual payment terminals: no e-commerce or electronic cardholder data storage.

• SAQ D-Merchant – All other SAQ-eligible merchants or those that electronically store cardholder data.

• SAQ D-Service Provider – SAQ-eligible service providers.

• SAQ P2PE – Hardware payment terminals in a validated PCI P2PE solution only: no e-commerce or electronic cardholder data storage.

The good news is that most credit card processors don’t require deciding upfront which SAQ must be completed. Typically, you log in to a website and begin answering questions that will automatically walk you through the appropriate PCI-DSS SAQ questions that would apply. Think of it as a dynamic survey that presents a sort of decision-tree path depending on the answers to previous questions.

Current Guidelines

Why is all this PCI-DSS stuff important to lawyers? The former version of PCI-DSS was 3.2 and was listed as a “best practices” guideline. However, it became a required (by the terms of the merchant account contract) standard on Feb. 1, 2018.

There are some major changes to the standard that everyone should be aware of. The 3.2 requirements are focused on more protections of the cardholder data. If you have already completed your SAQ for 2016, you’ve seen some of the differences when completing the questionnaire.

Effects on Businesses

Many lawyers process credit card transactions from a computer that runs a virtual terminal to access their processor’s system. Typically, a merchant uses a web browser to log in to the processor’s website and enter the credit card information. If you use a computer that shares the same network as all your other office computers, you must implement much more stringent security controls.

The actual SAQ statement reads, “Merchant accesses the PCI DSS-compliant virtual terminal solution via a computer that is isolated in a single location and is not connected to other locations or systems within the merchant environment.” If you answer no, other questions will appear asking about how you prevent the other computers from affecting the credit card process. The concern is to minimize risk of compromise of cardholder data.

If you use a computer that shares the same network as all your other office computers, you must implement much more stringent security controls.

Connecting to the same network will require you to prevent the possibilities of other computers accessing the virtual terminal computer. This means turning off file sharing, configuring tighter internal-firewall restrictions, blocking network access from local resources, and preventing remote user access, among others. In other words, the goal is to prevent a potential malware infection of a user computer from accessing the virtual terminal computer by “crawling” through the network. All these requirements mean more cost and complexity for your environment.

Recommended Solution

While it is possible to implement the security controls to comply with PCI-DSS 3.2 for every computer on a network, it means implementing much tighter controls on all the computers. A better, easier, and more cost-effective solution is to install an isolated, dedicated credit card and online banking computer. You can create an isolated computer network by implementing a virtual local area network (VLAN) or a physically separate network. The stand-alone computer should be used only to process credit card transactions and perform online banking activities.

A single computer simplifies the security requirements for the device. Install security software and configure the computer to automatically install updates. Only one local user ID is needed because the isolated computer will not access any files or other data on your firm network. Because the computer is only using a browser to access the processor’s system, you won’t need a very powerful machine. Most law firms probably have an older computer that can be redeployed for this purpose. Just make sure it is running a currently supported operating system so that it gets security updates.

Chances are, many IT support folks are unaware of this change. Make sure you bring the incoming new standard to their attention. We have seen many law firms moving to the solution recommended above – and they are far more secure after implementing it.