Data security: Credit card process changes to avoid compliance, obligations and risk

As part of your firm’s application for a merchant facility it would have contracted with the bank to comply with the Payment Card Industry Data Security Standards (PCI DSS),[1] and most likely agreed to other security requirements. In many instances, the firm will indemnify the bank for loss arising from fraudulent transactions arising from non-compliance.

PCI DSS requires a firm to follow mandatory processes every time it:

  • takes a credit card payment online
  • takes payment through an electronic payment terminal
  • handles a card number read over the phone, or
  • handles a card number received in a letter or email.

This applies irrespective of turnover and the number of transactions completed each year, although these factors do alter the level of certification and audit required.

If a law firm captures and stores payment card data–even a small amount–PCI compliance obligations then apply to the entire network. Improving network and information security is a worthy objective for any law firm, but the PCI requirements are complex.

The best and easiest approach is to ensure that the card information is not recorded on your system in the first place. Card information which is provided should be processed immediately and securely destroyed. 

This not only keeps your firm and clients safer but dramatically reduces[2] the PCI compliance burden.


How do we process credit cards without capturing or retaining credit card data?

Many banks and third party merchant facilities offer payment portals that ensure regulated data is never captured by your website. As an example, the Commonwealth Bank offers three payment processing options. An explanation of the differences between the different systems is found here.

If integration with management software or third party payment systems requires the credit card data to be captured then fed through to the bank via an API, you should be aware and ensure that the data is only processed by a compliant system. A list of the questions for your software/payment provider should be provided.

Safe processes do not happen in a vacuum. Firm management will need to look at each way credit card payments are received and ensure:

  • the process does not capture payment card information
  • staff are trained and consistently apply that process, and
  • periodic checks are in place to ensure bad habits have not crept in. 

For example, if a client wishes to pay a bill by phone, rather than writing the number on a notepad, staff should enter the data directly into the payment portal. For further information on phone payments, see the guidance from the PCI standards body.

Credit card payments and trust accounting

The information regulated by PCI DSS is not generally required as part of the trust ledger. Card numbers, CVV[3] and expiry dates are not needed to comply with trust accounting obligations. For further information, see QLS guidelines for receiving Credit Card payments.

If your process captures trust information and PCI DSS regulated information together, you should enable redaction of the regulated component that is not required for the trust records. 


For example, if a client can pay a bill by (1) authorising a trust transfer and (2) paying the balance by filling in credit card details on a form, then the credit card information should be subsequently removed and shredded as soon as it is processed. Forms supplied electronically should be ‘double deleted’ and removed from email storage.

Even better, if the bill is sent electronically, a seamless payment option to pay the balance direct to your bank avoids cumbersome double-handling.

Ok, so I don’t think we collect credit card information. Is that job done?

Not quite.

Other basic network protections may be required. The good news? Every single one of them is important for a law firm to protect client data, and should be done anyway.

To assess what is required, see the PCI DSS self-assessment portal for small business. If you are not sure exactly what kind of payment systems you operate your bank should be able to clarify.

[2] But does not eliminate it completely. Your bank is a good source of information as to your residual obligations.
[3] The verification number on the back of the card.

Share this article

Leave a Reply

Your email address will not be published. Required fields are marked *

Search by keyword