Understanding PCI
All businesses that handle payment card details must comply with the Payment Card Industry Data Security Standard (PCI DSS), set by the PCI Security Standards Council (PCI SSC). That includes law firms accepting card payments from their clients, and us, enabling you to do so. Even though the PCI SSC doesn't enforce compliance itself, we and our payment partners view PCI compliance as an essential security requirement. Consequently, we require you to affirm adherence to these data security standards to safeguard cardholder data and the cardholders themselves, who are your clients.
Legl is an integral part of the payment processing chain between you, your client and our payment service partners Adyen and Stripe. We attest to our compliance with PCI DSS. That means we also adhere to the industry standards necessary to safeguard card payment data for you and your clients.
PCI DSS distinguishes cardholder data (card data / customer card data) from Sensitive Authentication Data (SAD), often just called sensitive data.
- Cardholder data includes the Primary Account Number (PAN) of a card, as well as the cardholder name, expiry date and other data used to process a payment. We will present to you the cardholder data that is useful to understand the payment, but truncate the PAN so that at most the first 6 and last 4 digits of a card are displayed.
- Sensitive data includes the CVV security code of the card as well as any PINs or passwords for 3D Secure payments. This information is never presented to you or stored after the payment.
The goal of the PCI data security standards and processes is to prevent a data breach. A data breach in the context of PCI is an incident in which any cardholder data and/or sensitive data may have been viewed, stolen or used by an unauthorised party.
Understanding your role & compliance
As a law firm using the Legl platform for processing card payments, your interaction with cardholder data is significantly reduced. This is because we, in conjunction with Adyen and Stripe, handle the majority of the compliance requirements, especially those related to the direct handling of cardholder data.
- Data Encryption and Processing: All PCI DSS data is encrypted and processed by Adyen and Stripe, both of which are Level 1 PCI DSS compliant service providers. Level 1 is the highest level of PCI compliance. This means your firm’s direct responsibility is reduced: the critical aspects of data security are managed by experts who are subject to stringent security controls and regular audits by a PCI SSC approved security assessor.
- Tokenisation and Truncation of Data: Instead of handling card data directly, you will only encounter tokenised and truncated data. A token is a unique identifier that stands in for the card details, so a payment can be referred to and processed without the card number itself being exposed. Truncation means the middle of the PAN is not available to you; at most the first 6 and last 4 digits are shown.
- Recurring Payments and Online Transactions: Whether it's a one-time payment or recurring billing, the security measures remain consistent and robust, ensuring continuous compliance. This includes clients making payments via Legl from your website, via Payment Links or as part of a Payment Plan.
- Telephone Payments: When your staff take payments by logging in to your Legl account online, we use the same technology and processes that keep payment data safe when your client makes a payment. To help control access to payments data, we also provide unique logins for each user and store their activity logs.
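The truncation rule described above (at most the first 6 and last 4 digits of the PAN visible, everything in between masked) is small enough to show in full. The following Python is an added example written for this page, not Legl's, Adyen's or Stripe's code; the function names `truncate_pan` and `describe_card` and the sample card numbers are constructed for illustration.

```python
import re

# PCI DSS permits displaying at most the first 6 and last 4 digits of a PAN.
MAX_FIRST = 6
MAX_LAST = 4


def normalise_pan(pan: str) -> str:
    """Strip the spaces/dashes people type so the digit count can be checked."""
    digits = re.sub(r"[ -]", "", pan)
    # PANs are 12 to 19 digits long; anything else is not a card number.
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        raise ValueError("PAN must be 12-19 digits")
    return digits


def truncate_pan(pan: str, keep_first: int = MAX_FIRST, keep_last: int = MAX_LAST,
                 mask_char: str = "*") -> str:
    """Return the PAN with the middle digits masked.

    keep_first/keep_last may be reduced (e.g. keep_first=0 shows only the
    last 4) but never raised above the PCI limits of 6 and 4.
    """
    if not 0 <= keep_first <= MAX_FIRST or not 0 <= keep_last <= MAX_LAST:
        raise ValueError("cannot reveal more than first 6 and last 4 digits")
    digits = normalise_pan(pan)
    hidden = len(digits) - keep_first - keep_last  # >= 2 for a 12-digit PAN
    return digits[:keep_first] + mask_char * hidden + digits[-keep_last:] if keep_last \
        else digits[:keep_first] + mask_char * hidden


def describe_card(pan: str, scheme: str) -> str:
    """The spoken/written form staff may use, e.g. 'Visa card ending 4321'."""
    return f"{scheme} card ending {normalise_pan(pan)[-MAX_LAST:]}"


if __name__ == "__main__":
    # Constructed test card numbers, not real accounts.
    print(truncate_pan("4111 1111 1111 1111"))          # 411111******1111
    print(truncate_pan("4111111111111111", keep_first=0))  # ************1111
    print(describe_card("4111-1111-1111-4321", "Visa"))  # Visa card ending 4321
```

Note that the full PAN must never reach code like this in your own systems: the point of the example is to show what the truncated form you receive looks like and why a reference such as "card ending 4321" is acceptable in notes and call logs.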
Your responsibilities
Despite the major compliance aspects being handled by our platform in partnership with Adyen and Stripe, there are still certain responsibilities that fall on your firm, especially when it comes to integrating our payment solutions into your operations.
Website Security
It is crucial to ensure your website’s security. In the context of PCI, that means no unwanted third party can trick your clients into handing over their payment information by redirecting the payment flow or card data away from the approved solutions you offer via Legl. This means regularly updating your website, using secure and up-to-date software, and ensuring that the website itself doesn't become a weak link in the security chain before your client arrives on the Legl payment page.
Physical and Digital Security Measures
While handling cardholder data isn’t your primary responsibility, maintaining a secure environment for your systems is crucial. This includes physical security of your offices and digital security of your internal networks, to prevent unauthorised access whether in person or over the network.
User Access Management
Ensure that every user in your firm has unique login credentials, especially for systems that interact in any way with Legl or other payment processing systems. This includes following best practices for password creation and user authentication.
Operational Processes
Ensure you do not view or record any cardholder data outside the Legl system or another PCI compliant provider. Common areas to check include:
- Your staff should never take card details down digitally (e.g. in email or spreadsheets) or physically (e.g. on paper notes or copies). The one exception is being handed the physical card by your client to take a payment on a physical card terminal with your client present.
- If you record phone calls on lines that accept payments, do not request card details while recording is in progress. The one exception is referring to card details in tokenised form, such as your staff saying “Visa card ending 4321”, which is fine.
- Never ask for Sensitive Authentication Data such as the security code, 3D Secure passwords or PINs.
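One practical check for the first of these points is to scan the places where card numbers tend to leak (mailboxes, shared spreadsheets, call notes) for anything that looks like a full PAN, while leaving tokenised references such as "card ending 4321" alone. The Python below is an added example for this page, not a Legl tool; the Luhn check is the standard checksum printed on payment cards, and the sample documents, file names and the `find_pans` / `scan_documents` names are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# 13-19 digits, optionally separated by single spaces or dashes, not glued to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return each likely PAN in the text, already truncated to first 6 / last 4.

    Digit runs that fail the Luhn check (matter numbers, account references,
    timestamps) are ignored, and short references like 'ending 4321' never
    match because they are far below the minimum PAN length.
    """
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            # Report the finding in truncated form so the scan itself does not
            # become another place the full PAN is written down.
            found.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return found


def scan_documents(docs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Scan a mapping of file name -> contents; return (file name, truncated PAN) pairs."""
    return [(name, pan) for name, text in docs.items() for pan in find_pans(text)]


# Constructed sample documents for the demonstration (test card number, not a real account).
SAMPLE_DOCS = {
    "client-email.txt": "Hi, please charge my card 4111 1111 1111 1111 for the invoice.",
    "call-log.txt": "Took payment by phone, Visa card ending 4321, ref LEGL-0001.",
    "matters.csv": "Smith,1234567812345678,overdue",  # 16 digits but fails Luhn: a matter number
    "phone-list.txt": "Reception: 020 7946 0000",
}

if __name__ == "__main__":
    for name, masked in scan_documents(SAMPLE_DOCS):
        print(f"{name}: possible card number {masked}")  # client-email.txt: possible card number 411111******1111
```

Run against real mailboxes or file shares, a scan like this is a detection control, not a substitute for the process rules above: a hit means a member of staff needs retraining and the document needs to be securely deleted, and the finding should be recorded in the same way as any other security incident.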
Regular Compliance Checks and Training
Stay informed about PCI DSS requirements and regularly train your staff about data security and compliance. This is essential to maintain a culture of security awareness within your organisation.
Incident Response Plan
Have a clear plan in case of a security breach. This should include steps to contain and assess the breach, and to communicate with all relevant parties, including us and our payment partners Adyen and Stripe.
Conclusion
By using our platform in conjunction with Adyen and/or Stripe, your law firm is largely shielded from the direct responsibilities of PCI DSS compliance concerning the processing of card payments data. However, maintaining the security of your systems, user access management, and continuous education about data security remains crucial for overall compliance.