Last October, President Obama signed an executive order that will change how the U.S. processes credit cards effective October 2015.
EMV technology: Most retail U.S. businesses must adopt EuroPay-MasterCard-Visa type (chip and pin) terminals to process credit cards or risk a major shift in liability should fraud take place. Businesses that don’t process cards via chip-pin terminals are on the hook for any fraud. Formerly the banks were liable, but as of 10/1/15, retailers themselves are liable if they don’t adopt EMV technology.
You may have noticed changes to credit card terminals at big stores like Home Depot, Target, Publix and Kroger, among many others. And you may notice that new credit cards are being sent to your home with a secure “chip” embedded on the front left-hand side of the card.
This executive order is meant to protect us, as consumers, from hackers, fraud and the like. This technology has been in place in most of the rest of the world for the last five years or so, and the U.S. is finally catching up.
Your firm may have business class credit cards for legitimate business expenses. You should ensure that any authorized staff members at your firm are issued cards with chip and pin technology embedded or you may find that certain merchants will not accept the card after October 1.
But what does this mean for your law firm and the way YOUR FIRM is accepting credit cards now?
PCI Compliance: Back in 2006, the payment card industry set forth a series of standards enforced by most major banks requiring that businesses that process credit cards complete a Self-Assessment questionnaire to ensure compliance with PCI standards.
EMV and Your Law Firm: However, most law firms key credit card numbers into their time, billing and accounting software. This is known as a CNP (card not present) transaction. To the best of this writer’s knowledge, there are no changes in CNP responsibilities for small businesses. However, common-sense basic precautions should be taken to ensure that the party calling in a credit card number to you in payment of an invoice is truly authorized to do so. And that is easier said than done.
Some basic suggestions:
1. Don’t keep or store your client’s credit card numbers in your office including in a digital format;
2. Get a credit card authorization form signed EACH TIME a client authorizes a payment, even if historically it’s not been a problem;
3. Create an internal policy in your firm where only one or two people are authorized to accept credit card information by phone;
4. Talk with your liability carrier about additional coverages or protections should some sort of fraud come to fruition at your firm.
Alternatively, you may want to talk with your merchant about all of this and simply ask them for their advice. Perhaps instead of allowing your customers to “call in” a credit card number to a member of your staff, consider setting up a page on your website where your customers would initiate the credit card transaction themselves. Ask your merchant about “tokenization” on that web page. Tokenization requires that the user enter a Token or PIN when paying your bill online. It’s similar to two-factor authentication that you may have heard about. Then, when a client processes his/her credit card online, your staff is notified and manually updates your software (or depending on your software package…perhaps downloads and imports the transaction) without any credit card information entered into your system.
To make inquiries about the contents of this article and how it affects your firm, and if you currently accept credit cards within PCLaw, contact OpenEdge (formerly PayPros) at (800) 774-6462. If you accept credit cards within Tabs3, contact TSYS Merchant Solutions at (800) 354-3988. Other software products … please check with your bank or with your software vendor directly. If you have questions about any of this, don’t hesitate to call a member of our time billing and accounting team at (877) 676-5492.