Law firm payment processing differs from that of other professional services firms because law firms receive client fees that must be handled separately from their business operations.
As a result, law firms need a merchant account that can handle these tasks and meet the requirements for their payments.
Due to the introduction of PCI DSS v4.0.1 and specific requirements for online ACH and embedded payments, law firms will need to ensure that their payment solutions meet these new standards to continue processing cards and maintaining the security of those payments.
Why Law Firm Payment Processing Is Different
The most important distinction is between earned and unearned funds. Model Rule 1.15 requires that any legal fees or expenses paid in advance to a lawyer be held in a client trust account and withdrawn only as those fees are earned or those expenses are incurred. Formal Opinion 505 makes clear that legal fees paid in advance for work to be performed in the future must be placed into trust until the lawyer earns them; labeling a fee “nonrefundable” does not, on its own, necessarily control this requirement.
Because fees must be placed into trust accounts, firms have to decide what workflow will manage these different types of payments. Law firms may need to establish separate workflows for earned legal fees, advance legal retainers, and ACH and card payments. Firms must also consider the rules specific to their state: both Model Rule 8.5 and the ABA’s recordkeeping requirements for trust accounts indicate that the ethics rules for lawyers may differ from state to state, so those specific rules must be reviewed.
How Firms Should Evaluate Providers
The first question firms should ask of potential providers of payment processing solutions for law firms is not what rate those providers will charge for their services. The initial questions should be whether those providers understand how legal firms’ money moves, whether they can support the payment methods (cards and ACH) that those firms receive, and whether their system can accommodate the way law firms bill for their services.
The second question law firms should ask potential providers is how the provider will affect the security of the law firm’s online systems and computers. While PCI DSS v4.0.1 did not introduce any new requirements, the Payment Card Industry Security Standards Council (PCI SSC) has published a report explaining its intent behind the standards, leaving the March 31, 2025, compliance effective date unchanged. Furthermore, the PCI SSC also published a 2025 report detailing changes to its recommendations for e-commerce websites, specifically regarding the scripts that run on payment pages for those websites. For law firms that accept payments on their intake pages or client portals, this could affect the security of those systems.
Law Firm Payment Trends in 2026
What is getting harder is the handling of informal payments. It is harder to justify having retainers, earned invoices, ACH debits, and card payments all go through the same informal payment handling process. It is also harder to ignore the architectural elements of a website that processes payments, as the PCI security standards for embedded payments are much clearer than they were a few years ago.
What is getting easier is finding clear guidance. The ABA has recently published guidelines on trust fees, Nacha has published guidelines on online ACH validations, and the PCI Security Standards Council has published guidelines on embedded versus redirected payment implementations, each much clearer than before. Each of these guidelines makes it easier for firms to determine the steps required to handle funds separately, properly document the authorization of those funds, and understand which payment model better fits their firm and its trust account structure.
What to Look for in a Law Firm Merchant Account
Earned And Unearned Funds
The legal payments system needs to be able to identify the difference between money that the law firm has earned and money that it has not yet earned. If the law firm is not clear about its earned versus unearned funds, the merchant account system becomes the point at which the firm starts to fall out of alignment with its actual obligations.
Trust And Operating Account Separation
Law firm merchant accounts should allow receipts that belong to trust accounts to be separated from those that belong to the firm’s operating accounts. ABA Model Rule 1.15 states that a lawyer can only place a limited amount of their own funds into a trust to cover bank charges. Furthermore, Florida Bar Opinion 21-2 states that lawyers who utilize web-based payment processors must ensure that fees are collected from the lawyer themselves and that chargebacks are not charged against the lawyer’s trust funds.
Card And ACH Authorizations
Many law firms require the ability to accept both credit card and ACH payments. ACH payments are often used to collect evergreen retainers and payment plans from clients. Before ACH payments can be initiated, Nacha requires that the authorization include language that allows for the revocation of those ACH payments, and that for any ACH payments initiated online the consumer’s account information be validated when that relationship is first established.
Online Checkout And PCI Scope
Many law firms have established online portals for clients to input their payment information. Law firms have also created links to those portals that can be sent to clients by e-mail, or have implemented forms on their websites that allow clients to make payments online. In these cases, the lawyer has to use a solution aligned with PCI SSC guidance, one for which the merchant has confirmation that the solution, as implemented on the firm’s website, will protect that website from script attacks.
Chargebacks, Refunds, And Charge Allocation
As with the trust and operating accounts, chargebacks are an issue for law firms because those chargebacks may relate to trust funds or earned funds from legal clients. Florida Bar Opinion 21-2 states that law firms using web-based processors to collect payments must ensure that chargebacks are not taken out of their trust funds and that the processor will not freeze their operating accounts due to chargebacks and payment disputes. Thus, law firms must know which account will be charged in these scenarios before implementing an online payment system.
Reconciliation And Recordkeeping
The payments that are collected must reconcile to the clients to whom they belong. The ABA recommends that law firms maintain trust account records for five years after the lawyer’s relationship with the client has ended. Thus, any payments system that law firms create must be able to show which payments belong to which clients, when they were earned, into which accounts they were deposited, and when they were subsequently transferred to other designated funds of those law firms.
FAQs
Q: What is law firm payment processing?
A: Law firm payment processing is the payment infrastructure that a law firm uses to take payments from clients via cards, ACH, and online methods—while properly separating the fees that a law firm earns from the funds that are held in trust for each client. Unlike ordinary businesses, law firms often have to take in advance fees and other trust funds from clients that must be separately managed and transferred to the firm only when earned or incurred.
Q: What should a law firm’s merchant account be able to do?
A: A law firm’s merchant account should be able to handle trust and operating accounts separately, authorizations for both cards and ACH payments, take payments online from clients, and properly manage and reflect fees and returns on those accounts to ensure that the funds that are held in trust for clients are not reduced in value due to payment processing.
Q: Can law firms accept ACH payments as well as take cards from clients?
A: Law firms can, and should, accept ACH payments in addition to cards from clients. However, Nacha’s regulations require that authorizations for recurring or scheduled WEB debits include certain language that allows for their revocation, and that the consumer’s account information be validated during initial account creation. These requirements ensure that ACH accounts can be properly established to receive payments from clients for retainers and payment plans.
Q: Why does PCI matter for law firms that take payments online?
A: Law firms that take payments online through a website, portal, or other embedded form for clients must follow the same security requirements as other organizations that manage and protect the data of their customers. However, the PCI Security Standards Council has published new information regarding its 2025 security requirements, stating that embedded payments and redirected payments do not require the same level of security as other online websites, though the law firm must consider both options.
Conclusion
Law firm payment processing is best thought of not as a convenience feature but as a matter of accounting and compliance. While the goal with any payment processing company is to collect the law firm’s money as quickly as possible, there are compliance requirements regarding trust funds versus earned fees, as well as ways to reduce unnecessary PCI and ACH compliance requirements for the law firm.
Choosing the right law firm merchant account is about fit. For law firms and attorneys who provide legal services, the payment processing company should align with how the law firm bills and tracks its finances. This is more important than almost anything else for these types of companies.
Sources
- American Bar Association. “Model Rule 1.15: Safekeeping Property.” Accessed March 2026.
- American Bar Association. “Standing Committee on Ethics and Professional Responsibility.” Accessed March 2026.
- American Bar Association. “Model Rule 8.5: Disciplinary Authority; Choice of Law.” Accessed March 2026.
- American Bar Association. “ABA Model Rules on Client Trust Account Records.” Accessed March 2026.
- The Florida Bar. “Opinion 21-2.” Accessed March 2026.
- Nacha. “WEB Proof of Authorization Industry Practices.” Accessed March 2026.
- Nacha. “Account Validation Resource Center.” Accessed March 2026.
- Nacha. “Supplementing Fraud Detection Standards for WEB Debits.” Accessed March 2026.
- PCI Security Standards Council. “Just Published: PCI DSS v4.0.1.” Accessed March 2026.
- PCI Security Standards Council. “FAQ Clarifies New SAQ A Eligibility Criteria for E-Commerce Merchants.” Accessed March 2026.