PCI Standards and Cardholder Data Security

Overview

Visa®, Mastercard®, Discover®, and American Express have instituted mandatory compliance programs that require merchants, and others who store or transmit cardholder data on behalf of the merchant, to adhere to the Payment Card Industry (PCI) Data Security Standards. These PCI data security standards are internationally recognized best practices for cardholder data security and are intended to ensure that cardholder data is appropriately protected at every point in the course of a transaction. For example, many e-commerce merchants use a gateway and a shopping cart, and some merchants outsource fulfillment or customer service functions. Any of these entities that store or transmit cardholder data must ensure that the data is protected in a manner consistent with the PCI Data Protection Standards. These PCI data security standards apply to merchants that accept cards in physical stores (card-present transactions) as well as to those that maintain a web site or otherwise accept payment where the card is not physically presented (card-not-present transactions).

Wells Fargo requires all of its merchant customers and service providers to comply with the PCI Data Protection Standards and with the Information Security Programs of Visa, Mastercard, Discover and American Express. Although these programs are based on the PCI Data Security Standards, each payment network maintains its own PCI data security compliance program and reserves the right to take independent action for non-compliance. Protecting cardholders also protects merchants: against fraud committed with illegally obtained cardholder data, and against fines that Visa, Mastercard, Discover or American Express may levy on the acquirer for failure to protect cardholder data and that the acquirer may pass through to the merchant.

Payment Card Industry (PCI) Data Security Standard Compliance Requirements

Annual self-assessment and quarterly system perimeter scan

Most merchants are only required to complete an Annual Self-Assessment to measure compliance with the PCI Data Security Standards and to have a Quarterly System Perimeter Scan performed by an Approved Scanning Vendor (ASV). Larger merchants (with over 1 million transactions annually on a single payment network) will be contacted individually by Wells Fargo to discuss the requirements that apply specifically to them.

  1. Annual self-assessment
    The Annual Self-Assessment is designed to ensure that merchants have considered and addressed the most critical aspects of protecting cardholder data. Please visit the PCI website to download the PCI Self-Assessment Questionnaire.
  2. Quarterly system perimeter scan
    In order to be certified as compliant and/or to maintain compliant status, merchants and service providers must conduct and pass quarterly perimeter scans performed by an Approved Scanning Vendor (ASV) listed by the PCI Security Standards Council. The system perimeter scan must be performed against the merchant's external-facing IP addresses.

    Scanning provides a point-in-time snapshot of a web site's exposed systems to help find vulnerabilities and recommend improvements. The resulting report helps determine whether the online merchant or Member Service Provider is in compliance with the PCI Data Security Standards. Visit our list of approved vendors.
  3. Next steps
    It is important for merchants to become compliant with the PCI DSS as soon as possible. Below is a list of steps to get started:
    • Identify the appropriate individuals in your organization. This is critical to ensuring that cardholder data is protected. Be sure to include:
      • Chief Technology Officer
      • Human Resource Executive
      • Procurement Officer (someone who outsources functions that require access to cardholder data)
      • Service providers such as gateways and shopping carts
    • Complete a PCI Data Security Standard Self-Assessment Questionnaire. Be sure that the appropriate areas of your organization contribute to the assessment of your cardholder data protection practices.
    • Add the annual Self-Assessment to your internal audit program. Institutionalize information security.
    • Make sure that your organization has an Information Security Policy and that employees observe it.
    • Engage a qualified vendor to perform the required Network/Perimeter Scans. Look for an Approved Scanning Vendor (ASV).
    • Complete the quarterly Scans and immediately address any significant deficiencies.
    • Retain a record of all Self-Assessments, Scan results, and follow-up activities. Be prepared to provide these documents to Wells Fargo upon request.

Fines and penalties

The payment networks may impose fines, penalties or assessments on merchants that do not comply with the PCI Data Security Standards. Failure to comply with these standards and/or programs may also constitute a violation of applicable federal or state law. Additionally, fines and penalties assessed against the acquirer by the card associations may be passed through to the merchant.

If you have questions regarding information security requirements and best practices, please call your Relationship Manager or a Customer Service representative at the number provided on your statement.

Existing merchant customers: Call us at 1-800-451-5817, 24 hours a day, 7 days a week. Or contact your account manager.