
Data Security / PCI Mandatory Compliance Programs

Overview

Visa®, MasterCard®, Discover® Network, and most major card companies have instituted mandatory compliance programs that require merchants, and anyone who stores or transmits cardholder data on a merchant's behalf, to adhere to the Payment Card Industry (PCI) Data Security Standard. These standards are internationally recognized best practices for cardholder data security and are intended to ensure that cardholder data is appropriately protected at every point in the course of a transaction. For example, many e-commerce merchants use a gateway and a shopping cart, and some merchants outsource fulfillment or customer service functions. Every one of these entities that stores or transmits cardholder data must protect it in a manner consistent with the PCI Data Security Standard. The standard applies to merchants that accept cards in physical stores (card-present transactions) as well as to those that maintain a web site or otherwise accept payment where the card is not physically presented (card-not-present transactions).
Wells Fargo requires all of its merchants and their service providers to comply with the PCI Data Security Standard and with the Visa, MasterCard, and Discover Network information security programs. Although Visa's Cardholder Information Security Program (CISP), MasterCard's Site Data Protection (SDP) program and Discover Network's Discover Information Security and Compliance (DISC) program are all based on the PCI Data Security Standard, each card association or company maintains its own compliance program and reserves the right to take independent action for non-compliance with these standards.
Protecting cardholders also protects merchants: against fraud committed with cardholder data obtained illegally, and against fines that Visa, MasterCard or Discover Network may levy on the acquirer for failing to protect cardholder data and that the acquirer may pass through to the merchant.

Payment Card Industry (PCI) Data Security Standard Compliance Requirements

Annual Self-Assessment and Quarterly System Perimeter Scan

Most merchants are only required to complete an Annual Self-Assessment to measure their compliance with the PCI Data Security Standard and to have a Quarterly System Perimeter Scan performed by a scanning vendor approved for the Visa, MasterCard and Discover Network programs. Larger merchants (more than 6 million Visa, MasterCard or Discover Network transactions annually) will be contacted individually by Wells Fargo to discuss the requirements that apply specifically to them.
1. Annual Self-Assessment
The Annual Self-Assessment is designed to ensure that merchants have considered and addressed the most critical aspects of protecting cardholder data. Please visit the PCI website to download the PCI Self-Assessment Questionnaire.

Note: Generally, Wells Fargo, Visa, MasterCard, and Discover Network do not require that you submit the completed annual PCI Self-Assessment Questionnaire to them. However, it is recommended that you include the Annual Self-Assessment as part of your company's ongoing audit process and retain a record of having performed the Assessment and of having addressed the areas that needed improvement. In the event that cardholder data is possibly compromised, Wells Fargo will require that you provide evidence of your Annual Self-Assessments as well as the results of all System Perimeter Scans.

Payment Application Best Practices
Below is a list of 13 basic security requirements with which all Visa, MasterCard, and Discover Network payment system constituents need to comply. The detailed criteria behind each requirement are covered in the merchant Self-Assessment tool.
Best Practice (numbered) / Control Practice (bulleted)
1. Do not retain full magnetic stripe or CVV2, CVC2 and CID data. PIN blocks must never be retained
  • Application must not store full magnetic stripe or CVV2 or CVC2 or CID data after authorization is complete. Specifically, subsequent to authorization, service codes, discretionary data/CVV2/CVC2/CID, and Visa reserved values must be removed; however, account number, expiration date, and name may be extracted and retained.
  • PIN blocks must never be retained, even if encrypted, after verification of a transaction. This includes no storage in databases, flat files, logs, etc. Consider all possible locations for potential data storage.
2. Protect stored data
  • Application should purge cardholder data temporarily stored by the application during processing.
  • Stored cardholder data, specifically account numbers, should be encrypted with strong encryption such as AES (Triple-DES was also accepted when these practices were written but is now a legacy algorithm being retired, so prefer AES). This applies anywhere cardholder data is stored, even outside the payment application.
  • Protect encryption keys: restrict access to them and keep them separate from the encrypted data, so that a copy of the database alone does not yield the account numbers.
3. Provide secure password features
  • Application should require a username and complex password for all administrative access and access to cardholder data.
  • PC's or servers with payment applications should require a username and complex password for access.
  • Never store application passwords in clear text; render them unreadable with strong cryptography (in practice a salted, slow one-way hash is preferable to reversible encryption, since the application never needs the password back).
4. Log application activity
  • Application should be configured to log all cardholder data user access activities, and tie those activities to a unique individual or system.
5. Develop secure applications
  • Applications should be developed with secure coding techniques based on OWASP guidelines.
  • All system development processes should include security.
6. Protect wireless transmissions
  • If wireless technology is used within the payment environment, it should be implemented securely.
  • Wireless transmissions of cardholder data should be encrypted, over both public and private networks.
7. Test applications to address vulnerabilities
  • Software vendors should have processes in place to identify security exploits, test their applications for vulnerabilities, and for development of timely security patches and upgrades.
8. Facilitate secure network implementation
  • The application should not hinder merchants' ability to implement it into a secure network environment. The application should not interfere with use of network address translation (NAT), port address translation (PAT), traffic filtering network devices, anti-virus protection or encryption.
9. Cardholder data must never be stored on a server connected to the Internet
  • The application should not require that the database server and web server be on the same server, or in the DMZ with the web server.
10. Facilitate secure remote software updates
  • If software updates are delivered via remote access into merchants' systems, software vendors should tell merchants to turn on modem only when needed for downloads from vendor, and to turn off immediately after download completes. Alternatively, if delivered via VPN or other high-speed connection, software vendors should advise merchants to properly configure a personal or network firewall product to secure "always-on" connections.
11. Facilitate secure remote access to application
  • For Level 1 and Level 2 Merchants (see notes 1 and 2 below), if employees, administrators or vendors can access the application remotely, access should be authenticated using a two-factor authentication mechanism. The application should allow for technologies such as RADIUS or TACACS with hardware tokens. For Level 3 Merchants, if employees, administrators or vendors can access the application remotely, the security features of the remote access software (e.g., pcAnywhere) should be enabled. Features like usernames with complex passwords, password protection for dial-in and dial-out files, automatic log-off when the call is completed, encryption of session traffic, limits on logon attempts, and logging of failed attempts are available in most remote access software but are not enabled by default.
12. Encrypt sensitive traffic over public networks
  • Use encryption such as Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), when transmitting sensitive data over the Internet. SSL itself is obsolete and should be disabled in favor of current TLS versions.
13. Encrypt internal administrative access
  • Internal administrative access to the application or related servers should be encrypted via technologies such as Transport Layer Security (TLS) or Secure Shell (SSH) rather than the older Secure Sockets Layer (SSL). Clear-text protocols such as Telnet must never be used for administration.
1 A merchant that processes more than 6 million transactions annually.
2 A merchant that processes between 500,000 and 6 million eCommerce transactions annually.
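The Go program below is an added example written for this page; it is not code from Wells Fargo, the card brands or the PCI Security Standards Council. It shows one way a payment application can satisfy best practices 1 and 2 above: it parses a magnetic-stripe read in the ISO/IEC 7813 Track 1 or Track 2 layout, keeps only the account number, expiry and name, discards the service code and discretionary data, encrypts the account number with AES-GCM under a key the caller supplies (assumed to come from a key-management system held apart from the data), and zeroes the raw track buffer once the retainable fields are out. It also includes the check best practice 1 asks for, a scanner that looks through log lines or any other text for full track data or CVV2/CVC2/CID values that should not be there. The function names, the well-known test account number 4111111111111111 and the sample track reads are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"regexp"
)

// StoredCard is all that survives authorization: PAN (encrypted), expiry, name.
// Service code, discretionary data, CVV2/CVC2/CID and PIN blocks are never kept.
type StoredCard struct {
	EncryptedPAN []byte // AES-GCM nonce || ciphertext || tag
	Expiry       string // YYMM as encoded on the stripe
	Name         string // empty when only Track 2 was read
}

// ISO/IEC 7813 layouts. Track 1: "%B<PAN>^<NAME>^<YYMM><svc><discretionary>?",
// Track 2: ";<PAN>=<YYMM><svc><discretionary>?". Only PAN, name and expiry are
// captured; the service code and discretionary data (which carry the stripe's
// CVV/CVC) fall into the uncaptured tail and are dropped.
var (
	track1 = regexp.MustCompile(`^%B(\d{13,19})\^([^^]{2,26})\^(\d{4})[^?]*\?$`)
	track2 = regexp.MustCompile(`^;(\d{13,19})=(\d{4})\d*\?$`)
)

func extractRetainable(track string) (pan, expiry, name string, err error) {
	if m := track1.FindStringSubmatch(track); m != nil {
		return m[1], m[3], m[2], nil
	}
	if m := track2.FindStringSubmatch(track); m != nil {
		return m[1], m[2], "", nil
	}
	return "", "", "", errors.New("not a well-formed track 1 or track 2 read")
}

func newGCM(key []byte) (cipher.AEAD, error) {
	// key is 16/24/32 bytes and belongs in a KMS or HSM, never next to the data.
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealCard keeps PAN/expiry/name from a raw track read, encrypts the PAN with
// AES-GCM (expiry bound as associated data) and zeroes the raw buffer so the
// full stripe does not linger in memory (best effort: Go may hold copies).
func SealCard(key, rawTrack []byte) (StoredCard, error) {
	defer func() {
		for i := range rawTrack {
			rawTrack[i] = 0
		}
	}()
	pan, expiry, name, err := extractRetainable(string(rawTrack))
	if err != nil {
		return StoredCard{}, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return StoredCard{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredCard{}, err
	}
	ct := gcm.Seal(nonce, nonce, []byte(pan), []byte(expiry))
	return StoredCard{EncryptedPAN: ct, Expiry: expiry, Name: name}, nil
}

// OpenPAN is the only path back to the clear PAN; call it under the per-user
// access logging the page requires (best practice 4).
func OpenPAN(key []byte, c StoredCard) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(c.EncryptedPAN) < n {
		return "", errors.New("ciphertext too short")
	}
	pan, err := gcm.Open(nil, c.EncryptedPAN[:n], c.EncryptedPAN[n:], []byte(c.Expiry))
	return string(pan), err
}

// leakPattern flags full track data or a card security code that has leaked
// into logs, databases or flat files; run it over every place data could land.
var leakPattern = regexp.MustCompile(
	`%B\d{13,19}\^|;\d{13,19}=\d{4}|(?i:\b(cvv2?|cvc2?|cid)\b\s*[:=]\s*\d{3,4})`)

// FindSensitiveAuthData returns the lines holding data that must never be
// stored after authorization.
func FindSensitiveAuthData(lines []string) (hits []string) {
	for _, l := range lines {
		if leakPattern.MatchString(l) {
			hits = append(hits, l)
		}
	}
	return hits
}
```

Binding the expiry as GCM associated data means a stored record whose expiry has been altered will fail to decrypt rather than silently yield a mismatched PAN. The zeroing of the raw buffer is only a best effort under a garbage-collected runtime, which is why the practice of never writing the full stripe anywhere (logs, temp files, crash dumps) matters more than in-memory hygiene; FindSensitiveAuthData is the kind of check to run periodically over log directories and database exports to confirm that.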
2. Quarterly System Perimeter Scan
In order to be certified as compliant and/or to maintain compliant status, merchants and service providers must conduct and pass quarterly perimeter scans performed by an Approved Scanning Vendor (ASV) recognized by the PCI Security Standards Council; Qualified Security Assessors (QSAs) perform on-site assessments, not perimeter scans. The system perimeter scan must cover all of a merchant's external-facing IP addresses. The list of approved scanning vendors (PDF*) may be downloaded from the PCI website.
3. Network Scanning Tools
Network scanning tools take a point-in-time snapshot of a merchant's Internet-facing systems to find vulnerabilities and recommend improvements. The resulting report helps determine whether the online merchant or Member Service Provider is in compliance with the PCI Data Security Standard.

Businesses can also use the scanning tools of any vendor that is in compliance with the PCI Security Standards applicable to vendors. A list of approved scan vendors can be found at https://www.pcisecuritystandards.org/pdfs/asv_report.html.
4. Next Steps
It is important for merchants to become compliant with Visa, MasterCard, and Discover Network's information security programs as soon as possible. Below is a list of steps to get started:
  • Identify the appropriate individuals in your organization. This is critical to ensure that cardholder data is protected. Be sure to include:
    • Chief Technology Officer
    • Human Resource Executive
    • Procurement Officer (Someone who outsources functions that require access to cardholder data)
    • Service Providers such as gateways and shopping carts
  • Complete Visa/MasterCard/Discover Network's approved PCI Data Security Standard Self-Assessment questionnaires. Be sure that the appropriate areas in your organization contribute to the assessment of your cardholder data protection practices.
  • Add the annual Self-Assessments to your internal audit program. Institutionalize information security.
  • Make sure that your organization has an Information Security Policy and that employees observe it.
  • Engage an Approved Scanning Vendor to perform the required Network/Perimeter Scans. Look for a vendor that appears on the PCI Security Standards Council's approved list and is accepted by Visa, MasterCard, and Discover Network.
  • Complete the quarterly Scans and immediately address any significant deficiencies.
  • Retain a record of all Self-Assessments, Scan results, and follow-up activities. Be prepared to provide these documents to Wells Fargo upon request.

Fines and Penalties

The following fines, penalties or assessments may be imposed upon merchants that do not comply with the PCI Data Security Standard, Visa's Cardholder Information Security Program (CISP), MasterCard's Site Data Protection program (SDP), or Discover Network's Discover Information Security and Compliance program (DISC). Other card companies may also impose penalties. Failure to comply with these standards and/or programs may also result in a violation of applicable federal or state law. Additionally, fines and penalties assessed against the acquirer by the card associations may be passed through to the merchant.
Visa
Fines for Non-Compliance with CISP
  • 1st Violation in a rolling 12-month period — $50,000 USD
  • 2nd Violation in a rolling 12-month period — $100,000 USD
  • 3rd Violation in a rolling 12-month period — Discretion of Visa USA
MasterCard
Fines for Non-Compliance with SDP
  • 1st Warning letter with a specified correction date and assessment of up to 2,000 USD
  • 2nd Violation in a rolling 12-month period — up to $2,000 USD
  • 3rd Violation in a rolling 12-month period — up to $25,000 USD or merchant termination or both
Discover Network
Fines for Non-Compliance with DISC
  • $100,000 per violation plus an additional $100,000 per each additional thirty (30) calendar days such violation remains uncured
  • Financial responsibility for fraudulent transactions and any damages that acquirers, issuers and/or cardholders incur as a result of the theft, loss or unauthorized use or disclosure of cardholder information or card transaction information by the merchant or its agents
  • $7.50 for each notification to cardholders by issuers, $10.00 for each card reissued by issuers, and $7.50 for each unique card number compromised
Compromised Merchant Liabilities
If a merchant is compromised, it may be subject to the following liabilities in addition to the fines associated with non-compliance:
  • All fraud losses perpetrated using the account numbers associated with the compromise (from date of compromise forward)
  • Cost of re-issuance of cards associated with the compromise (approximately $50 per card).
  • Any additional fraud prevention/detection costs incurred by credit card issuers as a result of the compromise (e.g., additional monitoring of systems for fraudulent activity).

Additional Resources

If you have questions regarding information security requirements and best practices, please call your Relationship Manager or a Customer Service representative at the number provided on your statement.
 
* You need Adobe® Reader® to read PDF files. Download Adobe Reader for free.