(Attach H.2)
Mandatory Information Security Compliance Programs
Overview
Visa, MasterCard, and most major card companies have instituted mandatory compliance programs that require merchants and others who store or transmit cardholder data on behalf of the merchant to adhere to the Payment Card Industry (PCI) Data Security Standards. These standards are internationally recognized best practices for cardholder data security and are intended to ensure that cardholder data is appropriately protected at all points within the course of a transaction. For example, many e-commerce merchants use a gateway and a shopping cart, and some merchants may outsource fulfillment services or customer service functions. Any of these entities that store or transmit cardholder data must ensure that this cardholder data is protected in a manner that is consistent with the PCI Data Protection Standards. These security standards apply to merchants that accept cards in physical stores (card-present transactions) as well as those that maintain a web site or accept payment where the card is not physically presented (card-not-present transactions). Wells Fargo requires all of its merchants and their service providers to comply with the PCI Data Protection Standards and the Visa and MasterCard Information Security Programs. Although Visa's program, "Cardholder Information Security Program (CISP)," and MasterCard's program, "Site Data Protection," are based on the PCI Data Security Standards, each association maintains its own compliance program and reserves the right to take independent action for non-compliance with these standards. Protecting cardholder data is the right thing to do. Protecting cardholders also protects merchants against fraud committed with illegally obtained cardholder data, as well as against fines that may be levied by Visa or MasterCard for not properly protecting cardholder data.
Payment Card Industry (PCI) Data Security Standard Compliance Requirements
Annual Self-Assessment and Quarterly System Perimeter Scan
Most merchants are only required to complete an Annual Self-Assessment to measure compliance with the PCI Data Security Standards and to perform a Quarterly System Perimeter Scan by a Visa/MasterCard certified vendor. Larger merchants (with over 6 million Visa or MasterCard transactions annually) will be contacted individually by Wells Fargo to discuss requirements that apply specifically to them.
1. Annual Self-Assessment
The Annual Self-Assessment is designed to ensure that merchants have considered and addressed the most critical aspects of protecting cardholder data. The PCI Self-Assessment Questionnaire may be downloaded from the Visa CISP website. Note: Generally, Wells Fargo, Visa, and MasterCard do not require that you submit the completed annual PCI Self-Assessment Questionnaire to them. However, it is recommended that you include the Annual Self-Assessment as part of your company's ongoing audit process and retain a record of having performed the Assessment and of addressing areas that need improvement. In the event that cardholder data is possibly compromised, Wells Fargo will require that you provide evidence of Annual Self-Assessments as well as the results of all System Perimeter Scans.
Page 1 of 4
Payment Application Best Practices
Below is a list of 13 basic security requirements with which all Visa and MasterCard payment system constituents need to comply. These requirements, as well as the detailed criteria and requirements, are covered in more detail in the merchant Self-Assessment tool.
1. Do not retain full magnetic stripe or CVV2 data. PIN blocks must never be retained
Application must not store full magnetic stripe or CVV2 data after authorization is complete. Specifically, subsequent to authorization, service codes, discretionary data/CVV, and Visa reserved values must be removed; however, account number, expiration date, and name may be extracted and retained. PIN blocks must never be retained, even if encrypted, after verification of a transaction. This includes no storage in databases, flat files, logs, etc. Consider all possible locations for potential data storage.
2. Protect stored data
Application should purge cardholder data temporarily stored by the application during processing. Stored cardholder data, specifically account numbers, should be encrypted with strong encryption such as Triple-DES or AES (this applies anywhere cardholder data is stored, even outside the payment application). Protect encryption keys.
3. Provide secure password features
Application should require a username and complex password for all administrative access and access to cardholder data. PCs or servers with payment applications should require a username and complex password for access. Encrypt application passwords.
4. Log application activity
Application should be configured to log all cardholder data user access activities, and tie those activities to a unique individual or system.
5. Develop secure applications
Applications should be developed with secure coding techniques based on OWASP guidelines. All system development processes should include security.
6. Protect wireless transmissions
If wireless technology is used within the payment environment, it should be implemented securely. Wireless transmissions of cardholder data should be encrypted, over both public and private networks.
7. Test applications to address vulnerabilities
Software vendors should have processes in place to identify security exploits, to test their applications for vulnerabilities, and to develop timely security patches and upgrades.
8. Facilitate secure network implementation
The application should not hinder merchants' ability to implement it into a secure network environment. The application should not interfere with use of network address translation (NAT), port address translation (PAT), traffic filtering network devices, antivirus protection or encryption.
9. Cardholder data must never be stored on a server connected to the Internet
The application should not require that the database server and web server be on the same server, or in the DMZ with the web server.
10. Facilitate secure remote software updates
If software updates are delivered via remote access into merchants' systems, software vendors should tell merchants to turn on the modem only when needed for downloads from the vendor, and to turn it off immediately after the download completes. Alternatively, if delivered via VPN or other high-speed connection, software vendors should advise merchants to properly configure a personal or network firewall product to secure "always-on" connections.
11. Facilitate secure remote access to application
For Level 1 (processes more than 6 million transactions annually) and Level 2 (processes between 500,000 and 6 million eCommerce transactions annually) Merchants, if employees, administrators or vendors can access the application remotely, access should be authenticated using a 2-factor authentication mechanism. The application should allow for technologies such as RADIUS or TACACS with hardware tokens. For Level 3 Merchants, if employees, administrators or vendors can access the application remotely, security features of remote access software (e.g., pcAnywhere) should be enabled. Features like usernames with complex passwords, password protection for dial-in and dial-out files, automatic log off when the call is completed, encrypting session traffic, limiting logon attempts, and logging failed attempts are available in most remote access software, but are not enabled by default.
12. Encrypt sensitive traffic over public networks
Use encryption techniques (such as Secure Socket Layer - SSL) when transmitting sensitive data over the Internet.
13. Encrypt internal administrative access
Internal administrative access to the application or related server should be encrypted via technologies such as Transport Layer Security (TLS), Secure Shell (SSH) or Secure Socket Layer (SSL). Telnet or logins must never be used for administration.
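The retention rule in requirements 1 and 2 (keep only account number, expiration date and name after authorization; drop service code, discretionary data, CVV2 and PIN block everywhere, logs included) as a small Python sanitizer. This is an added example, not part of the Wells Fargo document or any payment application's code; the track layouts follow the ISO/IEC 7813 track 1 (format B) and track 2 formats, and the field names and the sample track data are constructed assumptions.

```python
import re

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2:            ;<PAN>=<YYMM><service code><discretionary>?
_TRACK1 = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})"
    r"(?P<svc>\d{3})(?P<disc>[^?]*)\?$")
_TRACK2 = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")

# Field names (assumed) that may never be persisted once authorization is done.
FORBIDDEN_AFTER_AUTH = ("track1", "track2", "cvv2", "pin_block",
                        "service_code", "discretionary")


def retainable_fields(track1=None, track2=None):
    """Extract only PAN, expiry and name; service code and discretionary
    data are matched so the input is validated, but never returned."""
    out = {}
    if track2:
        m = _TRACK2.match(track2)
        if not m:
            raise ValueError("malformed track 2 data")
        out["pan"], out["exp"] = m["pan"], m["exp"]
    if track1:
        m = _TRACK1.match(track1)
        if not m:
            raise ValueError("malformed track 1 data")
        out["pan"], out["exp"] = m["pan"], m["exp"]
        out["name"] = m["name"].strip()
    return out


def post_auth_record(auth_request):
    """Build the record that may be written to storage after authorization.
    Everything not copied here (track data, CVV2, PIN block) is discarded."""
    record = retainable_fields(auth_request.get("track1"),
                               auth_request.get("track2"))
    record["auth_code"] = auth_request.get("auth_code")
    record["amount"] = auth_request["amount"]
    return record


def storage_violations(record):
    """Guard to run before any write (database, flat file, log): returns the
    forbidden fields still present, so an empty list means safe to store."""
    return [k for k in FORBIDDEN_AFTER_AUTH if k in record]


if __name__ == "__main__":
    # Constructed sample swipe; the PAN is a well-known test number.
    req = {"track2": ";4111111111111111=25121011234567890?", "cvv2": "123",
           "pin_block": "0123456789ABCDEF", "amount": "10.00", "auth_code": "A1B2C3"}
    print(storage_violations(req), storage_violations(post_auth_record(req)))
```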
2. Quarterly System Perimeter Scan
In order to be certified as compliant and/or to maintain compliant status, merchants/service providers must, on a quarterly basis, complete a perimeter scan by a security assessor approved by Visa and MasterCard without the identification of a Level 3, 4, or 5 vulnerability. The system perimeter scan must be performed on a merchant's external-facing IP addresses. A list of Visa qualified CISP scan vendors may be downloaded from the Visa CISP website.
3. Network Scanning Tools
Network scanning tools provide a real-time snapshot of a web site to help find vulnerabilities and recommend improvements. The report generated will help determine if the online merchant or Member Service Provider is in compliance with the MasterCard Security Standard. Participants can also use the scanning tools of any alternative vendor compliant with the MasterCard Security Standard Applicable to Vendors.
4. Next Steps
It is important for merchants to become compliant with Visa and MasterCard information security programs as soon as possible. Below is a list of steps to get started:
Identify the appropriate individuals in your organization. This is critical to ensure that cardholder data is protected. Be sure to include:
o Chief Technology Officer
o Human Resource Executive
o Procurement Officer (someone who outsources functions that require access to cardholder data)
o Service Providers such as gateways and shopping carts
Complete Visa/MasterCard approved PCI Data Security Standard Self-Assessment questionnaires. Be sure that the appropriate areas in your organization contribute to the assessment of your cardholder data protection practices. Add the annual Self-Assessments to your internal audit program.
Institutionalize information security! Make sure that your organization has an Information Security Policy and that employees observe it.
Engage a qualified vendor to perform the required Network/Perimeter Scans. Look for a vendor that is qualified by both Visa and MasterCard. Complete the quarterly Scans and immediately address any significant deficiencies.
Retain a record of all Self-Assessments, Scan results, and follow-up activities. Be prepared to provide these documents to Wells Fargo upon request.
Fines and Penalties
The following fines, penalties or assessments may be imposed upon merchants that do not comply with PCI Data Security Standards or Visa's Cardholder Information Security Program (CISP) or MasterCard's Secure Data Protection program (SDP). Other card companies may also impose penalties. Failure to comply with these standards and/or programs may also result in a violation of applicable federal or state law.
Visa
Fines for Non-Compliance with CISP
1st Violation in a rolling 12-month period — $50,000 USD
2nd Violation in a rolling 12-month period — $100,000 USD
3rd Violation in a rolling 12-month period — Discretion of Visa USA
MasterCard
Fines for Non-Compliance with SDP
1st — Warning letter with a specified correction date and assessment of up to 2,000 USD
2nd Violation in a rolling 12-month period — up to $2,000 USD
3rd Violation in a rolling 12-month period — up to $25,000 USD or merchant termination or both
Compromised Merchant Liabilities
If a merchant is compromised, it may be subject to the following liabilities in addition to the fines associated with non-compliance:
All fraud losses perpetrated using the account numbers associated with the compromise (from date of compromise forward)
Cost of re-issuance of cards associated with the compromise (approximately $50 per card)
Any additional fraud prevention/detection costs incurred by credit card issuers associated with the compromise (i.e. additional monitoring of systems for fraudulent activity)