3. Agrees to the transfer of 27,000 revenue budget from Finance to HR, IT and Customer Services.


Report of Head of HR, IT & Customer Services
Author: David Cooke Tel:
Cabinet Member responsible: Councillor Rodney Mann Tel:
To: CABINET
DATE: 2 July 2009
AGENDA ITEM NO 10

Recommendations
That Cabinet:
1. waives the requirement for a competitive tendering process for the procurement of a PCI DSS compliant card payments system, in accordance with paragraph 64 of the council's contracts procedure rules
2. approves the purchase and implementation of the Civica AuthorityICON hosted card payments system (option three as described in Annex 2) in order to meet the requirements of the payment card industry data security standards (PCI DSS), at a revenue cost of £92,752 over three years as detailed in Annex 1
3. Agrees to the transfer of £27,000 revenue budget from Finance to HR, IT and Customer Services.

PURPOSE OF REPORT
4. This report addresses the issue of compliance with the mandatory payment card industry data security standards (PCI DSS) and the actions the council needs to take to meet these requirements.
5. The report seeks Cabinet's approval to purchase and implement the option recommended.

BACKGROUND

What is PCI DSS?
6. The payment card industry data security standards (PCI DSS) are technical and operational requirements created to help organisations that process card payments prevent credit card fraud and various other security threats. The standards apply to all organisations that store, process or transmit cardholder data.

Implications for the council
7. The council processes credit and debit card payments in person, over the telephone and via the website, for the purposes of collecting council tax and payment for resident and business services such as the garden waste scheme, Hackney Carriage licensing, bulky waste collection etc. Our current software is not PCI DSS compliant. Non-compliance leaves the council vulnerable to credit card fraud, hacking and various other security threats. Non-compliance also puts the council at risk of losing the ability to process card payments, and of being audited and/or fined. Banks will also cease to take card payments from the council if it is non-compliant.
8. In order to achieve compliance with the mandatory PCI standards it will be necessary to upgrade or replace the current system. This will provide a more secure card payments service and additional features for customers such as Chip & Pin.

OPTION EVALUATION
9. The business improvement team and Finance have analysed five options for becoming compliant with the PCI DSS, ranging from upgrades to our existing system to a procurement process for a new system. This analysis appears as Annex 2 to this report.
10. The option evaluation concluded that option three (Civica hosted solution) offered the most cost effective solution, with three year costs being approximately £18,000 less than the closest equivalent quote from Capita. Civica's position as current supplier of card payments software to the council also mitigates a number of risks associated with the implementation.
11. This report proposes that we enter into a three year contract.
This gives the council time to evaluate future options for efficiencies through harmonisation with Vale of White Horse District Council, without being tied to a longer term contract. It also leaves open the possibility of changing systems as part of a new financial services contract which could begin in
12. The option to cease handling card payments completely was also discussed, but it was agreed that this was a valuable service for customers; ceasing to offer it would not be in line with the council's goal of providing excellent service, and would also place the council at greater risk of not being able (or taking more effort) to collect payment from residents and businesses.
13. We have discussed the recommended option with Capita, which is content with the proposal.

14. The options have been explored fully in Annex 2. Our recommended option offers better value than the alternatives, with the advantage that the council will maintain a relationship with the current supplier. As we will be operating an upgraded version of the current software, we will reduce risks in the migration and remove the need for additional training for the council and Capita customer services staff.

FINANCIAL IMPLICATIONS
We already have funding provision for the full cost of the implementation. This includes £54,220 in 2009/10 and £27,220 in each of the two subsequent years. The budget comes from two sources: an unavoidable recurring growth bid submitted by HR, IT & Customer Services in 2009/10 for £27,220, which will cover half of the first year one-off revenue costs and the annual revenue costs in the following years; and a separate £27,000 one-off revenue budget requested by Finance in 2008/09, which will be used to pay the remainder of the first year one-off revenue costs. This was not spent in 2008/09 and has been carried forward to 2009/10. Cabinet is now asked to agree to transfer this amount from Finance to HR, IT and Customer Services, who will be managing the process.

RISKS
The risks associated with not procuring a PCI DSS compliant card payments system are:
An increased level of exposure to credit card fraud, hacking and theft of personal financial information
The council being audited and/or fined for being non-compliant
That banks will refuse to take card payments from the council if it is not compliant, thereby resulting in the council being unable to take any public card payments
By procuring the Civica AuthorityICON hosted card payments system, the council mitigates the majority of risks associated with card payments and PCI DSS in the most cost effective way.

LEGAL IMPLICATIONS
15. The cost of the agreement would be £92,752 over three years, which is under the EU threshold of £139,893 for procuring services.
Under normal circumstances, and in accordance with the council's Contract Procedure Rules, contracts exceeding the threshold of £50,000 would undergo a tender process; however, under contracts procedure rule 64 Cabinet can agree an exemption to this.
16. The business improvement team, along with the Head of HR, IT and Customer Services and the Head of Finance, considered the possibility of going through a tender process. They are agreed that this option would delay the achievement of PCI DSS compliance, as the required time for a tender procurement process is approximately three months. They are also of the view that quotes from both Capita and Civica would increase by going through a full tender process. A procurement exercise may also lead to the possibility of selecting a solution that is more complex to integrate with existing systems and contractors.

17. The reason for seeking Cabinet's approval for an exemption is that we wish to reduce the risk currently faced by the council. While the council is not compliant with the regulations it is at risk of penalties and of suspension of the card payment facilities, as noted in paragraph 6 above. Awarding a contract to Civica without going through a tender process places the council at risk of being challenged and/or receiving an adverse internal/external audit report. The risk may be considered to be lessened if a conclusion is reached that there are reasons for not going through the tender process that are exceptional (as per paragraph 64 of the council's Contract Procedure Rules).

RECOMMENDATIONS
18. That Cabinet waives the requirement for a competitive tendering process in accordance with paragraph 64 of the council's contracts procedure rules.
19. That Cabinet approves the purchase and implementation of the Civica AuthorityICON hosted card payments system (option three) in order to meet the requirements of the payment card industry data security standards (PCI DSS), at a revenue cost of £92,752 over three years as detailed in Annex 1.
20. Agrees to the transfer of £27,000 revenue budget from Finance to HR, IT and Customer Services.

LIST OF ANNEXES
1. Financial analysis
2. PCI DSS options analysis (including five year solution quotes)
3. Pros and Cons
4. Cost breakdown of the four options

ANNEX 1 FINANCIAL ANALYSIS OF PREFERRED SOLUTION

Quoted costs: 3 year hosted card payments
Transaction fees: 50,000 transactions per annum
Merchant registration
No bank testing required
Delivery channels:
  Distribution (link to Civica and banks)
  Telephone payments
  Internet payments
  Link to Verdant for brown bin payments
  Link to Government Planning portal
Security Release:
  Implementation of Chip & Pin
  Chip & Pin device
  Private broadband link for Chip & Pin
Workstation, reporting and distribution modules currently paid for by the council
One-off and annual revenue amounts per item (column alignment not recoverable): 7,200 1,200 1,000 1,600 3,000 1, , , ,834 5,910 3,152 1, ,500 4,800 0

Totals
Year 2009/10: revenue £21,880 (1), one-off £27,112, total £48,992
Year 2010/11: revenue £21,880
Year 2011/12: revenue £21,880
Total 3 year costs: £92,752

Available budget
HR, IT & Customer Services unavoidable growth bid 2009/10 = £27,220 (revenue)
Finance revenue budget request = £27,000 (one-off)

                     2009/10   2010/11   2011/12
Revenue budget       27,220    27,220    27,220
One-off budget       27,000    -         -
Total budget         54,220    27,220    27,220
Revenue costs        21,880    21,880    21,880
One-off costs        27,112    -         -
Total costs          48,992    21,880    21,880
Unallocated budget    5,228     5,340     5,340

(1) The 2009/10 annual revenue will be less than quoted as it will be required over only part of the year, pro rata. It is not possible to set a figure for this until the procurement is authorised and a project start date can be agreed with the provider.

ANNEX 2 PCI DSS OPTIONS ANALYSIS

BACKGROUND AND PURPOSE
The Payment Card Industry Security Standards Council (Visa, Mastercard, American Express, Discover card, and Japan Credit Bureau) introduced the payment card industry security standards in September 2006 (updated to v1.2 in October 2008), and the deadlines for validating compliance with the PCI DSS have already passed. These standards require prompt compliance from the council, or we risk compromising customer card data and refusal by banks to process our payments from customers. A number of companies, including our current payment software provider, offer services to ensure full compliance with these new standards. The aim of this document is to set out and clarify the costs, risks and benefits of the options available to the council in implementing a PCI DSS compliant solution. This paper will recommend the best solution available.

CURRENT SYSTEM
The current system is run jointly, with Capita maintaining the ICON Cash Receipting system and providing staffing as part of the financial contract, and the council paying for three additional modules relating to e-payments, telephone payments and web accessibility. We pay approximately £10,000 annually for the modules directly to Civica (the supplier of the ICON software). Capita pay approximately £4,000 to Civica for the core system, which is incorporated into the financial services contract. This means that we pay £14,000 annually for the software, and in addition to this there is an annual bank charge on transactions which is roughly £40,000.

NEXT STEPS AND OPTIONS
There are five options currently available to the council. These vary in cost, resource requirements and a number of other implications, as now detailed.

1. Upgraded Civica solution hosted at the council, provided by Capita
Upgrading our current system resolves the issue of the software storing sensitive card details un-encrypted and suppresses the unnecessary storage of sensitive card details.
As Capita is involved in providing the service using the Civica software, it has provided an additional estimate of its own costs to the council for this option. The costs include additional security measures, project costs, training, testing, documentation, and Self Assessment Questionnaire completion (2). This will involve completing SAQ C (38 questions) and SAQ D (228 questions) (3). Whilst the council and Civica may be able to pick up some of these costs by managing the tasks themselves, it would still leave additional costs from Capita. For details on the estimated upgrade costs to the council and the additional costs quoted by Capita, please see Annex 4.

(2) The PCI Data Security Standard Self-Assessment Questionnaire is a validation tool intended to assist service providers in self-evaluating their compliance with the Payment Card Industry Data Security Standard (PCI DSS). There are multiple versions of the PCI DSS SAQ to meet various scenarios.

2. Upgrade current software and implement a Civica hosted card authorisation setup
This will assist with PCI compliance as all card details will be removed from the council's premises. We will still need to invest in the upgrades to the current Civica software as shown in Option 1. We will be responsible for any compliance issues not solved by this option. These will include completing SAQ C (38 questions) and SAQ D (228 questions). We will still have to pay the current annual rate on top of this quoted annual rate. Please see Annex 4.

3. Fully hosted Civica service
Civica would be responsible for the security of the payment card data. None of this information would go through council servers. The council should only be required to complete SAQ C (38 questions). Please see Annex 4.

4. Fully hosted Capita service
Capita would be responsible for the security of the payment card data. None of this information would go through council servers. The council should only be required to complete SAQ C (38 questions). Please see Annex 4.

5. Procurement of a fully hosted service
This option involves a formal procurement process, which would allow other suppliers to bid for this opportunity. This would be similar to options 3 and 4.

OPTION EVALUATION

1. Upgraded Civica solution hosted at the council and provided by Capita
This solution would also extend a complicated set of contract agreements between Capita, Civica and the council.

RESOURCE IMPLICATIONS
Despite having an experienced internal development team and a skilled support team, this option is likely to cost significant internal resource and effort.
Software compliance requirements would need to be internally tested on a regular basis in order to satisfy banks. Network security would need to be strengthened on top of current Gov Connect requirements. This would involve additional resources as well as capital investment for the initial setup and high ongoing revenue costs to maintain compliance levels. Aside from software implications, the council would need to make improvements to physical security wherever card holder data is stored on the network (secure room, internal security systems etc). This would increase both capital and revenue costs well beyond those required to update the software on its own. Detailed project management would also be required in order to ensure the implementation is successful and compliant. This would be internally resourced unless there is sufficient budget to bring in a project manager with experience of PCI DSS compliant implementations.

(3) Whilst this is referred to as a questionnaire, it is actually a list of 228 individual requirements relating to network and physical security.

CUSTOMER IMPLICATIONS
In order to maintain a good customer experience, resources would be required on a regular basis to provide updates and support. Failure of any internally developed customer facing system would need priority support from the business support team, which may have an adverse impact on other services they provide. Not providing such a high priority support framework would have a negative impact on the customer experience, and would directly affect satisfaction with the council as a service provider to the public. Protection of physical data storage systems from theft or damage would also be a high priority and high cost. Any failure in this area would result in damage to the image of the council, and potential legal action. These factors present extremely high risks for this option.

BUDGET IMPLICATIONS
Upgrading of the current software is relatively cheap, but there are many costs associated with the council taking responsibility for PCI DSS compliance by itself. Additional security requirements for the software and within the council offices would bring the budget for this option to roughly the same amount as the other three options.
On top of this, Capita would want to take responsibility for certain areas because they have their own PCI DSS requirements, and their quoted costs for these additional services (monitoring, security, protection) would result in far greater first year and revenue costs, making this the highest three year total cost of any of the options available to us.

ADDITIONAL IMPLICATIONS
This option has already been discussed with Capita, and they believe it to be a very high risk choice. Choosing this option will require a lot of work on their part as well as from council staff, and is likely to have a negative effect on the relationship between Capita and the council.

2. Upgrade current software and implement a Civica hosted card authorisation setup

RESOURCE IMPLICATIONS
Taking the card authorisations process off site would remove a large portion of SAQ responsibility from the council. However, it would require almost as much ongoing internal support and development resource as option 1 to maintain the current functions available to the public. The council would still be required to complete SAQ C, but may avoid having to complete the full questionnaire due to Civica holding the payment information on its own secured servers. There are likely to be future software implications for this option as it may become outdated and require increased development and support in order to maintain compliance. The software currently provided by Civica is no longer being developed as extensively, and they are now rolling out a newer software suite which provides additional functionality (which is option 3).

CUSTOMER IMPLICATIONS
Customer experience with this option is likely to be maintained successfully in the short term. Payments staff are already familiar with the software they would be using, and customers would receive the same services they have been offered in the past. However, as this software is no longer a priority for development, it is unlikely we will see any additional functionality such as Chip & Pin devices being provided for the system. Whilst this may not be a concern now, with technology and payment habits continually developing, selecting a payments system which is unable to keep up with future developments (without additional development costs) may have an adverse effect on the customer experience. If we cannot offer payment types that are efficient and trusted by the public during a time when public confidence in the government relating to data security is low, it may also have an impact on the image of the Council.

BUDGET IMPLICATIONS
This solution has a higher revenue cost than either of the two fully hosted solutions, and would still require an extensive level of project management in order to be successfully implemented. The three year cost implications for this option are the lowest in financial terms despite the higher revenue costs. There may well be additional hidden costs associated with this option. These would predominantly be related to any extra costs quoted by Capita for continuing to provide their side of the service.

ADDITIONAL IMPLICATIONS
As with the first option, Capita is unlikely to support this compliance solution and may provide additional costs to fulfil their own compliance requirements for this option. From their own business perspective it would continue a business relationship with a competitor in the PCI DSS solutions market.

3. Fully hosted Civica service

RESOURCE IMPLICATIONS
As a fully hosted solution offered by a supplier, there are likely to be minimal project management requirements compared with the first two options. There may be training implications for staff that use the current payments software, but these are also included in the budget, so this would be a time resource requirement rather than a budgetary implication. Internal resource may be required from our IT development team to alter the set of web-forms used in our current payments system, although this may not be a significant change from those currently being used as this option is from the same provider we currently use. The new software uses a generic XML format, which is a widely used format in web document processing. With their familiarity with our current software, and the experience of our in-house development team, this option is likely to require minimal internal resource, and where it is required, the risks relating to the development would be low due to the strength of our existing IT knowledge base. Civica also give customers more flexibility to make custom changes to their software at no additional cost, which better suits the council's requirements.

CUSTOMER IMPLICATIONS
One of the risks of this option is that customer experience may be affected during the changeover from old to new systems. This risk should be successfully managed through good project management, aided by our familiarity with the previous software used by the provider. With the introduction of new software, there will be potential future benefits for customers in the form of added functionality, with full development and upgrade support from the supplier. Following the implementation the customer will have additional tools for payment such as Chip & Pin devices. These visible improvements will help to maintain customer confidence in data security management. By transferring the responsibility for transactions to a third party supplier, we would be removing a serious risk to the council.

BUDGET IMPLICATIONS
Whilst the revenue costs are £1,600 higher than those in option 4, the Civica hosted solution is the cheaper of the two hosted solutions currently available over a three year period and for the first year, with the three year total being approximately £18,000 less than that quoted for option 4. Civica have also quoted a fixed annual transaction charge, which would allow us to budget more easily for the ongoing costs associated with the solution. This is in addition to the annual bank charges of approximately £40,000 we already pay. The setup of a third party system (such as parking penalty systems) is also included in this quote. This allows us to integrate one system with the payments system during the implementation, utilising the project management from Civica that has already been included in the quote, rather than having to pay additional charges later on.

ADDITIONAL IMPLICATIONS
Whilst this system is slightly more expensive than option 2, there are additional benefits to be gained.
The new software from Civica is designed specifically with future-proof PCI DSS compliance in mind, rather than simply being updated for compliance as with the option 2 software. This software will benefit from priority development from Civica, and will therefore provide increased functionality and possible additional functionality as needed.

4. Fully hosted Capita service

RESOURCE IMPLICATIONS
As a fully hosted solution offered by a supplier, there are likely to be minimal project management requirements compared with the first two options. There may be training implications for staff who use the current payments software, but these are also included in the budget, so this would be a time resource requirement rather than a budgetary implication. Internal resource may be required from our IT Development team to alter the set of web-forms used in our current payments system. As the software provided by Capita is different to the current software provided by Civica, it is likely that any alterations will be slightly more complex, and require more internal resource. Future development of the software by the council may also require additional costs from Capita.

CUSTOMER IMPLICATIONS
The customer implications are identical to those in option 3.

BUDGET IMPLICATIONS
As mentioned in the budget implications for option 3, the revenue costs for this option are £1,600 less than the Civica quote, but the Capita hosted solution is the more expensive of the two hosted solutions over a three year period and for the first year, with the three year total being approximately £18,000 more than that of the Civica quote. The first year costs are approximately £22,000 more expensive than those in the Civica quote. Capita have been unable to provide us with a fixed annual transaction charge, instead providing us with per transaction charges and percentages for debit cards and credit cards respectively. This means that these charges will vary each year and will make it more difficult to budget our ongoing costs. As with the Civica solution, we will still need to pay the annual bank charges of approximately £40,000 we already pay. Capita have not included bank testing in their quote, and this could potentially add a further £10,000 to their first year costs. The quote does not include a module for connecting to third-party applications. This software would come at extra cost, both in licence fees and in project management and development costs.

5. Full procurement process for hosted system
The implications for this option are essentially the same as those in options 3 and 4; however, there would be very few benefits in doing this. It is possible that the quotes from both Capita and Civica would increase by going through a full tender process, whilst at the moment we have been given favourable quotes due to our close business relationships through the current card payments system. This option would also significantly delay the achievement of PCI DSS compliance, as there are strict guidelines for the time-frame of a full procurement process (the required time for a full procurement process is approximately three months).
A procurement exercise would also lead to the possibility of selecting a solution that is more complex to integrate with existing systems and contractors.

SUMMARY OF OPTIONS

Criteria for decision
The solution must be able to reduce the security risks associated with payment card data and provide up-to-date developments and functionality to support any changing payment habits of the public. The solution should not be resource intensive for the council, as resources are currently focused on long term efficiency saving projects such as Fit for the Future, and development of harmonised systems with Vale of the White Horse Council. The solution needs to be good value for money, offering a customisable and future-proof service to customers, whilst at the same time being low in revenue and capital costs.

Cost analysis
A full cost analysis appears in Annex 4.

Matching options against criteria
A full analysis of pros and cons for each option appears in Annex 3. This is summarised below:
Option 1 is high cost and has high resource implications, so is the least favoured option.
Option 2 is cheaper, but is likely to have hidden revenue costs. It also has similar resource implications to option 1, so overall is not an ideal option.
Option 4 is high cost and could have additional hidden costs, and it provides limited potential future benefits to the council and the public, so again this is not the best option.
Option 5 could potentially result in higher costs, but is also likely to delay implementation of a compliant payments system by a minimum of three months, as well as adding undesirable complexity.
Option 3 manages all of the risks associated with PCI DSS compliance at a competitive price, without consuming a large amount of staff resources. It provides all of the required functions plus some additional features that may be useful in future, such as potential integration with other council systems. Therefore we recommend that the council chooses this option.

RECOMMENDATION
Cabinet is requested to approve the purchase and implementation of the Civica AuthorityICON hosted card payments system (option three) in order to meet the requirements of the payment card industry data security standards (PCI DSS), at a revenue cost of £92,752 over three years as detailed in Annex 1.

ANNEX 3 - PROS AND CONS

Upgrade of current system (option 1)
Pros
The council would retain a high level of control in future developments within PCI DSS as to whether we wish to outsource or maintain the service ourselves
Cons
Higher costs than any of the other options
Would require a lengthy review of data security and processes
Would require the full completion of the Self Assessment Questionnaire
Would require significant internal resources and project management
Timescale may require as much as three months to make the required changes to council processes
Capita processes our card payments and has its own compliance programme, and our relationship with them may suffer if we do not work with them to achieve it
This is not the preferred option for them; should we decide to work with Civica software and a Capita customer service, they would incur additional costs and changes

Civica hosted card authorisations (option 2)
Pros
Cheapest three year costs and first year costs
No need for re-training of Capita staff
Software would be exactly the same as currently provided
Civica provide our current card payments system and have provided good service in the past
Cons
Higher revenue cost than the Capita hosted solution
There are likely to be hidden revenue costs relating to this implementation and the ongoing support for the system
No Chip and Pin facility
Software may become outdated after a while and future-proofing may be more difficult, particularly if PCI DSS changes in future
Increased responsibility for SAQ completion
Limited scope for added functionality in future, as the system will no longer be the primary payments software package of Civica
Hosted solutions have the advantage of higher security, which may allow us to reduce our bank charges; this option is unlikely to do so
Project management not included in the quote
Keeping this system will mean that Capita are still responsible for the core software, with South Oxfordshire District Council paying Civica directly for the additional modules
Will require considerable project management and internal development resource

Civica Hosted (option 3)
Pros
Cheaper first year costs than Capita solution
Automated telephone payments includes three concurrent lines
Does include Paylink for third party applications to be linked to the system (first application included)
Barclays full bank test included
Option for bank testing with Streamline, which would reduce first year costs (possible saving)
Quote includes project management and implementation costs
1 Chip & Pin device included
Single export file included
Civica provide our current card payments system and have provided good service in the past
Improved software with on-going development to provide better services
Options for added functionality in future if required
Transaction charges are a fixed rate of £7,200 for 50,000 transactions per year, making it easier to manage the budget
Choosing a hosted solution removes the complication of having Capita own part of the system and South Oxfordshire District Council own another
Cons
Higher revenue costs than Capita solution
Staff may require retraining for new software
BIS development team may need to re-write any customised web forms to accommodate the new software

Capita Hosted (option 4)
Pros
Lower revenue costs than Civica solution
Quote includes project management and implementation costs
1 Chip & Pin device included
Capita has a well established relationship with South Oxfordshire District Council in other areas, with experience of our practices and requirements
Cheapest hosted solution
Touchtone system includes four lines
Improved software with on-going development to provide better services
Options for added functionality in future if required
Choosing a hosted solution removes the complication of having Capita own part of the system and South Oxfordshire District Council own another
Cons
Higher initial costs than Civica solution
Staff may require retraining for new software
BIS development team may need to re-write any customised web forms to accommodate the new software
Does not include a module for taking payments from third-party applications
Replication of current Civica exports is not included
Price does not include bank testing
Transaction fees cannot be predicted as they are charged on an individual basis for credit cards and debit cards
Bank charges included in transaction charges, which would make it more difficult to renegotiate them in future

Procurement of a fully hosted service (option 5)

Pros
- An open invitation may result in tenders being submitted by other companies, giving the council more choice

Cons
- Would significantly delay PCI DSS compliance for SODC (approximately three months)
- Is not a preferred path for Capita or Civica
- May result in higher quotes for all options
- If a new supplier is appointed, potentially more complex to integrate the new approach with current systems

ANNEX 4 COST BREAKDOWN

The table below provides a condensed view of the three year quoted costs relating to each of the four options (the fifth option of a procurement process has not been included in this table as the costs are not known). Amounts are as quoted, excluding VAT.

Option 1: Upgrade of current system
- Upgrade CommsXL software: 985 (one-off)
- Upgrade to latest version of ICON: 3, (approximately; remaining digits not legible)
- BestCrypt software: amount not legible
- Total software upgrade cost: 5,175 (excl VAT & expenses)
- Capita implementation costs (costing estimate with maximum internal resource dedicated by the council): 74,910 (one-off)
- Security & monitoring: 29,211 (per annum)
- Training: 800 (per annum)
- SAQ D: 2,000 (per annum)
- Balance uploads: 5,785 (per annum)

Option 2: Hosted Civica card authorisation
- 3D Secure MPI registration: 600
- Merchant registration (2 merchant numbers): 1,200
- Bank testing and implementation: 1,000
- 3D Secure, CSC & AVS: 3,940
- Transaction charge (up to 50,000 transactions per annum): 8,200
- Current licence fee (Workstation, Distribution and Corporate Reporting modules): 14,000 (per annum)
- Upgrade CommXL software: 985
- Upgrade to latest version of ICON: 3, (remaining digits not legible)
- Bestcrypt software: amount not legible

Option 3: Fully hosted Civica
- WebPay: CP & CNP cards, cash & end of day; account information; payment tracking and refunds
- Automated telephone payments
- Paylink (3rd party integration): web services integration to third parties, licence for card authorisation (CNP), first application included
- Planning Portal
- Security: Chip & Pin, 3D Secure, CSC and AVS, including 1 Chip and Pin device: 2,080 (one-off)
- Release distribution: single import/export file from the hosted service: 8,652 (one-off)
- Transaction charge (up to 50,000 transactions per annum): 7,200 (per annum)
- Current licence fee (Workstation, Distribution and Corporate Reporting modules)
- Other amounts quoted against the items above (item pairing not legible): 3,000; 5,910; 1,600; 5,834; 1,600; 3,…; …,576; 1,…; 4,000; 1,925; 1,200

Option 4: Fully hosted Capita
- Paye.net: call centre type software for taking payments, either CP or CNP (does not include the third-party module below): 3,750
- Module allowing 3rd party applications to connect in order to take payments: not included in quote
- AXIS Touch Tone Payment portal: 1,224
- AXIS Planning Portal: links to the Government Planning Portal and allows payments to be taken: 150
- Income Management
- Internet Payments
- APACS
- Chip and Pin device
- Service setup cost
- Maintenance
- Transaction charge: rough estimate from Capita
- Other amounts quoted against the items above (item pairing not legible): 1,…; …,800; 12,573; 7,…

Summary of quoted costs

Option                                   Per annum   One-off   Total first year   Three year total
1  Upgrade of current system             37,796      85,260    123,056            198,648
2  Hosted Civica card authorisation      23,200      10,915     34,115             80,515
3  Fully hosted Civica                   21,880      27,112     48,992             92,752
4  Fully hosted Capita                   20,273      49,959     70,232            110,778

Total first year is the per annum subtotal plus the one-off subtotal; the three year total is the first year plus two further years of the per annum subtotal.


More information

How To Ensure Account Information Security

How To Ensure Account Information Security Global PCI DSS Framework Emöke Bitter Business Leader, Risk Management 26 February 2009 Agenda Introduction Merchants Service Providers Registry of Service Providers Payment Applications Resources Information

More information

Payment Card Industry Data Security Standard (PCI DSS)

Payment Card Industry Data Security Standard (PCI DSS) Payment Card Industry Data Security Standard (PCI DSS) WARNING: Your company may be in noncompliance with the Payment Card Industry Data Security Standard (PCI DSS), placing it at risk of brand damage,

More information

Payment Security Account Data Compromise (ADC)

Payment Security Account Data Compromise (ADC) Payment Security Account Data Compromise (ADC) 10 th July 2014 Michael Christodoulides & Louise Hunt All information correct at time of presentation Introductions Barclaycard has become increasingly aware

More information

Questions and Answers PCI Compliance (Updated May 23, 2014)

Questions and Answers PCI Compliance (Updated May 23, 2014) Questions and Answers PCI Compliance (Updated ) The Alberta government is working toward PCI compliance, an industry standard created by the credit card industry to improve cardholder data security. The

More information

Business Opportunity Enablement through Information Security Compliance

Business Opportunity Enablement through Information Security Compliance Level 3, 66 King Street Sydney NSW 2000 Australia Telephone +61 2 9290 4444 or 1300 922 923 Business Opportunity Enablement through Information Security Compliance Page No.1 Business Opportunity Enablement

More information

Records management in SharePoint 2010

Records management in SharePoint 2010 Records management in SharePoint 2010 Implications and issues Crown copyright 2011 You may re-use this information (excluding logos) free of charge in any format or medium, under the terms of the Open

More information

Procurement Policy Note Use of Cyber Essentials Scheme certification

Procurement Policy Note Use of Cyber Essentials Scheme certification Procurement Policy Note Use of Cyber Essentials Scheme certification Action Note 09/14 25 September 2014 Issue 1. Government is taking steps to further reduce the levels of cyber security risk in its supply

More information

Before You Swipe: Best Practices in Accepting Credit, Debit and Pre-Paid. Paid Card Payments

Before You Swipe: Best Practices in Accepting Credit, Debit and Pre-Paid. Paid Card Payments Before You Swipe: Best Practices in Accepting Credit, Debit and Pre-Paid Paid Card Payments Sean Christy, Sutherland Robyn Miller, Pro Bono Partnership of Atlanta March 22, 2012 Mission of Pro Bono Partnership

More information

How to complete the Secure Internet Site Declaration (SISD) form

How to complete the Secure Internet Site Declaration (SISD) form 1 How to complete the Secure Internet Site Declaration (SISD) form The following instructions are designed to assist you in completing the SISD form that forms part of your Merchant application. Once completed,

More information

How To Control Credit Card And Debit Card Payments In Wisconsin

How To Control Credit Card And Debit Card Payments In Wisconsin BACKGROUND State of Wisconsin agencies accepted more than 6 million credit/debit card payments annually through the following payment channels: Point of Sale (State agency location) Point of Sale (Retail-agent

More information

ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY. Processing Electronic Card Payments

ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY. Processing Electronic Card Payments ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY Processing Electronic Card Payments Introduction and Policy Aim The Payment Card Industry Data Security Standard (PCI-DSS) is a worldwide information

More information

The Science of Credit Card Processing

The Science of Credit Card Processing The Science of Credit Card Processing Page 1 Credit Card Processing How does credit card processing work? You may receive credit card payments from customers from a variety of sources. You may swipe their

More information

How To Protect Your Business From A Hacker Attack

How To Protect Your Business From A Hacker Attack Payment Card Industry Data Security Standards The payment card industry data security standard PCI DSS Visa and MasterCard have developed the Payment Card Industry Data Security Standard or PCI DSS as

More information

PCI DSS Investing wisely...

PCI DSS Investing wisely... PCI DSS Investing wisely... Hotel webinar Neira Jones Head of Payment Security Barclaycard Global Payment Acceptance 25 th July 2011 Leading the way in secure payments global payment acceptance Hotel Security

More information

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS 1. Introduction Debit and Credit Card Receipt Standards apply to the administration

More information

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 What is the PCI DSS? And what do the acronyms CISP, SDP, DSOP and DISC stand for? The PCI DSS is a set of comprehensive requirements

More information