IMPORTANT BID ADDENDUM FAILURE TO RETURN THIS BID ADDENDUM IN ACCORDANCE WITH INSTRUCTIONS MAY SUBJECT YOUR BID TO REJECTION ON THE AFFECTED ITEM(S).

Transcription

1 STATE OF NORTH CAROLINA STATE OF NORTH CAROLINA NC Department of Natural and Cultural Resources Purchasing Office IMPORTANT BID ADDENDUM FAILURE TO RETURN THIS BID ADDENDUM IN ACCORDANCE WITH INSTRUCTIONS MAY SUBJECT YOUR BID TO REJECTION ON THE AFFECTED ITEM(S). BID Number: RFP SERVICE: Merchant Services Audit ADDENDUM Number: 1 USING AGENCY: NC DEPT OF NATURAL AND CULTURAL RESOURCES PURCHASER: Cynthia Armes OPENING DATE/TIME: INSTRUCTIONS: June 22, :00 PM A. Questions and Responses: 1. Question: A.i, Are we limited to just 1 day for the security audit for each merchant? This is probably NOT enough time for SAQ-D review and scoping review. Response: Site visits are not required to be limited to one (1) day. Please provide pricing on a per day rate and an estimate of how long each site visit will take. 2. Question: A.i, Can we assume that we will be allowed additional time over the 1 day site visit for preparing the actual report/risk analysis? Response: Yes, however DNCR would like to have the gap analysis one (1) month after the site visit. 3. Question: A.ii, This requirement reference V3.1; however, V3.2 is now released. Is there a reason to not review under V3.2? Response: The merchants can be reviewed under PCI DSS Question: A.iii, Is it possible to combine site visits for the penetration tests with the on-site security audit visits? Response: It is possible, but would depend on scheduling and merchants operations. 5. Question: A.iv, How many public-facing hosts will be in scope for external scanning? Response: Less than Question: A.iv, Do you desire assistance with both external scanning and internal quarterly or only external? Addendum 1, RFP Page 1 of 9

2 Response: DNCR needs assistance with both internal and external scanning. 7. Question: Section A.v, Will the QSA be signing the AOC associated with the SAQ-D for each merchant? Response: The QSA will be assisting with completing the overall SAQ-D for DNCR (merchants will be rolled up), but will not be signing off. 8. Question: Section A.vi, Can the monthly meeting be virtual or is the QSA to be on-site? Response: Monthly meetings can be virtual. 9. Question: A.viii, Will the policy and procedure document(s) be a single document set for all merchants or a separate set for each merchant? Response: Each type of merchant (SAQ, A, B, C, D, etc.) needs a template to fill in their business process. 10. Question: Section A.ix, The training is listed as an annual event with up to 3 live web-based sessions. Will this training be provided on the same day, consecutive days, or will it be 3 distinct occurrences throughout the year? Are there different audiences for each or all the same audience? Response: These trainings will most likely occur on different days, and be presented to different audiences (merchant account owners, IT staff, directors) 11. Question: Section A.ix, Will the mechanism for employee login to training recordings be provided by the Department of Natural and Cultural Resources? Response: The login for merchant training will be provided by DNCR. 12. Question: Section A.xii, Where is the physical location to be visited for each of the sites in a. through j? Response: The physical locations are: a. NC Division of Parks 121 W Jones St., Raleigh, NC Main business office. There are multiple park sites. A representative sample will be selected for site visits, but exact locations have not been decided on at this time. b. DENR Aquarium Pine Knoll Shores 1 Roosevelt Blvd, Pine Knoll Shores, NC c. DENR Aquarium Jen Pier 7223 S Virginia Dare Trail, Nags Head, NC d. DENR Aquarium Roanoke Island 374 Airport Road, Manteo, NC e. DENR Aquarium Fort Fisher 900 Loggerhead Road, Kure Beach, NC f. DENR Zoological Park 4401 Zoo Parkway, Asheboro, NC g. Roanoke Island Festival Park Ticket Sales 1 Festival Park, Manteo, NC h. Roanoke Island Festival Park Museum Store 1 Festival Park, Manteo, NC i. NC Department of Cultural Resources 109 East Jones Street, Raleigh, NC j. DCR AH HPS Book sale 120 W Lane Street, Raleigh, NC Question: Section A.i, Page 11, The PCI-SSC typically equates an on-site assessment to that of a Report on Compliance. What is the NCDNCR interpretation of an on-site assessment? Is this intended to be a Full Report of Compliance for each merchant, a SAQ for each merchant, or a consolidated RoC/SAQ? Response: DNCR equates an on-site assessment to that of a PCI DSS gap analysis. Addendum 1, RFP Page 2 of 9

3 Each merchant will complete their own SAQ, but DNCR will roll up these into one SAQ D. Each merchant that has an on-site visit will need a detailed PCI DSS gap analysis to determine any remediation items. 14. Question: Section A.i, Page 11, In this section you mention that complex merchants will need a full day for the on-site audit. Is it anticipated that on-site time for each merchant will be limited to one day or less to complete the PCI DSS assessment? Response: Site visits are not required to be limited to one day. Please provide pricing on a per day rate and an estimate of how long each site visit will take. 15. Question: Section A.i, Page 11, Have these merchants undergone a PCI assessment before? Were these all passing without the need of remediating activities? Response: These merchants have not received a full PCI gap analysis before. Since these merchants have not received a full PCI gap analysis, there will likely be remediation items. 16. Question: Section A.i, Page 11, Has NCDNCR been advised by their acquiring bank as to the validation requirements? Who is the acquiring bank? Response: NCDCR is a Level 3 merchant, and will be completing an SAQ D. NCDCR validates to First Data Merchant Services. 17. Question: Section A.i, Page 11, What card brands (ie. MasterCard, Visa, American Express, etc.) is accepted by these merchants. Response: DNCR merchants accept MasterCard, Visa, Discover, and American Express. 18. Question: Section A.i, Page 11, Has the Cardholder Data Environment (CDE) been defined and mapped for credit card transactions? Do data flow diagrams exist for each process and merchant? Response: The CDE has not been fully mapped. No, data flow diagrams do not exist for each process or merchant. 19. Question: Section A.i, Page 11, How many different methods/processes are there for credit card data to enter the organization, i.e. mail, phone, , electronic files, etc. and what are they? Response: Merchants accept credit cards via mail, phone, ecommerce, and face to face. Since a full PCI DSS assessment has not been completed, there could be other methods used. 20. Question: Section A.i, Page 11, Are your credit card transactions card present, card not present or both? If both, what is the approximate percentage of each? Response: Credit Card transactions are both card present and card not present. 65% card present and 35% card not present. 21. Question: Section A.i, Page 11, Do you currently have data flow datagrams or similar documentation detailing the different processes which handle cardholder data? Addendum 1, RFP Page 3 of 9

4 Response: No, data flow diagrams do not exist for each process. 22. Question: Section A.i, Page 11, Please list the applications (other than POS) that are used to support the credit card processes? Please provide a description of the function of each? Response: CounterPoint, TAMS, and Active Network are the major payment applications used. However, since a full PCI DSS assessment has not been completed, there could be other applications used. These applications are integrated into a POS terminal and merchants also use their ecommerce functionality. 23. Question: Section A.i, Page 11, Please indicate whether each of these applications is developed in house or commercially available software? Response: To my knowledge, DNCR does not have any payment applications developed in house. All known payment applications are commercially available. 24. Question: Section A.i, Page 11, Please confirm that on-site assessments and security audits are limited to fifteen merchants. Page 12 lists 35 merchants with ten being high priority. Response: DNCR will not exceed 15 on-site merchant assessments per year. 25. Question: Section A.xi, Page 12, Section A.xii, Page 12, If ten are SAQ-D reports, what reports will be generated for the remaining five? Response: The other merchants will fall into a SAQ A, SAQ B, or SAQ C. 26. Question: Section A.i, Page 11, How was a full day determined for the complex merchants? Response: A full day is 7-8 hours onsite reviewing the merchant s business process, interviewing staff, and examining the physical security controls. 27. Question: Section A.i, Page 11, Are the PCI processing environments centralized or decentralized? +Centralized: -NCDNCR hosts centralized servers -Single payment application managed by NCDNCR -Policies and procedures have been developed and issued by NCDNCR -The merchants listed share a common infrastructure +De-centralized: -Merchant has and manages their own server environment -Merchant has their own payment application which they manage -Each Merchant maintains their own infrastructure Response: DNCR s PCI processing environment is currently decentralized, but would like to move toward centralizing. 28. Question: Section A.i, Page 11, What WAN transport is used to communicate between your locations and between yourself and vendors, business partners, etc.? Response: DNCR uses NC DIT s State Network. Addendum 1, RFP Page 4 of 9

5 29. Question: Section A.i, Page 11, Does NCDNCR currently outsource any portion of your IT infrastructure, application or operations? Response: Currently merchants manage their own merchant environments. Some merchants have decided to outsource portions of their IT infrastructure, applications, and operations. 30. Question: Section A.i, Page 11, Are you currently using any third-party service providers to store, transmit or process credit card information? Please list each and the nature of the relationship. Consider those who access or process credit card data: Application Developers Managed service providers Network and application hosting Response: Yes, DNCR is currently using third party payment providers to store, transmit, or process credit card information. CounterPoint Integrated Payment Application and ecommerce TAMS Integrated Payment Application ActiveNetwork Integrated Payment Application and ecommerce NC Department of IT hosting Accelerando hosting ActiveNetwork Integrated Payment Application and ecommerce A full PCI DSS assessment has not been completed; there could be other Third Party Service Providers used. 31. Question: Section A.i, Page 11, Is there any centralized logging currently being performed in either environment? If so, what tools are being used to collect and analyze? Response: Logging is currently being performed in NC Department of IT s PCI environment. NC Department of IT is using Alien Vault and manually monitoring logs in the PCI environment. 32. Question: Section A.i, Page 11, Are Intrusion Detection/Prevention systems in place? Response: NC Department of IT is using an IDS/IPS in the PCI environment. 33. Question: Section A.i, Page 11, Is there a POS system in place? Is the POS system or system(s) developed in house commercially available? If commercially available has it been PA-DSS certified? Response: There are multiple POS systems in place. CounterPoint, TAMS, and Active Network are the major payment applications used. However, since a full PCI DSS assessment has not been completed; there could be other applications used. Yes, the POS terminals are PA-DSS certified. 34. Question: Section A.i, Page 11, Please list whether applications are accessible from an internal network, from an external network (i.e. Internet) or both. Response: Applications are accessible from both an internal and external network. 35. Question: Section A.i, Page 11, Is there segmentation in place at the merchant sites between their work network and the credit card processing systems? Addendum 1, RFP Page 5 of 9

6 Are the system and databases that handle credit card data segmented from the remainder network or is it just one flat network? If yes, please explain how the segmentation is accomplished. Response: Not all merchant sites have the appropriate segmentation in place. A full PCI DSS assessment has not been completed so there could be a combination of segmentation and a flat network depending on the site. Full segmentation has not been accomplished at DNCR. 36. Question: Section A.i, Page 11, Within each CDE, approximately how many web and middleware servers are currently deployed within each environment? (e.g. Apache, IIS, WebSphere, TomCat, etc.). -At each complex merchant. -At each non-complex merchant. Response: A full PCI DSS assessment has not been completed. DNCR does not have a count of web and middleware servers for each merchant or for the agency as a whole. 37. Question: Section A.i, Page 11, Within each CDE, approximately how many network devices are in environment? (i.e. routers, switches, firewalls, VPN devices, etc.) -At each complex merchant -At each non-complex merchant Response: A full PCI DSS assessment has not been completed. DNCR does not have a count of network devices for each merchant or for the agency as a whole. 38. Question: Section A.i, Page 11, Is there wireless at the merchant? If yes, is this wireless used in the transmission of point-of-sale transactions? Do you currently have measures in place to detect rogue wireless access points? Response: Some merchant sites have wireless internet. Merchants have been instructed not to use Wireless internet for POS transactions. Yes. 39. Question: Section A.ii, Page 11, During a review there are may not be three compliant options to address a gap. How would this be expected to be addressed? Response: If there are not 3 available compliant solutions then a recommendation on business process change will also be acceptable. 40. Question: Section A.iii, Page 11, Is the penetration test external/internal/both? +If both, please provide number or hosts involved in each. Response: Internal and External Penetration testing is needed. A full PCI DSS assessment has not been completed. DNCR does not have a count of hosts involved. 41. Question: Section A.iii, Page 11, Are you currently performing, internal and external penetration testing, and internal vulnerability assessments? Addendum 1, RFP Page 6 of 9

7 If so, have the penetration tests been successful, i.e. satisfactory for compliance? Response: DNCR is currently performing internal vulnerability assessment. N/A 42. Question: Section A.iv, Page 11, Is the quarterly scanning interval/external (ASV)/both? +If both, please provide number of hosts involved in each. Response: Quarterly internal vulnerability scans are completed. A full PCI DSS assessment has not been completed. DNCR does not have a count of hosts involved. 43. Question: Section A.iv, Page 11, Are you currently engaged with an ASV to conduct the quarterly external scans? If so, have the scans been successful, i.e. satisfactory for compliance? Response: No. N/A 44. Question: Section A.iv, Page 11, Are you performing the required quarterly internal scans required for compliance? If so, have the scans been successful, i.e. satisfactory for compliance? Response: Yes, DNCR is performing internal vulnerability scans. Yes. 45. Question: Section A.v, Page 11, Will each merchant be completing their own SAQ? Response: Yes. 46. Question: Section A.v, Page 11, Will the vendor be expected to sign the SAQ? Response: No, the vendor is not expected to sign the SAQ since DNCR is able to self-assess. 47. Question: Section A.v, Page 11, Please clarify SAQ D self-assessments shall require assistance? Please clarify the level of review expected. Would the review be limited to validation of the existence of controls or expanded to include the validation of the effectiveness of controls? Response: Vendor will work with DNCR staff to complete overall SAQ D. Review will also include the effectiveness of controls. 48. Question: Section A.vi, Page 11, We suggest weekly status calls. Is NCDNCR open to meetings more frequently than monthly? Response: Yes, we are open to more frequent meetings. Please provide the price for weekly meetings, as well as, monthly. 49. Question: Section A.vi, Page 11, Approximately how many individuals from your organization do you feel will need to be involved in the assessment? (e.g. IT, application development, database management, business process, etc.) Addendum 1, RFP Page 7 of 9

8 Response: Approximately 10 individuals for each assessment. This includes merchant owners, merchant staff, and IT staff, and central business office. 50. Question: Section A.vi, Page 11, Can you provide an organization chart with titles and functions? Response: Yes, each department has an organizational chart. 51. Question: Section A.vii, Page 11/12, Is the Risk Assessment and Management Plan discussed to meet Requirements 12.2 or intended more as a Project Plan? Response: Risk Assessment and Management Plan will need to satisfy Requirement 12.2, but will also be utilized for our project plan along with the PCI gap analysis. 52. Question: Section A.viii, Page 12, Do PCI policies exist? If yes, have they been reviewed as part of a previous PCI effort? If so on a scale of 1 (low) to 5 (high how comprehensive are they?) (e.g. change control, data control, data retention, data classification, acceptable use disposal, etc.) Response: Limited PCI policies exist. DNCR is still in the process of discovering and reviewing existing policies. Existing policies are a 3, however, many areas are missing documentation. 53. Question: Section A.x, Page 12, Is training other than PCI Security Awareness expected? If yes, what type and to what extent? Will training be expected to be conducted per merchant or will all merchants attend the main training when offered? Response: No. N/A All merchants are expected to attend the main PCI Security Awareness Training. 54. Question: Section A.xi, Page 12, Section A.xii, Page 12, If the ten steps listed above address the SAQ-D for the ten listed high priority merchants, what SAQs are expected for the other five that are needed? Response: The other merchants will fall into a SAQ A, SAQ B, or SAQ C. 55. Question: Section A.x, Page 12, Does a formal information security policy exist? Response: Yes. 56. Question: Section B.5, Page 12, Are the 3 web based security awareness training sessions expected to be done by October 2016? Response: No, the 3 trainings are not expected to be completed by October Question: Attachment C: Pricing, Many of the activities are performed per merchant, including travel to each. Some activities are more global in nature, i.e. the web training. Should this total be broken down by merchant and global activities or combined? Response: Pricing should be broken down by per merchant (ex. site visit) and global activities as applicable (ex. training). Addendum 1, RFP Page 8 of 9

9 B. Offeror s Certification of Addendum Check ONLY one of the following categories and return one properly executed copy of this addendum prior to bid opening time and date. Bid has already been mailed. Changes resulting from this addendum are as follows Bid has already been mailed. NO CHANGES resulted from this addendum Bid has NOT been mailed and ANY CHANGES resulting from this addendum are included in our bid. BIDDER: ADDRESS (CITY & STATE): AUTHORIZED SIGNATURE: DATE: NAME and TITLE (Typed): Please note that the US Postal Service does not deliver any mail (US Postal Express, Certified, Priority, Overnight, etc.) on a set delivery schedule to this Office. It is the responsibility of the Vendor to have the bid in this Office by the specified time and date of opening. SEND ALL PROPOSALS DIRECTLY TO THE ISSUING AGENCY ADDRESS AS SHOWN BELOW: DELIVERED BY US POSTAL SERVICE DELIVERED BY ANY OTHER MEANS RFP NO RFP NO North Carolina Department of Natural and Cultural Resources North Carolina Department of Natural and Cultural Resources Purchasing Office Purchasing Office, Archives & History Building, 3 rd Floor 4605 Mail Service Center 109 East Jones Street Raleigh, NC Raleigh, NC Signature of Offeror: Print Name: Company: Address: Telephone Number Title: Address County of Service Street/PO Box City Zip Code Fax: Principal Place of Business if different from above (See General Information on Submitting Proposals, Item 18.): Will any of the work under this Contract be performed outside the United States? Yes No -(If yes, describe in technical proposal.) N.C.G.S and Executive Order 24 prohibit the offer to, or acceptance by, any State Employee of any gift from anyone with a contract with the State, or from any person seeking to do business with the State. By execution of any response in this procurement, you attest, for your entire organization and its employees or agents, that you are not aware that any such gift has been offered, accepted, or promised by any employees of your organization. THIS PAGE MUST BE SIGNED AND INCLUDED IN YOUR PROPOSAL. Addendum 1, RFP Page 9 of 9