CITY OF CORONA RFP SB. ADDENDUM No. 2

Transcription

1 CITY OF CORONA ADDENDUM No. 2 Purchasing Division (951) S. Vicentia Ave., Ste. 320 purchasing@discovercorona.com Corona, CA /22/2014 Scott Briggs Addendum No. 2 for the Evaluation of the City s Payment Card Industry Compliance, RFP SB is issued to answer questions from prospective consultants. The following questions from prospective consultants and the City s responses are, by this reference incorporated into RFP SB: Question: Regarding page 11 of the PDF (first bullet) (Section V. Proposal Content and Forms - Pg 3of 3): auditing the City s policies, procedures and payment processes (including but not limited to mail, telephone, online and counter payments) through on-site evaluations and meetings with City staff? Does Audit mean a true attestation by an audit firm or just a review? The ultimate goal would be for the Consultant to provide recommendations in order for the City to be compliant and attest to the compliance status. Question: How many data centers and are they owned, outsourced etc.? We have one main data center at City Hall. We have a smaller datacenter at DWP. Question: Regarding training, how many people need to be trained and in how many sessions. (Our standard is typically 20 trainees per session.) At least 40 people, but could be more. Question: How many total systems (IPs) are we going to assess. We have approximately 100 servers of which only a handful are used for credit card transactions. Addendum No. 2 Page 1 of 6

2 Question: How many Applications are to be assessed; How many pages per App; How many users per App Includes, but not limited to: CIS pages unk users 25 Cash Central pages unk users 25 Fuelmaster pages unk users 3 CATS pages unk users 10 CoronaStores unk public Goapp pages unk public Ilink pages unk public Services ActiveNet Paymentus Transfirst FirstData Question: Number of total payment transactions each year? 670,000 per year Question: Is each division (water, fire, power, etc) using a unique merchant number? Yes, that is correct. Question: Approximately how many total systems and applications are in scope for PCI? Unknown as to what specifies the scope for PCI. Users for the 7 systems listed above total about 70. We have four in house systems that process payment data and four companies that process payments on the City s behalf. Question: Are the responsibilities of network/system administration in-house or outsourced to a third party? In house for routine work, outsource for complex projects Question: Has the city staff gone thru some PCI training or no PCI training? We have not received any PCI training. Question: Approximately how many IPs would be involved in the scans? External IP Addresses (128) Internal what would be scanned? We have approximately 100 servers of which only a handful are used for credit card transactions. Question: Does the organization develop any PCI applications in house? The City has not developed any PCI applications. Question: Has the organization been certified PCI complaint before? Yes, but only for our transactions at the City s CNG pumps. Due to hardware and software changes to the CNG pumps, we are no longer certified. Addendum No. 2 Page 2 of 6

3 Question: How many total employees, how many in IT? 622 total City employees and 10 IT employees. No Question: Is the CDE segmented from the rest of the network? Question: About how many systems are in scope for the PCI Assessment? Includes, but not limited to: CIS pages unk users 25 Cash Central pages unk users 25 Fuelmaster pages unk users 3 CATS pages unk users 10 CoronaStores unk public Goapp pages unk public Ilink pages unk public Services ActiveNet Paymentus Transfirst FirstData Question: Is each division responsible for their own FACTA compliance or is there one team that has responsibility for FACTA for the entire agency? Department of Water and Power will be responsible for their FACTA compliance and the Finance Department will handle the rest. Question: To confirm the intent of the language in Section II: H. Acceptance of Order. Is it the City s intention to not allow any negotiated changes to the language contained in the professional services agreement of Section VII? The City s intention is to not allow changes to the City s professional services agreement. You may submit a proposal with contractual changes; however your firm will run the risk of scoring lower than firms without contractual changes. Question: How is the City beholden to Red Flag Rule and the Fair and Accurate Credit Transaction Act (FACTA)? The City does not have a response for this question. We have issued this request for proposals with the intent of hiring a consultant that will advise the City in this matter. Question: Does the City desire to benchmark itself against version 2.0 or 3.0 of the PCI DSS? 3.0 compliance Question: When auditing the City s policies, procedures and payment processes is the vendor expected to perform the same level of detail it would use for an actual Report on Compliance or is an inquiry only based approach acceptable to establish the current control gaps? The initial audit should be performed with the same level of detail it would use for an actual Report on Compliance. Based on the first audit, future audits could be adjusted accordingly. Addendum No. 2 Page 3 of 6

4 Yes. Question: Will a Report on Compliance (ROC) and accompanying Attestation of Compliance (AOC) be required as a deliverable? Question: Is the city aware of what compliance/merchant level they are based on the number of card transactions? The City does not have a response for this question. We have issued this request for proposals with the intent of hiring a consultant that will advise the City in this matter. Question: What is the timeline for starting and completing this project? As soon as possible. Question: Approximately how many individuals will the vendor be required to interview as part of the evaluation process? At least 40. Question: For bidding purposes, should the vendor assume 1 penetration test and 4 external /internal quarterly scans? The City will agree to this if 1 penetration test and 4 external /internal quarterly scans are recommended in the PCI compliance guidelines. Question: Who is to be trained? Technical resources or employees at all levels? Employees at all levels Question: Are there any shared services (e.g., vulnerability scanning, log management, shared data centers, policies and procedures, etc.) among the different departments, if so, what are those shared services? Unsure of question. No known shared services. Question: Is network segmentation used to reduce the PCI scope? Not at this time Question: Until the completion of the initial assessment, we will not have a clear understanding of the level and amount of remediation work required. Should we provide a range of hours based on previous experience, or is a different approach suggested by CCSF to estimate that effort (e.g. estimate the initial assessment leaving the remaining phases TBD with respect to hours.)? Provide an estimate based on your previous experience for the initial assessment and subsequent phases. Question: With respect to assisting the City with the implementation of recommended changes; what level of assistance does the City require? General guidance, or hands on (e.g. server configuration, implementation of monitoring solutions, installations of log servers, etc)? Recommendations on how to ensure PCI compliance. The scope of what is required will dictate how much assistance would be needed. Addendum No. 2 Page 4 of 6

5 Scoping Questions: What is the scope of the cardholder environment: a. Question: How many firewalls are there? We have one external and three internal. b. Question: How many Internet facing systems are part of the cardholder data environment (# of IPs)? 7? We have 128 public facing IP s. c. Question: How many Internet facing web applications are part of the cardholder data environment? 2? (i-link, Corona Store) d. Question: How many systems in the cardholder data environment store cardholder data? We do not store credit card information e. Question: What databases are used in the cardholder data environment? We do not store card data. The databases we use are MS SQL Server. f. Question: How many systems are there in the cardholder data environment and what operating systems do they run? Three using Microsoft Server 2008R2. g. Question: How many network devices are considered in-scope? What type of devices are inscope? The exact number will depend on the parameters of the test. Approximately a dozen devices on the network infrastructure. h. Question: How many locations are considered in-scope for this assessment? Four City Hall, Department of Water and Power, Fire Department and Police Department i. Question: Is wireless used to transmit cardholder data? Is wireless segmented out from the rest of the environment? The City accepts payments from customers via cell phones and other wireless connections. Yes, the city wireless environment is segmented out. j. Question: How many administrative locations are in-scope (e.g. call centers, back end processing, card storage locations)? Four City Hall, Department of Water and Power, Fire Department and Police Department k. Question: Is cardholder data shared with any business partners or do third-party vendors have access to cardholder systems? How many? Yes, approximately two vendors l. Question: Is tokenization used to reduce scope? No Addendum No. 2 Page 5 of 6

6 Question: Are any portions of the cardholder data environment(s) outsourced? If yes, please specify which components/applications are outsourced? Are these components managed and controlled by the outsourcing service provider? Is the outsourcing service provider included on the Visa list of PCI compliant service providers? Would this include our payment processor?if so, then yes. Includes but not limited to: ActiveNet Paymentus Transfirst FirstData Question: How many datacenters host systems that are part of the cardholder data environment(s)? Where are these datacenters located? Two. 755 Public Safety Way, Corona CA and 400 S. Vicentia Ave., Corona CA Question: How many of the in-scope applications are PA-DSS certified? Which PA-DSS applications are used? Zero. Question: Are any systems in cardholder data environment virtualized? If virtualization is used, are guest systems that are part cardholder environment reside on the same virtual host as out of scope systems, or do PCI in-scope systems reside on dedicated virtual hosts? They are virtualized, and do not reside on a separate host. Question: Do you have estimated number of live hosts that are internally facing for the various cardholder data environments? Three? Thank you, Scott Briggs Purchasing Manager Addendum No. 2 Page 6 of 6