Vendor 1 QUESTION CCSF RESPONSE


Vendor 1

QUESTION 1: If we have already filled out the vendor profile application, business tax declaration and local business forms, will we need to fill them out again?
CCSF RESPONSE: If you have done so, you can simply provide us with your vendor registration number.

QUESTION 2: Is CCSF open to rolling up all 70 merchant IDs into a single Report on Compliance (ROC), or will each merchant validate individual compliance by submitting the appropriate SAQ/ROC?
CCSF RESPONSE: Each merchant will have to submit an individual appropriate SAQ/ROC.

QUESTION 3: In regards to the PCI workshops mentioned in the scope of work on page 7 (#1): Is it the expectation that workshop content will allow CCSF staff to take the CPIP exam offered by the PCI SSC? Should we assume that the training be structured so that CCSF staff can attain the necessary CPEs to maintain their CPIP? How many CCSF employees should we anticipate attending the workshops?
CCSF RESPONSE: No. No. For each workshop, approximately 70 CCSF employees are expected to attend. Workshops can be divided into smaller groups.

QUESTION 4: Is it the expectation that the responder be required to create new or update existing policies and procedures to address PCI DSS documentation gaps?
CCSF RESPONSE: No.

QUESTION 5: Does CCSF currently have an identified list of projects for items mentioned in scope of work #3?
CCSF RESPONSE: Unknown.

QUESTION 6: As SFO's current QSA, is there overlap between the PCI services you requested and the PCI services we are already performing?

QUESTION 7: Is it expected that the readiness/gap assessment (page 7, SOW #5) will lead to each department completing their own SAQ, or will there be a single Level 1 merchant ROC completed by a QSA?
CCSF RESPONSE: Please see response to question #2.

QUESTION 8: In regards to SOW #6, are systems in scope hosted onsite or by a third party? Is there a current inventory of in-scope systems including servers, network devices, applications, databases, etc.?
CCSF RESPONSE: Given the different state of technology sophistication across City agencies, the selected vendor will need to advise City agencies as to what documentation is necessary to be completed by City staff in order to obtain compliance certification and assist as needed. There is no City-wide inventory of systems. The vendor will advise departments which system components need to be included to obtain certification.
NOTE: Carefully review the project scope on page 7 of the RFP. The City is not asking vendors to scan and ensure compliance of each environment. The vendor will be assisting the City in obtaining self-certification and will serve as an advisor. The vendor will not scan the Data center environment and City applications. It will be advising the City staff on how to close gaps to help us obtain the required compliance certification.

Page 1 of 17

QUESTION 9: Is the cardholder data environment segmented from all other systems that do not store, process or transmit cardholder data?

QUESTION 10: Does CCSF leverage wireless and/or mobile payment technology to transmit cardholder data?

QUESTION 11: Are CCSF merchants currently performing quarterly vulnerability scans or yearly penetration tests?
CCSF RESPONSE: Vulnerability scans and penetration tests are not part of the RFP. Vendor will advise City agencies which systems and applications require this analysis in order to become compliant.
   a. If so, please identify the scope of internal and external IP addresses.
   CCSF RESPONSE: Not applicable - see above.

QUESTION 12: Based on the aggregate transaction volume for MUNI and Port, 24.5m and 5m respectively, has CCSF's acquiring bank determined if these departments are required to validate annual compliance as Level 1 merchants requiring an annual onsite audit and ROC/Attestation of Compliance (AOC)?
CCSF RESPONSE: No.

Vendor 2

QUESTION 1. General Question:

a. Do you have an established compliance date within the next six months? If so, what is it?
CCSF RESPONSE: No.
   Do you have a letter from any bank or processor giving you a deadline on any of the entities or threatening fines of any kind?
   i. Please list this out per reporting merchant ID.
   CCSF RESPONSE: NA.
   ii. How many Processors do you have? Do you have any requirements for those processors to become compliant?
   CCSF RESPONSE: To be determined.

b. If you are a merchant, what is your merchant level?
CCSF RESPONSE: The City is a highly diversified organization. Transaction volume varies from one City department to another. The City is looking for an advisor to help us with our compliance process and determine the appropriate merchant level as identified in the business assessment study of this project.
   i. From the RFP it seems that there are 25 Merchant IDs throughout the city. If this is the case, what is the level for each merchant in need of this assessment?
   CCSF RESPONSE: There are 72 MIDs throughout the City. Some agencies, especially the large ones such as MUNI, have more than one MID. The selected vendor can help the City determine the appropriate merchant level as identified in the business assessment study of this project.
   ii. How many MIDs are there throughout the city?
   CCSF RESPONSE: 72 MIDs.

c. Have you ever undergone any type of PCI assessment in the past?
CCSF RESPONSE: Partially.
   i. A Compliance Validation Assessment?
   CCSF RESPONSE: Partially.
   ii. A GAP assessment/review?
   CCSF RESPONSE: Partially.
   iii. If so, will we be able to utilize information provided in the past from prior assessors?

d. How many IT Operations locations are in scope for compliance, and what is the geographic location of each facility?
CCSF RESPONSE: This RFP covers all City and County of San Francisco agencies located in the San Francisco and San Mateo area. NOTE: Carefully review the project scope on page 7 of the RFP. The City is not asking vendors to scan and ensure compliance. The vendor will be assisting the City in obtaining self-certification and serves as an advisor.

e. Is there a centralized IT Organization in addition to individual IT teams for the departments? If so, what is their role within the scope of this project?
CCSF RESPONSE: CCSF has a centralized IT Organization that provides a variety of technology services. The selected vendor for this project, however, will be working with individual departments.

f. What are the geographic locations of all the facilities that will fall into scope for this type of project?
CCSF RESPONSE: This RFP covers all City and County of San Francisco agencies located in the San Francisco and San Mateo area.

g. How many data centers are in scope for compliance? What is the geographic location of these data centers? Are any of the data centers owned by you? Are any of the data centers 3rd party data centers? If 3rd party, are the data centers PCI compliant?
CCSF RESPONSE: This RFP covers all City and County of San Francisco agencies located in the San Francisco and San Mateo area. The City is a highly diversified organization. Some agencies have their own data center (Dept of Technology, MTA, Airport, PUC, etc.) while others rely on external services. NOTE: Carefully review the project scope on page 7 of the RFP. The City is not asking vendors to scan and ensure compliance. The vendor is assisting the City in obtaining self-certification and serves as an advisor.

h. Due to the nature of our business, our clients expect a certain amount of privacy when being referenced. Would CCSF be willing to sign an NDA so we can release these names to meet the requirements of your RFP? If so, where should I send a copy of our NDA?

i. If answering questions takes longer than expected for CCSF, would there be an extension granted?
CCSF RESPONSE: Yes, if necessary.

j. Under the Scope of Work, can you elaborate, for #5, on what you would like to accomplish?
CCSF RESPONSE: The selected vendor will serve as an advisor and evaluate how prepared the organization is for any process change, identify organizational needs, and develop a plan to introduce in order for us to obtain the required compliance certification.

k. In the RFP there seem to be back-end requirements for other compliances. Would HIPAA or any other compliance assessments be a part of this project? If so, please explain any other compliance initiatives which are expected.
CCSF RESPONSE: No.

l. Are you looking to have an individual assessment performed on a per department basis and then one as a whole? Would you like reporting to be for each entity or one report on compliance for all? Has CCSF thought through the implications of one report versus multiple reports? If so, what are your thoughts on this matter?
CCSF RESPONSE: We are looking for per department/merchant assessment. However, you may include in your response the benefits of one reporting versus multiple reporting.

m. What is the intention of the PCI compliance and certification educational workshops?
   i. Is it to satisfy the security awareness training components for PCI?
   ii. Is it to train those PCI Project representatives from each department as they lead efforts for compliance?
CCSF RESPONSE: Training and educational workshops are applicable.

n. Does CCSF expect a project plan developed per department? If so, to what level of detail, and what happens when dates are missed as a result of CCSF resources?
CCSF RESPONSE: CCSF expects a project plan developed per department. The City's Treasurer & Tax Collector Office (TTX) will provide oversight of this project. The selected contractor will have to communicate any issues with this project to TTX and renegotiate deadlines.

o. Is it the intention that the PCI compliance certification of individual merchants is in reference to the PCI Compliance of the individual departments?
CCSF RESPONSE: CCSF is looking for a vendor to provide us with the business assessment, gap analysis, and remediation compliance reports. These will be the basis for PCI compliance and certification.

p. Does "assist in documenting CCSF payment card environment" imply the creation of all network/connection/dataflow diagrams, plus the asset inventory of the cardholder data environment? What information do you have now for each entity (dataflow, network diagram, inventory, IP#s)?
CCSF RESPONSE: The City is looking for an advisor that will help us document the City's existing payment card environment and process. This may include diagrams given that the level of documentation available varies by City agency. We are not looking for an inventory of assets.

q. What is the intended start/end date for this engagement?
CCSF RESPONSE: Early part of calendar year

r. Will there be dedicated CCSF staff to facilitate the project coordination between departments?
CCSF RESPONSE: TTX will facilitate and coordinate the project between departments.

s. How many acquirers do you have and who are they?
CCSF RESPONSE: For Card Present, the City utilizes Bank of America Merchant Services (BAMS), and Chase Payment Tech for Card-Not-Present. Depending on the results of assessment review, there may be other indirect acquirers that are not known to TTX.

t. What does Lockbox entail (i.e., mailed-in bills with credit card numbers on them)?
CCSF RESPONSE: Mailed-in payments with checks and card payment information at times, but very few.

u. What position types will be the audience for PCI DSS Training?
CCSF RESPONSE: Senior staff and staff at various organizational levels.

v. What are the goals of the training program for PCI DSS?
CCSF RESPONSE: To educate CCSF employees and set up compliance policies and processes.

w. Has there been budget allocated for this project? If so, can you share what it is?
CCSF RESPONSE: Proposals should indicate cost of service.

x. Are there any negative repercussions if CCSF does not move forward with this project?
CCSF RESPONSE: Not relevant.

y. Will the CCSF assistance be city employees or contractors? If so, what is the average time of employment with the city? Will they have any IT background?
CCSF RESPONSE: CCSF employees, mostly with IT background.

z. Will TTX have the authority to mandate the assessments to happen in a timely manner?
CCSF RESPONSE: No.

aa. Will there be a public announcement on which vendor was awarded the business?
CCSF RESPONSE: TTX does not publicly announce the selected vendor for TTX services.

bb. Do you currently have a way to fill out SAQs? If so, which solution do you utilize? If not, would you like a solution for this to be included in this RFP?
CCSF RESPONSE: Yes, but performed manually. Please feel free to discuss your recommended solution.

cc. In the appendix there are required forms. Must these be filled out at time of submission or during the contract negotiation phase?
CCSF RESPONSE: These forms must be filled out during the contract negotiation phase.

dd. In the P-500 document, point 19, page 9: Is liquidated damages a show stopper for CCSF?
CCSF RESPONSE: Any questions regarding P-500 can be discussed during the contract negotiation phase.

ee. Can we utilize one of our business partners for the contract negotiation process?
CCSF RESPONSE: That is solely your decision.

QUESTION 2. Organizational Question:

a. Do you intend to use a project manager to facilitate the assessment process? Will the project manager be dedicated to this project?
CCSF RESPONSE: The selected vendor is expected to manage the business assessment review and submit the required reports to TTX staff.

b. Do you contract with any third parties who provide services in the cardholder data environment?
CCSF RESPONSE: No.

c. Are there any specific lead-times, especially related to third parties, which affect the availability of personnel necessary to support the assessment?

d. Do you perform any internal application development (including web applications)?
CCSF RESPONSE: Some Departments have internally developed applications but most rely on third party software.

e. Do you have a complete set of information security policies to address all PCI DSS requirements? If not, are there any base policies and procedures to begin with?
CCSF RESPONSE: The City has a Dept of Technology Security Group that provides general guidance. Large City agencies have a separate CIO and technology organization with their own separate policies. For a list of approved technology policies by the City's COIT Committee, visit

f. Please explain the different methods of accepting credit card transactions for each merchant ID.
   i. Do you accept Mail Order or Telephone Order transactions?
   CCSF RESPONSE: CCSF accepts telephone orders through an IVR system.
      1. If you are accepting phone orders, are these calls being recorded? Are the credit card numbers being recorded? Are fax transactions recorded? Are transactions recorded?
      CCSF RESPONSE: Unknown.

g. If required for each merchant, have penetration tests been completed? Is penetration testing a part of this RFP?
CCSF RESPONSE: Penetration testing is not a requirement of this RFP.
   i. If so, please explain how many Class C Networks each department has, as well as the PCI application count for each department.
   CCSF RESPONSE: NA - see above.
   ii. Is there a case where penetration testing would go beyond PCI? If so, how many Class C environments and how many applications?
   CCSF RESPONSE: NA - see above.

QUESTION 3. Environment Question:

a. Has a data discovery process been performed to identify all storage, processing and transmission of credit card data within the environment? If not, is this something that would fall into scope for this project?
CCSF RESPONSE: Given the different state of technology sophistication across City agencies, the selected vendor will need to advise City agencies when and if this documentation is necessary to be completed by City staff in order to obtain compliance certification and assist as needed. NOTE: Carefully review the project scope on page 7 of the RFP. The City is not asking vendors to scan and ensure compliance of each environment. The vendor will be assisting the City in obtaining self-certification and will serve as an advisor. The vendor will not scan the Data center environment and City applications. It will be advising the City staff on how to close gaps to help us obtain the required compliance certification.

b. How many acceptance channels are in place for the acquisition of credit card data? CP-POS, CNP-Ecommerce, CNP-MOTO, PIN-Debit, etc.
CCSF RESPONSE: Again, given the different state of technology adopted across City agencies, there are multiple acceptance channels. The selected vendor will need to advise staff in City departments what documentation is required to obtain PCI compliance and assist as needed.

c. Has segmentation of the network environment been implemented to reduce the scope of compliance?
CCSF RESPONSE: Again, given the different state of technology adopted across City agencies, each agency, especially the large ones, will have unique technology environments. The selected vendor will need to advise staff in City departments as to what documentation is required to obtain PCI compliance and assist as needed.

d. Are any wireless network technologies utilized in the cardholder environment?
CCSF RESPONSE: Each agency, especially the large ones, will have unique technology environments and may/may not include wireless. The selected vendor will need to advise staff in City departments as to what documentation is required to obtain PCI compliance and assist as needed.

e. Are any virtualization technologies utilized in the environment?
CCSF RESPONSE: Each agency, especially the large ones, will have unique technology environments and may/may not include virtualized environments. The selected vendor will need to advise staff in City departments as to what documentation is required to obtain PCI compliance and assist as needed.

f. How many different types of operating platforms (e.g., Windows, Unix, mainframe, etc.) are present in your environment?
CCSF RESPONSE: Each agency, especially the large ones, will have unique technology environments with varying operating platforms. The selected vendor will need to advise staff in City departments as to what documentation is required to obtain PCI compliance and assist as needed.

g. How many servers are in the cardholder environment?
CCSF RESPONSE: Each agency, especially the large ones, will have unique technology environments with different types of servers involved. The selected vendor will need to advise staff in City departments as to what documentation is required to obtain PCI compliance and assist as needed.

h. How many different payment applications are present in your environment?
CCSF RESPONSE: Each agency, especially the large ones, will have unique technology environments with different types of payment solutions involved. The selected vendor will need to advise staff in City departments as to what documentation is required to obtain PCI compliance and assist as needed.

i. How many different types of databases (e.g., SQL Server, Oracle, etc.) are present in your environment?
CCSF RESPONSE: Each agency, especially the large ones, will have unique technology environments with different types of database solutions involved. The selected vendor will need to advise staff in City departments as to what documentation is required to obtain PCI compliance and assist as needed.

j. Is Card Holder Data being stored? Is encryption used when storing credit card data?
CCSF RESPONSE: Each agency, especially the large ones, will have unique technology environments with different types of database solutions involved. The selected vendor will need to advise staff in City departments as to what documentation is required to obtain PCI compliance and assist as needed.

k. What degree of consistency do you have within your environment?
CCSF RESPONSE: Each agency, especially the large ones, will have unique technology environments with different types of solutions involved. The selected vendor will need to advise staff in City departments as to what documentation is required to obtain PCI compliance and assist as needed.

l. Where are the webservers located?
CCSF RESPONSE: Each agency, especially the large ones, will have unique technology environments with different types of web servers involved. The selected vendor will need to advise staff in City departments as to what documentation is required to obtain PCI compliance and assist as needed.

m. How many compliance programs are up and running as of now, and what are their scopes?
CCSF RESPONSE: Unknown.

n. What type of project management methodology is currently in place? What type of Project Management tools are in use?
CCSF RESPONSE: Those City agencies that have project management methodologies in place are using the PMI standard or a close variation.

o. Is there a current report format being used for compliance reporting with CCSF? If so, what is it?
CCSF RESPONSE: The purpose of this RFP is to establish a City-wide compliance program, including a standard for reporting.

p. Is there an up to date inventory for each department of all networking equipment, servers, computers, and POS systems? How many of the departments have inventories?
CCSF RESPONSE: Each agency, especially the large ones, will have unique technology environments with different equipment locally controlled. The selected vendor will need to advise staff in City departments as to what documentation is required to obtain PCI compliance and assist as needed.

q. Is there an up to date cardholder data flow for each department of all networking equipment, servers, computers, and POS systems? How many of the departments have data flow diagrams?
CCSF RESPONSE: There is no single cardholder data flow. Departments currently vary in their adoption of e-payment solutions.

r. Is there an up to date network diagram for each department of all networking equipment, servers, computers, and POS systems? How many departments have editable network diagrams?
CCSF RESPONSE: Each agency, especially the large ones, will have unique technology environments with different levels of documentation available. The selected vendor will need to advise staff in City departments as to what documentation is required to obtain PCI compliance and assist as needed.

s. Is there an up to date cardholder data flow for each department of all networking equipment, servers, computers, and POS systems? How many of the departments have data flow diagrams that are editable?
CCSF RESPONSE: Each agency, especially the large ones, will have unique technology environments with different levels of documentation available. The selected vendor will need to advise staff in City departments as to what documentation is required to obtain PCI compliance and assist as needed.

t. Is there an up to date network diagram for each department of all networking equipment, servers, computers, and POS systems? How many departments have editable network diagrams?
CCSF RESPONSE: Each agency, especially the large ones, will have unique technology environments with different levels of documentation available. The selected vendor will need to advise staff in City departments as to what documentation is required to obtain PCI compliance and assist as needed.

u. Does CCSF have a preferred report format for metrics and risk? If so, what is it?
CCSF RESPONSE: Contain all the elements of compliance metrics and risk, customizable and downloadable to a user-friendly application.

v. What is meant by use of CCSF staff? What are the limits of use of CCSF staff, if any? (Note: the engagement can't be completed without use of staff, so not sure what this really means.)
CCSF RESPONSE: CCSF staff will consist of employees from IT and/or Finance departments who typically work on banking related issues. They will be available on an as needed basis.

w. Will there be CCSF staff dedicated as POCs/Liaisons for each department? Will these people be dedicated to the PCI program while the selected company is engaged?
CCSF RESPONSE: It is expected to have CCSF staff from each City department to work on this project. Their time, however, is not solely dedicated to the PCI program.

x. What is the reporting structure and lines of accountability between department staff and project owner with CCSF? What will be the escalation process for non-responsiveness on the part of CCSF?
CCSF RESPONSE: The City's Treasurer & Tax Collector Office (TTX) will provide oversight of the PCI compliance process for CCSF. The selected vendor will have to communicate or escalate any project issues that may arise to TTX.

y. Is there a complete list of 3rd party vendors and gateways? How many of the contracts are set to expire in the next 6 months, next 12 months?
CCSF RESPONSE: The list of 3rd party vendors and gateways is not available at this time. This service is expected to reveal this information.

z. Will CCSF be giving the selected company control over tasking CCSF employees when making requests to support the effort in terms of deadlines?
CCSF RESPONSE: Contractor can give direction to CCSF employees for this engagement.

aa. Is there any internal application development done for the city? If so, please list departments which have internal application development teams.
CCSF RESPONSE: Each agency, especially the large ones, will have unique technology environments with different levels of application development efforts. The selected vendor will need to advise staff in City departments as to what documentation is required to obtain PCI compliance and assist as needed.

bb. How many servers are within the cardholder environment?
CCSF RESPONSE: Each agency, especially the large ones, will have unique technology environments with different types of servers involved. The selected vendor will need to advise staff in City departments as to what documentation is required to obtain PCI compliance and assist as needed.

cc. Has proper network segmentation been taken to reduce the scope of compliance?
CCSF RESPONSE: Again, given the different state of technology adopted across City agencies, each agency, especially the large ones, will have unique technology environments. The selected vendor will need to advise staff in City departments as to what documentation is required to obtain PCI compliance and assist as needed.

dd. Are there any virtualization technologies utilized in the environment?
CCSF RESPONSE: Each agency, especially the large ones, will have unique technology environments and may/may not include virtualized environments. The selected vendor will need to advise staff in City departments as to what documentation is required to obtain PCI compliance and assist as needed.

ee. Are your systems being backed up? If so, please list the departments that are and how they are backing up (i.e.: Tape, Disk, Cloud).
CCSF RESPONSE: Each agency, especially the large ones, will have unique technology environments and may/may not include backup solutions. The selected vendor will need to advise staff in City departments as to what documentation is required to obtain PCI compliance and assist as needed.

ff. Do you have anyone working from home? If so, what functions do they perform from home? What systems can they access from home?
CCSF RESPONSE: Again, this is dependent on each department's situation.

QUESTION 4. Logistics:

a. Are there any considerations which will affect the scheduling of any assessment activities (environment freeze, implementation timelines, etc.)?
CCSF RESPONSE: Vendor is expected to coordinate delivery of advisory services with each department and the Treasurer/Tax Collector Office.

QUESTION 5. Vulnerability Scanning:

a. How many internal IP addresses are in scope for PCI?
CCSF RESPONSE: This RFP does not require vulnerability scanning but it can be offered as an optional service. The vendor would advise each City agency as to what would be required to meet compliance requirements.
   i. Please give a break out of IPs per reporting Merchant ID for each location.
   CCSF RESPONSE: This RFP does not require vulnerability scanning but it can be offered as an optional service. The vendor would advise each City agency as to what would be required to meet compliance requirements.

b. Are all IP addresses routable from a centralized location?
CCSF RESPONSE: This RFP does not require vulnerability scanning but it can be offered as an optional service. The vendor would advise each City agency as to what would be required to meet compliance requirements.

c. How many external IP addresses are in scope for PCI?
CCSF RESPONSE: This RFP does not require vulnerability scanning but it can be offered as an optional service. The vendor would advise each City agency as to what would be required to meet compliance requirements.
   i. Please give a break out of IPs per reporting Merchant ID for each location.

d. Have you ever performed vulnerability scans in the past?

e. Are you currently doing any vulnerability scanning? If so, for which network and entities?
CCSF RESPONSE: This RFP does not require vulnerability scanning but it can be offered as an optional service. The vendor would advise each City agency as to what would be required to meet compliance requirements.

GENERAL FEEDBACK FROM CITY OF SF: These questions are all framed with the understanding that the vendor would deliver vulnerability & network scanning services, which are beyond the scope of this RFP. The RFP requires the vendor to provide educational and advisory services that will assist the City agencies in becoming PCI compliant. Vendors are encouraged to carefully review the scope of services laid out on page 7 of the RFP.

Vendor 3

QUESTION 1: How many employees will be a part of the educational workshops?
CCSF RESPONSE: For each workshop, approximately 70 CCSF employees are expected to attend. Workshops can be divided into smaller groups.
   a. How many workshops will need to be performed?
   CCSF RESPONSE: CCSF expects a minimum of two workshop sessions in the first year of engagement.
   b. Will the workshops be on concurrent calendar dates or scheduled for different times of the year?
   CCSF RESPONSE: To be determined.
   c. Will the workshops be led by an onsite trainer or will they be performed as an online webinar?
   CCSF RESPONSE: Can be a combination of both. Web training is fine. People just need an opportunity to ask questions.

QUESTION 2: How many Level 4 merchants do you estimate will require self-certification guidance?
CCSF RESPONSE: Undetermined at this time.

QUESTION 3: Have you previously filed SAQs for the principal merchant businesses within the CCSF?
   a. Can you tell us how many were submitted of each type (e.g., SAQ A, SAQ B, SAQ C-VT, etc.)?
CCSF RESPONSE: Only SAQs were submitted.

QUESTION 4: Does the CCSF utilize data centers, and are these to be included in the scope of the consulting?
CCSF RESPONSE: This RFP covers all City and County of San Francisco agencies located in the San Francisco and San Mateo area. The City is a highly diversified organization. Some agencies have their own data center (Dept of Technology, MTA, Airport, PUC, etc.) while others rely on external services. NOTE: Carefully review the project scope on page 7 of the RFP. The City is not asking vendors to scan and ensure compliance. The vendor is assisting the City in obtaining self-certification and serves as an advisor.
   a. What are the locations of these data centers?
   CCSF RESPONSE: San Francisco/San Mateo area.

QUESTION 5: Number 5 in the Scope of Work references "Establish a process with CCSF staff to conduct a compliance readiness assessment." Will this readiness assessment be a part of this RFP, or will only the planning of the process by which the readiness assessment would be conducted be in this RFP?
CCSF RESPONSE: Both are part of the scope of the services.

QUESTION 6: The chart provided on page 5 of the RFI indicates that there are merchants who fall into all four merchant levels as defined by Visa and MasterCard. This includes Level 1 and Level 2 merchants who may require PCI DSS assessments as well as others who may require penetration testing and/or external vulnerability scanning. Is it accurate that the request for proposal is seeking focused and expert guidance/consulting on PCI matters for each principal merchant and is not asking for the QSA to perform full validation of compliance for each merchant?
CCSF RESPONSE: Given the different state of technology sophistication across City agencies, the selected vendor will need to advise City agencies as to what documentation is necessary to be completed by City staff in order to obtain compliance certification and assist as needed. There is no City-wide inventory of systems. The vendor will advise departments which system components need to be included to obtain certification. NOTE: Carefully review the project scope on page 7 of the RFP. The City is not asking vendors to scan and ensure compliance of each environment. The vendor will be assisting the City in obtaining self-certification and will serve as an advisor. The vendor will not scan the Data center environment and City applications. It will be advising the City staff on how to close gaps to help us obtain the required compliance certification.

QUESTION 7: Would you like supporting services such as penetration testing and vulnerability scanning for your merchants included in the proposal?
CCSF RESPONSE: Penetration testing is not a requirement of this RFP.

QUESTION 8: If supporting services are to be performed in addition to the consulting guidance as part of this RFP, would you like information provided for any or all of the following:
   a. Policy templates
   b. Penetration testing
   c. External vulnerability scanning

QUESTION 9: If supporting services are to be performed in addition to the consulting guidance as part of this RFP, could the following information be provided for each of the principal merchants?
   a. Is segmentation in place between the principal merchants of CCSF?
   b. How many total external IPs are owned by each principal merchant?
      i. How many external IPs are routed and active for each principal merchant?
      ii. How many virtual hosts are living on these IPs?
   c. How many externally facing web applications are in use by each principal merchant?
      i. Please provide a brief description of each application and its use.
   d. How many physical servers are in use by each principal merchant?
      i. How many virtual servers are present on each principal merchant's servers?
CCSF RESPONSE (questions 8 and 9): The vendor, as part of this RFP, will primarily serve as an advisor responsible for analysis, advisory and reporting services. This vendor will not be responsible for DSS assessments, scanning, etc. The vendor, however, is welcome to mention and price these services in the response.

12 e. How many internal hosts are present within each principal merchant? f. How many different point-of-sale (POS) systems are used within the principal merchants for card-present transactions? g. Are you using any PA-DSS validated applications? Page 12 of 17

Vendor 4 QUESTION

General Question:

1. What is the timeline for starting and completing this project?
Response: This project is expected to start at the beginning of the calendar year. The service contract will be evaluated at the end of 2 years.

2. Is there a preference for face-to-face training versus online training?
Response: Can be a combination of both. Web training is fine. People just need an opportunity to ask questions.

3. Who is to be trained? Technical resources or employees at all levels?
Response: Senior staff and staff at various organizational levels.

4. Are there any shared services (e.g., vulnerability scanning, log management, shared data centers, policies and procedures, etc.) among the different merchant IDs? If so, what are those shared services?
Response: Unknown.

5. Is the goal to ultimately implement shared services among the different merchant IDs?
Response: This will be determined after consultation with the vendor.

6. The RFP states, "For CCSF locations that use Gateways or third-party vendors, how do you ensure these locations are PCI compliant?" If these providers are not validated service providers, as defined by PCI, does CCSF have the ability and desire to audit the controls performed by these Gateways / third-party vendors?
Response: CCSF will initially rely on the PCI certificates.

7. The RFP has identified 21 different departments with their associated transaction levels. Does that number match up with the number of actual Merchant IDs that will be in-scope for this project?
Response: No. There are 72 MIDs throughout the City. Some agencies, especially the large ones such as MUNI, have more than one MID.
a. Is it your desire to complete a Report on Compliance (Level 1/2 merchants) and Self-Assessment Questionnaire (Level 3/4 merchants) for each merchant ID?
Response: Yes, if business review leads to those merchant levels.
b. Is it expected that the bidder will also be executing the ROC, or does the CCSF already have a designated QSA that we would be working with to facilitate the effort?
Response: CCSF will have a separate RFP focused on QSA and/or ASV to complement this project.
c. What is the current compliance status of each of the merchant IDs / department?
Response: In 2012, CCSF was in compliance.
d. Do network diagrams and data flow diagrams currently exist for each department?

8. Is network segmentation used to reduce the PCI scope?
Response: Unknown.

9. Could you provide more details on what the important factors are to CCSF in selecting a vendor? Specifically, of the three project dynamics (quality, cost, and thoroughness), please describe the significance of each.
Response: Criteria in selecting a vendor are provided on page 11 of the RFP.

10. Until the completion of the initial assessment, we will not have a clear understanding of the level and amount of remediation work required. Should we provide a range of hours based on previous experience, or is a different approach suggested by CCSF to estimate that effort (e.g., estimate the initial assessment, leaving the remaining phases TBD with respect to hours)?
Response: You may provide a range of hours based on your previous experience in a similar role and project scope and size.

Project Management Question:

1. Does the Respondent of the RFP have access to CCSF resources to assist with the creation and execution of: policies, procedures, and standards; vulnerability scanning and penetration testing; PIN Entry Device inspection; log management, etc.?
2. Do we need to assume that we will be conducting any vulnerability/penetration testing to validate compliance? If so, what should we assume is the scope?
Response: The vendor, as part of this RFP, will primarily serve as an advisor responsible for analysis, advisory and reporting services. This vendor will not be responsible for DSS assessments, scanning, etc. The vendor, however, is welcome to mention and price these services in the response.

3. In addition to the report to each City Agent, is a report to the TTX required? What frequency?
Response: Yes, annually.

4. Who is responsible for managing all remediation activities that are identified during the scoping and validation activities?
Response: Each department will be managing remediation activities, but the selected vendor is expected to submit compliance progress reports for each merchant under review.
a. If it is the responsibility of the selected Respondent, what authority is granted to the Respondent in executing the work?
Response: NA.
b. What are the escalation procedures for reporting merchants that are missing project execution deadlines?
Response: The selected vendor will submit reports to TTX. TTX will communicate to the individual department.

Scoping Question:

1. What is the scope of the cardholder environment?
a. How many firewalls are there?
b. How many Internet facing systems are part of the cardholder data environment?
c. How many Internet facing web applications are part of the cardholder data environment?
d. How many systems in the cardholder data environment store cardholder data?
e. What databases are used in the cardholder data environment?
f. How many systems are there in the cardholder data environment and what operating systems do they run?
g. How many network devices are considered in-scope? What type of devices are in-scope?
Response: Given the different state of technology sophistication across City agencies, the selected vendor will need to advise City agencies as to what documentation is necessary to be completed by City staff in order to obtain compliance certification and assist as needed. There is no City-wide inventory of systems. The vendor will advise departments which system components need to be included to obtain certification. NOTE: Carefully review the project scope on page 7 of the RFP. The City is not asking vendors to scan and ensure compliance of each environment. The vendor will be assisting the City in obtaining self-certification and will serve as an advisor. The vendor will not scan the Data center environment and City applications. It will be advising the City staff on how to close gaps to help us obtain the required compliance certification.
h. How many locations are considered in-scope for this assessment?
Response: This RFP covers all City and County of San Francisco agencies located in the San Francisco and San Mateo area. Please see the chart on page 5 of the RFP (Card Payment Transaction by Department).
i. Is wireless used to transmit cardholder data? Is wireless segmented out from the rest of the environment?
j. How many administrative locations are in-scope (e.g. call centers, back end processing, card storage locations)?
Response: This RFP covers all City and County of San Francisco agencies located in the San Francisco and San Mateo area. The City is a highly diversified organization. Some agencies have their own data center (Dept of Technology, MTA, Airport, PUC, etc.) while others rely on external services. NOTE: Carefully review the project scope on page 7 of the RFP. The City is not asking vendors to scan and ensure compliance. The vendor is assisting the City in obtaining self-certification and serves as an advisor.
k. Is cardholder data shared with any business partners or do third-party vendors have access to cardholder systems? How many?
Response: Combination of both. The number could not be determined at this point.
l. Is tokenization used to reduce scope?
Response: Unknown.

2. Are any portions of the cardholder data environment(s) outsourced? If yes, please specify which components/applications are outsourced. Are these components managed and controlled by the outsourcing service provider? Is the outsourcing service provider included on the Visa list of PCI compliant service providers?
3. How many datacenters host systems that are part of the cardholder data environment(s)? Where are these datacenters located?
Response: This RFP covers all City and County of San Francisco agencies located in the San Francisco and San Mateo area. The City is a highly diversified organization. Some agencies have their own data center (Dept of Technology, MTA, Airport, PUC, etc.) while others rely on external services. NOTE: Carefully review the project scope on page 7 of the RFP. The City is not asking vendors to scan and ensure compliance; the vendor is assisting the City in obtaining self-certification and serves as an advisor.

4. How many of the in-scope applications are PA-DSS certified? Which PA-DSS applications are used?
Response: Given the different state of technology sophistication across City agencies, the selected vendor will need to advise City agencies as to what documentation is necessary to be completed by City staff in order to obtain compliance certification and assist as needed. There is no City-wide inventory of systems. The vendor will advise departments which system components need to be included to obtain certification. NOTE: Carefully review the project scope on page 7 of the RFP. The City is not asking vendors to scan and ensure compliance of each environment. The vendor will be assisting the City in obtaining self-certification and will serve as an advisor. The vendor will not scan the Data center environment and City applications. It will be advising the City staff on how to close gaps to help us obtain the required compliance certification.

5. Are any systems in the cardholder data environment virtualized? If virtualization is used, do guest systems that are part of the cardholder environment reside on the same virtual host as out-of-scope systems, or do PCI in-scope systems reside on dedicated virtual hosts?
6. Do you have an estimated number of live hosts that are internally facing for the various cardholder data environments?

Vendor 5 QUESTION

1. Has this scope of services been awarded before and if so:
a. Please provide the name of the prime and sub consultants.
b. When was the contract awarded?
c. How long has the City and County of San Francisco been having outside consultants provide these services?
d. What was the budget for this last award and was the scope similar?
Response: No.

2. Please provide contact information for prime firms that have shown an interest in this scope of work by having meetings with the City and County of San Francisco, Office of the Treasurer and Tax Collector or Procurement and Contracts Department.
Response: NA.

3. Please address small and DBE requirements associated with this procurement.
Response: We have no small and DBE requirements associated with this procurement.


More information

Network Test Labs Inc Security Assessment Service Description Complementary Service Offering for New Clients

Network Test Labs Inc Security Assessment Service Description Complementary Service Offering for New Clients Network Test Labs Inc Security Assessment Service Description Complementary Service Offering for New Clients Network Test Labs Inc. Head Office 170 422 Richards Street, Vancouver BC, V6B 2Z4 E-mail: info@networktestlabs.com

More information

E Pay. A Case Study in PCI Compliance. Illinois State Treasurer. Dan Rutherford

E Pay. A Case Study in PCI Compliance. Illinois State Treasurer. Dan Rutherford E Pay A Case Study in PCI Compliance Illinois State Treasurer Dan Rutherford What is PCI? The Payment Card Industry s Data Security Standard states: PCI Data Security Requirements applies to all members,

More information

Whitepaper. PCI Compliance: Protect Your Business from Data Breach

Whitepaper. PCI Compliance: Protect Your Business from Data Breach Merchants often underestimate the financial impact of a breach. Direct costs include mandatory forensic audits, credit card replacement, fees, fines and breach remediation. PCI Compliance: Protect Your

More information

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected officials, administrative officials and business managers.

More information

An article on PCI Compliance for the Not-For-Profit Sector

An article on PCI Compliance for the Not-For-Profit Sector Level 8, 66 King Street Sydney NSW 2000 Australia Telephone +61 2 9290 4444 or 1300 922 923 An article on PCI Compliance for the Not-For-Profit Sector Page No.1 PCI Compliance for the Not-For-Profit Sector

More information

PCI 3.1 Changes. Jon Bonham, CISA Coalfire System, Inc.

PCI 3.1 Changes. Jon Bonham, CISA Coalfire System, Inc. PCI 3.1 Changes Jon Bonham, CISA Coalfire System, Inc. Agenda Introduction of Coalfire What does this have to do with the business office Changes to version 3.1 EMV P2PE Questions and Answers Contact Information

More information

AISA Sydney 15 th April 2009

AISA Sydney 15 th April 2009 AISA Sydney 15 th April 2009 Where PCI stands today: Who needs to do What, by When Presented by: David Light Sense of Security Pty Ltd Agenda Overview of PCI DSS Compliance requirements What & When Risks

More information

Registration and PCI DSS compliance validation

Registration and PCI DSS compliance validation Visa Europe A Guide for Third Party Agents Registration and PCI DSS compliance validation October 2015 Version 1.1 Visa Europe 2015 Contents 1 Introduction... 4 1.1 Definitions of Agents... 4 2 Registration

More information

Becoming PCI Compliant

Becoming PCI Compliant Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History

More information

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR AUTHOR: UDIT PATHAK SENIOR SECURITY ANALYST udit.pathak@niiconsulting.com Public Network Intelligence India 1 Contents 1. Background... 3 2. PCI Compliance

More information

A Compliance Overview for the Payment Card Industry (PCI)

A Compliance Overview for the Payment Card Industry (PCI) A Compliance Overview for the Payment Card Industry (PCI) Many organizations are aware of the Payment Card Industry (PCI) and PCI compliance but are unsure if they are doing everything necessary. This

More information

Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions

Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions PCI/PA-DSS FAQs Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions What is PCI DSS? The Payment Card Industry Data

More information

How Secure is Your Payment Card Data?

How Secure is Your Payment Card Data? How Secure is Your Payment Card Data? Complying with PCI DSS SLIDE 1 PRESENTERS Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director, IT Security Practice PCI Practice Leader Francis has

More information

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP cliftonlarsonallen.com PCI Compliance What is New in Payment Card Industry Compliance Standards October 2015 Overview PCI DSS In the beginning Each major card brand had its own separate criteria for implementing

More information

PCI Security Compliance

PCI Security Compliance E N T E R P R I S E Enterprise Security Solutions PCI Security Compliance : What PCI security means for your business The Facts Comodo HackerGuardian TM PCI and the Online Merchant Overview The Payment

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.0 February 2014 Section 1: Assessment Information Instructions for Submission

More information

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance A Non-Technical Guide Essential for Business Managers Office Managers Operations Managers Compliant? Bank Name

More information

PC-DSS Compliance Strategies. 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA

PC-DSS Compliance Strategies. 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA PC-DSS Compliance Strategies 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA True or False Now that my institution has outsourced credit card processing, I don t have to worry about compliance?

More information

RFQ Section 1. What is your highest known merchant level (1, 2, 3, or 4) as assigned by your acquirer?

RFQ Section 1. What is your highest known merchant level (1, 2, 3, or 4) as assigned by your acquirer? # SAIC CoM 2014 RG R79343 1. What is your highest known merchant level (1, 2, 3, or 4) as assigned by your acquirer? 2. Approximately how many credit card transactions do you process per year? 300,000;

More information

PCI Compliance. Crissy Sampier, Longwood University Edward Ko, CampusGuard

PCI Compliance. Crissy Sampier, Longwood University Edward Ko, CampusGuard PCI Compliance Crissy Sampier, Longwood University Edward Ko, CampusGuard Agenda Introductions PCI DSS 101 Chip Cards (EMV) Longwood s PCI DSS Journey Breach Statistics Shortcuts to PCI DSS Compliance

More information

Technical breakout session

Technical breakout session Technical breakout session Small leaks sink great ships Managing data security, fraud and privacy risks Tarlok Birdi, Deloitte Ron Borsholm, WTS May 27, 2009 Agenda 1. PCI overview: the technical intent

More information

Vanderbilt University

Vanderbilt University Vanderbilt University Payment Card Processing and PCI Compliance Policy and Procedures Manual PCI Compliance Office Information Technology Treasury VUMC Finance Table of Contents Policy... 2 I. Purpose...

More information

It is important to note, the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.

It is important to note, the payment brands and acquirers are responsible for enforcing compliance, not the PCI council. PCI FAQ And MYTHS FREQUENTLY ASKED QUESTIONS (FAQ): Q: What is PCI? A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process,

More information

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS) Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS) What is PCI DSS? The 12 Requirements Becoming compliant with SaferPayments Understanding the jargon SaferPayments Be smart.

More information

Top PCI 3.0 Challenges for Chain Merchants. March 11, 2015

Top PCI 3.0 Challenges for Chain Merchants. March 11, 2015 Top PCI 3.0 Challenges for Chain Merchants March 11, 2015 Webinar Program Wednesday, March 11, 2015 Presentations 3PM 3:45PM Eastern Questions & Answers 3:45PM 4:00PM Eastern Agenda Cybercrime PCI DSS

More information

Data Security & PCI Compliance & PCI Compliance Securing Your Contact Center Securing Your Contact Session Name :

Data Security & PCI Compliance & PCI Compliance Securing Your Contact Center Securing Your Contact Session Name : Data Security & PCI Compliance Securing Your Contact Center Session Name : Title Introducing Trevor Horwitz Pi Principal, i TrustNet t trevor.horwitz@trustnetinc.com John Simpson CIO, Noble Systems Corporation

More information

Payment Card Industry (PCI) Data Security Standard. Attestation of Compliance for Self-Assessment Questionnaire C-VT. Version 2.0

Payment Card Industry (PCI) Data Security Standard. Attestation of Compliance for Self-Assessment Questionnaire C-VT. Version 2.0 Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Self-Assessment Questionnaire C-VT Version 2.0 October 2010 Attestation of Compliance, SAQ C-VT Instructions for Submission

More information

Payment Card Industry Compliance Overview

Payment Card Industry Compliance Overview January 31, 2014 11:30am 12:30pm Central Hosted by: Texas.gov Presented by: Jayne Holland Barbara Brinson Payment Card Industry Compliance Overview Securing Government Payments Audio Dial In: 866-740-1260

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.0 February 2014 Section 1: Assessment Information Instructions for Submission

More information

UCSB Credit Card Processing and PCI Compliance

UCSB Credit Card Processing and PCI Compliance UCSB Credit Card Processing and PCI Compliance Sandra Featherson Associate Director of Controls Campus Credit Card Coordinator May 2011 Agenda Campus Credit Card Process Overview Terminology Approval/Acceptance

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data Storage

More information

A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS)

A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS) A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS) The mandatory guide for storing, processing or transmitting cardholder information Overview and applicability Any application

More information

PCI on Amazon Web Services (AWS) What You Need To Know Understanding the regulatory roadmap for PCI on AWS

PCI on Amazon Web Services (AWS) What You Need To Know Understanding the regulatory roadmap for PCI on AWS PCI on Amazon Web Services (AWS) What You Need To Know Understanding the regulatory roadmap for PCI on AWS David Clevenger November 2015 Summary Payment Card Industry (PCI) is an accreditation body that

More information

Whitepaper. PCI Compliance: Protect Your Business from Data Breach

Whitepaper. PCI Compliance: Protect Your Business from Data Breach Merchants often underestimate the financial impact of a breach. Direct costs include mandatory forensic audits, credit card replacement, fees, fines and breach remediation. PCI Compliance: Protect Your

More information

Payment Card Industry Standard - Symantec Services

Payment Card Industry Standard - Symantec Services Payment Card Industry Standard - Symantec Services The Payment Card Industry Data Security Standard (PCI, or PCI DSS) was developed by the PCI Security Standards Council to assure cardholders that their

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.1 April 2015 Section 1: Assessment Information Instructions for Submission

More information

Payment Card Industry Data Security Standards Compliance

Payment Card Industry Data Security Standards Compliance Payment Card Industry Data Security Standards Compliance Please turn off, or to vibrate, all cell-phones/electronics Expected course length: 1 Hour Questions are welcomed. Who Created It? & What Is It?

More information

PCI Compliance 3.1. About Us

PCI Compliance 3.1. About Us PCI Compliance 3.1 University of Hawaii About Us Helping organizations comply with mandates, recover from security breaches, and prevent data theft since 2000. Certified to conduct all major PCI compliance

More information