CITY OF CORONA RFP 15-005SB. ADDENDUM No. 2




CITY OF CORONA
ADDENDUM No. 2
Purchasing Division
400 S. Vicentia Ave., Ste. 320
Corona, CA 92882
(951) 736-2272
purchasing@discovercorona.com
09/22/2014
Scott Briggs

Addendum No. 2 for the Evaluation of the City's Payment Card Industry Compliance, RFP 15-005SB, is issued to answer questions from prospective consultants. The following questions from prospective consultants and the City's responses are, by this reference, incorporated into RFP 15-005SB:

Question: Regarding page 11 of the PDF (first bullet) (Section V. Proposal Content and Forms, Pg 3 of 3): auditing the City's policies, procedures and payment processes (including but not limited to mail, telephone, online and counter payments) through on-site evaluations and meetings with City staff. Does "audit" mean a true attestation by an audit firm or just a review?
Response: The ultimate goal would be for the Consultant to provide recommendations in order for the City to be compliant and attest to the compliance status.

Question: How many data centers are there, and are they owned, outsourced, etc.?
Response: We have one main data center at City Hall. We have a smaller data center at DWP.

Question: Regarding training, how many people need to be trained and in how many sessions? (Our standard is typically 20 trainees per session.)
Response: At least 40 people, but could be more.

Question: How many total systems (IPs) are we going to assess?
Response: We have approximately 100 servers, of which only a handful are used for credit card transactions.

Addendum No. 2 Page 1 of 6

Question: How many applications are to be assessed? How many pages per app? How many users per app?
Response: Includes, but not limited to:

  Application    Pages     Users
  CIS            unknown   25
  Cash Central   unknown   25
  Fuelmaster     unknown   3
  CATS           unknown   10
  CoronaStores   unknown   public
  Goapp          unknown   public
  Ilink          unknown   public

  Services: ActiveNet, Paymentus, Transfirst, FirstData

Question: Number of total payment transactions each year?
Response: 670,000 per year.

Question: Is each division (water, fire, power, etc.) using a unique merchant number?
Response: Yes, that is correct.

Question: Approximately how many total systems and applications are in scope for PCI?
Response: Unknown as to what specifies the scope for PCI. Users for the 7 systems listed above total about 70. We have four in-house systems that process payment data and four companies that process payments on the City's behalf.

Question: Are the responsibilities of network/system administration in-house or outsourced to a third party?
Response: In-house for routine work; outsourced for complex projects.

Question: Has the City staff gone through some PCI training, or no PCI training?
Response: We have not received any PCI training.

Question: Approximately how many IPs would be involved in the scans?
Response: External IP addresses: 128. Internal: what would be scanned? We have approximately 100 servers, of which only a handful are used for credit card transactions.

Question: Does the organization develop any PCI applications in-house?
Response: The City has not developed any PCI applications.

Question: Has the organization been certified PCI compliant before?
Response: Yes, but only for our transactions at the City's CNG pumps. Due to hardware and software changes to the CNG pumps, we are no longer certified.

Question: How many total employees, and how many in IT?
Response: 622 total City employees and 10 IT employees.

Question: Is the CDE segmented from the rest of the network?
Response: No.

Question: About how many systems are in scope for the PCI Assessment?
Response: Includes, but not limited to:

  Application    Pages     Users
  CIS            unknown   25
  Cash Central   unknown   25
  Fuelmaster     unknown   3
  CATS           unknown   10
  CoronaStores   unknown   public
  Goapp          unknown   public
  Ilink          unknown   public

  Services: ActiveNet, Paymentus, Transfirst, FirstData

Question: Is each division responsible for their own FACTA compliance, or is there one team that has responsibility for FACTA for the entire agency?
Response: The Department of Water and Power will be responsible for their FACTA compliance and the Finance Department will handle the rest.

Question: To confirm the intent of the language in Section II.H, Acceptance of Order: is it the City's intention to not allow any negotiated changes to the language contained in the professional services agreement of Section VII?
Response: The City's intention is to not allow changes to the City's professional services agreement. You may submit a proposal with contractual changes; however, your firm will run the risk of scoring lower than firms without contractual changes.

Question: How is the City beholden to the Red Flag Rule and the Fair and Accurate Credit Transactions Act (FACTA)?
Response: The City does not have a response for this question. We have issued this request for proposals with the intent of hiring a consultant that will advise the City in this matter.

Question: Does the City desire to benchmark itself against version 2.0 or 3.0 of the PCI DSS?
Response: 3.0 compliance.

Question: When auditing the City's policies, procedures and payment processes, is the vendor expected to perform the same level of detail it would use for an actual Report on Compliance, or is an inquiry-only based approach acceptable to establish the current control gaps?
Response: The initial audit should be performed with the same level of detail it would use for an actual Report on Compliance. Based on the first audit, future audits could be adjusted accordingly.

Question: Will a Report on Compliance (ROC) and accompanying Attestation of Compliance (AOC) be required as a deliverable?
Response: Yes.

Question: Is the City aware of what compliance/merchant level they are, based on the number of card transactions?
Response: The City does not have a response for this question. We have issued this request for proposals with the intent of hiring a consultant that will advise the City in this matter.

Question: What is the timeline for starting and completing this project?
Response: As soon as possible.

Question: Approximately how many individuals will the vendor be required to interview as part of the evaluation process?
Response: At least 40.

Question: For bidding purposes, should the vendor assume 1 penetration test and 4 external/internal quarterly scans?
Response: The City will agree to this if 1 penetration test and 4 external/internal quarterly scans are recommended in the PCI compliance guidelines.

Question: Who is to be trained? Technical resources or employees at all levels?
Response: Employees at all levels.

Question: Are there any shared services (e.g., vulnerability scanning, log management, shared data centers, policies and procedures, etc.) among the different departments? If so, what are those shared services?
Response: Unsure of question. No known shared services.

Question: Is network segmentation used to reduce the PCI scope?
Response: Not at this time.

Question: Until the completion of the initial assessment, we will not have a clear understanding of the level and amount of remediation work required. Should we provide a range of hours based on previous experience, or is a different approach suggested by CCSF to estimate that effort (e.g., estimate the initial assessment, leaving the remaining phases TBD with respect to hours)?
Response: Provide an estimate based on your previous experience for the initial assessment and subsequent phases.

Question: With respect to assisting the City with the implementation of recommended changes, what level of assistance does the City require? General guidance, or hands-on (e.g., server configuration, implementation of monitoring solutions, installation of log servers, etc.)?
Response: Recommendations on how to ensure PCI compliance. The scope of what is required will dictate how much assistance would be needed.

Scoping Questions: What is the scope of the cardholder environment?

a. Question: How many firewalls are there?
   Response: We have one external and three internal.

b. Question: How many Internet-facing systems are part of the cardholder data environment (# of IPs)?
   Response: 7? We have 128 public-facing IPs.

c. Question: How many Internet-facing web applications are part of the cardholder data environment?
   Response: 2? (i-link, Corona Store)

d. Question: How many systems in the cardholder data environment store cardholder data?
   Response: We do not store credit card information.

e. Question: What databases are used in the cardholder data environment?
   Response: We do not store card data. The databases we use are MS SQL Server.

f. Question: How many systems are there in the cardholder data environment and what operating systems do they run?
   Response: Three, using Microsoft Server 2008 R2.

g. Question: How many network devices are considered in-scope? What type of devices are in-scope?
   Response: The exact number will depend on the parameters of the test. Approximately a dozen devices on the network infrastructure.

h. Question: How many locations are considered in-scope for this assessment?
   Response: Four: City Hall, Department of Water and Power, Fire Department and Police Department.

i. Question: Is wireless used to transmit cardholder data? Is wireless segmented out from the rest of the environment?
   Response: The City accepts payments from customers via cell phones and other wireless connections. Yes, the City wireless environment is segmented out.

j. Question: How many administrative locations are in-scope (e.g., call centers, back-end processing, card storage locations)?
   Response: Four: City Hall, Department of Water and Power, Fire Department and Police Department.

k. Question: Is cardholder data shared with any business partners, or do third-party vendors have access to cardholder systems? How many?
   Response: Yes, approximately two vendors.

l. Question: Is tokenization used to reduce scope?
   Response: No.

Question: Are any portions of the cardholder data environment(s) outsourced? If yes, please specify which components/applications are outsourced. Are these components managed and controlled by the outsourcing service provider? Is the outsourcing service provider included on the Visa list of PCI-compliant service providers?
Response: Would this include our payment processor? If so, then yes. Includes but not limited to: ActiveNet, Paymentus, Transfirst, FirstData.

Question: How many data centers host systems that are part of the cardholder data environment(s)? Where are these data centers located?
Response: Two. 755 Public Safety Way, Corona, CA 92880 and 400 S. Vicentia Ave., Corona, CA 92882.

Question: How many of the in-scope applications are PA-DSS certified? Which PA-DSS applications are used?
Response: Zero.

Question: Are any systems in the cardholder data environment virtualized? If virtualization is used, do guest systems that are part of the cardholder environment reside on the same virtual host as out-of-scope systems, or do PCI in-scope systems reside on dedicated virtual hosts?
Response: They are virtualized, and do not reside on a separate host.

Question: Do you have an estimated number of live hosts that are internally facing for the various cardholder data environments?
Response: Three?

Thank you,
Scott Briggs
Purchasing Manager