1 - Annexure 5 (C) Technical Criteria (Experience and other Technical Requirements)

S. No. | Eligibility Criteria | Documents required | Complied Y/N
6 | The Bidder/OEM should have a proven and field-tested technology for the implementation of such solutions already in operation for at least two years. | Credential letter from the client with duration. |
7 | Bidder should have direct authorization from the Original Equipment Manufacturer (OEM) for selling and supporting the solution offered. | Supporting documents from the OEM. |
8 | Bidder/OEM should have implemented a 2FA solution in at least one scheduled commercial bank in India with an Internet Banking customer base of not less than 1,00,000. | Credential letter from the client Bank. |
9 | Solution/product proposed should have undergone third-party penetration testing / ethical hacking tests. | Audit report regarding the same with compliance thereof / any supporting document establishing compliance. |
10 | Solution proposed should have been implemented in at least 1 scheduled commercial bank in India with an Internet Banking customer base of not less than 1,00,000. | Credential letter from the client Bank. |
2: 4.1 Project Scope, Para 4, Page no. 14 amended as follows:
The proposed solution shall support at least 10 Lakhs Internet/Mobile Banking customer base. However, the solution should be scalable to support up to 20 Lakhs Internet Banking Customers.

3: 4.3.1 Detailed scope of work - General, Para 3 on page no. 16 amended as follows:
The Bank does not intend to deploy any hardware token based solution. The Bank expects the bidder to propose a multifactor authentication solution for the Bank's Internet Banking customers including corporate users. The solution shall not require any token hardware logistics to be maintained by the Bank.

4: 4.4.3 Proposed Flow of IB Transactions (Functional requirement):
i. The internet/mobile banking user should be allowed to register into the system.
ii. At the time of registration the user should be asked multiple questions of his choice. An OTP (One Time Password) should also be sent to the user's registered mobile. The user has to feed in the OTP to complete the registration process.
iii. After registration the user should be allowed to do transactions; however, when there is a change in pattern, he should be challenged using a random question which he has answered during registration.
iv. The solution shall provide a mechanism to form an encrypted channel of communication between the user's machine/device and the authentication server.
v. In case of corporate customers of the Bank, the Bank may opt to implement software token based authentication. In case the Bank opts for digital certificates and crypto tokens, the Bank shall arrange the digital certificates and crypto tokens.
5: 4.4.7 Solution Servers Requirements
The solution server shall be able to manage at least 10,00,000 Internet/Mobile Banking customers and concurrent transactions to the tune of 10,000. The vendor has to deploy servers in redundant mode at the DC and DR of the Bank. The servers at DC should be in high availability mode (active-active) while the servers at DR should be in active-passive mode. The servers at DC and DR should have real-time replication of data. The RPO should be 0 and the RTO should be less than 80 minutes in DC and DR. The servers should have backup capability with the required backup software. Solution server storage capacity shall be optimum for 10,00,000 clients and shall be upgradable as the need arises. The hardware and software for the solution servers, including storage, OS etc., shall be supplied and maintained by the SI. The bidder is also responsible for providing a test setup. The bidder shall perform testing and obtain a Go Ahead from the Bank before implementing any change in the production setup.

6: 8.2 Payment Terms
The SI must accept the payment terms proposed by the Bank. The financial bid submitted by the SI during the commercial bid submission must be in conformity with the payment terms proposed by the Bank. Any deviation from the proposed payment terms would not be accepted. The Bank shall have the right to withhold any payment due to the SI in case of delays or defaults on the part of the SI. Such withholding of payment shall not amount to a default on the part of the Bank.
a) 20% on delivery of hardware, software, communication equipment etc. and inspection of the equipment and media delivered by the Bank staff at the respective locations.
b) 50% on installation, successful commissioning and acceptance of the solution by the Bank.
c) 10% after completion of one year of the warranty period.
d) 10% after completion of two years of the warranty period.
e) 10% after completion of three years of the warranty period.
f) The payment for additional hardware and software tokens, if any, will be on delivery and successful commissioning, integration and sign-off.
The recurring application support charges for the services on the "Two Factor Authentication Solution" project shall be at actuals and paid quarterly in arrears, after deducting the applicable penalty, post the successful commissioning of the project and acceptance of all the relevant requirements under this tender. The bidder has to ensure that the equipment deployed is operational for five years and that there is no end of life / end of sale / end of support from the OEM. In case any upgrade/replacement is required due to any such reason, the bidder should provide the upgrade/replacement free of cost without hampering ongoing operations. No price variation relating to increases in customs duty, excise tax, service tax, currency exchange rate fluctuation etc. will be permitted.

7: Annexure 1 - Technical Specification, Sr. no. 1, 2

Sr no | Features | K/B | Fitment (FC/PC/HC) | Remark
1 | The solution should be proposed for 10,00,000 Internet/Mobile Banking users. | K | |
2 | The proposed solution must support scalability to add an additional 10,00,000 users without the need to discard the earlier set-up. | K | |
8: Appendix 1 Form 02: Masked Commercial Bid (without commercials), Part 2A & B is amended as follows:

A) 2FA Solution Charges Including Licensing Cost (the same hardware configuration is to be provided at both DC and DR; the hardware and software shall carry a warranty of 3 years)

Particulars | HA | Qty | Rate | Total
Solution Server at DC (give details) including OS | Yes | | |
Solution Server at DR (give details) including OS | Yes | | |
Database Server at DC (give details) | Yes | | |
Database Server at DR (give details) | Yes | | |
Solution software at DC | Yes | | |
Solution software at DR | Yes | | |
Any other hardware | | | |
Total Hardware and Software Charges | | | |
(HA in DC, Active-Passive in DR)
B) Services Charges

Particulars | Parameter | Rate | Total
Migration of customer login to 2FA method in lots of 10,000 | 5 Lakhs migration | |
Changes carried out in the 2FA solution (application customization - indicative) | 1000 Mandays | |
Total Service Charges | | |
Changes/customization requirements for the first 6 months from the UAT sign-off date shall not be charged to the Bank.
Replies to queries related to RFP # 072013

Sr. 1 | Page: Not Applicable | Clause: Not applicable | RFP text: Not mentioned
Query (Approach): What is the number of anticipated transactions (any instance of an API call to the Risk Engine is a transaction) per year per user? 'Transactions' would include Login, Add beneficiary, funds transfer etc.
Bank's reply: The sizing of the solution shall be done based on the number of customers.

Sr. 2 | Page: Not Applicable | Clause: Not applicable | RFP text: Not mentioned
Query (Approach): Can the Risk Engine be provided as a hosted Cloud Service (SaaS platform)?
Bank's reply: No, it should be captive.

Sr. 3 | Page 69 | Point No 6, Technical Criteria
RFP text: The Bidder should have a proven and field-tested technology for the implementation of such solutions already in operation for at least two years.
Query: Request to change the term Bidder to Bidder/OEM.
Sr. 4 | Page 69 | Point No 8, Technical Criteria
RFP text: Bidder should have implemented 2FA solution in at least one scheduled commercial bank in India with Internet Banking customer base not less than 1,00,000.
Query: Request to change the term Bidder to Bidder/OEM.

Sr. 5 | Page 69 | Point No 10, Technical Criteria
RFP text: Solution proposed should have been implemented by the bidder in at least 1 scheduled commercial bank in India with Internet Banking customer base not less than 1,00,000.
Query: Request to change the term Bidder to Bidder/OEM.

Sr. 6 | Page 14 | 4.2 Project Timelines
RFP text: Designing the architecture of the solution as per the requirement of the Bank and doing necessary customization: 6 weeks from LOI date. Complete installation of the solution: 8 weeks from LOI date.
Query: The time period for each milestone, i.e. for Point 2, is very less. Other banks for similar projects have given at least 14-16 weeks. Request the bank to increase the time period for each milestone.

Sr. 7 | Page 16 | 4.3.1 General
RFP text: The 2 Factor Authentication (2FA) solution should be able to support and seamlessly integrate with any Fraud Management and Risk-based authentication solution if the bank opts to deploy it in the future. The bidder has to give an undertaking to this effect.
Query: Since the Fraud Management and Risk-based authentication solution is a future requirement, request the bank to: (1) amend clause 4.4.3 Proposed flow of IB transaction regarding posing questions in case of change in user behaviour; (2) remove all the points related to this, i.e. Clause Numbers 4, 15, 27, 28, 31, 32, 33, 36, 37, 39, 41, 45, 46, 49, 51, 65 from Annexure 1 - Technical Specifications.
Bank's reply: No change in RFP clause.

Sr. 8 | Page 69 | Point 8
RFP text: Bidder should have implemented 2FA solution in at least one scheduled commercial bank in India with Internet Banking customer base not less than 1,00,000.
Query: The bank should reframe it as below to allow more bidders to participate: "Bidder/or OEM should have implemented 2FA solution in at least one scheduled commercial bank in India with Internet Banking customer base not less than 1,00,000" OR "Bidder should have / or is currently implementing 2FA solution in at least one scheduled commercial bank in India with Internet Banking customer base not less than 1,00,000".

Sr. 9 | Page 69 | Point 10
RFP text: Solution proposed should have been implemented by the bidder in at least 1 scheduled commercial bank in India with Internet Banking customer base not less than 1,00,000.
Query: The bank should reframe it as below to allow more bidders to participate: "Solution proposed should have been implemented in at least 1 scheduled commercial bank in India with Internet Banking customer base not less than 1,00,000."

Sr. 10 | Page 14 | 4.1; Appendix 1 Form 02 Part 1 & 2
RFP text: The proposed solution shall support at least 5 lakhs Internet/Mobile Banking customer base. However, the solution should be scalable to support up to 15 Lakhs Internet Banking Customer Base. 2FA Solution Charges Including Licensing Cost.
Query: What is the total quantity the bank intends to buy?
Sr. 11 | Page 16 | 4.3.1
RFP text: Although the Bank proposes a token-less solution for its Internet Banking customers, the Bank also expects to provide a token based solution for its corporate users. The architecture, inventory, logistics etc. with respect to the token based solution shall be the responsibility of the bidder.

Sr. 12 | Page 16 | 4.3.1
RFP text: As in Sr. 11.
Query: What is the total quantity of hardware tokens the bank intends to buy? What is the bank implying by "The inventory, logistics etc. with respect to the token based solution shall be the responsibility of the bidder"? Please clarify.
Sr. 13 | Page 68 | Point 4
RFP text: Shall have a minimum average annual Net Sales Turnover of Rs.50.00 crores (Rupees Fifty Crores) during the last three financial years viz. 2009-10, 2010-11 and 2011-12.
Query: The bank should reduce the Net Sales Turnover to 10 Crores to allow more bidders to participate.

Sr. 14 | Page 16 | 4.3.1
RFP text: The 2 Factor Authentication (2FA) solution should be able to support and seamlessly integrate with any Fraud Management and Risk-based authentication solution if the bank opts to deploy it in the future.
Query: Section 4.4.1 states "The solution should have risk engine a self-learning technology..". This means that the proposed solution should have risk based authentication. Request to clarify the clause.

Sr. 15 | Page 16 | 4.3.1
RFP text: The solution shall seamlessly integrate with the SIEM solution of the Bank.
Query: For integration purposes, request the Bank to share details of the SIEM solution: name of product, technology and integrated functionality desired.

Sr. 16 | Page 16 | 4.3.1
RFP text: Although the Bank proposes a token-less solution for its Internet Banking customers, the Bank also expects to provide a token based solution for its corporate users.
Suggestion: Annexure 1 Technical Specifications Point 64 states: "Solution should support both H/W and S/W token for both OTP & PKI based Authentication". Since the Bank is open to software tokens, it is suggested to remove the token-less requirement.

Bank's replies (Sr. 13 to 16): No change in RFP clause. The details will be shared with the successful bidder.
Sr. 17 | Page 17 | 4.4.1
RFP text: The solution should support risk based authentication and it should. In case of corporate customers, if the Bank decides to use digital certificates, the solution should have on-board certificate issuing capability.
Suggestion: There are three major areas which the bank is targeting to achieve, namely 1) Multi-factor Authentication, 2) Risk Based Authentication and 3) PKI. There are lots of solutions in the field which provide best-in-breed solutions in this space. It is recommended to separate these areas so that the bank can evaluate each of them separately to benefit from the best solutions in these individual fields.

Sr. 18 | Page 18 | 4.4.3 Proposed Flow of IB Transactions (Functional requirement)
Query: The flow mentioned in the section only talks about registration and transaction. However, the actual login flow for 2FA is missing from the use case. Request the bank to clarify the login flow in order to enable 2FA for login.

Sr. 19 | Page 18 | 4.4.5
RFP text: At present the Bank is using the BANCs24 solution as a Core Banking solution (CBS) and Internet Banking (IB) solution deployed by M/s.TCS. The 2FA solution should get integrated with the above mentioned CBS and IB solution. The bidder has to coordinate with the vendor of the CBS and IB solution for integrating the 2FA solution. The solution shall be made compatible with any changes in the CBS software or Internet Banking Application / Mobile Banking Application at no extra cost. Also, whenever changes are carried out in the CBS software or Internet Banking Application / Mobile Banking Application, the bidder shall make the 2FA solution compatible with the new changes without any extra cost to the Bank.
Comment: In order to be fair to the bidder, request the bank to coordinate and bear the cost of integration. Since the bank has an existing relationship with the existing CBS and mobile banking vendor, it would be in the interest of the bank to negotiate and secure favourable terms.
Suggested clause: At present the Bank is using the BANCs24 solution as a Core Banking solution (CBS) and Internet Banking (IB) solution deployed by M/s.TCS. The 2FA solution should get integrated with the above mentioned CBS and IB solution. The bidder shall have to give an undertaking of developing all APIs/Interfaces as requested by the Bank's existing vendor of the CBS and IB solution for integrating the 2FA solution and would extend all support towards such integration at no extra cost to the Bank. The Bank will co-ordinate with the CBS and IB vendor for such integration activity. Also, whenever changes are carried out in the CBS software or Internet Banking Application / Mobile Banking Application, the bidder shall make the 2FA solution APIs/Interfaces available as demanded by the Bank's CBS and IB vendor, making the solution compatible with the new changes without any extra cost to the Bank.
Bank's reply: The Bank will extend the support needed in terms of integrating the solution. The major initiative in implementation shall be from the bidder only.
Sr. 20 | Page 27 | 6.1.5 SCORING METHODOLOGY FOR PAST EXPERIENCE (PE)
Suggestion: We think the bank should also consider OEM experience, since it would be the most critical aspect of OEM solution validation.
Recommended clauses: The bidder should provide details of implementation of the proposed Two Factor Authentication Solution including deployment of hardware, software and training of Bank staff. Table 1-2: Scoring Methodology for Past Experience: Number of Indian Public Sector Banks where the proposed solution is implemented; Number of Banks / Sites where the proposed 2FA solution has been implemented.
Bank's reply: No change in RFP clause.
Sr. 21 | Page 33 | 7.2.1.5
RFP text: The offer shall specify only a single product for the 2FA solution and for each of the components required as a part of solution implementation, which is cost-effective and meets the tender document specifications. It is the responsibility of the bidder to provide the best suitable solution. However, the bidder shall not offer more than one product for the entire solution or any component of the solution.
Suggestion: It is in the Bank's interest to evaluate the solution as a whole, where bidders can come out with various competitive solutions in this space which may be a combination of multiple products. This will trigger healthy competition and the bank will benefit both by getting a technically superior solution and at lower cost.
Recommended clause: The offer may specify multiple products as long as the 2FA solution proposed matches the technical requirements specified in Annexure 1 Technical Specifications and for each of the components/products required as a part of solution implementation, which is cost-effective and meets the tender document specifications. It is the responsibility of the bidder to provide the best suitable solution.
Bank's reply: The 2FA solution proposed shall be cost-effective and meet the tender document specifications. In case the bidder offers the 2FA solution from one OEM and the FRM / Risk Based Authentication solution from a different OEM, then it is the bidder's responsibility to ensure that the two components are compatible with each other and with other interfaces.
Sr. 22 | Page 57 | Annexure 1 Technical Specifications
Suggestion: In order to protect the user from Man-In-The-Middle type attacks, it is recommended to include the following feature: "Solution should provide mechanism to form encrypted channel of communication between user machine/device and authentication server".
Bank's reply: Yes.

Sr. 23 | Page 65 | Annexure 1 Technical Specifications: Point 58
RFP text: The token should not insert itself into any form for authentication. An intermediate manual step shall be there while reading the token into any application.
Query: Request to clarify the point.
Bank's reply: There should be no possibility of hijacking the session and inserting the token automatically into any form / web page.

Sr. 24 | Page 65 | Annexure 1 Technical Specifications: Point 62
RFP text: The One Time Password (OTP) should be sent at the time of beneficiary maintenance and at the time of funds transfer also. The OTP entered by the user should be authenticated before allowing the user to proceed further. The password should be sent in encrypted form through the network.
Suggestion: OTP is one way of enabling 2FA. There are advanced and secure ways of performing 2FA which the bank should consider.
Recommended clause: At the time of beneficiary maintenance and at the time of funds transfer, the solution should ask the user to provide 2FA. Only after successful authentication should the user be allowed to proceed further. All communication between the user machine/device should be encrypted.
Bank's reply: OTP as second factor is mandatory. The bidder shall provide an additional second factor such as challenge questions or any advanced secured methods.

Sr. 25 | Page 69 | Annexure 5: C) Technical Criteria (Experience and other Technical Requirements)
RFP text: The Bidder should have a proven and field-tested technology for the implementation of such solutions already in operation for at least two years.
Suggestion: In order to get the best quality at the lowest cost, it is advisable to consider the OEM's experience. The quality of the OEM's installation is more critical for the success of the implementation.
Recommended clause: The Bidder and/or OEM should have a proven and field-tested technology for the implementation of such solutions already in operation for at least two years.

Sr. 26 | Page 69 | Annexure 5: C) Technical Criteria (Experience and other Technical Requirements)
RFP text: Bidder should have implemented 2FA solution in at least one scheduled commercial bank in India with Internet Banking customer base not less than 1,00,000.
Suggestion: Same as above.
Recommended clause: Bidder and/or OEM should have implemented 2FA solution in at least one scheduled commercial bank in India with Internet Banking customer base not less than 1,00,000.
Sr. 27 | Page 69 | Annexure 5: C) Technical Criteria (Experience and other Technical Requirements)
RFP text: Solution proposed should have been implemented by the bidder in at least 1 scheduled commercial bank in India with Internet Banking customer base not less than 1,00,000.
Suggestion: This will narrow down the list to very few companies, and the bank will not benefit from healthy competition.
Recommended clause: Solution proposed should have been implemented in at least 1 scheduled commercial bank in India with Internet Banking customer base not less than 1,00,000.

Sr. 28 | Page 28 | 6.1.5 SCORING METHODOLOGY FOR PAST EXPERIENCE (PE)
RFP text: The bidder should provide details of past experience in implementing Two Factor Authentication Solution including deployment of hardware, software and training of Bank staff. The bidder's past experience shall be evaluated as given below: Implementation Project in Indian PSU for Two Factor Authentication solution for Internet Banking.
Query: There are hardly any PSU / banks in India who have implemented a two factor authentication solution. Most of the implementations were conducted by the OEM itself. Request the bank to consider the experience of either the Bidder or the OEM in the scoring methodology.
Sr. 29 | Change in Internet Banking and Mobile Banking Application
Query: Most of the Internet banking and Mobile banking solution changes are carried out by the OEM / Bidder of the Internet / Mobile Banking (IB / MB) solution. Even for the Two Factor Authentication solution, the bank will have to ensure that the existing OEM of IB / MB provides complete support and carries out changes as per mutual discussion during the project planning and implementation phase.

Sr. 30 | Page 16 and 71 onwards | Detail Scope of Work and Commercial Format - Resources
RFP text: Overall scope must ensure full coverage of 24*7*365 monitoring and management aspects of the Two-Factor Authentication system.
Query: The Bank has not requested resources to manage the operations of the critical 2FA infrastructure. Is the bidder expected to implement the solution and hand it over to the bank's call centre or any other department for day-to-day operations? We suggest that since there is no provision of FM, the requirement of 24x7x365 monitoring and management should be removed.
Bank's reply: The bidder shall deploy one L1 level resource at the Helpdesk of the Bank. The resource shall be available during the Bank's working hours. The bidder should not quote a separate cost for the same.
Sr. 31 | Page 71 | Part 2: Segment wise Detailed Commercial Proposal Format: Summary Sheet (Without Commercials), A. Hardware Token Charges and B. Services Charges: Migration of Customer login to 2FA method
Query: The Bank has mentioned only 2000 hardware tokens. Is the migration of 3 lac Internet banking login customers to Internet Banking by software token / on-demand SMS token?

Sr. 32 | Page 43 | Payment terms, Clause 8.2
RFP text: 20% against delivery, 50% against installation and the balance 10% every year for the next 3 years.
Query: Since this is primarily a product tender, 80-90% of the payment is outflow to the OEM which the SI has to make against delivery of equipment. Hence we would request the Bank to consider the following payment terms: 80% against delivery, 10% against installation, balance 10% after 3 years or against submission of a PBG of the same amount valid for the warranty period.
Bank's reply: No change in RFP clause.

Sr. 33 | Page 52 | Exit Option
Query: There is no mention of payment in this clause. Request the Bank to include a clause for releasing payment to the SI for product investments done and services provided, if any, against this tender. A similar clause already exists in another clause, i.e. Effects of Termination.
Bank's reply: No change in RFP clause.