The vendor is required to provide the taxpayers and customers of government an expanded choice of secure payment methods, enhance customer service and convenience, and achieve operational efficiencies in its depository, accounting, and reconciliation functions through the application of a variety of electronic payment technologies.
- Electronic payments methods currently accepted include:
• Bank, debit cards, and non-bank payment cards accepted at point of sale (POS), by phone, mail, internet, and interactive voice response (IVR).
• On-line and off-line debit cards, combination debit and payment cards at POS.
• Automated clearing house (ACH).
• Gift cards
- Current and future electronic payment methods, including those where the card is present or not present, that fall under the include but are not limited to the following:
• Chip and signature
• Chip and PIN
• E-check
• Convert paper checks to ACH
• Online payment options
• Hosted payment solution and check-out page
• Web services API
• Electronic benefit transfer (EBT)
• Near field communications (NFC), e.g., mobile pay, card readers, cellular, Wi-Fi, etc.
• Tokenization
• Address verification for non-present cards and CVV
• Terminal registers, including PIN pads
• Recurring payment options (i.e., subscriptions, automatic monthly withdrawals)
• Interactive voice response (IVR)
• Microdeposit verification
• Time out reversals
- Include a central processing platform that fully integrates with the commonwealth’s enterprise resource planning (ERP) system (currently SAP).
- Provide decentralized processing platform(s) to meet individual commonwealth agency processing needs.
- Integrate with board Oracle, Computronix, and Trintech systems.
- Expedite the availability and access to funds to manage the day-to-day cash operations of the commonwealth more efficiently.
- Reduce bank processing charges and reduce the costs associated with the return and collection of bad checks and ACHs.
- Comply with all current and future relevant laws, regulations, and industry practices.
- Deliver technical support for commonwealth agency application development using new technology.
- Adhere to all statutory and regulatory requirements, including any commonwealth agency-specific requirements, relating to the acceptance of electronic transfer of funds and payment cards.
- Deliver, configure, and maintain a payment card industry (PCI) compliant fully outsourced online payment transaction mechanism utilizing payment applications that are securely hosted by the selected offeror where cardholder data is fully transmitted, processed and/or stored by offeror and the cardholder data environment (CDE) is not stored and maintained by the commonwealth.
- Provide specialized reporting, specialized information requirements, and accounting assistance.
- Deliver to individual commonwealth agencies specialized technology and customized information reporting functions.
- Provide marketing, training, customer service, and problem resolution.
a. Security and compliance requirements
1. The solution shall comply with all federal laws and regulations for the processing of electronic payment transactions.
• During the term of the contract, the selected offeror shall notify the commonwealth of any changes to federal or credit and debit card company rules and regulations, bylaws, or any other related materials that will affect processing of debit/payment card transactions.
• The selected offeror shall provide this information to the contract manager and may be required to provide this information to each commonwealth merchant.
• The selected offeror shall provide the notice as described in subparagraph (a) above within five (5) business days of the selected offeror’s receipt of same, but in no event shall such notice be given less than thirty (30) days prior to the effective date of such changes.
2. Software-as-a-service (SaaS).
• Offeror shall propose a SaaS solution with a hosted payment page mechanism for use with existing online applications that processes online financial transactions.
• The solution shall support card present and card not present in-person transactions using a POS payment device and transactions by phone.
• The commonwealth prefers that the offeror meet the technical requirements using one payment application.
• The commonwealth will consider proposals that include up to four payment applications to meet the technical requirements of this RFP.
• If more than one payment application is proposed, the offeror should state succinctly how each payment application functions in relation to the requirements of the RFP and how the payment applications work together as a complete solution for the commonwealth.
• The payment application shall ensure that payment card data is not traversing the commonwealth network and is separate and apart from commonwealth agency IT applications and meets the requirements set forth in this RFP including the commonwealth data in transit and data at rest security
3. Payment card industry (PCI) data security standards
• The SaaS-based hosted payment application page shall be payment application data security standard compliant, and the offeror shall comply with the most current SSAE auditing standard.
4. Risk assessment review: in support of a risk assessment, the offeror must submit the following documents and information with its proposal as they relate to the solution being proposed by the offeror:
• A copy of the three most recent PCI data security standards (PCI DSS) and an attestation of compliance (AOC).
• A SOC 2 Type II, ISO 27001 certification, standardized information gathering (SIG) questionnaire and/or other relevant security documentation.
• Information security policy.
• Penetration testing summary results.
• Any other relevant information pertaining to the offeror’s security and compliance programs.
5. Security and confidentiality.
• All materials and information provided to the selected offeror by the commonwealth or acquired by the selected offeror on behalf of the commonwealth shall be regarded as confidential information in accordance with federal and state laws and ethical standards.
• The selected offeror shall provide a secure electronic solution between the selected offeror and commonwealth agencies to ensure the security and confidentiality of information passed.
• The selected offeror’s solution shall have a system of controls and procedures in place to accurately account for all transactions and occurrences.
• The selected offeror shall incorporate system security measures to prevent disclosure of information, except as authorized by the commonwealth, in any personally identifiable system user records.
6. Data mining.
• The selected offeror shall not sell, use or provide lists of cardholder or customer data for any purposes but those explicitly contemplated in the resulting contract.
7. Record retention and availability.
• The selected offeror shall maintain records and other data as specified in the contract and in such detail as shall properly substantiate claims for payment under a contract and meet electronic payment operating regulations, federal and state laws.
• The selected offeror may be required to retain such records for up to a maximum of seven years, based on commonwealth agency application requirements and for the duration of the retention period the records shall be accessible to the agencies via the selected offeror’s system.
- Payment processing requirements
1. At the time of proposal submission, the offeror’s solution shall provide electronic authorization, data capture and processing of all the payment cards/methods as outlined in this solicitation:
• Perform an exact validation on the payment card number and the payment card expiration date.
• Support timeout reversal requests.
• Ensure that the quality control system uses sufficient information provided by the commonwealth to recognize each tender as unique.
• Provide the ability to track an individual order by the commonwealth’s unique transaction number from authorization through adjustment, settlement, funding, and reconciliation reporting.
• Provide the ability to charge transaction service fees.
• Be capable of fully integrating with commonwealth systems, which at a minimum include the following:
a. The commonwealth’s ERP (currently SAP);
b. Board systems, which are Oracle, Computronix, and Trintech systems; and
c. Department systems, which are eGov, inspections, dealers’ application system, commercial vehicle registration system, financial application system, road user charge application, pay department, driver history information application.
2. Authorization and capture
• Return authorized/declined data upon receipt of payment authorization, which includes tokenization or related recurring payment options.
• Perform an automatic reversal if the transaction times out.
• Accept, store, and return the commonwealth’s unique transaction identifier.
• Support of address verification service (AVS) and 3-digit card validation code (CID) and card verification value (CVV) for Visa, Mastercard, Discover, AmEx, etc. in authorization requests for card-not-present transactions, i.e., internet, telephone and mail order.
3. Adjustment and voids.
• The proposed solution shall provide the commonwealth the ability to adjust a transaction before submitting for settlement, including adjustment and cancellation.
4. Credits and refunds
• The solution shall allow the commonwealth to issue credits or refunds in the case of an error in payment amount, card number, return, etc.
• The system shall be able to process and obtain authorization of credit or debit card and ACH returns for partial or full credit.
• The solution shall provide separate reports at multiple levels, so that refunds may be mapped back to a specific commonwealth agency location or entity, with summaries, details and totals being possible at the commonwealth agency level.
5. Data transmission
• Transmitting and retransmitting payment transaction results at user-definable intervals over a user-definable period until a successful confirmation is returned from the merchant system.
• Providing email notification of transaction failures.
• Transmit data to the commonwealth either via the internet or over a private network utilizing TCP/IP and SFTP protocols.
• Encrypt files using Pretty Good Privacy (PGP).
• Provide data through application programming interfaces (API) and web services.
• Import and export EDI ANSI X12, XML and various other open systems data transfers.
• Import, export and transmit data on-line and in batch mode.
• Retain payment card data in an encrypted format in accordance with PCI-DSS (data security standard) requirements.
• This data shall only be accessible to authorized commonwealth personnel.
• Retention period shall be a minimum of 18 months. Offeror shall describe its retention options which meet or exceed the minimum requirements.
• Provide for tokenization that allows the commonwealth to maintain secure tokens for future, recurring payment transactions without needing to maintain specific card or account information.
6. Customer payment card statements.
• The selected offeror shall provide a merchant descriptor on the customer’s payment card statement indicating what the payment amount is for as specified by each commonwealth agency.
- Contract Period/Term: 3 years