RFP Description

The vendor is required to provide Payment Card Industry (PCI) Qualified Security Assessor (QSA) services, which include the following:
• The vendor must be in good standing with the Payment Card Industry Security Standards Council (PCI SSC) as a PCI Qualified Security Assessor (QSA) for the contract term. The contract, at the state’s discretion, may be terminated immediately if the vendor has been removed from the PCI SSC listing of QSA companies or is placed on remediation status.
• The QSA company and each QSA employee must submit to the state, annually, evidence that the QSA company and employee have received their annual re-qualification.
• The vendor must be a PCI SSC qualified QSA company and have at least two (2) qualified QSA employees.
• The vendor must adhere to all business and professional ethics, perform its duties with objectivity, and limit sources of influence that might compromise its independent judgment in performing PCI SSC assessments.
• Each QSA employee should be a direct employee of the QSA company, have passed a background check, and possess sufficient information security knowledge and experience to conduct technically complex security assessments.
• QSA employees must have experience in the following audit and assessment disciplines: IT security auditing, and information security risk assessment or risk management.
• This understanding shall include, but is not limited to, all system components, network components, servers (web, application, database, authentication, mail, proxy, network time protocol, domain name server), firewalls, switches, routers, wireless access points, network appliances, security appliances, applications (purchased, custom, internal, and external/internet), applicable manual and automated business processes, and in-house and contracted personnel duties.
• The vendor shall verify all technical information provided by the state.
• The vendor shall identify and analyze the state’s current information security protocols including a review of the policies, processes, and procedures (to include documentation, system and network device configuration details, and network and application architecture guidelines).
• The vendor shall, in accordance with the appropriate security assessment procedures, perform any necessary examinations and sampling of system components and compensating controls deemed in scope and subject to compliance requirements.
• The vendor shall provide all necessary guidance to the state as required to achieve compliance with the appropriate security standards.
• The vendor shall determine all areas where the state may be non-compliant with standards, and the extent of non-compliance.
• The vendor shall identify issues of concern and communicate potential deficiencies or lack of controls that may result in failure to comply with the standards, or which may present a general security risk.
• Each area of concern must be documented with its level of non-compliance.
• The vendor shall provide all necessary ongoing consulting services to support annual compliance requirements.
• The vendor shall prepare all necessary documentation required to demonstrate compliance, which the state will in turn submit to the acquiring bank and payment card brands or regulatory authority on an annual basis.
• At any time during the terms of this contract, the state may request, and the vendor shall provide, a security assessment for:
o A state agency that is accepting credit card payments for the first time,
o An existing state agency that proposes to modify their current system/application, and/or
o Network or other infrastructure changes that impact the data environment including but not limited to physical location.
• The purpose of the security assessment shall be to validate that the state, as the merchant, remains fully compliant with PCI security standards.
• The QSA company must protect all confidential and sensitive information and adhere to state policies.
• Adherence must include adequate physical, electronic, and procedural safeguards, consistent with industry-accepted practices, to protect confidential and sensitive information against any threats or unauthorized access during storage, processing, and/or communication of this information.
• The work plan shall include all the vendor’s major work activities and shall address all major tasks and subtasks.
• The vendor will update the work plan bi-weekly, and the update shall include, at a minimum, the following:
o Project status related to the project work plan and milestones.
o Accomplishment(s) during the past bi-weekly period being reported.
o Planned activities for the upcoming bi-weekly period.
o Future activities.
o Summary of concerns along with vendor recommendations on resolution.
• After the state team has reviewed the preliminary Report on Compliance (ROC) and any necessary remediation has been completed by the state, the requested changes and/or edits will be submitted to the vendor.
• The vendor shall provide an Attestation of Compliance (AOC) form that shall accompany the ROC for filing with the state’s acquiring bank.
• The AOC shall include such assertions as are required by the payment card brands to ensure the accuracy and completeness of the ROC.
• After the ROC and AOC have been completed, the vendor will be required to draft a post-assessment executive report to be reviewed with and approved by the PCI compliance team.
• The report shall include, but is not limited to, the following:
o High-level summary of overall state compliance.
o High-level summary of control strengths and weaknesses.
o High-level summary of applied compensating controls that were put in place to address areas of non-compliance, and recommended long-term solutions.
o High-level summary of short- and long-term changes that the state should consider to reduce overall PCI compliance exposure and future costs.
- Contract Period/Term: 2 years
- Questions/Inquiries Deadline: May 05, 2025

Timeline

RFP Posted Date: Saturday, 26 Apr, 2025
Proposal Meeting/Conference Date: NA
Deadline for Questions/Inquiries: Monday, 05 May, 2025
Proposal Due Date: Friday, 23 May, 2025
Authority: Government
Acceptable: Only for USA Organization
Work of Performance: Onsite