The vendor is required to provide a comprehensive assessment of the authority’s payment card industry data security standard (PCI DSS) compliance status.
- Assessment Areas:
• Network architecture review: evaluate network and system architecture for compliance with PCI DSS requirements.
• Network segmentation: ensure logical and physical segmentation controls are in place.
• Policies and procedures review: assess existing policies and procedures related to handling payment card data.
• Data security and encryption: verify the implementation of appropriate data security measures, including encryption, data storage, and access control.
• Access control and authentication: assess user access management, multi-factor authentication (MFA), and segregation of duties.
• Risk assessment and vulnerability management: review risk assessment practices, vulnerability scanning, and remediation processes.
• Third-party vendor management: review third-party agreements and relationships (e.g., payment processors) to ensure they meet PCI compliance standards.
• Payment card transactions: identify and analyze how the college processes payment card transactions (e.g., online payments, point-of-sale (POS) systems, phone-based payments, etc.).
• Systems and applications in scope: list the systems, applications, and networks involved in processing, storing, or transmitting cardholder data (CHD). This may include payment gateways, POS systems, payment terminals, e-commerce platforms, and web servers.
- Contract Period/Term: 5 years
- Questions/Inquiries Deadline: March 26, 2025