E
ელ. ტენდერი

T16728 - AUDIT SERVICE (SECURITY ASSESSMENT AGAINST PCI 3DS STANDARDS REQUIREMENTS

აღწერა

შეკითხვები

შეთავაზება

რეზულტატი

შეტყობინებები

Tender Description:

INTRODUCTION:

Purpose of this document and therefore tender, is to select service provider for Georgian Card JSC (JSC Bank of Georgia’s processing center), which will provide assessment services against PCI 3DS security standards requirements.

Purpose:

As a Level 1 Service Provider and VISANET Processor, Georgian Card JSC is willing to perform onsite or remote security assessment against PCI 3DS security standard requirements. As a result, we have decided to conduct market research in order to evaluate possible partnership in the scope of PCI 3DS security standards requirements assessment.
In this regards, we are looking for the interested VISA Approved Security Assessor (SA), 3DS Assessor (3DS), Qualified PIN Assessor and Qualified Security Assessor (QSA) companies. We are free to discuss the details regarding PCI 3DS and other PCI family standards (in specific PCI DSS and PCI PIN) for possibility of future cooperation.

Briefly about our Georgian Card JSC:

Georgian Card JSC is the leading service operator of the payment business, providing the service to the companies in Georgia since 1997. Until today, Georgian Card retains its position of the market leader: processing up to 200 operations per second for 1000 ATM-s, more than 10000 POS terminals and more than 3000 Self-Service terminals.

The bidder shall conduct an assessment of Georgian Card JSC 3DS environment against the PCI 3DS security standard. The assessment shall include the following:

Review of the 3DS environment architecture, configuration, and documentation (Georgian Card JSC 3DS environment only includes 2 components (ACS, MPI/3DSS) out of the possible 3 (ACS, MPI/3DSS, DS).
Assessment of the 3DS environment against the PCI 3DS requirements.
Identification of any gaps or deficiencies in the 3DS implementation.
Remediation guidance to address any identified gaps or deficiencies.

REQUIREMENTS
In order to qualify for the review, the bidder must meet all the requirements listed below:

Must be listed as a 3DS Assessor (in the corresponding online listing)
Must be able to conduct onsite or remote (if pre-agreed and pre-approved) PCI 3DS assessment against latest versions of the standards mandated by PCI SSC
Must be able to conduct onsite or remote (if pre-agreed and pre-approved) PCI 3DS assessment 2 (two) times in a raw starting from year 2023.
Must be able to provide consulting in the scope of PCI 3DS and other PCI standards family (in specific PCI DSS, PCI PIN, PCI CP).
Must be able to issue RoC and AoC that are acceptable by all brands, included but not limited to VISA, MASTERCARD and AMERICAN EXPRESS.
Must be able to negotiate compliance confirmation with payment brands, included but not limited to VISA, MASTERCARD and AMERICAN EXPRESS.
Must be able to conduct assessments in region of Georgia.
Must be able to start assessment within 14 (calendar days) from the signing of agreement.
Must not face insolvency proceedings and must not be in the process of liquidation / reorganization.
Must have at least 5 (five) years of experience in providing similar services.

DELIVERABLES
The bidder shall provide the following deliverables:

Assessment report detailing the results of the assessment and any identified gaps or deficiencies.
Remediation guidance report detailing the actions required to address any identified gaps or deficiencies.
Final report detailing the results of the remediation efforts.

INFORMATION REQUEST
In order to qualify for the review, the bidder must provide following information:

General overview of the company:
- Short history of the company (presentation)
- Number of clients
- Experience (list of verifiable projects in the scope of PCI 3DS and other PCI standards family)
- Number of successful assessment
- Contact information for three references from previous PCI 3DS assessment clients
- CV of assessor(s)
- Regional presence for Georgia (or country from which account manager will be assigned to Georgian Card JSC)
Description of onsite and remote assessment process:
- Assessment methodology
- Assessment timeline
- Information about pre-engagement work (that must be completed by Georgian Card JSC)
Budgeting:
- Assessment service price for PCI 3DS
- Price of any additional services included but not limited to assessment services of PCI family standards (PCI DSS, PCI PIN and PCI CP), vulnerability scanning, penetration testing or any other services that can be related to PCI 3DS assessment.
- Any additional costs, included but not limited to travel, accommodation.

DISCLAIMER:

The announcement of the tender does not oblige Georgian Card JSC to sign a contract with any of the participants and at any stage of the tender Georgian Card JSC reserves the right to terminate the tender without disclosing reason to any of the bidders.

EVALUATION CRITERIA
Proposals will be evaluated based on the following criteria:

Experience and qualifications of the bidder and its personnel.
Proposed approach to conducting the assessment.
Cost of the service.
References from previous clients.

PROPOSAL SUBMISSION
Bidders must submit a proposal that includes the following:

Bidders are obliged to provide the documents required by the tender requirements – to the contact person, indicated in this document;
Additional information – if needed, should be obtained or clarified by contacting to the person – via e-mail or telephone, indicated on the cover page of this document;
After the completion is over, the tender commission will review the bids and select the supplier with the best conditions;
The bidder should submit the total price of the service;
The bidder should submit a presentation of the proposed product (or service) and datasheet files;
Proposal currency should be indicated in USD excluding VAT;
All documents and information that should be submitted by the bidder must be certified with the signature and seal of the authorized representative;
In order to participate in the tender, it is necessary for the organization to submit the following mandatory documents:
- Suggested price list (Appendix 1);
- Bank details (Appendix 2);
- Decision characteristics (Appendix 3) (only when needed and if not pre-filled);
- Extract from the Entrepreneurial Register;
- MAF [Manufacturer Authorization Form] that is given to resellers from manufacturer to prove that they are indeed partners accredited by the manufacturer (if applicable for the tender type);
During the tender, bidder is obliged to submit an additional legal or financial document upon the request;
The proposal must be valid at least for 90 calendar days.