SR 05-08-2018 3K
City Council
Report
City Council Meeting: May 8, 2018
Agenda Item: 3.K
1 of 4
To: Mayor and City Council
From: Gigi Decavalles-Hughes, Director, Finance Department, Revenue
Subject: Award RFP #132 to RSI Security to provide Payment Card Industry Audit and
Compliance Services
Recommended Action
Staff recommends that the City Council:
1. Award RFP #132 to RSI Security, a San Diego based company, to provide
Payment Card Industry (PCI) audit and compliance services.
2. Authorize the City Manager to negotiate and execute a professional services
agreement with RSI Security for five years in an estimated total amount of
$346,000 (including a 10% contingency), with future year funding contingent on
Council budget approval.
Executive Summary
All merchants that accept credit cards for payment must comply with the Payment
Card Industry Data Security Standard (PCI DSS). The City has been categorized as a
Level 1 merchant under the PCI industry standards and must undergo an annual security
assessment. In order to continue to accept credit/debit card payments and to avoid fines
for noncompliance, the City must receive a Report on Compliance (ROC) from a PCI
Council approved Qualified Security Assessor (QSA). Staff recommends RSI Security (RSI)
to conduct these assessments and provide the necessary certifications under a five-year
contract in an estimated amount of $346,000 (including a 10% contingency).
Discussion
The City maintains multiple websites and currently allows credit card payments for
various services throughout the City. Credit card payments are accepted over the
internet, via Point of Sale (POS) devices, over the phone, and with card swipe devices
through a multitude of systems and vendors. The City processed 9.34 million
transactions during fiscal year 2016-17. With the increased use of credit cards and
growing number of services available to pay by debit or credit card, the City recently
was reclassified to a Level 1 merchant (defined as merchants that process over 6
million transactions per year), requiring additional security and compliance monitoring.
PCI Compliance Requirements
PCI DSS is a set of security standards designed to ensure that all companies that accept,
process, store, or transmit credit card information maintain a secure environment.
These are widely accepted standards that help protect customer cardholder data.
PCI DSS sets the operational and technical requirements both for organizations
accepting or processing payment transactions and for the software developers and
manufacturers of the applications and devices used in those transactions. Under the
standards, every merchant falls into one of four established merchant levels, based on
the annual volume of transactions. The validation requirements for Level 1 merchants,
together with the related services sought under this RFP, are as follows:
1) Annual Report on Compliance (“ROC”) by a Qualified Security Assessor (“QSA”),
also commonly known as a Level 1 onsite assessment, or by an internal auditor if
the report is signed by an officer of the company.
2) Quarterly network scan by Approved Scan Vendor (“ASV”).
3) Attestation of Compliance Form (annual).
4) Security training and consulting services.
5) Development and review of security policies and procedures.
6) Additional Consulting, as needed.
Santa Monica and PCI Compliance
To ensure that the City has taken the security measures needed to minimize risk to
cardholder data, PCI audit and compliance services are required.
The City currently does not have a consultant that provides PCI audit and compliance
services. With the expansion of online payment options, credit/debit card transactions
have become an integral part of the City’s payment channels. Given the volume of
credit card transactions, PCI audit and compliance services are needed to manage
payment account security throughout the transaction process. Because the City has only
recently been reclassified as a Level 1 merchant, this will be the first time it undergoes
PCI DSS compliance certification.
The City currently contracts with TransFirst Health and Government Solutions, LLC
(TransFirst), American Express Travel Related Services, ActiveNet, and PayPal for
merchant processing services. The City is in the process of transferring parking meter
transactions from TransFirst to IPS Group, Inc. to reduce processing costs and
potentially lower the City’s merchant level categorization from Level 1 to Level 2 (fewer
than 6 million transactions per year), which would reduce the PCI validation
requirements. PCI DSS itself applies to credit card merchants at every level; only the
validation requirements differ.
Consultant Selection
On May 19, 2017, the City published a Request for Proposals (RFP #132) for PCI audit
and compliance services. The RFP was posted on the City’s online bidding website and
notices were advertised in the Santa Monica Daily Press in accordance with the City
Charter and Municipal Code provisions. Fifty-four vendors downloaded the RFP.
Proposals were received from the following five firms:
Trustwave
Coalfire Systems, Inc.
RSI Security
CampusGuard
Online Business Systems
An evaluation panel composed of representatives from the Finance, Planning and
Community Development, and Information Systems departments reviewed and ranked
the proposals using the criteria set out in the RFP. The panel short-listed three firms to
participate in an interview process: Trustwave; Coalfire Systems, Inc.; and RSI Security.
Based on the selection criteria in SMMC 2.24.073, staff recommends RSI as the best
qualified firm to provide PCI audit and compliance services for a five-year period in an
estimated amount of $346,000. RSI was selected based on: the firm’s ability to assist
with quality control measures to minimize risk; experienced and qualified staff;
technology solutions; ability to provide the required services and availability of optional
or additional services; creative solutions that can reduce the cost of services while
improving operational efficiency and effectiveness; pricing; and compliance with the
City’s scope of work. RSI would provide audit, security, and compliance solutions to
establish, assess, and validate Information Technology (IT) compliance.
Financial Impacts and Budget Actions
Fees for PCI audit and compliance services are based on the scope of work, which is
determined by the number of credit card transactions performed annually. Based on the
current number of transactions, staff estimates the cost of services over the five-year life
of the contract to be $346,000 including a 10% contingency ($69,200 per year). Funds for
the initial assessment and the first year of ongoing costs are available in the
FY 2017-19 Biennial Budget in account number S010130.589000 (expenditure control
savings). Future year funding is contingent on Council budget approval.
Prepared By: David Carr, Assistant City Treasurer
Approved
Forwarded to Council
Attachments:
A. Oaks Initiative Form
REFERENCE:
Agreement No. 10676
(CCS)