Request for Proposals (RFP) for PCI DSS COMPLIANCE SERVICES business.spokaneairports.net/core/files/business/uploads... · 2015-05-29 · Spokane Airport Board (Spokane International


Spokane Airport Board (Spokane International Airport, Airport Business Park, Felts Field)

Request for Proposals (RFP) for

PCI DSS COMPLIANCE SERVICES

Project # 15-49-9999-016

Addendum #1 - Q&A

May 29, 2015

Notes:

1) Questions received are reproduced as they were received from those firms posing questions. The names of the companies have been removed and replaced with “Company 1”, “Company 2” etc. The order of the companies listed is random and is not intended to show favoritism to any. Typographical errors contained in the original questions are also reproduced as received. The Airport’s answers are highlighted in red.

2) A couple of questions from different companies delve into system configurations and transaction flow. Page 6 of the RFP states “the Airport shall be responsible for the following: Providing necessary documentation of the existing in-scope network configuration, servers, application, and security devices”. Due to the sensitivity of revealing this type of information on a public website, the airport will provide that information upon selection of firm.

1 of 12


Questions from “Company #1”

General PCI Scoping Questions

Has a PCI audit (PCI Data Security Assessment with Report on Compliance) been performed previously? If so, was the environment found to be in compliance?

o No; N/A

Have any PCI self-assessments or Gap Analyses been conducted?

o No

Which SAQ is the airport required to complete annually?

o To be determined as part of the Gap Analysis, Phase 1

Briefly describe each PCI process, application or data flow that stores, processes and/or transmits credit card data. Include the electronic and paper flows.

o See Note 2 on page 1 of this addendum. In general, most of our transactions flow from our Point of Sale equipment through a gateway, to a processor, to a banking institution.

How many individuals would be interviewed in order to understand the current state of PCI across the organization’s various business units? Include HR, Legal, Finance, IT, Physical Security & Information Security, or any other business operational departments that process or handle payment card data, etc…

o As many as necessary, however we estimate less than 10 individuals

How many different business locations are involved? Please identify headquarters, data center and number of store locations (if appropriate).

o All credit card transactions are processed at one location, Spokane International Airport. There are approximately 26 individual terminals throughout the Airport campus.

Environment

Of the applications that store, process, and/or transmit cardholder data, are any internally/custom developed, commercial-off-the-shelf, or a combination of both?

o Commercial off the shelf

Do all systems/applications follow a standard build?

o There are no custom applications

Is there an up-to-date network diagram showing all PCI systems?

o See Note 2 on page 1 of this addendum

Is the cardholder data segmented logically from other systems by external facing firewalls, internal facing firewalls, or both?

o See Note 2 on page 1 of this addendum

PCI Application Counts

How many “Card Present” Payment systems exist? For each payment system, how many unique application versions exist within the environment?

o 4: One Parking Revenue Control System (PRCS); One wireless Multi-Space Meter Pay Station system; two stand-alone POS terminals; three wireless handheld devices

How many P2PE “Card Present” Payment systems exist? For each P2PE system, how many unique application versions exist within the environment?

o Unknown

How many “Card Not Present” Payment systems exist?

o 3: One PRCS terminal; one stand-alone POS terminal; one embedded Sage Software solution


How many other applications exist in the environment that process card data?

o Unknown

System Counts

For each category below, please identify the following three items: how many of the system exist within the PCI environment, how many of the system exist outside of the PCI environment, and how many administrative teams have direct responsibility for managing the systems.

o See Note 2 on page 1 of this addendum

o Network Components: Perimeter (Internet Facing) Firewalls, Internal Firewalls, Routers, Switches, Wireless Access Points

o Servers: Windows, Linux, UNIX, Novell, Other

o Workstations: Windows, Linux, Thin-Client (i.e., WYSE), Virtualization Management Systems

o Mainframe / Midrange / Processing Systems (include backup systems): zOS, OS400, Tandem, Other

o Databases (include backup databases): Microsoft SQL Server, Oracle, DB2, Other


Questions from “Company #2”

1. What is the internal active IP count?

o See Note 2 on page 1 of this addendum

2. What is the external active IP count?

o See Note 2 on page 1 of this addendum

3. How many VLANs does the network consist of?

o See Note 2 on page 1 of this addendum

4. Can all the airport sites be reached from one internal location?

o No

5. In the deliverables section, it states "assist the Airport with implementing corrective measures ...". It is also mentioned the need to have a resource available to the Airport for "corrective efforts". To what extent are you looking for assistance; consulting, remediation assistance, and/or implementation of recommendations?

o This will be determined upon completion of Phase 1, Gap Analysis

6. For the second item under deliverables, will you accept hourly rates, since the scope of assistance is unknown until Phase 1 is complete?

o Yes


Questions from “Company #3”

1. Is there an approved budget for this requested service/solution? What is the budget?

o No, any contract above $48,400 will have to be approved by the board of directors.

2. Is there a current solution in place for the requested solicitation?

o No

3. When questions are submitted, will all Q&A be released for all parties to review?

o See Page 3 of the RFP

4. Can your organization sign a multiyear contract? If so, what is the desired length?

o The Airport can, but it is not being considered at this time

5. Will a POC be needed prior to purchase?

o No

6. If POC is needed, how many days is desired?

o N/A

7. What is the largest focus when making a decision on vendor (i.e., Price, Functionality, Etc.)?

o See the Evaluation Criteria on Page 6 of the RFP

8. How will the finalist/awardee be notified?

o Via phone and email

9. Will there be a public announcement on which vendor was awarded the business?

o No

10. What is your timeframe?

o See the Schedule on page 3 of the RFP

11. How many Vendors are involved?

o This is an open solicitation advertised nationally, so the number of respondents is unknown

12. Who makes the ultimate decision?

o Evaluation committee recommendation to CEO recommendation to Board

13. Why did the project go out to RFP?

o The expected cost to a government agency such as ours forces the need to go out for the RFP

14. What happens if it takes you longer to answer these questions than anticipated? Will there be an extension granted?

o Answers posted as scheduled on May 29, 2015; N/A

15. What happens if you decide not to move forward with this RFP? Will you release the reason as to why not to move forward?

o See “Rights Reserved” on Page 10 of the RFP

16. Why is it important that you have this assessment take place?

o Compliance and risk management

17. What (if any) compliance regime, other than PCI-DSS, is behind this project?

o None

18. Have you worked with any of the solicited vendors in the past?

o No

19. Have you been working with a company for budgetary purposes on this project prior to release of this RFP?

o We have been in contact with other airports

20. What happens if all bidders are well over your anticipated budget?

o See “Rights Reserved” on Page 10 of the RFP

21. What are the benefits to you of having this project completed?

o Compliance and risk management


22. Why are you bidding or re-bidding this?

o The expected cost to a government agency such as ours forces the need to go out for the RFP or bid

23. What outstanding factors might push this decision and procurement back?

o Exceedingly high cost proposals

24. Are there any other projects the RFP team members are involved in that might hinder a decision in a timely manner?

o No

If so, how does this RFP rank within priorities?

o N/A

25. Is the airport considered a Merchant, Service Provider, or Both?

o Merchant

26. If the airport is considered a Level 3 Merchant, is there a reason that they would like to move forward with a Report on Compliance, rather than completing a self-assessment questionnaire?

o The Airport is open to suggestions to accomplish compliance after the Phase 1, GAP Analysis

27. How many Head Quarter Locations will need to be visited?

o One

28. How many IT operation locations will need to be visited?

o One

29. How many Data Centers will need to be visited?

o One

30. Does the airport have a call center? If so how many?

o No

31. How many terminals will need to be visited?

o Approximately 26

32. How many retail locations will need to be visited?

o All locations are located on the main airport campus, so one

33. Do the airport merchants (i.e. retail stores, airlines, rental car agencies, etc.) use the airport’s backbone to process credit cards?

o No

34. Does the airport own the equipment that airport merchants (i.e. retail stores, airlines, rental car agencies, etc.) process credit cards on?

o No

35. How many applications will be in scope for this assessment?

o Five

36. How many operating systems will be in scope for this assessment?

o Three primary OS

37. How many servers will be in scope?

o See Note 2 on page 1 of this addendum

38. How many network devices will be in scope?

o See Note 2 on page 1 of this addendum

39. How many databases will be in scope?

o See Note 2 on page 1 of this addendum

40. How many people will need to be interviewed as part of this assessment?

o As many as necessary, however we estimate less than 10 individuals

41. Is segmentation in place?

o No

42. Does the airport have network and dataflow diagrams in place for this assessment? (Including make and models of equipment, all connections to and from the card data environment and all segments, dated in the last 12 months, clearly marked out of scope environments, all wired and wireless networks, all other connection points, a key to explain the diagram)

o See Note 2 on page 1 of this addendum

a. If not, is this a service that the airport would like to include in the proposal?

o No

43. Do you have a written narrative explaining their high level network diagram?

o See Note 2 on page 1 of this addendum

44. Do you have a connection diagram showing:
a. Maps to high level network diagrams
b. External connections to 3rd parties, payment processors, card brands
c. Any internal environment connected to the card data environment
d. Dated in the last 12 months

o See Note 2 on page 1 of this addendum

45. Does the airport have a written narrative explaining the connection diagram?

o See Note 2 on page 1 of this addendum

46. Does the airport outsource any parts of their card data environment to a 3rd party?

o Yes

If so, is that 3rd party PCI Compliant?

o Each company appears on PCISecurity.org website as being compliant.

What roles does the third party play?

o Gateway, Processor, Banking Institution

47. Does the airport have a complete set of Policies and Procedures for PCI v 3.1?

o No

a. If not, is this something that the airport would like included in the proposal?

o As part of Phase 3, please provide an estimated cost to assist in developing and / or documenting processes

48. Will the airport have an updated/documented in-scope assets inventory readily available?

o Yes

49. Will the airport have an updated/documented in-scope critical software inventory readily available?

o Yes

50. Does the airport annually perform penetration testing on their Card Holder Network both internally and externally?

o No

a. Is this something that the airport would like included in the proposal?

o As part of Phase 4, annual recurring testing or compliance can be construed to present future cost proposals

i. If so, how many Internal and External IPs need to be tested?

51. Does the airport annually perform penetration testing on any applications that accept card holder data?

o No

a. Is this something that the airport would like included in the proposal?

o As part of Phase 4, annual recurring testing or compliance can be construed to present future cost proposals

i. If so, how many applications need to be tested?

52. Does the airport currently complete the requirement for external vulnerability scanning?

o No

a. Are they being completed by an Approved Scanning Vendor?
b. How many external IPs need to be scanned?

53. Does the airport currently complete the requirement for internal vulnerability scanning?

o No

a. Is this something the airport would like included in the proposal?
i. If so, how many internal IPs need to be scanned?

54. What types of parking terminals are being used by Spokane airport?

a. Make?

o Skidata Pay in Lane; IPS Multi-Space Meter Pay Station

b. Model?

c. Are these terminals certified as PA-DSS compliant?

o Yes


Questions from “Company 4”

1. Certify Compliance – will payment terms be contingent on the organization’s overall compliance with PCI?

o Payment will be made in phases as outlined in the RFP.

2. In Background there’s reference to SAQ; however there’s mention of providing a ROC; which type of report is the authority looking for from the outside consultant?

o This project will occur in phases. First phase is a GAP analysis. From this analysis, the proper report will be determined between the firm and the Airport.

3. In Background Authority indicated that it is a Level 3 merchant. Is this defined by the Acquirer? Does the authority have a written statement?

o The Airport self-identified this level based on the number of transactions; No

4. Does the Authority also provide network services for the airlines to support their payment channels? Has authority considered itself a Service Provider for these purposes?

o No; No

5. What is scoring for # of pages? Will >30 pages be discounted in scores?

o Possibly, see Item #6 in the Evaluation Criteria

6. Does the Authority have an updated CDH document and dataflow?

o No


Questions from “Company #5”

1. What is the scope of the PCI DSS?

o The scope of the project is outlined in the RFP on pages 4 – 6

2. Is “Consortium bidding” allowed? In other words, is subcontracting allowed? If yes, is there any eligibility criterion for the same?

o The middle of page 4 of the RFP says: “If Proposer intends to assign a team to perform the services:” and outlines the requirements


Questions from “Company #6”

1. The RFP describes the Airport Board’s interest in assistance with “implementing remediation recommendations.” Does this include technical and infrastructure changes or implementations?

o Possibly

To maintain independence, our Firm doesn’t perform technical implementations. However, we can provide detailed guidance as the Airport implements infrastructure changes. Can you provide more detail around this requirement?

o Not prior to Phase 1 work

2. Section 3 of the Evaluation Criteria requires proposers to “demonstrate a minimum of 5 years of verifiable experience performing [Qualified Security Assessor services].” While we have provided IT advisory, audit, and compliance services to various industries for over 10 years (including airport authorities), and while we have QSAs on staff with significant experience with PCI compliance in industry and with other firms, our firm achieved QSA status just over a year ago. Would not having QSA status for over 5 years – as suggested in the RFP – preclude us from being selected for this engagement?

o Yes

3. The RFP notes that the Airport has determined itself to be a PCI Level 3 merchant. Unless there is a unique circumstance (such as a previous breach), or unless specifically required by the PCI SSC, the card brands, or the Airport’s bank, or unless the Airport is a shared hosting or service provider, the Airport would not require completion of a Report on Compliance. An appropriate version of the Self-Assessment Questionnaire (SAQ) would be sufficient to attest to PCI compliance. Can you provide more detail as to why the Airport is seeking a full Report on Compliance as part of its PCI compliance initiative?

o The Airport is seeking to determine whether it is PCI compliant, or what it may take to become compliant. If an SAQ will achieve that end, we will go that route after Phase 1 work.

4. Given the multiple assessments required as part of the first year engagement, can the Airport provide a high-level cost estimate range that it would expect to see to complete the initial RoC?

o Page 5 of the RFP requests costs by Phases 1-4. Each phase will be reviewed and allowed to move forward after completion of the prior phase. Any phase over $48,400 will have to be approved by the Board of Directors.


Questions from “Company 6”

How has the organization demonstrated their PCI DSS compliance standing in the past? ROC? If an SAQ, which one?

o The Airport has depended upon various service providers in the past. We find the need to determine compliance in our own environment.

How do Transactions flow? Please describe.

o Parking: Point of Sale readers to collection gateway provider to processor to banking institution.

Estimated total number of annual transactions?

o VISA describes a level 3 merchant as 25,000 to 1,000,000 transactions; the Airport is between those two numbers. AMEX, MC and Discover have different definitions.

Storing Card data?

o Transactional data is stored on a local encrypted database

How many locations are within the cardholder data environment (CDE)?

o All credit card transactions are processed at one location, Spokane International Airport. There are approximately 26 terminals throughout the Airport campus.

How many retail locations?

o All locations are located on the main airport campus, so one

How many different footprints? Are they all the same?

o Various sizes

Ecommerce?

o Not currently, however we are working on an application

How many Datacenters?

o One

How many employees?

o Approximately 150 full and part time employees, however only about 50 work with Credit Card processes

Describe Segmentation of CDE?

o See Note 2 on page 1 of this addendum

How many servers (virt/phys) in CDE?

o See Note 2 on page 1 of this addendum

How many other items in CDE?

o See Note 2 on page 1 of this addendum


POS System? PADSS?

o Main Parking POS = Skidata; Yes

Encryption?

o Yes

Wireless?

o Yes, to be installed summer of 2015

Number of external IP’s?

o See Note 2 on page 1 of this addendum

Other Misc.

Policies?

o Being developed

Timeframe?

o See RFP page 3

Optional: External Scans?

o Part of Phase 4, see page 5 of RFP

Optional: Penetration Test? Applications?

o Part of Phase 4, see page 5 of RFP