REQUEST FOR PROPOSAL (RFP)

FOR

SELECTION OF QUALIFIED SECURITY ASSESSOR (QSA) FOR

PAYMENT CARD INDUSTRY-DATA SECURITY STANDARD (PCI-DSS)

CERTIFICATION

RFP Reference No. BCC: CISO: RFP:102/01

Date : 18 November 2010

Bank of Baroda,

Baroda Corporate Centre,

C-26, G Block, Bandra Kurla Complex

Bandra (East),

Mumbai - 400 051.

Confidential Page 2 of 43 IT Security Cell,

Risk Management Department, Baroda Corporate Centre

Bank of Baroda

Mumbai-400051

RFP for Selection of Qualified Security Assessor(QSA) for

Payment Card Industry-Data Security Standard (PCIDSS)

Certification

RFP Ref No: BCC:CISO:RFP:102/01 Date : 18 Nov 2010

Important Dates:

Sr. No. | Particulars | Dates and Timelines
1 | Issuance of RFP document by the Bank | 00:00 hours IST on 18th November 2010
2 | Last date for submission of any queries and last date for reporting any errors, omissions or faults in the RFP document | 17:00 hours IST on 29th November 2010
3 | Pre-bid Meeting date/venue | 15:00 hours IST on 3rd December 2010, Bank of Baroda, Baroda Corporate Centre, C-26, G-Block, Bandra Kurla Complex, Mumbai – 400 051
4 | Last date for submission of RFP response | 15:00 hours IST on 16th December 2010
5 | Technical bid opening date/time/venue | 16:00 hours IST on 16th December 2010, Bank of Baroda, Baroda Corporate Centre, C-26, G-Block, Bandra Kurla Complex, Mumbai – 400 051

Important Clarifications:

Following terms are used in the document interchangeably to mean:

Bank means “Bank of Baroda (including domestic operations, overseas operations, Overseas & Indian subsidiaries & Associate Banks)”

BOBCARDS Ltd. means Bank’s subsidiary which carries out card operations and attendant functions.

BCC means “Baroda Corporate Centre”

Recipient, Respondent, Bidder and Vendor means “Respondent to the RFP document”.

DC means Bank’s Data centre at Mumbai

DR, DRS means Bank’s Disaster Recovery centre at Hyderabad

RFP means this “RFP document”

QSA, Consultant means the Qualified Security Assessor approved by PCI-SSC (Payment Card Industry Security Standards Council).

The Qualified Security Assessor (QSA) and the Bank shall be individually referred to as “Party” and collectively as “Parties”.


TABLE OF CONTENTS

SECTION – I .......... 4
1.1 INTRODUCTION AND DISCLAIMER .......... 4
1.2 INFORMATION PROVIDED .......... 4
1.3 FOR RESPONDENT ONLY .......... 4
1.4 CONFIDENTIALITY .......... 4
1.5 DISCLAIMER .......... 5
1.6 ELIGIBILITY CRITERIA .......... 5
1.7 COSTS BORNE BY RESPONDENTS .......... 5
1.8 NO LEGAL RELATIONSHIP .......... 6
1.9 RECIPIENT OBLIGATION TO INFORM ITSELF .......... 6
1.10 EVALUATION OF BIDS .......... 6
1.11 ERRORS AND OMISSIONS .......... 6
1.12 ACCEPTANCE OF TERMS .......... 7
1.13 RFP RESPONSE TERMS .......... 7
1.14 NOTIFICATIONS .......... 11
1.15 DISQUALIFICATION .......... 11
1.16 ERASURES OR ALTERATIONS .......... 12
1.17 RIGHT TO REJECT BIDS .......... 12
1.18 PROCESS & TIMEFRAME .......... 12
1.19 OTHER TERMS AND CONDITIONS .......... 13
SECTION – II .......... 14
2.1 BANK OF BARODA-INTRODUCTION .......... 14
2.2 PROJECT OBJECTIVE .......... 14
2.3 PROJECT SCOPE .......... 14
2.4 BANK’S CARD RELATED BUSINESS PROCESSES/OPERATIONS .......... 18
SECTION – III .......... 20
3.1 GENERAL TERMS AND CONDITIONS .......... 20
SECTION – IV .......... 28
ANNEXURE-A : ELIGIBILITY CRITERIA .......... 28
ANNEXURE-B : QSA’S SELECTION/EVALUATION PROCESS .......... 30
ANNEXURE-C : COMPLIANCE CERTIFICATE .......... 35
ANNEXURE-D : TECHNICAL BID FORMAT .......... 36
ANNEXURE-E : ESTIMATED EFFORT AND ELAPSED TIME .......... 40
ANNEXURE-F : PROPOSED TEAM PROFILE .......... 41
ANNEXURE-G : COMMENTS ON TERMS & CONDITIONS & SERVICES .......... 42
ANNEXURE-H : COMMERCIAL BID FORMAT .......... 43


SECTION – I

1.1 INTRODUCTION AND DISCLAIMER

This Request for Proposal document (“RFP”) has been prepared solely to enable Bank of Baroda (“Bank”) in the selection of suitable Qualified Security Assessor(QSA) through tender for PCI-DSS Certification and consultancy services for the Bank including BOBCARDS Ltd.

The RFP document is not a recommendation, offer or invitation to enter into a contract, agreement or other arrangement in respect of the services. The provision of the services is subject to observance of the selection process and appropriate documentation being agreed between Bank of Baroda and any successful Bidder as identified after completion of the selection process as detailed in Annexure-B on Qualified Security Assessor(QSA)’s Selection/Evaluation Process.

1.2 INFORMATION PROVIDED

The RFP document contains statements derived from information that is believed to be true and reliable at the date obtained, but does not purport to provide all of the information that may be necessary or desirable to enable an intending contracting party to determine whether or not to enter into a contract or arrangement with Bank in relation to the provision of services. Neither Bank nor any of its directors, officers, employees, agents, representatives, contractors, or advisers gives any representation or warranty (whether oral or written), express or implied, as to the accuracy, updating or completeness of any writings, information or statement given or made in this RFP document. Neither Bank nor any of its directors, officers, employees, agents, representatives, contractors, or advisers has carried out or will carry out an independent audit or verification or investigation or due diligence exercise in relation to the contents of any part of the RFP document.

1.3 FOR RESPONDENT ONLY

The RFP document is intended solely for the information of the party to whom it is issued (“the Recipient” or “the Respondent”) i.e. Government Organization/PSU/ limited Company, partnership firm.

1.4 CONFIDENTIALITY

This document is meant for the specific use by the Company / person/s interested to participate in the current tendering process. This document in its entirety is subject to Copyright Laws. Bank of Baroda expects the Bidders or any person acting on behalf of the Bidders to strictly adhere to the instructions given in the document and maintain confidentiality of information. The Bidders will be held responsible for any misuse of the information contained in the document and liable to be prosecuted by the Bank in the event such a circumstance is brought to the notice of the Bank. By downloading the document, the interested party is subject to confidentiality clauses.

The RFP document is confidential and is not to be disclosed, reproduced, transmitted, or made available by the Recipient to any other person. The RFP document is provided to the Recipient on the basis of undertaking of confidentiality given by the Recipient to Bank. Bank may update or revise the RFP document or any part of it. The Recipient acknowledges that any such revised or amended document is received subject to the same confidentiality undertaking.

The Recipient will not disclose or discuss the contents of the RFP document with any officer, employee, consultant, director, agent, or other person associated or affiliated in any way with the Bank or any of its customers or suppliers without prior written consent of the Bank.

1.5 DISCLAIMER

Subject to any law to the contrary, and to the maximum extent permitted by law, Bank and its directors, officers, employees, contractors, representatives, agents, and advisers disclaim all liability from any loss, claim, expense (including, without limitation, any legal fees, costs, charges, demands, actions, liabilities, expenses or disbursements incurred therein or incidental thereto) or damage (whether foreseeable or not) (“Losses”) suffered by any person acting on or refraining from acting because of any presumptions or information (whether oral or written and whether express or implied), including forecasts, statements, estimates, or projections contained in this RFP document or conduct ancillary to it, whether or not the Losses arise in connection with any ignorance, negligence, inattention, casualness, disregard, omission, default, lack of care, immature information, falsification or misrepresentation on the part of Bank or any of its directors, officers, employees, contractors, representatives, agents, or advisers.

1.6 ELIGIBILITY CRITERIA

Qualified Security Assessor(QSA)s who wish to bid should conform to the Eligibility Criteria as per Annexure-A : Eligibility Criteria. For meeting the eligibility criteria, 31.10.2010 would be considered as the date on which the Bidder should be eligible.

1.7 COSTS BORNE BY RESPONDENTS

All costs and expenses (whether in terms of time or money) incurred by the Recipient / Respondent in any way associated with the development, preparation and submission of responses, including but not limited to attendance at meetings, discussions, demonstrations, presentations etc. and providing any additional information required by Bank, will be borne entirely and exclusively by the Recipient / Respondent. Stamp duty that may be incurred towards entering into an agreement with the successful Bidder for awarding the contract will be shared by the Bank and the successful Bidder in equal proportion.

1.8 NO LEGAL RELATIONSHIP

No binding legal relationship will exist between any of the Recipients / Respondents and the Bank until execution of a contractual agreement to the full satisfaction of the Bank.

1.9 RECIPIENT OBLIGATION TO INFORM ITSELF

The Recipient must apply its own care and conduct its own investigation and analysis regarding any information contained in the RFP document and the meaning and impact of that information.

1.10 EVALUATION OF BIDS

The evaluation of the bids will be done as per the evaluation criteria mentioned in Annexure-B “QUALIFIED SECURITY ASSESSOR(QSA)’S SELECTION/EVALUATION PROCESS” of this RFP document. Bidders who do not meet the eligibility criteria stipulated under Annexure-A will not be considered for Technical evaluation. A Bidder not qualifying under the Technical Bid will not be considered for opening of the Commercial Bid.

However, each Recipient acknowledges and accepts that the Bank may, in its sole and absolute discretion, apply whatever criteria it deems appropriate in the selection of organizations, not limited to those selection criteria set out in this RFP document.

The issuance of RFP document is merely an invitation to offer and must not be construed as any agreement or contract or arrangement nor would it be construed as material for any investigation or review to be carried out by a Recipient. The Recipient unconditionally acknowledges by submitting its response to this RFP document that it has not relied on any idea, information, statement, representation, or warranty given in this RFP document.

For meeting the requirements of eligibility criteria, 31.10.2010 would be considered as the date on which the Bidder should be eligible. For Technical Evaluation Criteria the date on the basis of which marks would be given would be 31.10.2010.

1.11 ERRORS AND OMISSIONS

Each Recipient should notify the Bank of any error, fault, omission, or discrepancy found in this RFP document up to 17:00 hrs IST on 29th November, 2010.


1.12 ACCEPTANCE OF TERMS

The Recipient will, by responding to the Bank’s RFP document, be deemed to have accepted the terms as stated in this RFP document.

1.13 RFP RESPONSE TERMS

1.13.1 Application Money & Earnest Money

The Bidder will be required to submit Application Money of Rs.5,000/- (Rupees Five Thousand), which is non-refundable, by way of Banker's Cheque/Demand Draft/Pay Order favouring Bank of Baroda, payable in Mumbai; it must be submitted separately along with the RFP response.

Earnest Money Deposit of Rs 50,000/- (Rupees Fifty Thousand only) has to be submitted by way of Demand Draft / Banker's Cheque / Pay Order drawn in favour of "Bank of Baroda” payable in Mumbai. Earnest Money Deposit will not carry any interest. The Earnest Money Deposit of unsuccessful Bidders will be refunded while intimating the rejection of the bid. The Earnest Money Deposit of the successful Bidder will be adjusted towards the security deposit.

Application Money and Earnest Money Deposit should be delivered separately along with the sealed envelopes containing RFP responses and the Application Money and Earnest Money documents should not be put inside the envelope containing RFP Response documents.

RFP document should be downloaded from the Tenders Section of the Bank’s website, http://www.bankofbaroda.com.

The Earnest Money Deposit will be forfeited if:

The Bidder withdraws his tender before processing of the same.

The Bidder withdraws his tender after processing but before acceptance of “Work Order” to be issued by the Bank.

The selected Bidder withdraws his tender before furnishing Bank Guarantee/Security Deposit as required under this RFP.

The Bidder violates any of the provisions of the terms and conditions of this RFP specification.

If the selected Bidder fails to enter into the contract agreement.

1.13.2 RFP Closing Date

RFP Response should be submitted to the officials indicated below not later than 3:00 PM IST (Indian Standard Time) on 16.12.2010.

1.13.3 Format of Bids

The Bidders should use the formats prescribed by the Bank in the RFP for submitting both technical and commercial bids. Any deviation in this regard renders the Bidder liable to disqualification.


1.13.4 Submission of Bid

-2- sets of Technical and Commercial Bids in separate sealed envelopes (total -4- sealed envelopes: two sealed envelopes for the technical bid and two sealed envelopes for the commercial bid) should be submitted along with the Application Money and Earnest Money Demand Drafts / Pay Orders, which should be in a separate unsealed envelope, before the RFP closing date and time. The sealed envelopes containing the technical proposal should be superscribed as “TECHNICAL PROPOSAL for Selection of Qualified Security Assessor(QSA) for Payment Card Industry-Data Security Standard (PCI-DSS) Certification” and the sealed envelopes containing the commercial proposal should be superscribed as “COMMERCIAL PROPOSAL for Selection of Qualified Security Assessor(QSA) for Payment Card Industry-Data Security Standard (PCI-DSS) Certification”. The e-mail address and phone/fax numbers of the Bidder should also be indicated on the sealed envelopes.

The soft copy of the technical proposal in MS-Word / Excel format should also be submitted in a CD along with hard copy of the technical proposal. It should be noted that in case of any discrepancy observed in information submitted by the Bidder in hard-copy and soft-copy, the hard-copy will be given precedence. However, in case of non-submission of any hard copy document, if the same is found submitted in the soft-copy and vice-versa, Bank reserves right to accept the same at its discretion.

The Bidder shall submit the proposals properly filed so that the papers are not loose. The Bidder shall submit the proposal in suitable file such that the papers do not bulge out and tear during scrutiny. All the pages of the proposal including documentary proofs should be numbered as “Page ____ (current page) of _____ (Total pages)" and be signed by authorized signatory. The current page number should be a unique running serial number across the entire proposal.

List of Contents for Technical Bid:

The Technical Proposal should be as per the requirement of the Bank in prescribed formats as follows:

a. Index of contents submitted.

b. Compliance Certificate as per Annexure-C.

c. Technical Bid Format as per Annexure-D

d. Estimated Effort and Elapsed time as per Annexure-E

e. Proposed Team Profile as per Annexure-F

f. Comments on Terms and Conditions & Services as per Annexure-G

g. Masked Copy of Commercial Bid as per Annexure-H (i.e. a copy of the Commercial Bid without price figures)


h. All the copies of certificates, documentary proofs, work orders, brochures etc should be clearly marked.

i. A CD containing soft copy of the proposal

List of Contents for Commercial Bid

a. Commercial Bid as per Annexure-H.

RFP Response should be addressed to:

The Chief Information Security Officer, Risk Management Department, Bank of Baroda, Baroda Corporate Centre, C-26, G-Block, Bandra Kurla Complex, Bandra (East), Mumbai 400 051.

RFP Response/Bids in the sealed envelopes as detailed above must be hand delivered to the Bank at the following address :

P.S.Rashtrawar(Chief Manager-IT Security) or Punit Kumar (Senior Manager-IT Security), IT Security Cell, Risk Management Dept, Bank of Baroda, 2nd Floor, Baroda Corporate Centre, C-26, G Block, Bandra Kurla Complex, Mumbai-400051.

Submission of bids by any mode other than hand delivery to the officials mentioned above is not allowed and will be considered invalid.

Bids submitted not as per the process and terms specified above will be rejected.

1.13.5 Registration of RFP

Registration of the RFP response will be effected by the Bank by making an entry in a separate register kept for the purpose upon the Bank receiving the RFP response in the manner detailed in this RFP. The RFP response must contain all documents, information, and details required by this RFP. If the submission to this RFP does not include all the documents and information required, or is incomplete, or is submitted through Fax or e-mail or any mode other than hand delivery, the RFP is liable to be summarily rejected.

All submissions, including any accompanying documents, will become the property of Bank. The Recipient shall be deemed to have licensed, and granted all rights to the Bank to reproduce the whole or any portion of their submission for the purpose of evaluation, to disclose the contents of the submission to other Recipients who have registered a submission, and to disclose and/or use the contents of the submission as the basis for any resulting RFP process, notwithstanding any copyright or other intellectual property right of the Recipient in the submission or accompanying documents.

1.13.6 Late RFP Policy

RFPs lodged after the deadline for lodgment of RFPs may be registered by Bank of Baroda and may be considered and evaluated by the evaluation team at the absolute discretion of Bank of Baroda. Respondents are to provide detailed evidence to substantiate the reasons for a late RFP submission. It should be clearly noted that Bank of Baroda has no obligation to accept or act on any reason for a late submitted response to RFP.

Bank of Baroda has no liability to any person who lodges a late RFP for any reason whatsoever, including RFPs taken to be late only because of another condition of responding.

1.13.7 RFP Validity Period

RFP responses will remain valid and open for evaluation according to their terms for a period of at least six (6) months from the RFP closing date.

The Bank shall have the right at its sole and absolute discretion to continue the assignment/contract on the Qualified Security Assessor(QSA) for future requirement on the rates finalized in this processing for various items/activities as described in the Price Bid after expiry of current assignment period.

1.13.8 Requests for Information

All queries relating to the RFP, technical or otherwise, must be either in writing or by email only and will be entertained by the Bank only in respect of the queries received up to 17:00 hrs IST 29.11.2010. All queries should be addressed to the nominated point of contact as mentioned below.

Chief Information Security Officer (CISO) Bank of Baroda, 2nd Floor, Baroda Corporate Centre,

C26, G Block, Bandra Kurla Complex, Mumbai, 400 051 Tel No: 022-66985230/ 66985227

E-mail ID: [email protected]

The Bank will try to reply, without any obligation in respect thereof, every reasonable query raised by the Recipients in the manner specified.

However, the Bank will not answer any communication initiated by respondents later than the date of the Pre-Bid Meeting. Bank may in its absolute discretion seek, but is under no obligation to seek, additional information or material from any Respondent after the RFP closes, and all such information and material provided will be taken to form part of that Respondent’s response.

Respondents should invariably provide details of their email address as responses to queries will only be provided to the Respondent via email.

If Bank in its sole and absolute discretion deems that the originator of the query will gain an advantage by a response to a question, then Bank reserves the right to communicate such response to all Respondents.

Bank may in its sole and absolute discretion engage in discussion or negotiation with any Respondent (or simultaneously with more than one Respondent) after the RFP closes to improve or clarify any response.

1.13.9 Charges Terms

By submitting the bid, the Bidder will be deemed to have satisfied itself with all the terms and conditions mentioned in the RFP document, and the rates quoted by the Bidder will be adequate to complete such work according to the specifications and conditions attached thereto. The Qualified Security Assessor(QSA) is deemed to have taken into account all conditions and difficulties that may be encountered during the period of assignment and to have quoted all-inclusive commercial rates, which shall include the agreed price/contract amount with taxes, royalties, VAT and other duties and all other facilities and services necessary for proper completion of the assignment, except such as may be otherwise provided in the contract document for completion of the assignment.

The TDS amount on prevailing rate and work contract tax etc. shall be deducted from QSA’s running account/final bills. Necessary certificates shall be issued to the Qualified Security Assessor(QSA)s by the Bank.

All taxes, levies, cess and duties in respect of this contract except service tax shall be payable by the Qualified Security Assessor(QSA) and the Bank will not be liable for any claim whatsoever in this respect during the period of contract. Service Tax payable on the payment of contract amount will be borne by the Bank.

1.14 NOTIFICATIONS

Bank will notify the Respondents in writing as soon as practicable about the outcome of the RFP evaluation process, including whether the Respondent’s RFP response has been accepted or rejected. Bank is not obliged to provide any reasons for any such acceptance or rejection.

1.15 DISQUALIFICATION

Any form of canvassing/lobbying/influence/query regarding short listing, status etc will result in disqualification.


1.16 ERASURES OR ALTERATIONS

Offers containing erasures or alterations may not be considered. There should be no hand-written corrections or alterations in the offer. Technical details must be completely filled in. Correct technical information of the services being offered must be filled in. Filling in the information using terms such as OK, ACCEPTED, NOTED, AS GIVEN IN BROCHURE/MANUAL or any special characters such as -, “, @, _, # is not acceptable. The Bank may treat offers not adhering to these guidelines as unacceptable.

1.17 RIGHT TO REJECT BIDS

Bank reserves the absolute and unconditional right to reject the response to this RFP if it is not in accordance with its requirements and no correspondence will be entertained by the Bank in the matter. The bid is liable to be rejected if

It is not in conformity with any of the instructions, terms & conditions mentioned in this RFP document.

It is not accompanied by the requisite Application Money & EMD.

It is not properly/duly signed.

It is received through any mode other than hand delivery to the designated officials

It is received after expiry of the due date and time.

It is incomplete including non-furnishing the required documents.

It is evasive or contains incorrect information.

There is canvassing of any kind.

It is submitted anywhere other than the place mentioned under clause 1.13.4.

1.18 PROCESS & TIMEFRAME

Selection of a successful Qualified Security Assessor(QSA) will involve a five (5) stage approach. The approach follows the Indian Government’s Central Vigilance Commission (CVC) guidelines.

The following is an indicative timeframe for the overall selection process. Bank reserves the right to vary this timeframe at its absolute and sole discretion should the need arise. Changes to the timeframe will be relayed to the affected Respondents during the process.

STAGE 1: Issue of RFP

STAGE 2: Pre-bid Meeting

STAGE 3: Receipt of RFP Bids

STAGE 4: Evaluation of Bids

STAGE 5: Award of Contract


Sr. No. | Particulars | Dates and Timelines
1 | Issuance of RFP document by the Bank | 00:00 hours IST on 18th November 2010
2 | Last date for submission of any queries and last date for reporting any errors, omissions or faults in the RFP document | 17:00 hours IST on 29th November 2010
3 | Pre-bid Meeting date/venue | 15:00 hours IST on 3rd December 2010, Bank of Baroda, Baroda Corporate Centre, C-26, G-Block, Bandra Kurla Complex, Mumbai – 400 051
4 | Last date for submission of RFP response | 15:00 hours IST on 16th December 2010
5 | Technical bid opening date/time/venue | 16:00 hours IST on 16th December 2010, Bank of Baroda, Baroda Corporate Centre, C-26, G-Block, Bandra Kurla Complex, Mumbai – 400 051

The dates mentioned above are tentative dates and the Bidder acknowledges that it cannot hold the Bank responsible for breach of any of the dates.

Note: Bidders can depute their representative (only one) to attend the Technical bid opening process. No separate intimation will be given in this regard to the Bidders for deputing their representatives for technical bid opening.

1.19 OTHER TERMS AND CONDITIONS

The Bank reserves the right to:

Reject any and all responses received in response to the RFP.

Waive or change any formalities, irregularities, or inconsistencies in proposal format or delivery.

Negotiate any aspect of the proposal with any Bidder and negotiate with more than one Bidder at a time.

Extend the time for submission of all proposals.

Select the most responsive Bidder (in case no Bidder satisfies the eligibility criteria in totality).

Select the next most responsive Bidder if negotiations with the Bidder of choice fail to result in an agreement within a specified time frame.

Share the information/ clarifications provided in response to RFP by any Bidder, with any other Bidder(s) /others, in any form.

Cancel the RFP/Tender at any stage, without assigning any reason whatsoever.


SECTION – II

2.1 BANK OF BARODA-INTRODUCTION

Bank of Baroda is one of the largest Public Sector Banks in India with over 33 million accounts and a Branch network of 3106 branches in India and 74 branches / offices in 25 countries overseas.

The aim of Bank of Baroda’s IT Strategy is to conduct a Technology Enabled Business Transformation of current business processes. Bank has selected Hewlett Packard India Sales Private Ltd. (HP) as the System Integrator for the Technology Enabled Business Transformation Project (Project Shikhar). Bank has implemented Core Banking Solution (CBS) in all the branches in India and in most of the overseas territories. Bank has its own Data Centre at Mumbai and Disaster Recovery Centre at Hyderabad.

Bank has expanded the installation of ATMs and issuance of Debit Cards in India and overseas territories. At present Bank has installed 1428+ ATMs and issued more than 52 lac debit cards in India.

BOBCARDS Ltd. is a 100 % subsidiary of Bank of Baroda. They are in the business of Credit Cards.

2.2 PROJECT OBJECTIVE

The Bank including BOBCARDS Ltd. intends to obtain PCI-DSS Version 2.0 certification for its entire card operations. For this, the Bank wants to appoint a competent and PCI-SSC (Payment Card Industry – Security Standards Council) – approved QSA for PCI-DSS Certification services. The QSA will be responsible for delivering the services as per the scope outlined below.

Bank may, at its full discretion, choose to avail of all of the services or any part thereof. Such decision may be advised in the course of the project.

2.3 PROJECT SCOPE

A description of the envisaged scope is enumerated as under. However, the Bank reserves its right to change the scope of the RFP so as to address the need of PCI-DSS requirements.

Based on the contents of the RFP, the selected QSA shall be required to independently arrive at a Methodology and Approach, based on PCI-DSS requirements and best practices, suitable for the Bank, after taking into consideration the effort estimate for completion of the same and the resource and equipment requirements.

The Bank expressly stipulates that the QSA’s selection under this RFP is on the understanding that this RFP contains only the principal provisions for the entire assignment and that delivery of the deliverables and the services in connection therewith are only a part of the assignment. The QSA shall be required to undertake to perform all such tasks, render requisite services and make available such resources as may be required for the successful completion of the entire assignment at no additional cost to the Bank.


The project scope includes the following with an objective to obtain PCI-DSS version 2.0 certification for Bank of Baroda including its overseas branches, overseas subsidiaries and BOBCARDS Ltd. The PCI-DSS Certification including Recertification should be as per the latest version of PCI-DSS currently being the version 2.0.

2.3.1 Phase I

Detailed scoping

Study the Bank’s debit card/credit card inclusive of all payment channels in issuance, POS and IPG Acquiring systems and detail the in-scope business processes and related systems comprising inter-alia, hardware, systems software, applications software, network devices, security devices etc.

The Bank's third party relationships for card issuance, card and acquiring file processing etc. have to be accounted for wherever cardholder information is stored, processed and/or transmitted, and these need to be measured against the PCI-DSS compliance requirements.

Gap Analysis:

The Bank’s systems including network components, security devices, servers, applications, business processes, third party relationships, Service providers and Merchants will be validated for compliance against PCI-DSS requirements. The coverage needs to be comprehensive during this exercise including all types of network scans, Vulnerability assessments and Penetration testing of the infrastructure, applications and processes as per the PCI-DSS requirement.

Identify and document the gaps in the Bank's systems and processes vis-à-vis the PCI DSS requirements.

List the compliant and non-compliant elements.

Classify the non-compliant elements on the basis of priority.

Document the Gaps by providing a suitable comprehensive document to the Bank.

Deliverable for Phase I

Executive summary

Describe the Bank’s payment card business along with details of business processes, third party relationships, network diagram, data flow diagram etc.

Summary

Description of approach and methodology.


Details of the environment for which GAP analysis was carried out.

Observations

Documented results of the GAP analysis.

Documented results of the network scanning, VA & PT.

2.3.2 Phase II

Gap Remediation

The QSA has to conduct periodic meetings with the Bank to formulate a Gap Remediation Plan. The plan should be detailed with low level implementation steps.

The QSA has to modify or formulate requisite policies to meet the PCI-DSS requirements.

The QSA has to provide technical expertise in identifying, evaluating and procuring product vendors for technology solutions, such as encryption and file integrity monitoring, that would be required to meet the PCI-DSS requirements.

The QSA has to provide necessary support and hand-holding assistance to the Bank in remediation of the gaps found, so as to meet the PCI-DSS requirements. The support has to be in the form of emails, telephone, and onsite visits etc.

Deliverables

Modified or formulated policies, documents.

Gap remediation plan.

Consultancy support and hand-holding assistance to meet the PCI-DSS requirements.

2.3.3 Phase III

Certification

Business unit wise Procedural guidelines for ongoing compliance.

Checklist for ensuring ongoing compliance

Carry out ASV scans as per PCI-DSS requirements

Vulnerability Assessment, Penetration Testing and other scans (other than ASV scanning) of in-scope infrastructure as per the PCI-DSS requirements.

Carry out PCI DSS Certification Audit.


Deliverable

ASV scan, VA, PT and other scan reports.

Report on compliance

Attestation of compliance

Certificate of compliance

2.3.4 Training

Required training in all the phases would need to be provided to Bank’s personnel at various levels to obtain a proper understanding of PCI-DSS requirements and compliance.

Deliverable

Training material in the form of training manuals and presentations

Conduct of trainings for Bank’s staff at various levels.

2.3.5 Phase IV

Post Certification ongoing compliance

The QSA has to conduct periodic meetings with the Bank to ensure that the post certification compliance requirements are being met by the Bank. The QSA will have to consult the Bank and advise in case of any gap found.

QSA will be required to tie up with a PCI-SSC Approved Scanning Vendor (ASV) for performing the quarterly ASV scans.

Vulnerability Assessment, Penetration Testing and other scans as per the PCI-DSS requirements.

QSA will be required to conduct one time recertification after initial certification, as per the PCI-DSS requirements.

Deliverable

Quarterly scan report by ASV

VA, PT, other scans reports

Report on compliance

Attestation of compliance

Certificate of compliance


Please note the following: The above scope is not comprehensive but indicative. The QSA will have to assist the Bank at each stage to achieve the final objective of attaining PCI-DSS certification.

2.4 BANK’S CARD RELATED BUSINESS PROCESSES/OPERATIONS

Bank has implemented Finacle Core Banking System covering all its branches in India. Majority of overseas territories are also live on CBS system. To provide 24/7 anywhere anytime banking facilities to its customers, Bank has implemented alternate delivery channels like ATMs, POS, internet Banking, credit cards, debit cards, phone Banking, payment gateway etc.

The following are the channels/business units/ systems which are in-scope with respect to this RFP.

2.4.1 ATM/Debit card/Switch operations

Debit card infrastructure comprises the Base24 switch on the Tandem Server, DCMS (Debit Card Management System), HSM (Hardware Security Module), ATMs etc. Bank's 1428+ ATMs are connected to the centralized switch through Leased Lines and VSATs. The Base24 live site is at Bank's DC in Mumbai with the DR site in Hyderabad. Bank is issuing Visa Electron International debit cards to its customers in India and the current card base is above 52 Lacs. BOBCARDS Ltd. is providing debit card issuance and other card management services for Bank of Baroda in India. Following are the salient features of ATM cum Debit card operations.

Bank’s ATMs in India are acquiring both Mastercard and Visa card.

Bank’s Base24 Switch is connected to VISA, Mastercard, NFS switch hosted by IDRBT, Hyderabad.

Bank has deployed 3 mobile ATMs in India. Mobile ATMs are connected to the Switch through Wireless CDMA network and MPLS link.

Bank has implemented Verified by Visa through a third party service provider.

International territories are also issuing Debit Cards and they are live on Base24 Switch. Bank’s ATMs installed in overseas territories are connected to the Base24 switch through Bank’s WAN.

Card management application being used for territories live on Base24 Switch is DCMS which is installed at Bank’s DC in Mumbai with DRS at Hyderabad.

Some overseas territories are acquiring transactions of other local card issuers through arrangements with VISA, local exchanges etc.


For debit card operations at overseas branches and overseas subsidiaries, the QSA has to carry out the scoped work based on documentation provided by the Bank and tele-conferencing.

2.4.2 Internet Payment Gateway

Bank has implemented OPUS payment gateway for acquiring online card not present transactions. Live site is at Bank’s DC in Mumbai and DR site is in Hyderabad. Internet Payment Gateway is connected to Visa and Mastercard interchange switches. Internet Payment Gateway is VBV and Mastercard Securecode compliant.

The Internet Payment Gateway processes include, but are not limited to, the following:

Creation of output data file for interchange agencies.

Receiving and processing of incoming files/reports from interchange agencies.

Data extraction/report generation at merchant end using Merchant Web Interface(MWI)

Transaction handling and settlement through third parties like merchant aggregators/master merchant.

Flow of data between various sub-systems through interfaces of payment gateway viz. webserver, database engine, base 24, banking accounting system.

Helpdesk access to data.

Merchant enrollment and integration.

2.4.3 Credit Cards

Bank has a wholly owned subsidiary, M/s BOBCARDS Limited, which is in the business of Credit cards as an issuer and acquirer. BOBCARDS is issuing both Visa and Master cards. The acquirer switch, installation of POS terminals and their maintenance are outsourced to a third party who have their own switch and connectivity to Visa/Master. The card issuance operations have also been outsourced to a vendor. BOBCARDS is using ECS (Electra Card System) for processing of the card transactions, which is installed at Bank's Data Centre in Mumbai and is connected to the VAP (Visanet Access Point), MIP (Mastercard Interface Processor), Bank's Base24 switch and the POS maintenance agency's switch.

All the systems, applications and processes of Bank of Baroda including BOBCARDS Ltd. related to card operations and the Internet Payment Gateway, located at sites including but not limited to the Data Centre in Mumbai, the DR Site in Hyderabad, BOB branches, ATM sites, BOBCARDS Limited branches, offices, area offices, merchant sites etc., are covered in the scope of this RFP.


SECTION – III

3.1 GENERAL TERMS AND CONDITIONS

3.1.1 Term of Assignment

The selected QSA under this RFP will be appointed for a period of six months for the Bank including BOBCARDS Ltd to obtain the PCI DSS Certification and further 12 months for ongoing compliance, ASV scan, Vulnerability Assessment, Penetration Testing and other scans as per PCI-DSS requirement, followed by a one time recertification.

However, if for any reason the work is not completed within the stipulated time, the period of contract would be extended at Bank's discretion at no extra cost.

3.1.2 Adherence to Terms and Conditions

The Bidders who wish to submit responses to this RFP should note that they should abide (in true intent and spirit) by all the terms and conditions contained in the RFP. If the responses contain any extraneous conditions put in by the Respondents, such responses may be disqualified and may not be considered for the selection process.

3.1.3 Execution of Agreement/NDA

The QSA should execute (a) an Agreement, which must include all the terms and conditions of the services to be extended as detailed herein and as may be prescribed or recommended by the Bank, and (b) a Non-disclosure Agreement (NDA). The QSA should execute the Agreement and NDA within two (2) weeks from the date of acceptance of the Work Order.

The date of agreement shall be treated as date of engagement and the time-line for completion of the assignment shall be worked out in reference to this date.

3.1.4 Period of Contract

The selected QSA is expected to complete Phase I to Phase III, resulting in PCI-DSS certification, within a period of six months. This would be followed by 12 months of ongoing compliance, ASV scans, VA & PT, other required scans and one time recertification within the stipulated time as per PCI-DSS norms. For this purpose the time would start from the date of agreement.

However, if for any reason the work is not completed within the stipulated time, the period of contract would be extended at Bank’s discretion at no extra cost.


3.1.5 Project Team Members

The key persons identified by the QSA should necessarily possess the following qualification/experience.

Should have in-depth knowledge of payment card systems with a minimum of three years work experience in IT Security.

Should be a QSA certified by the PCI SSC.

Should have worked on at least one PCI DSS consultancy or certification assignment for a Bank.

3.1.6 Substitution Of Project Team Members

During the assignment, the substitution of key staff identified for the assignment will not be allowed unless such substitution becomes unavoidable to overcome undue delay or such changes are critical to meet the obligation. In such circumstances, the QSA, as the case may be, can do so only with the prior written concurrence of the Bank and by providing replacement staff of the same level of qualifications and competence. If the Bank is not satisfied with the substitution, the Bank reserves the right to terminate the contract and recover whatever payments (including past payments and payments made in advance) were made by the Bank to the QSA during the course of the assignment pursuant to this RFP, besides claiming an amount equal to the contract value as liquidated damages. However, the Bank reserves the unconditional right to insist that the QSA replace any team member with another (with the qualifications and competence as required by the Bank) during the course of the assignment pursuant to this RFP.

3.1.7 Professionalism

The QSA should provide professional, objective and impartial advice at all times and hold the Bank’s interest paramount and should observe the highest standard of ethics, values, code of conduct, honesty and integrity while executing the assignment.

3.1.8 Alternative Approaches

In case the Bank is unable to rectify the gaps mentioned in the detailed Gap assessment/Remediation Plan, QSA should suggest the alternative approaches to help the Bank to comply with the PCI DSS requirements at no extra cost to the Bank.

3.1.9 Adherence To Standards

The QSA should use PCI-DSS requirements as reference while providing the consultancy service with an objective to enable the Bank including BOBCARDS Ltd to obtain PCI-DSS certification.


The QSA should adhere to all the applicable laws of land and rules, regulations and guidelines prescribed by various regulatory, statutory and Government authorities.

The Bank reserves the right to conduct an audit/ongoing audit of the consulting services provided by the QSA.

The Bank reserves the right to ascertain information from the other Banks and institutions to which the Bidders have rendered their services for execution of similar projects.

3.1.10 Expenses

It may be noted that Bank will not pay any amount / expenses / charges / fees / traveling expenses / boarding expenses / lodging expenses / conveyance expenses / out of pocket expenses other than the "Agreed Price".

3.1.11 Payment Terms

Bank will release payment of the agreed price to the QSA, for which a contract will be executed, within 3 to 4 weeks of receiving an undisputed invoice, after deduction of applicable taxes at source, in stages on completion of the phases as defined in the scope and as scheduled below. No advance payments will be made. Further, it may be noted that the below mentioned criteria are only for the purpose of effecting payment of the agreed price. The QSA shall cover the entire scope including the deliverables mentioned in Section II.

Payment will be based on phases as detailed in the scope and progress of the PCI DSS Certification including consultancy contract.

For Phases up to the certification process:

20% of the amount agreed against Serial No. 1 of the commercial bid format (Schedule H) on completion of Phase I.

30% of the amount agreed against Serial No. 1 of the commercial bid format (Schedule H) on completion of Phase II.

50% of the amount agreed against Serial No. 1 of the commercial bid format (Schedule H) on completion of Phase III.

For Post Certification Phase IV :

For ASV scans, payment will be on a quarterly basis after completion of the scan in each quarter, and for all other jobs payment will be made after recertification is obtained.

3.1.12 Contract Performance Guarantee

The selected Bidder has to provide an unconditional and irrevocable Performance Bank Guarantee for 10% of the contract value from a Public Sector Bank (but not Bank of Baroda) towards due performance of the contract in accordance with the specifications, terms and conditions of this RFP document, within 15 days from the date of work order. The Performance Guarantee shall be for 21 months, kept valid for the entire period of assignment, and will be released at the end of the period of assignment.

3.1.13 Security Deposit

The selected Bidder has to deposit with the Bank an amount equivalent to 5% (five percent) of the contract value towards security deposit for the entire period of assignment, within 15 days from the date of work order. Interest on the Security Deposit will be calculated at the applicable term deposit rate for one year prevailing as on the date of placing the deposit and will be credited to the term deposit.

3.1.14 Single Point Of Contact

The selected Bidder has to provide details of single point of contact viz. name, designation, address, e-mail address, telephone/mobile no., fax no. etc.

3.1.15 Applicable Law And Jurisdiction Of Court

The Contract with the selected Bidder shall be governed in accordance with the Laws of India for the time being in force and will be subject to the exclusive jurisdiction of Courts at Mumbai.

3.1.16 Liquidated Damages (LD)

If the selected Bidder fails to complete the due performance of the contract in accordance with the specifications and conditions agreed during the agreement, the Bank reserves the right to recover penalty / liquidated damages @ 0.5% of the contract value per week or part thereof, subject to a maximum of 10 % of contract value as Liquidated Damages for non-performance/delayed performance.

LD is not applicable for reasons attributable to the Bank and Force Majeure. However, it is the responsibility of the Bidder to prove that the delay is attributed to the Bank or Force Majeure. The Bidder shall submit the proof authenticated by the Bidder and Bank’s official that the delay is attributed to the Bank or Force Majeure along with the bills requesting payment.

If the delay is attributable to the Bank, or Force Majeure, or any other circumstances beyond the control of the QSA then the Bank will extend the period of contract to the extent of delay without charging any Liquidated Damage.

3.1.17 Professional Liability Insurance

The QSA shall obtain an insurance policy covering Professional Indemnity Risk to the minimum extent of 10% of the contract price and endorse such policy in the Bank's favour and/or otherwise make any claim under the policy payable directly to the Bank by the Insurance Company till the completion of the project.

All disputes arising out of or in connection with the agreement shall be deemed to have arisen in Mumbai. Only the court(s) in Mumbai shall have the jurisdiction to determine the same.

3.1.18 Force Majeure

Any failure or delay by the selected Bidder or Bank in the performance of its obligations, to the extent due to any failure or delay caused by fire, flood, earthquake or similar elements of nature, or acts of God, war, terrorism, riots, civil disorders, rebellions or revolutions, acts of governmental authorities or other events beyond the reasonable control of the non-performing party, is not a default or a ground for termination. The affected party shall notify the other party of the occurrence of a Force Majeure Event forthwith.

3.1.19 Authorized Signatory

The selected Bidder shall indicate the authorized signatories who can discuss and correspond with the Bank, with regard to the obligations under the contract. The selected Bidder shall submit at the time of signing the contract, a certified copy of the resolution of their Board, authenticated by Company Secretary/Director, authorizing an official or officials of the company or a Power of Attorney copy to discuss, sign agreements/contracts with the Bank. The Bidder shall furnish proof of signature identification for above purposes as required by the Bank.

3.1.20 Indemnity

The Bidder shall indemnify Bank and keep the Bank indemnified for any loss or damage, cost or consequences that Bank may sustain, suffer or incur on account of violation of intellectual property rights of third party by the Bidder. The Bidder shall always remain liable to the Bank for any Losses suffered by the Bank due to any technical error or negligence or fault on the part of the Bidder, and the Bidder also shall indemnify the Bank for the same.

3.1.21 Non Payment Of Agreed Price

If any of the items/activities as mentioned in the price bid and as mentioned in Annexure-H are not taken up by the Bank during the course of this assignment, the Bank will not pay the contracted agreed price quoted/agreed by the selected QSA in the Price Bid against such activity/item.


3.1.22 Assignment

Neither the contract nor any rights granted under the contract may be sold, leased, assigned, or otherwise transferred, in whole or in part, by the QSA without advance written consent of the Bank and any such sale, lease, assignment or transfer otherwise made by the QSA shall be void and of no effect.

3.1.23 Non – Solicitation

The QSA, during the term of the contract and for a period of two years thereafter, shall not without the express written consent of the Bank, directly or indirectly: a) recruit, hire, appoint or engage or attempt to recruit, hire, appoint or engage or discuss employment with or otherwise utilize the services of any person who has been an employee or associate of, or engaged in any capacity by, the Bank in rendering services in relation to the contract; or b) induce any person who shall have been an employee or associate of the Bank at any time to terminate his/her relationship with the Bank.

3.1.24 No Employer-Employee Relationship

The QSA or any of its holding/subsidiary/joint-venture/ affiliate / group / client companies or any of their employees / officers / staff / personnel / representatives/agents shall not, under any circumstances, be deemed to have any employer-employee relationship with the Bank or any of its employees/officers/ staff/representatives/ personnel/agents.

3.1.25 Vicarious Liability

The QSA shall be the principal employer of the employees, agents, contractors, subcontractors etc. engaged by the QSA and shall be vicariously liable for all the acts, deeds, matters or things of such persons, whether the same is within the scope of power or outside the scope of power vested under the contract. No right of any employment in the Bank shall accrue or arise, by virtue of engagement of employees, agents, contractors, subcontractors etc. by the QSA, for any assignment under the contract. All remuneration, claims, wages, dues etc. of such employees, agents, contractors, subcontractors etc. of the QSA shall be paid by the QSA alone and the Bank shall not have any direct or indirect liability or obligation to pay any charges, claims or wages of any of the QSA's employees, agents, contractors, subcontractors etc. The QSA shall agree to hold the Bank, its successors, assigns and administrators fully indemnified and harmless against any loss or liability, claims, actions or proceedings of whatsoever nature that may arise or be caused to the Bank through the actions of the QSA's employees, agents, contractors, subcontractors etc.


3.1.26 Subcontracting

The vendor shall not subcontract (except for ASV scanning) or permit anyone other than its personnel to perform any of the work, service or other performance required of the vendor under the contract without the prior written consent of the Bank.

3.1.27 Cancellation Of Contract And Compensation

The Bank reserves the right to cancel the contract of the selected Bidder and recover expenditure incurred by the Bank in any of the following circumstances. The Bank would provide 30 days notice to rectify any breach/ unsatisfactory progress.

The selected Bidder commits a breach of any of the terms and conditions of the bid/contract.

The Bidder becomes insolvent or goes into liquidation voluntarily or otherwise.

An attachment is levied or continues to be levied for a period of 7 days upon effects of the bid.

The progress regarding execution of the contract, made by the selected Bidder is found to be unsatisfactory.

If deductions on account of penalty and liquidated damages exceed 10% of the total contract price.

If the selected Bidder fails to complete the due performance of the contract in accordance with the agreed terms and conditions.

After the award of the contract, if the selected Bidder does not perform satisfactorily or delays execution of the contract, the Bank reserves the right to get the balance contract executed by another party of its choice by giving one month’s notice for the same. In this event, the selected Bidder is bound to make good the additional expenditure, which the Bank may have to incur to carry out for the execution of the balance of the contract. This clause is also applicable, if for any reason, the contract is cancelled.

The Bank reserves the right to recover any dues payable by the selected Bidder from any amount outstanding to the credit of the selected Bidder, including the pending bills and/or by invoking the Bank Guarantee/Security Deposit, if any, under this contract.

3.1.28 Dispute Resolution

If a dispute, controversy or claim arises out of or relates to the contract, or breach, termination or invalidity thereof, and if such dispute, controversy or claim cannot be settled and resolved by the Parties through discussion and negotiation, then the Parties shall refer such dispute to arbitration. Both Parties may agree upon a single arbitrator, or each Party shall appoint one arbitrator and the two appointed arbitrators shall thereupon appoint a third arbitrator. The arbitration shall be conducted in English and a written order shall be prepared. The venue of the arbitration shall be Mumbai. The arbitration shall be held in accordance with the Arbitration and Conciliation Act, 1996. The decision of the arbitrator shall be final and binding upon the Parties, provided that each Party shall at all times be entitled to obtain equitable, injunctive or similar relief from any court having jurisdiction in order to protect its intellectual property and confidential information.

3.1.29 Project Timelines

The selected Bidder shall furnish a schedule of assessment/implementation of the contract of PCI-DSS Certification including consultancy encompassing its entire scope, discuss the same with the Bank officials and arrive finally at a mutually agreed assessment/implementation schedule within the overall ambit of six months time for first certification. The QSA shall be bound by the Implementation schedule so agreed. For Gap remediation, QSA should provide necessary support and hand-holding assistance including consultancy services as defined in the scope till the gaps are rectified for achieving the PCI-DSS Certification.

Job                                                    Projected Timeline

Contract Execution                                     2 Weeks
Phase I   - Detailed Scoping and Gap assessment plan   4 Weeks
Phase II  - Remediation plan                           16 Weeks
Phase III - Certification                              4 Weeks
Phase IV  - Ongoing compliance                         As per PCI-DSS requirement
            Quarterly scan/other scan                  As per PCI-DSS requirement
            Recertification                            4 weeks

The above timelines are tentative and may be extended at the discretion of the Bank at no extra cost to the Bank.


SECTION – IV

ANNEXURE-A : ELIGIBILITY CRITERIA

QSAs who wish to bid should conform to the following criteria.

S.No.  Eligibility Criteria  Documents required

1. Should be either a Government Organization/PSU/PSE/partnership firm or a limited Company, registered under Indian Laws.
   Documents required: Partnership firm - Certified copy of Partnership Deed. Limited Company - Certified copy of Certificate of Incorporation and Certificate of Commencement of Business. For other eligible entities - Applicable documents.

2. Should have been in existence for three years as on 31-10-2010.
   Documents required: Partnership firm - Certified copy of Partnership Deed. Limited Company - Certified copy of Certificate of Incorporation and Certificate of Commencement of Business. For other eligible entities - Applicable documents.

3. Should have a minimum average annual turnover of Rs.2.00 crores (Rupees Two Crores) during the last two financial years, viz. 2008-09 and 2009-10.
   Documents required: Copy of audited Balance Sheet and P&L statement for the financial years 2008-09 and 2009-10.

4. Should have made net profits for the last 2 financial years, viz. 2008-09 and 2009-10.
   Documents required: Copy of audited Balance Sheet and P&L statement for the financial years 2008-09 and 2009-10.

5. The QSA must have satisfactory experience of providing PCI-DSS consultancy or certification services to at least two Banks (consultancy for this purpose should be specific assistance for compliance with PCI-DSS such as Gap Analysis, Remediation assistance).
   Documents required: Appropriate documentary evidence in the form of work order copy, client references.

6. The Bidder must itself be a QSA certified by PCI-SSC. For this purpose a tie-up arrangement would not be considered eligible. However, for ASV scanning as required by PCI-DSS, the Bidder can tie up with PCI-SSC approved ASVs.
   Documents required: Copy of QSA certificate from PCI-SSC. Copy of ASV certificate from PCI-SSC.

7. The QSA should have at least 3 PCI-DSS certified QSAs as employees.
   Documents required: Appointment letters, CVs, QSA Certificate from PCI-SSC.

8. The QSA should have a pool of at least 10 IT Security professionals with international accreditations like CISA, CISSP, CCNA.
   Documents required: Appointment letters, CVs, relevant certificates.

9. The firm should never have been blacklisted / barred / disqualified by any regulator / statutory body.
   Documents required: Self Declaration.

Only those who fulfill all the eligibility criteria mentioned above are eligible to take part in this bid exercise.

Annexure-D (Technical Bid format) to be submitted by Bidders should contain detailed responses to each of the above eligibility criteria along with documentary proofs as specified above.

The fulfillment of the above eligibility criteria, except items 3 & 4, will be ascertained as of 31-10-2010.

Selected Bidder will not be eligible to participate as vendor/partner/collaborator for any of the hardware/software solutions.

Bidder/Bidders who have been appointed by the Bank for any other project and whose contract has been terminated before completion of the project are not eligible to bid in the proposed project.

Proposals of those Bidders, who do not fulfill the Eligibility Criteria as stated above fully, will be rejected.


ANNEXURE-B : QSA’S SELECTION/EVALUATION PROCESS

Evaluation of Technical Bid

First, Technical bid documents will be evaluated for fulfillment of eligibility criteria. Technical bids of only those Bidders who fulfill the eligibility criteria fully as per Annexure-A will be taken up for further evaluation/selection process rejecting the remaining bids.

The evaluation/selection process will be based on a combination of technical competence and commercial aspects, as detailed below. A maximum of 100 marks will be allocated for the technical bid. The evaluation of the functional and technical capabilities of the Bidders will be completed first, as per the following guidelines; only the technical proposals will be evaluated at this stage. Bidders scoring less than 60 marks (the cut-off score) out of 100 in the technical evaluation shall not be considered for the selection process. Once the evaluation of technical proposals is completed, only the Bidders who score equal to or more than the prescribed cut-off score of 60 will be short-listed.

The evaluation of technical proposals, among other things, will be based on the following:

Prior experience of the Bidder in undertaking projects of similar nature.

Professional qualifications and experience of the key staff proposed/ identified for this assignment.

Methodology/Approach proposed for accomplishing the proposed project, Activities / tasks, project planning, resource planning, effort estimate etc.

Various stages of technical evaluation are presented below:

1. Eligibility evaluation as per the criteria prescribed in Annexure-A.

2. Paper evaluation of technical proposals of Bidders qualified in eligibility evaluation, based on response and presentation

3. Arriving at the final score on technical proposal.

Presentation-cum-Interview

The Bidders who qualify in the eligibility evaluation have to give a presentation/interaction before a panel of representatives of the Bank on the methodology/approach, the time frame for various activities and the strengths of the Bidder in carrying out the tasks as per the scope of the RFP detailed under paras 2.2 and 2.3 of the RFP. The technical competence and capability of the Bidder should be clearly reflected in the presentation. If any short-listed Bidder fails to make such a presentation, he will be eliminated from the evaluation process.

At the sole discretion and determination of the Bank, the Bank may add any other relevant criteria for evaluating the proposals received in response to this RFP.

Bank may, at its sole discretion, decide to seek more information from the Respondents in order to normalize the bids. However, Respondents will be notified separately if such a normalization exercise is resorted to as part of the technical evaluation.

Technical Evaluation Criteria:

The criteria for evaluation of technical bids are as under. Credentials and the other evaluation criteria mentioned below will be computed as of 31-10-2010.

CRITERIA  Evaluation Parameters  MAX. MARKS  Documents to be submitted

Credentials

The number of years experience as QSA
  Less than 1 year: 0
  1 year & above and less than 3 years: 5
  3 years & above and less than 4 years: 10
  4 years & above: 15
  Documents to be submitted: Copies of QSA certification and recertifications issued by PCI-SSC.

The number of PCI-DSS certifications / recertifications carried out in India/abroad. (For this purpose, initial certification and subsequent recertifications, if any, carried out for the same client will be treated as only one certification.)
  For 1 to 3 certifications: 3
  For 4 to 5 certifications: 6
  For more than 5 certifications: 10
  Documents to be submitted: Copies of PCI-DSS certifications issued to the clients; or reference letter from clients.

The number of PCI-DSS certifications / recertifications carried out in India/abroad in BANKS. (For this purpose, initial certification and subsequent recertifications, if any, carried out for the same client will be treated as only one certification.)
  For each Bank certification: 2
  Additional marks for certification of each Bank in India: 3
  Maximum marks: 10
  Documents to be submitted: Copies of PCI-DSS certifications issued to the clients; or reference letter from clients.

The number of PCI-DSS consultancy projects carried out in India/abroad. (Consultancy for this purpose should be by way of specific assistance for compliance with PCI-DSS such as Gap Analysis, Remediation assistance.)
  For 1 to 3 clients: 3
  For 4 to 5 clients: 6
  For more than 5 clients: 10
  Documents to be submitted: Reference letter from client / copies of work order.

The number of PCI-DSS consultancy projects carried out in India/abroad in Banks. (Consultancy for this purpose should be by way of specific assistance for compliance with PCI-DSS such as Gap Analysis, Remediation assistance.)
  For each Bank: 2
  Additional marks for each Bank in India: 3
  Maximum marks: 10
  Documents to be submitted: Reference letter from client / copies of work order.

Sub-total (Credentials): 55

Manpower

The number of PCI-SSC certified QSA employees with the Bidder
  For 3 QSAs: 8
  For 4-6 QSAs: 12
  For more than 6 QSAs: 15
  Documents to be submitted: 1. Copy of QSA Certificate from PCI-SSC; 2. Copy of appointment letter; 3. CV

The number of CISA/CISSP/CCNA accredited personnel employed by the Bidder
  For 10 to 15 employees: 10
  For more than 15 employees: 15
  Documents to be submitted: 1. Copy of relevant certifications; 2. Copy of appointment letter; 3. CVs

Bidder should have an office in Mumbai for PCI-DSS certification & support services: 5
  Documents to be submitted: Proof of office address in Mumbai

Sub total (Manpower): 35

Methodology & Approach

Demonstration of in-depth understanding of the Bank's project requirements through the technical proposal and presentation, with detailed broken-down activities to be performed, effort estimation and manpower to be deployed: 10
  Documents to be submitted: Subjective evaluation based on technical proposal and presentation

Sub total (Methodology & Approach): 10

Total: 100

Annexure-D (Technical Bid format) to be submitted by Bidders should contain detailed responses to each of the above evaluation criteria along with documentary proofs as specified there against.

Commercial Bid Evaluation Criteria

It may be noted that commercial bids will be subjected to the following evaluation process.

Based on the technical evaluation criteria, each Bidder will be given certain marks. Only those Bidders scoring 60% (60 marks out of 100) or above in the technical evaluation will be short-listed for commercial evaluation.

Nominal quote provided by the Bidder whose Technical Bid qualifies will be discounted as per the formula given below. A comprehensive “Score (S)” will be arrived at after considering the nominal commercial quote and the marks obtained in technical evaluation with relative weights of 30% for commercial score and 70% for technical score. The Bidder with the highest score will be declared successful:


Computation Methodology for arriving at “Least Price / Least Quote” :

Cut - Off score for technical bid will be 60 marks.

In case there is only one bidder having technical score of 60 or more, Bank may, at its discretion, also consider the next highest technical scorer with minimum score of 50. In case, no Bidder is having technical score of 60 or more, Bank may, at its discretion, qualify 2 top scoring Bidders with minimum score of 50 in technical evaluation and compute the “Score” as per the table below.

Bank will give 70% weightage to technical score while comparing the commercial quote. The procedure is as under:

A ’Score (S)’ will be calculated for all qualified Bidders using the following formula:

Where C stands for the nominal price quoted, CLow stands for the price quote of the lowest nominal bid, T stands for the technical evaluation score and THigh stands for the score of the technically highest Bidder. X is equal to 0.3. While computing the comprehensive score (S) as per the above formula, the values of (CLow / C) * X and (T / THigh) * (1 - X) will be considered only up to 3 decimals and the remaining decimals will be ignored.

Example:

S.No.  Bidder  Technical Evaluation Marks (T)  Nominal Bid Price (C)  (CLow / C) * 0.30       (T / THigh) * 0.70      Score (S)
1      ABC     95                              71                     (60/71) * 0.30 = 0.253  (95/95) * 0.70 = 0.700  0.953
2      XYZ     85                              65                     (60/65) * 0.30 = 0.276  (85/95) * 0.70 = 0.626  0.902
3      UVW     80                              60                     (60/60) * 0.30 = 0.300  (80/95) * 0.70 = 0.589  0.889


In the above example, ABC, with the highest score of 0.953, becomes the successful Bidder.

Bank reserves the right to negotiate the price with the successful Bidder before awarding the contract. It may be noted that Bank will not entertain any price negotiations with any other Bidder, till the successful Bidder declines to accept the offer.

In the case of a tie between two or more Bidders, a fresh commercial bid will be called for from these Bidders for evaluation and selection of the QSA.
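The scoring rule above, worked through in code as an added example that is not part of the RFP: it reproduces the Bank's example table, applies the 60-mark cut-off with the discretionary fallback to a minimum score of 50, truncates each term to three decimals as the text requires, and flags a tie. It assumes CLow and THigh are taken over the technically qualified bidders only, as the example table implies.

```python
"""Worked example of the RFP's commercial-cum-technical scoring rule.

Added illustration, not part of the RFP. It implements the rule as the
text states it: S = (CLow / C) * X + (T / THigh) * (1 - X) with X = 0.3,
each product truncated (not rounded) to three decimals. The bidder
figures in main() are the RFP's own example (ABC, XYZ, UVW).
Assumption: CLow and THigh are taken over the technically qualified
bidders only, as the example table implies.
"""
from decimal import Decimal, ROUND_DOWN
from typing import Dict, List, Tuple

X = Decimal("0.3")      # weight of the commercial score; technical weight is 1 - X
CUT_OFF = 60            # technical cut-off score
FALLBACK_MIN = 50       # minimum the Bank may admit at its discretion


def truncate3(value: Decimal) -> Decimal:
    """Keep three decimals and discard the rest (the RFP ignores, not rounds)."""
    return value.quantize(Decimal("0.001"), rounding=ROUND_DOWN)


def technically_qualified(tech: Dict[str, int]) -> List[str]:
    """Bidders admitted to commercial evaluation.

    Normal case: everyone with T >= 60. If fewer than two clear the cut-off,
    the RFP lets the Bank admit the next highest scorer(s) with T >= 50;
    that discretion is modelled here as always exercised.
    """
    above = [b for b, t in tech.items() if t >= CUT_OFF]
    if len(above) >= 2:
        return above
    ranked = sorted((b for b, t in tech.items() if t >= FALLBACK_MIN),
                    key=lambda b: tech[b], reverse=True)
    return ranked[:2]


def score(t: int, c: Decimal, t_high: int, c_low: Decimal) -> Tuple[Decimal, Decimal, Decimal]:
    """Return (commercial part, technical part, S) for one bidder."""
    commercial = truncate3(c_low / c * X)
    technical = truncate3(Decimal(t) / Decimal(t_high) * (1 - X))
    return commercial, technical, commercial + technical


def evaluate(tech: Dict[str, int], price: Dict[str, object]):
    """Score all qualified bidders.

    Returns (results, winners); winners has more than one entry on a tie,
    which the RFP resolves by calling a fresh commercial bid from those bidders.
    Prices may be given as int, str or Decimal; they are converted exactly.
    """
    qualified = technically_qualified(tech)
    if not qualified:
        return {}, []
    prices = {b: Decimal(str(price[b])) for b in qualified}
    t_high = max(tech[b] for b in qualified)
    c_low = min(prices.values())
    results = {b: score(tech[b], prices[b], t_high, c_low) for b in qualified}
    best = max(r[2] for r in results.values())
    winners = [b for b, r in results.items() if r[2] == best]
    return results, winners


def main() -> None:
    # The RFP's example figures: marks out of 100 and nominal bid price
    tech = {"ABC": 95, "XYZ": 85, "UVW": 80}
    price = {"ABC": 71, "XYZ": 65, "UVW": 60}
    results, winners = evaluate(tech, price)
    for b, (com, tec, s) in results.items():
        print(f"{b}: T={tech[b]} C={price[b]} commercial={com} technical={tec} S={s}")
    print("successful bidder(s):", winners)  # ['ABC'], as in the RFP example


if __name__ == "__main__":
    main()
```

Note that XYZ's commercial term comes out as 0.276, not the 0.277 that rounding would give; the RFP's example table only reconciles if the extra decimals are discarded.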


ANNEXURE-C : COMPLIANCE CERTIFICATE

(on company's letterhead)

To,                                                          Date :
The Assistant General Manager (CISO)
Risk Management Dept.
Bank of Baroda
2nd Floor, Baroda Corporate Centre
C-26, G Block, Bandra Kurla Complex,
Bandra (East)
Mumbai 400 051

Dear Sir,

Ref: RFP for selection of Qualified Security Assessor (QSA) for PCI-DSS Certification.

1. Having examined the Request for Proposal (RFP) including all annexures, the receipt of which is hereby duly acknowledged, we, the undersigned, offer to provide the desired PCI-DSS certification including consultancy services for the Bank's payment card business including BOBCARDS Ltd. in conformity with the terms and conditions of the said RFP and in accordance with our proposal and the schedule of Prices indicated in the Price Bid and made part of this bid.

2. If our Bid is accepted, we undertake to complete the project within the scheduled time lines.

3. We confirm that this offer is valid for six months from the last date for submission of RFP to the Bank.

4. This Bid, together with your written acceptance thereof and your notification of award, shall constitute a binding Contract between us.

5. We undertake that in competing for and if the award is made to us, in executing the subject Contract, we will strictly observe the laws against fraud and corruption in force in India namely “Prevention of Corruption Act 1988”.

6. We agree that the Bank is not bound to accept the lowest or any Bid that the Bank may receive.

7. We have not been barred/black-listed by any regulatory / statutory authority and we have the required approval, if any, to be appointed as a service provider.

8. We shall observe confidentiality of all the information passed on to us in course of the tendering process and shall not use the information for any other purpose than the current tender.

9. We confirm that we have obtained all necessary statutory and obligatory permission to carry out the assignment, if any.

Signed:                     Dated:

Seal & Signature of the Bidder
Phone No.:
Fax:
E-mail:


ANNEXURE-D : TECHNICAL BID FORMAT

Particulars to be provided by the Bidder in the technical proposal:

No  Particulars  Bidder to furnish details  Reference page no. of relevant document in RFP response

1 Name of the Bidder

2 Date of establishment and constitution. Certified copy of “Partnership Deed” or “Certificate of Incorporation/commencement of business” should be submitted. For entities other than partnership firm and limited company, other relevant documents to be submitted.

3 Location of Registered Office /Corporate Office/ Mumbai office with addresses.

4 Mailing address of the Bidder

5 Names and designations of the persons authorized to make commitments to the Bank

6 Telephone and fax numbers of contact persons

7 E-mail addresses of contact persons

8

Details of:

Description of business and business background

Service Profile & client profile

Domestic & International presence.

9

Date of obtaining QSA Certification by PCI-SSC.

Please attach copy of QSA certificate/recertification issued by PCI-SSC.

10

Name and Contact details of ASV Vendor.

Please submit PCI-SSC ASV Certificate/recertification PCI-SSC.

11 Gross annual turnover of the Bidder (not of the group)

Year 2008-09 Audited

Year 2009-10 Audited.

(Copy of audited financial statements for above years to be submitted)

12

Net profit of the Bidder (not of the group)

Year 2008-09 Audited

Year 2009-10 Audited.

(Copy of audited financial statements for above years to be submitted)

13

Experience of assignments executed successfully as QSA for providing PCI-DSS consultancy or certification services to organizations including Banks, as per the following details:

(For item nos. 13a to 13d, Name of the organization, time taken for execution of the assignment and documentary proofs in the form of copy of work order, reference from client, copy of QSA certification are to be furnished)

13a PCI-DSS Certification/recertification in Banks

13b PCI-DSS Certification/recertification in organizations other than Banks

13c PCI-DSS Consultancy assignments in Banks

13d PCI-DSS Consultancy assignments in organizations other than Banks

14 Details of the similar assignments on hand as on date (Name of the Bank, time projected for execution of the assignment and documentary proofs such as work order are to be furnished)

15 Name of the Engagement Manager & overall person responsible (team leader) identified for this assignment and their professional qualifications and experience/expertise

Details of similar assignments handled by the said team leader. Documentary proofs for all the assertions are to be enclosed.

16

Names of the other team members identified for this assignment and their professional qualifications and experience/expertise. (Should possess qualifications as mentioned in the RFP)

Documentary proofs for all the assertions in the form of Certificates, CVs, employment letter to be enclosed.

17

Names of the staff members and their QSA or/and CISA/CISSP/CCNA certification.

Appointment letters

CVs

Copy of QSA Certificate and CISA/CISSP/CCNA certification to be enclosed.

18 Estimated work plan and time schedules for providing services for this assignment.

19 Effort estimate and elapsed time are to be furnished.

20 Details of inputs, infrastructure requirements required by the Bidder to execute this assignment.

As per Annexure-E

21

Details of the Bidder’s proposed methodology/approach with reference to the scope of work.

22

Details of deliverables, other than the deliverables with reference to the scope of work.

The Bidder should provide detailed responses for each of the above items along with documentary proofs as prescribed there against and also as specified in Annexure-A (eligibility criteria) & Annexure-B (QSA's Selection/Evaluation Process).

Declaration:

1. We confirm that we will abide by all the terms and conditions contained in the RFP.

2. We hereby unconditionally accept that Bank can at its absolute discretion apply whatever criteria it deems appropriate, not just limiting to those criteria set out in the RFP, in short listing of Bidders.

3. All the details mentioned by us are true and correct and if Bank observes any misrepresentation of facts on any matter at any stage, Bank has the absolute right to reject the proposal and disqualify us from the selection process.

4. We confirm that this response, for the purpose of short-listing, is valid for a period of six months, from the date of expiry of the last date for submission of response to RFP.

5. We confirm that we have noted the contents of the RFP and have ensured that there is no deviation in filing our response to the RFP and that the Bank will have the right to disqualify us in case of any such deviations.

Place:

Date: Seal & Signature of the Bidder


ANNEXURE-E : ESTIMATED EFFORT AND ELAPSED TIME

Sl No  Activities  Elapsed Time  Effort in Man days  Number of team members who will be deployed  Remarks

1. Detailed scoping

2. Gap Analysis

3. Gap Remediation

4. ASV Scan, vulnerability assessment, penetration testing, other scans as per the PCI-DSS requirement

5. PCI-DSS Certification

6. Post certification ASV Scanning for 1 year

7. Post certification Vulnerability Assessment, Penetration testing and other scans (excluding ASV scanning) as per PCI-DSS requirements for 1 year

8. Consultancy for ongoing compliance for -1- year

9. Recertification audit - one time

Place: Date: Seal and Signature of Bidder:


ANNEXURE-F : PROPOSED TEAM PROFILE

Sl No  Name of Proposed Engagement Manager / Proposed Team Member  Prof. Qualifications  Certifications/Accreditations  Experience in PCI-DSS consultancy and certification  IT Security Expertise in terms of years and areas of expertise  Number of similar assignments involved in Banks/others in India or abroad

Documentary proofs are to be enclosed to substantiate the claims made.

Place:

Date: Seal and signature of the Bidder


ANNEXURE-G : COMMENTS ON TERMS & CONDITIONS & SERVICES

Please provide your comments on the Terms & conditions in this section. You are requested to categorize your comments under appropriate headings such as those pertaining to the Scope of work, Terms & Conditions etc. You are also requested to provide a reference of the page number, state the clarification point and the comment/ suggestion/ deviation that you propose as shown below.

Sr. No.  Page #  Point / Section #  Clarification point as stated in the tender document  Comment/ Suggestion/ Deviation

1

2

3

4

5

6

7

8

9

Place: Date: Seal and signature of the Bidder


ANNEXURE-H : COMMERCIAL BID FORMAT

Commercial Bid Format

Sr. No.  Major Activities  Quoted Price inclusive of all taxes, levies, cess and duties except service tax (in Rupees)

1. PCI-DSS Certification including consultancy services as defined in the scope of work, ASV scanning, Vulnerability assessment, Penetration testing and other scans as per the PCI-DSS requirements.

2. ASV scanning by ASV as per the PCI-DSS requirement on quarterly basis for one year after PCI-DSS certification.

3. Vulnerability Assessment, Penetration testing and other scans (excluding ASV scanning) for -1- year after PCI-DSS certification as per the PCI DSS requirements.

4. Consultancy services for ongoing compliance for -1- year and one time recertification.

Total Cost

The prices quoted above should be inclusive of all taxes, levies, cess, and duties except service tax. The service tax is payable on actual basis.

Place: Date : Seal & Signature of the Bidder

Bank Of Baroda, IT Security Cell, Risk Management Department 2nd Floor, Bank Corporate Centre, C-26, G-Block, Bandra Kurla Complex, Bandra (East), MUMBAI – 400051.

End of Document