BANK OF BARODA - RFP for Selection of Qualified Security Assessor (QSA) for PCI-DSS Certification Replies / Clarifications to Queries


Query 1: No. of IP addresses:
i. No. of IPs for ASV scans (external VA)
ii. No. of IPs for internal vulnerability assessment
iii. No. of IPs for internal penetration testing
iv. No. of IPs for external penetration testing

Reply:
i. Indicative range of no. of public IPs is … However, the actual number may vary during the course of the assignment.
ii. Vendors need to make their own assessment based on the details provided in the RFP.
iii. Vendors need to make their own assessment based on the details provided in the RFP.
iv. Indicative range of no. of public IPs is … However, the actual number may vary during the course of the assignment.

Query 2: Is it going to be one report, whether it be gap analysis, ASV report or ROC (Report on Compliance), for all entities, which includes BOB, BOB Cards and BOB overseas entities, if any?

Reply: Two separate sets of reports have to be submitted, one for Bank of Baroda including overseas territories and another for BOBCARDS Ltd. If there is any change in the constitution or name of BOBCARDS Ltd. during the course of the assignment, the assignment needs to be carried out for the new entity.

Query 3: Procedures and policies for PCI DSS will be drafted as per the requirements of the standard during the entire engagement, which is sufficient for complying with the standard. By the term "Business Unit wise procedural guidelines", is the bank referring to any separate guideline in addition to the aforementioned ones? If so, please provide more details. (Please refer Page 16 of 43 under Gap Analysis section of the …

Reply: The procedural guidelines for ongoing compliance should be as per the requirements of PCI-DSS. However, the guidelines should be drafted business-unit wise.

Query 4: Will the third parties to whom card related services have been outsourced be restricted, for BOB compliance, to requirement 12.8 alone, or do third parties have to be taken in scope for PCI-DSS of Bank of Baroda?

Reply: PCI-DSS compliance assessment of third parties should be limited to requirement 12.8 of PCI DSS for service providers.

Query 5: Section … of the RFP mentions the bank's service providers and merchants will be validated for compliance against PCI DSS requirements as a part of the gap analysis. Does the QSA need to conduct separate assessments on the bank's merchants and service providers? Kindly provide the list of service providers and merchants who are required to be validated for PCI DSS, and whether the same is to be included in the cost.

Reply: The service providers and merchants should be assessed as per the PCI-DSS compliance requirements for Bank of Baroda including BOBCARDS Ltd. No separate assessments need to be carried out for service providers and merchants.

Query 6: Does Bank of Baroda wish to include merchants, service providers and other third parties under the scope of the final certification audit, in addition to gap analysis? If so, please provide details of each of the above along with the IT infrastructure details, locations and type of activity done at each of their locations separately. (Please refer Page 15 of 43 under Gap Analysis section of the …

Reply: The service providers, merchants and other third parties should be assessed as per the PCI-DSS compliance requirements for Bank of Baroda including BOBCARDS Ltd. No separate assessments need to be carried out for service providers and merchants.
Note: Sampling size of the aforementioned entities will be different for gap analysis and certification audit activities.

Query 7: Scope requires covering 74 branches/offices in 25 countries. As per RFP section 2.4.1, some overseas territories are acquiring transactions of other local card issuers through arrangements with VISA, local exchanges etc. Kindly provide a list of all international territories, and whether they have common operations which can be considered.

Reply: The list of overseas territories would be provided to the successful bidder. As on date, 9 overseas territories are having debit card operations, out of which 6 overseas territories are having acquiring business. Some more territories are in the process of commencing card operations. Besides the existing overseas territories with card operations, all other existing and new overseas territories which will start card operations during the course of the assignment should be considered in the scope of work. Most of the overseas territories are having card operations through the Bank's BASE24 switch and DCMS application, located at its DC and DR in India.

Query 8: Gap analysis for debit transactions at overseas branches and subsidiaries can be done through teleconferencing. However, the certification audit has to be conducted through physical visits to sampled locations. Sampling of locations for audit will be done based on the QSA's judgment and best practices. (Please refer Page 19 of 43 under Gap Analysis section of the …

Reply: The successful bidder has to carry out the scoped work based on documentation provided by the Bank and teleconferencing, without any physical visits to the overseas locations.

Query 9: Please provide the total number of the following devices that would form a part of the scope, i.e. which store, process or facilitate transmission of cardholder data (16 digit card numbers, PINs, CVV, CVV2):
- Windows Server: X Nos.
- Linux Server: X Nos.
- HP UX Server: X Nos.
- MS SQL database server: X Nos.
- Oracle database server: X Nos.
- MySQL database servers: X Nos.
- DB2 database servers: X Nos.
- SAP servers: X Nos.
- Firewalls: X Nos.
- IDS / IPS: X Nos.
- Routers: X Nos.
- L2 Switches: X Nos.
- L3 Switches: X Nos.
- Log monitoring product
- File integrity monitoring product

Reply: Vendors need to make their own assessment based on the details provided in the RFP document. The requisite granular details of the infrastructure would be shared with the successful bidder only.

Query 10: Please provide the number of applications which store, accept or transmit 16 digit card numbers and/or PIN/CVV/CVV2 within the Bank of Baroda network. Can you provide the list of cardholder applications, if any, storing, processing or transmitting cardholder data (apart from the applications mentioned in the …) within the Bank of Baroda network? Can you provide the list of cardholder applications, if any, storing, processing or transmitting cardholder data (apart from the applications mentioned in the …) within the BOB Cards network?

Reply: An indicative list of card applications within the Bank of Baroda network and the BOBCARDS network is as under: Base24 Switch, Debit Card Management System (DCMS), DCIS of ISGL, Debit Card Reconciliation System (DCRS of ISGL), Opus Electra Card Host, Electra Card System (comprising CCMS, MMS, CMS), Data Card Application of CMS Ltd., Opus Electra PG, HSMs, Finacle-CBS, CRM system, phone banking application, internet banking application, interfaces, etc. It should be noted that the above is only an indicative list and the scope will include other applications as assessed by the successful bidder during the course of the assignment for PCI-DSS compliance.

Query 11: Can you give the location details of BOB Cards Ltd. to be considered in scope?

Reply: As on date: BOBCARDS offices in Jogeshwari (W), Mumbai; Colaba, Mumbai; Bank of Baroda DC in Mumbai; Bank of Baroda DRS in Hyderabad; 35 area offices of BOBCARDS including one in Mumbai.

Query 12: Does the bank need a Merchant Compliance Program as an additional service which will enable the bank to manage compliance of all its merchants/service providers centrally?

Reply: No merchant compliance program is required as an additional service. The merchants should be assessed as per the PCI-DSS compliance requirements for Bank of Baroda including BOBCARDS Ltd.

Query 13: Have any of the third parties associated with Bank of Baroda been certified as PCI DSS compliant? If yes, please provide details.

Reply: Some third parties associated with Bank of Baroda are certified for PCI-DSS compliance. However, the details will be shared with the successful bidder only.

Query 14: Has the bank outsourced any activity to a call center which requires accepting debit card numbers, credit card numbers, PINs, CVV2 etc. from the customer? If yes, please provide names, locations, number of such third party service …

Reply: At present the Bank doesn't have a call centre. However, a 24/7 in-house help desk is available. If any call centres are set up during the course of the assignment, the same should be considered as part of the scope of work.