Request for Information (RFI)

Electronic Payment Capability for Identity Cards

Request for Information:
Electronic Payment Capability for Identity Cards
United States Department of Defense

Version 0.7

Page 1 of 9

1.0 Introduction
1.1 Purpose and scope
This Request for Information (RFI) seeks input from qualified parties on the concept of adding
electronic payment functionality to the latest generation of Federal identity credentials. The
responses provided may guide the future development and deployment of electronic payment
capability on existing smart card-based identity credentials using the Common Access Card
(CAC)/Personal Identity Verification (PIV) card architecture.

1.2 Vision
The United States Department of Defense is focused on simplifying the lives of the American
Service Member, their Dependent families, and the civilians supporting the uniformed services.
To that end, DoD is examining innovative and non-traditional tools, methods and processes to
achieve that goal. One avenue under consideration expands the use of the CAC/PIV card
beyond logical and physical access to include world-wide payment functionality, ATM access for
management of funds, access to public transit services and management of Federal transit
Advancements in contact and contactless chip technology present in the current CAC/PIV card
offer an opportunity to add value and functionality to the current card.
Development of general purpose payment capability on the CAC/PIV card based on a pre-paid
debit platform would allow the card to be used for general purpose payments on and off-base,
based on availability of funds in the card holder accounts. Payment capability would not be
credit-based and would include capacity to restrict where and when the card is used at the
geographical, merchant and product levels.
Further, the CAC/PIV card could be used to manage transportation benefits and act as a
contactless smart card for fare payment in US-based transit systems where open-payments
architecture is used in the fare system. This transit application would capture efficiencies and
improve accountability in the management of transit benefits to ensure that the right benefit is
delivered to the right card and subsequently used by the right person for transit fare payment.
Development and deployment of these tools would ease the Service Member’s life by
expanding capability of the existing credential and, over time, reduce the number of separate
cards currently needed to perform the same functionality.

1.3 Background
Under this RFI, DoD is exploring options to provide an end-to-end enterprise solution by adding
electronic payment functionality to identity cards using commercially-adopted, standards-based
systems to enable the CAC/PIV card to act as an open loop, pre-paid, payment card. Further,
this payments solution could be federated across the Government and cascade throughout the
entire PIV family of cards.
DoD operates a world-wide identity management program providing smart card-based identity
credentials to over three million people. The credentials are created through the Real-Time
Automated Personnel Identification System (RAPIDS) that centrally manages all card issuance,
which includes personalization and the instantiation of multiple Public Key Infrastructure (PKI)
certificates. There are approximately 2,500 RAPIDS stations operating world-wide. The smart
card-based CAC/PIV credentials, issued through RAPIDS, can also be updated using stand-
alone kiosks and a web-based user-maintenance portal for post-issuance card management.
The CAC/PIV card has both contact and contactless interfaces, and must comply with Federal
Information Processing Standards (FIPS) 140-2 (soon to become 140-3) and FIPS 201. The
DoD has a strong process for revocation through physical collection and electronic means
through a centrally managed Credential Revocation List.
DoD is seeking information on payment solutions that can execute payments as a pre-paid
product, funded from a single or multiple sources. The payment solution must be EMV-
compliant on both the contact and contactless interfaces and fully functional at all EMV point of
sale terminals or ATMs world-wide, where EMV is adopted.
Further, the card should be fully functional in US public transportation environments where the
system architecture is compatible. Within the transportation environment, the card should be
able to perform as a pre-paid debit card decrementing either personal funds or qualified
transportation benefits from the appropriate account. At all times, the payment solution must
have the ability to be restricted from use in certain geographical (regional) zones or within
certain merchant category codes; capacity for product-level code restrictions is preferred.
The CAC/PIV card is envisioned to be the payment vehicle, with a payment application either
resident on the chip within the card or linked by the chip within the card via the host operating
system. Because the CAC/PIV card acts as a Geneva Convention card, no branding or personally
identifiable information, beyond that allowed in the card topology standards, may be printed on
the card or freely read from the card's chips.

2.0 Request for Information
2.1 Framework
Respondents should factor in the following points in development of their responses:
1. DoD requires innovative, standards-based, commercially available, cost-effective
   approaches to providing electronic payment capability in online and offline environments
   using existing smart card-based identity credentials and related infrastructure; and,

2. Solutions proposed by vendors responding to this RFI may include general considerations,
   areas of concern, best practices, solution components, end-to-end solutions and any other
   information that may be relevant to the implementation of an electronic payment solution.

2.2 Operating Environment
Respondents should consider the following factors related to the payment system operating
environment in development of their responses:
1. Electronic payment capability must build upon commercially-adopted, standards-based
   payment programs when expanding functionality of the CAC/PIV card;

2. Performance on 24/7/365 basis and service availability world-wide;

3. Live agent access for account management and customer service on a global basis, toll

4. EMV compliance on both contact and contactless interfaces;

5. Offline/online payment capability is required with transaction risk reduction measures in-

6. Payment solution must be compliant with current FIPS 140, FIPS 201 and EMV standards;

7. Payment solution should be sufficiently flexible that it could be funded from single or multiple
   sources and have the flexibility to be easily changed over time;

8. Proposed solution should be functional in US public transportation environments with
   compatible account-based architectures; and,

9. Solution should have the ability to restrict payment authorization from certain geographical
   (regional) zones, merchant category codes; merchant terminal IDs; and product-level code

2.3 Core Requirements
Respondents are requested to submit the following information regarding technical capabilities,
industry information, and industry recommendations:

1. Provide a high-level explanation of the vendor solution, including information on what data
   must be resident on each card; recommendations on where to instantiate any such data; and
   advantages and disadvantages of the solution approach;

2. Identify any and all software and/or hardware required by both DoD and the system supplier to
   implement, operate and maintain the payment solution;

3. Outline the difficulty level of installing and maintaining the proposed product or solution;
   identify if the solution requires consulting services for installation; or, if the solution requires
   full time employee(s) to maintain the service;

4. Outline how end-user cards and accounts will be managed and updated through your
   solution; provide information on optimized solutions for post-issuance personalization,
   management and updating;

5. Provide examples of use in Government and Industry to include volume deployed, period of
   time product has been in use, and references that DoD may contact for further information;

6. Outline any limitations to the population of cardholders that your solution can accommodate;
   express the scalability of the solution across users and locations; identify any restrictions or

7. Outline integration and interface(s) approach to the CAC/PIV on-card credentials; use high
   level Unified Modeling Language (UML) sequence diagrams depicting data flow among on-
   card components and supporting off-card components; and,

8. Describe end-user experience in terms of expected performance (in seconds, or fractions
   thereof) for common transactions in the general purpose or transit payments environments
   and the end-to-end method of measurement used to gauge the performance.

2.4 Question Set
Responses to the question set below will significantly assist DoD in refining long-term
requirements and shaping the development of the anticipated RFP. If your area of expertise is
outside of certain questions presented below, please let us know and identify those questions
1. Describe constraints or boundaries envisioned in designing, developing and deploying the
   payment solution; does your solution provide worldwide interoperability; are there any known
   constraints, and if so, describe the mitigation measures to overcome said constraints.
2. Discuss all industry-adopted standards to which your product or solution complies and
   describe the relevance of that to the solution; given the highly defined ICC real estate on
   the CAC/PIV card, outline any constraints which must be supported to comply with
3. Describe an optimized process for both EMV and FIPS certification; discuss whether the solution is
   FIPS 140-2 certified (note that a revision to FIPS 140 is underway); if not, is it capable of
   being certified; all applications resident on the CAC/PIV card must be FIPS-certified, and that
   process must be aligned and rationalized with the EMV certification process.

4. Discuss the optimal payment solution structure; e.g., is there a single vendor solution that
   works end-to-end; or are teaming arrangements required to achieve the goal; provide an
   overview of the types of firms required to achieve an optimized implementation.
5. Outline the various card technologies supported by your firm; e.g., contact, contactless, etc.
   and provide a synopsis of the functionality on the card.
6. Outline any constraints or challenges in changing the type of application on cards
   (prepaid/general payment); describe how the solution can be adapted to meet specific
   needs, e.g., location-based, transaction type, etc.
7. Describe business model possibilities to allow this program to be cost neutral to the
   Government and outline steps or structures that should be considered to optimize that
8. Outline the scalability of the solution to expand to other Federal agencies within the United
   States and abroad; describe the technical and business requirements to support that
   expansion; describe if your product performance would be impacted by the size of the
   population administered.
9. Describe the reissuance model for a payment application on the CAC/PIV card; describe the
   approximate timeframe and steps required to recover funds and resume normal operations
   from the back-office system and customer-facing perspectives.
10. Describe payment systems security as part of a recommended approach outlining the pros
    and cons; what steps should be considered for protection of personally identifiable
    information (PII); how is PII security and integrity optimally implemented and managed.
11. Describe recommended approaches for development of a Payment Card Industry (PCI)
    compliant system; identify PCI-related issues which may arise in the development,
    management or operational phases of the program; describe compliance measures which
    should be incorporated into the approach and what party would be responsible for achieving
    and maintaining compliance.
12. Describe how a general purpose prepaid product aligns with advancements made in the US
    transit marketplace to accept and process open-loop payments; describe how the solution
    could manage and optimize distribution and updating of transit benefits for DoD and Federal
13. Describe various business models available to support this initiative noting card branding
    limitations; discuss advantages or disadvantages of encoding the payment application by
    DoD or another Federal agency, card manufacturer or trusted third party entity.
14. Describe various pre-paid product platforms including pre-paid debit, both signature and
    PIN-based; discuss the impact of driving payments from the contact and contactless chips;
    describe any impact on the goal of world-wide interoperability.
15. Describe ATM access, domestically and internationally; discuss options as work around for
    loss of the start sentinel on the magnetic stripe in gated ATMs; discuss any identified impact
    regarding the loss of the magnetic stripe for US-based and foreign ATM transactions;
    discuss the use of contact and contactless use in ATMs domestically and internationally;
    what is the strategy and timing for EMV in US-based ATMs.
16. Outline tools available to restrict use of the card to certain merchant category codes on a
    geographic basis; discuss how granular the restrictions can become; i.e., at the merchant
    terminal or product (SKU) level.
17. Discuss the role that EMVCo plays in the payments industry; discuss the importance of EMV
    standards to reduce fraud; discuss EMV certification for contact and contactless chip
    systems; discuss the concept of ‘full’ EMV for certain geographic regions and EMV ‘lite’ for
    the US; is there any impact on operations for payments at any level; is that approach fully
    backward and forward compatible; describe what impacts EMV updates would have on the
    payments platform, the existing application or infrastructure; discuss the concept of e-Purse
    capability within an EMV framework.
18. Describe the technical requirements of the payment application proposed to operate on the
    card’s contact and contactless interfaces; what are the technical features, functionality and
    requirements; is there a difference if one goes full EMV versus EMV ‘lite.’
19. Describe the roles of issuer and acquirer in the general payments environment; describe the
    role of DoD or another Federal Agency in the payments scenario outlined under this RFI.
20. Outline the infrastructure requirements for terminals, communications networks and host
    systems to support this payment solution; how are global updates handled; how is backward
    and forward compatibility assured.
21. Outline the initialization and personalization process; how are account and card initialization
    and personalization functions performed today; what are the account and card initialization
    and personalization options one could consider in adding payment functionality on the
    CAC/PIV card; provide commentary on each approach outlined.
22. Describe capacity for Web-based interfaces for transaction management, control and
    reporting; outline features and functionality for transaction analysis from the card level to roll-
    up at agency-levels; describe the reporting systems for audit, control and management of
    payments and transit benefits.
23. Describe options for customer service functions via live agents on a global basis; address
    service time restrictions and customer toll-free access; describe alternatives which could
    achieve the same functionality.
24. Describe options for use of the magnetic stripe on the card; while cards are manufactured
    today with the multi-track magnetic stripe, DoD would like to consider options as part of a
    go-forward strategy.
25. Identify potential areas of risk in development and operation of this program; outline
    recommended measures to mitigate the identified risks.

26. Do you feel that you have a clear understanding of the goals and objectives of this initiative
    to successfully respond to a solicitation issued for this requirement? If not, what additional
    information would you require?

3.0 Summary
Responses to this RFI should be no more than 85 pages in length, single sided, with 1 inch
margins, in no less than 12 point font, on 8-1/2 x 11 inch paper. An allowance of no more
than 15 pages in either 8-1/2 x 14 or 11x17 inch format paper, used for diagrams or process
flows, will be allowed as part of the package, for a total of 100 pages inclusive of title pages,
executive summaries, conclusions or any other ancillary writings, including appendixes.

Please provide five printed copies of your response in three-ring binders with the name of your
firm (or team) and the title of this RFI clearly identified on the cover to the address below on the
required date by 3:00 PM, local time. Concurrently, also provide a soft copy of your response in
.pdf format on a CD with the name of your firm (or team) and the title of this RFI clearly
identified. Include the CD in the package with the printed materials on the required date by 3:00
PM. Note that USB-based portable data storage devices (thumb drives) are not permitted in the
DoD environment and cannot be used to electronically transfer responses to this RFI.

This RFI is being issued for Government planning purposes only. This RFI shall neither be
construed as a Request for Proposal (RFP), nor as an obligation on the part of the Government
to acquire any products or services. Further, based on the responses to this round of the
process, there may be a second round of responses requested. If, at the conclusion of this
process, an RFP is issued, it will be officially issued by the appropriate Government contracting
If proprietary information is provided, please mark as Proprietary for Government use Only.
Any questions regarding this RFI shall be in writing and transmitted either electronically via e-
mail or mailed to the address below to the attention of the designated point of contact.
Qualified sources may be invited to discuss their responses, product offerings and suggestions
with key government planners and decision makers.
Questions regarding this RFI should be addressed via e-mail to no later than 3:00 p.m. Eastern Standard Time (EST)
October 1, 2010.
Interested parties shall submit their responses to Matthew Poole, no later than October 25,
2010, in the data formats identified above. All inquiries and responses must be submitted as
instructed above; telephone and FAX responses to this RFI will not be accepted.

Federal Information Processing Standards (FIPS):
    FIPS 140-2    Security Requirements for Cryptographic Modules
    FIPS 201-1    Personal Identity Verification (PIV) of Federal Employees and Contractors
PIV Data Model v6.1 End-point
DoD Implementation Guide for Transitional PIV II SP 800-73 v1
DoD Implementation Guide for CAC/PIV End-point v1.22

Mailing Address:
Attn: Matthew Poole
4040 N. Fairfax Drive, Suite 120
Arlington, VA 22203
