E-wallets are a commonly used payment instrument for e-commerce shopping, as they are suitable for small purchases. An electronic wallet stores electronic money, such as electronic cash, electronic coins and electronic credit cards. Shopping with an electronic wallet usually takes place within an electronic wallet service system. The electronic wallet software used in e-commerce is usually free of charge. Worldwide there are two electronic wallet service systems: VISA Cash and Mondex.
Request for Information (RFI): Electronic Payment Capability for Identity Cards
United States Department of Defense
Version 0.7

1.0 Introduction

1.1 Purpose and scope

This Request for Information (RFI) seeks input from qualified parties on the concept of adding electronic payment functionality to the latest generation of Federal identity credentials. The responses provided may guide the future development and deployment of electronic payment capability on existing smart card-based identity credentials using the Common Access Card (CAC)/Personal Identity Verification (PIV) card architecture.

1.2 Vision

The United States Department of Defense is focused on simplifying the lives of the American Service Member, their Dependant families, and the civilians supporting the uniformed services. To that end, DoD is examining innovative and non-traditional tools, methods and processes to achieve that goal. One avenue under consideration expands the use of the CAC/PIV card beyond logical and physical access to include world-wide payment functionality, ATM access for management of funds, access to public transit services and management of Federal transit benefits.

Advancements in contact and contactless chip technology present in the current CAC/PIV card offer an opportunity to add value and functionality to the current card. Development of general purpose payment capability on the CAC/PIV card based on a pre-paid debit platform would allow the card to be used for general purpose payments on and off-base, based on availability of funds in the card holder accounts. Payment capability would not be credit-based and would include capacity to restrict where and when the card is used at the geographical, merchant and product levels.
Further, the CAC/PIV card could be used to manage transportation benefits and act as a contactless smart card for fare payment in US-based transit systems where open-payments architecture is used in the fare system. This transit application would capture efficiencies and improve accountability in the management of transit benefits to ensure that the right benefit is delivered to the right card and subsequently used by the right person for transit fare payment. Development and deployment of these tools would ease the Service Member’s life by expanding capability of the existing credential and, over time, reduce the number of separate cards currently needed to perform the same functionality.

1.3 Background

Under this RFI, DoD is exploring options to provide an end-to-end enterprise solution by adding electronic payment functionality to identity cards using commercially-adopted, standards-based systems to enable the CAC/PIV card to act as an open loop, pre-paid, payment card. Further, this payments solution could be federated across the Government and cascade throughout the entire PIV family of cards.

DoD operates a world-wide identity management program providing smart card-based identity credentials to over three million people. The credentials are created through the Real-Time Automated Personnel Identification System (RAPIDS) that centrally manages all card issuance, which includes personalization and the instantiation of multiple Public Key Infrastructure (PKI) certificates. There are approximately 2,500 RAPIDS stations operating world-wide. The smart card-based CAC/PIV credentials, issued through RAPIDS, can also be updated using stand-alone kiosks and web-based user-maintenance portal for post-issuance card management.
The CAC/PIV card has both contact and contactless interfaces, and must comply with Federal Information Processing Standards (FIPS) 140.2 (soon to become 140.3) and FIPS 201. The DoD has a strong process for revocation through physical collection and electronic means through a centrally managed Credential Revocation List.

DoD is seeking information on payment solutions that can execute payments as a pre-paid product, funded from a single or multiple sources. The payment solution must be EMV-compliant on both the contact and contactless interfaces and fully functional at all EMV point of sale terminals or ATMs world-wide, where EMV is adopted. Further, the card should be fully functional in US public transportation environments where the system architecture is compatible. Within the transportation environment, the card should be able to perform as a pre-paid debit card decrementing either personal funds or qualified transportation benefits from the appropriate account. At all times, the payment solution must have the ability to be restricted from use in certain geographical (regional) zones or within certain merchant category codes; capacity for product-level code restrictions is preferred.

The CAC/PIV card is envisioned to be the payment vehicle with a payment application either resident on the chip within the card or linked by the chip within the card via the host operating system. In that the CAC/PIV card acts as a Geneva Convention card, no branding or personally identifiable information, beyond that allowed in the card topology standards, may be printed on the card or freely read from the card’s chips.

2.0 Request for Information

2.1 Framework

Respondents should factor in the following points in development of their responses:

1. DoD requires innovative, standards-based, commercially available, cost-effective approaches to providing electronic payment capability in online and offline environments using existing smart card-based identity credentials and related infrastructure; and,
2. Solutions proposed by vendors responding to this RFI may include general considerations, areas of concern, best practices, solution components, end-to-end solutions and any other information that may be relevant to the implementation of an electronic payment solution.

2.2 Operating Environment

Respondents should consider the following factors related to the payment system operating environment in development of their responses:

1. Electronic Payment capability must build upon commercially-adopted standards-based payment programs when expanding functionality of CAC/PIV card;
2. Performance on 24/7/365 basis and service availability world-wide;
3. Live agent access for account management and customer service on a global basis, toll free;
4. EMV compliance on both contact and contactless interfaces;
5. Offline/online payment capability is required with transaction risk reduction measures in-place;
6. Payment solution must be compliant with current FIPS 140, FIPS 201 and EMV standards;
7. Payment solution should be sufficiently flexible that it could be funded from single or multiple sources and have the flexibility to be easily changed over time;
8. Proposed solution should be functional in US public transportation environments with compatible account-based architectures; and,
9. Solution should have the ability to restrict payment authorization from certain geographical (regional) zones, merchant category codes; merchant terminal IDs; and product-level code restrictions.
2.3 Core Requirements

Respondents are requested to submit the following information regarding technical capabilities, industry information, and industry recommendations:

1. Provide high level explanation of vendor solution including information relating to what data must be resident on each card; recommendations on where to instantiate any said data, advantages and disadvantages in the solution approach;
2. Identify any and all software and/or hardware required by both DoD and system supplier to implement, operate and maintain the payment solution;
3. Outline the difficulty level of installing and maintaining the proposed product or solution; identify if the solution requires consulting services for installation; or, if the solution requires full time employee(s) to maintain the service;
4. Outline how end-user cards and accounts will be managed and updated through your solution; provide information on optimized solutions for post-issuance personalization, management and updating;
5. Provide examples of use in Government and Industry to include volume deployed, period of time product has been in use, and references that DoD may contact for further information;
6. Outline any limitations to the population of cardholders that your solution can accommodate; express the scalability of the solution across users and locations; identify any restrictions or limitations;
7. Outline integration and interface(s) approach to the CAC/PIV on-card credentials; use high level Unified Modeling Language (UML) sequence diagrams depicting data flow among on-card components and supporting off-card components; and,
8. Describe end-user experience in terms of expected performance (in seconds, or fractions thereof) for common transactions in the general purpose or transit payments environments and the end-to-end method of measurement used to gauge the performance.
2.4 Question Set

Responses to the question set below will significantly assist DoD in refining long-term requirements and shape the development of the anticipated RFP. If your area of expertise is outside of certain questions presented below, please let us know and identify those questions accordingly.

1. Describe constraints or boundaries envisioned in designing, developing and deploying the payment solution; does your solution provide worldwide interoperability; are there any known constraints, and if so, describe the mitigation measures to overcome said constraints.
2. Discuss all industry-adopted standards to which your product or solution complies and describe the relevance of that to the solution; given the highly defined ICC real estate on the CAC/PIV card, outline any constraints which must be supported to comply with standards.
3. Describe an optimized process for both EMV and FIPS certification; discuss if the solution is FIPS 140-2 certified (note that a revision to FIPS140 is underway); if not, is it capable of being certified; all applications resident on the CAC/PIV card must be FIPS-certified and that process must be aligned and rationalized with the EMV certification process.
4. Discuss the optimal payment solution structure; e.g., is there a single vendor solution that works end-to-end; or are teaming arrangements required to achieve the goal; provide an overview of the types of firms required to achieve an optimized implementation.
5. Outline the various card technologies supported by your firm; e.g., contact, contactless, etc. and provide a synopsis of the functionality on the card.
6. Outline any constraints or challenges in changing the type of application on cards (prepaid/general payment); describe how the solution can be adapted to meet specific needs, e.g., location-based, transaction type, etc.
7. Describe business model possibilities to allow this program to be cost neutral to the Government and outline steps or structures that should be considered to optimize that relationship.
8. Outline the scalability of the solution to expand to other Federal agencies within the United States and abroad; describe the technical and business requirements to support that expansion; describe if your product performance would be impacted by the size of the population administered.
9. Describe the reissuance model for a payment application on the CAC/PIV card; describe the approximate timeframe and steps required to recover funds and resume normal operations from the back-office system and customer-facing perspectives.
10. Describe payment systems security as part of a recommended approach outlining the pros and cons; what steps should be considered for protection of personally identifiable information (PII); how is PII security and integrity optimally implemented and managed.
11. Describe recommended approaches for development of a Payment Card Industry (PCI) compliant system; identify PCI-related issues which may arise in the development, management or operational phases of the program; describe compliance measures which should be incorporated into the approach and what party would be responsible for achieving and maintaining compliance.
12. Describe how a general purpose prepaid product aligns with advancements made in the US transit marketplace to accept and process open-loop payments; describe how the solution could manage and optimize distribution and updating of transit benefits for DoD and Federal employees.
13. Describe various business models available to support this initiative noting card branding limitations; discuss advantages or disadvantages of encoding the payment application by DoD or another Federal agency, card manufacturer or trusted third party entity.
14. Describe various pre-paid product platforms including pre-paid debit, both signature and PIN-based; discuss the impact of driving payments from the contact and contactless chips; describe any impact on the goal of world-wide interoperability.
15. Describe ATM access, domestically and internationally; discuss options as work around for loss of the start sentinel on the magnetic stripe in gated ATMs; discuss any identified impact regarding the loss of the magnetic stripe for US-based and foreign ATM transactions; discuss the use of contact and contactless use in ATMs domestically and internationally; what is the strategy and timing for EMV in US-based ATMs.
16. Outline tools available to restrict use of the card to certain merchant category codes on a geographic basis; discuss how granular the restrictions can become; i.e., at the merchant terminal or product (SKU) level.
17. Discuss the role that EMVCo plays in the payments industry; discuss the importance of EMV standards to reduce fraud; discuss EMV certification for contact and contactless chip systems; discuss the concept of ‘full’ EMV for certain geographic regions and EMV ‘lite’ for the US; is there any impact on operations for payments at any level; is that approach fully backward and forward compatible; describe what impacts EMV updates would have on the payments platform, the existing application or infrastructure; discuss the concept of e-Purse capability within an EMV framework.
18. Describe the technical requirements of the payment application proposed to operate on the card’s contact and contactless interfaces; what are the technical features, functionality and requirements; is there a difference if one goes full EMV versus EMV ‘lite.’
19. Describe the roles of issuer and acquirer in the general payments environment; describe the role of DoD or another Federal Agency in the payments scenario outlined under this RFI.
20. Outline the infrastructure requirements for terminals, communications networks and host systems to support this payment solution; how are global updates handled; how is backward and forward compatibility assured.
21. Outline the initialization and personalization process; how are account and card initialization and personalization functions performed today; what are the account and card initialization and personalization options one could consider in adding payment functionality on the CAC/PIV card; provide commentary on each approach outlined.
22. Describe capacity for Web-based interfaces for transaction management, control and reporting; outline features and functionality for transaction analysis from the card level to roll-up at agency-levels; describe the reporting systems for audit, control and management of payments and transit benefits.
23. Describe options for customer service functions via live agents on a global basis; address service time restrictions and customer toll-free access; describe alternatives which could achieve the same functionality.
24. Describe options for use of the magnetic stripe on the card; while cards are manufactured today with the multi-track magnetic stripe, DoD would like to consider options as part of a go-forward strategy.
25. Identify potential areas of risk in development and operation of this program; outline recommended measures to mitigate the identified risks.
26. Do you feel that you have a clear understanding of the goals and objectives of this initiative to successfully respond to a solicitation issued for this requirement? If not, what additional information would you require?
3.0 Summary

Responses to this RFI should be no more than 85 pages in length; single sided with 1 inch margins using no less than 12 point font using 8-1/2 x 11 inch paper. An allowance of no more than 15 pages in either 8-1/2 x 14 or 11x17 inch format paper and used for diagrams or process flows will be allowed as part of the package for a total of 100 pages inclusive of title pages, executive summaries, conclusions or any other ancillary writings, including appendixes.

Please provide five printed copies of your response in three-ring binders with the name of your firm (or team) and the title of this RFI clearly identified on the cover to the address below on the required date by 3:00 PM, local time. Concurrently, also provide a soft copy of your response in .pdf format on a CD with the name of your firm (or team) and the title of this RFI clearly identified. Include the CD in the package with the printed materials on the required date by 3:00 PM. Note that USB-based portable data storage devices (thumb drives) are not permitted in the DoD environment and cannot be used to electronically transfer responses to this RFI.

This RFI is being issued for Government planning purposes only. This RFI shall neither be construed as a Request for Proposal (RFP), nor as an obligation on the part of the Government to acquire any products or services. Further, based on the responses to this round of the process, there may be a second round of responses requested. If, at the conclusion of this process, an RFP is issued, it will be officially issued by the appropriate Government contracting office. If proprietary information is provided, please mark as Proprietary for Government use Only.

Any questions regarding this RFI shall be in writing and transmitted either electronically via e-mail or mailed to the address below to the attention of the designated point of contact.
Qualified sources may be invited to discuss their responses, product offerings and suggestions with key government planners and decision makers.

Questions regarding this RFI should be addressed via e-mail to Matthew.Poole@osd.pentagon.mil no later than 3:00 p.m. Eastern Standard Time (EST) October 1, 2010. Interested parties shall submit their responses to Matthew Poole, no later than October 25, 2010 in the data formats identified above. All inquiries and responses must be submitted as instructed above – Telephone and FAX responses to this RFI will not be accepted.

Attachments:

Federal Information Processing Standards (FIPS) -
140-2 Security Requirements for Cryptographic Modules
201-1 Personal Identity Verification (PIV) of Federal Employees and Contractors
PIV Data Model v6.1 End-point
DoD Implementation Guide for Transitional PIV II SP 800-73 v1
DoD Implementation Guide for CAC/PIV End-point v1.22

Mailing Address:

DHRA PSO
Attn: Matthew Poole
4040 N. Fairfax Drive, Suite 120
Arlington, VA 22203