PCI QSA Selection
Evaluator:
Jason P. Rusch
PCI Questionnaire Response Evaluation
Evaluator:
Date:
Company: QSA Firm 1
Primary Contact:

Evaluation section                               Total Score   Possible   Completed
A. General Evaluation - Subjective Impression              0         60           0
B. Questionnaire Response Evaluation                       0        185           0
C. RFP Response Evaluation                                 0        215           0
D. Interview Response Evaluation                           0        185           0
E. Pricing Evaluation                                      0         40           0
F. References Evaluation                                   0        170           0
Total score                                                0        855          0%




<> Services & Deliverables                         Totals
PCI Assessment & Report On Compliance              $0.00
Asset Inventory Worksheet
Gap report
QSA estimated travel/incidentals                   $0
Total                                              $0.00
Billing & Payment Options





Base Score:
    1   Very uncomfortable/disliked response / Unacceptable
    2   Uncomfortable with response / Not a quality response
    3   Neutral response / Wasn't good or bad response / Meets basic requirements
    4   Liked response / Quality response / Exceeds basic requirements
    5   Highly comfortable with response / High quality response / Well above basic requirements

Weight:
    1   Low / Moderately Important
    2   Medium / Important
    3   High / Very Important




SECTION A                                              QSA Firm 1
General Evaluation - Subjective Impression

Reference   Criterion   Evaluation considerations   Base Score   Weight   Final Score

(none)  Groundwork
    Did the QSA vendor actively stay engaged with <merchant> during the selection process?
    Base Score: 0    Weight: 3    Final Score: 0

(none)  Responsiveness
    Did the QSA vendor respond in a reasonable amount of time to meeting requests, questions and document requests during the selection process?
    Base Score: 0    Weight: 2    Final Score: 0

(none)  Appearance / presentation
    What was the overall professionalism, experience and knowledge of the QSA and its team members during meetings leading up to the RFP?
    Base Score: 0    Weight: 3    Final Score: 0

(none)  Appearance / presentation
    Does the QSA appear likely to be a partner in assisting <merchant> with developing remediation options and/or strategies for the remediation of potential gaps and control weaknesses?
    Base Score: 0    Weight: 3    Final Score: 0

(none)  Attitude
    What is the apparent degree of enthusiasm of the vendor to conduct the PCI assessment and partner with <merchant>?
    Base Score: 0    Weight: 1    Final Score: 0

Total score for this section: 0



SECTION B                                              QSA Firm 1
Questionnaire Response Evaluation

Questionnaire #   Question   Evaluation considerations   Base Score   Weight   Final Score

1.  Has your firm ever been in or is currently in remediation status with the PCI-SSC?
    Consideration: Has the company ever been cited during the PCI-SSC QA process?
    Base Score: 0    Weight: 2    Final Score: 0

2.  Year your firm was founded
    Consideration: How long has the company been in existence?
    Base Score: 0    Weight: 1    Final Score: 0

3.  Number of total employees
    Consideration: What is the total size of the company?
    Base Score: 0    Weight: 1    Final Score: 0

4.  Number of trained and certified PCI assessors within your firm.
    Consideration: What is the company's ability to adequately staff the project?
    Base Score: 0    Weight: 3    Final Score: 0

5.  List members that will be assigned to this project, organization description, roles, and assigned project manager?
    Consideration: Do the qualifications of the principals, project manager, and project staff indicate that the firm can complete the tasks in a professional and satisfactory manner? Does the response indicate that the principals of the firm will be heavily involved in the actual performance of the contract or only marginally involved in an administrative or overview capacity?
    Base Score: 0    Weight: 2    Final Score: 0

6.  Do the members assigned to the team that will conduct this project have a solid background in 1 or more of the following backgrounds: audit, I.T. security, forensics, I.T. compliance, I.T. risk management, vulnerability management?
    Consideration: Assess the background and skill sets of the members that will be assessing I.T. deliverables; they need to have a solid background in some of the listed skill sets to be most effective in accurately assessing deliverables.
    Base Score: 0    Weight: 3    Final Score: 0

7.  Does your firm use subcontractors when conducting PCI assessments and/or for the assessment of deliverables?
    Consideration: Does the bidder indicate that the work will be done by its employees, or is the specialized work to be done by subcontractors or other outsourced support?
    Base Score: 0    Weight: 1    Final Score: 0

8.  What practical hands-on experience does your firm and the members assigned to this engagement have with payment systems?
    Consideration: Does the QSA and/or any of the team members have direct experience with our internal POS systems (i.e. vendor/product Simphony/Opera)?
    Base Score: 0    Weight: 3    Final Score: 0

9.  Number of on-site assessments the QSAs that would be assigned to this engagement have performed for Merchant Level 1 and 2's?
    Consideration: What is the company's depth of practical PCI knowledge and experience?
    Base Score: 0    Weight: 3    Final Score: 0

10. What guarantee of continuity of assigned team members can your firm promise?
    Consideration: What guarantees has the QSA vendor made in supporting the continuity of the project?
    Base Score: 0    Weight: 1    Final Score: 0

11. How many offices and locations does your firm have in the US and internationally?
    Consideration: Does the company have remote offices in many areas where cafés reside, and does the company have an international presence?
    Base Score: 0    Weight: 1    Final Score: 0

12. What background in audit & PCI onsite assessment experience does your firm have?
    Consideration: How long has your firm offered onsite PCI assessments to level 1 and 2 merchants? Do they arise from a base of consulting / auditing experience?
    Base Score: 0    Weight: 3    Final Score: 0

13. Explain your business's organizational structure.
    Consideration: Does the company provide products that could be sold as remediation solutions to QSA-discovered control weaknesses or gaps?
    Base Score: 0    Weight: 1    Final Score: 0

14. What other compliance-related services does your firm offer?
    Consideration: What is the company's breadth of compliance experience? Does the firm limit its work to specialized areas?
    Base Score: 0    Weight: 2    Final Score: 0

15. What was your firm's revenue for the last 2 years?
    Consideration: To what degree does the firm demonstrate financial stability?
    Base Score: 0    Weight: 1    Final Score: 0

16. What is your firm's customer retention rate and calculation?
    Consideration: How does this compare with other bidders? How reasonable and realistic is the means of calculation? What is the degree of demonstrated customer loyalty?
    Base Score: 0    Weight: 2    Final Score: 0

17. Have you worked with <MERCHANT NAME> in the past? Please explain.
    Consideration: Has <MERCHANT NAME> had prior experience with the QSA vendor and, if so, what was the overall quality and satisfaction of the project?
    Base Score: 0    Weight: 1    Final Score: 0

18. What, if any, previous involvement in litigation, arbitration or mediation has your company experienced in the last 5 years?
    Consideration: What is revealed about past disagreements / problems with clients and the means by which they were resolved?
    Base Score: 0    Weight: 2    Final Score: 0

19. Please list similar merchants that your firm has provided similar services for. Please explain in detail why the merchants are similar.
    Consideration: Has the QSA listed merchants that it has performed onsite assessments for that might have similarities to <merchant>, for example industry, geography, POS, etc.?
    Base Score: 0    Weight: 3    Final Score: 0

20. Have any merchants or service providers your firm has provided an onsite PCI-DSS assessment for, where a compliant ROC was produced, ever suffered a CHD data breach or loss within 1 year of the completion of that ROC?
    Consideration: Has any company the firm has assessed as being compliant ever suffered a data breach?
    Base Score: 0    Weight: 3    Final Score: 0

Total score for this section: 0
SECTION C                                           QSA Firm 1
RFP Response Evaluation

Reference   Section Name   Evaluation considerations   Base Score   Weight   Final Score

Section 1.2   Information Security and Compliance Services Companies Qualifications
    Were the following statements replied to and what was the quality of the responses?
    1.2 The successful QSA firm will have experience conducting payment/credit card security program assessments in large, geographically dispersed and complex merchant environments, consistent with applicable industry standards and requirements, including, but not limited to, the Payment Card Industry Data Security Standard ("PCI DSS").
    Base Score: 0    Weight: 2    Final Score: 0

Section 1.5   Information Security and Compliance Services Companies Qualifications
    Were the following statements replied to and what was the quality of the responses?
    1.5 If the QSA firm is currently in or has been in the past in remediation status with the Payment Card Industry Security Standards Council (PCI-SSC), please note the date, duration and high level cause or causes for the remediation status and QA review.
    Base Score: 0    Weight: 2    Final Score: 0

Section 2.0   Purpose and High Level Goals
    Were the following statements replied to and what was the quality of the responses?
    Did the RFP response speak to the RFP's high level goals and objectives?
    2.1 Conduct an onsite PCI-DSS assessment.
    2.2.1 Strengthen security within its credit card data environment and payment card processes.
    2.2.2 Reduce risk surface and overall risk exposure to information technology resources and data related to <MERCHANT NAME>'s credit card data and process environment.
    2.2.3 File a compliant "Report on Compliance" (ROC) by no later than <> to <MERCHANT NAME>'s acquiring bank.
    Base Score: 0    Weight: 3    Final Score: 0

Section 3.0   Business and Assessment Scope
    Did the RFP response show that the firm understood the business?
    Base Score: 0    Weight: 2    Final Score: 0

Section 4.0   PCI-DSS Onsite Assessment Objectives
    Did the RFP response show that the firm understood the scope of the assessment?
    Base Score: 0    Weight: 2    Final Score: 0

Section 5.1   Deliverables
    Did the RFP response speak to the content and framework of the ROC?
    Base Score: 0    Weight: 1    Final Score: 0

Section 5.2+  Deliverables
    Did the RFP response speak to all of the requested deliverables?
    5.3 Post assessment executive report for <MERCHANT NAME> management.
    5.3.2 High level summary of applied compensating controls
    Base Score: 0    Weight: 3    Final Score: 0

Section 6.1   RFP Response Inclusions
    Did the RFP response include the following:
    6.1 Consultant Qualifications
    Base Score: 0    Weight: 2    Final Score: 0

Section 6.2   RFP Response Inclusions
    Did the RFP response include the following:
    6.2 Project Plan and Fixed Fee Estimate
    6.2.1 Present a project based fixed fee bid, from planning and preparation through a post-assessment review of the results, which identifies resources (including <MERCHANT NAME> resources required, and identifying any other expected impact on <MERCHANT NAME>), costs and milestones.
    6.2.2 The project timetable should include a 1 day lessons learned / post-mortem session to be conducted after the completion of the assessment.
    6.2.3 Provide a description of the steps you would take to achieve the proposed timetable, including the assumptions supporting it, and the formal communication and status update mechanisms you intend to use.
    6.2.4 Provide hourly rates, by resource type, to be used if additional work is required.
    Base Score: 0    Weight: 3    Final Score: 0

Section 6.3   RFP Response Inclusions
    Did the RFP response include the following:
    6.3 Deliverables Management and Reporting
    6.3.1 QSA firm's management of the following items:
    6.3.1.1 Schedule and meeting management
    6.3.1.2 Deliverables management
    6.3.1.3 High level assessment status reporting
    Base Score: 0    Weight: 3    Final Score: 0

Section 6.4   RFP Response Inclusions
    Did the RFP response include the following:
    6.4 Sample Deliverables and Reports
    6.4.1 Redacted samples or extracts of;
    Base Score: 0    Weight: 2    Final Score: 0

Section 9.1   Proposal Requirements
    Was the RFP response in the requested format and layout?
    9.1 QSA consulting firms are requested to submit their proposal in the general format outlined in this section of the document.
    Base Score: 0    Weight: 3    Final Score: 0

Section 9.2   Proposal Requirements
    Does the RFP response speak to terms and conditions?
    9.2 QSA consulting firms must explicitly state in their proposal the terms and conditions under which contracts for services may be terminated. Each proposal shall include a letter of transmittal, which bears the signature of an authorized representative of the QSA consulting firm Company. The letter of transmittal must also include the name(s) of the individual(s) authorized to negotiate with <MERCHANT NAME>, as well as the names of sales representatives of the consulting firm.
    Base Score: 0    Weight: 3    Final Score: 0

Section 10    Detailed Response Requirements
    Was the RFP response in the requested format and layout?
    The QSA consulting firm's proposal in response is required to be submitted in the following format:
    10.1 EXECUTIVE SUMMARY
    10.2 PROJECT APPROACH, METH-MANAGEMENT
    10.3 DETAILED AND ITEMIZED PRICING
    10.4 DELIVERABLES
    10.5 RFP INCLUSION AND ATTACHMENT REQUESTS
    10.5.1 REFERENCES
    10.5.2 TEAM STAFFING
    10.5.3 SAMPLES AND EXAMPLES
    Base Score: 0    Weight: 3    Final Score: 0

Doc Request 1.0   Documents
    Were sample ROCs submitted as requested? And what was the quality of the requested item?
    Base Score: 0    Weight: 1    Final Score: 0

Doc Request 2.0   Documents
    Were samples of deliverables management and tracking documentation submitted as requested? And what was the quality of the requested item?
    Base Score: 0    Weight: 3    Final Score: 0

Doc Request 3.0   Documents
    Were sample executive reports submitted as requested? And what was the quality of the requested item?
    Base Score: 0    Weight: 2    Final Score: 0

Doc Request 4.0   Documents
    Was a proposed timeline including assessment phases submitted as requested? And what was the quality of the requested item?
    Base Score: 0    Weight: 2    Final Score: 0

Doc Request 5.0   Documents
    Were samples of weekly and/or monthly status reports submitted as requested? And what was the quality of the requested item?
    Base Score: 0    Weight: 1    Final Score: 0

Total score for this section: 0




QSA Vendor Response   Merchant Comments




PCI Questionnaire Response Evaluation
Evaluator:
Date:
Company: QSA Firm 2
Primary Contact:

Evaluation section                               Total Score   Possible   Completed
A. General Evaluation - Subjective Impression              0         60        0.0%
B. Questionnaire Response Evaluation                       0        185        0.0%
C. RFP Response Evaluation                                 0        215        0.0%
D. Interview Response Evaluation                           0        185        0.0%
E. Pricing Evaluation                                      0         40        0.0%
F. References Evaluation                                   0        170        0.0%
Total score                                                0        855        0.0%




SECTION A                                               QSA Firm 2
General Evaluation - Subjective Impression

Reference   Criterion   Evaluation considerations   Base Score   Weight   Final Score

(none)  Groundwork
    Did the QSA vendor actively stay engaged with <merchant> during the selection process?
    Base Score: 0    Weight: 3    Final Score: 0

(none)  Responsiveness
    Did the QSA vendor respond in a reasonable amount of time to meeting requests, questions and document requests during the selection process?
    Base Score: 0    Weight: 2    Final Score: 0

(none)  Appearance / presentation
    What was the overall professionalism, experience and knowledge of the QSA and its team members during meetings leading up to the RFP?
    Base Score: 0    Weight: 3    Final Score: 0

(none)  Appearance / presentation
    Does the QSA appear likely to be a partner in assisting <merchant> with developing remediation options and/or strategies for the remediation of potential gaps and control weaknesses?
    Base Score: 0    Weight: 3    Final Score: 0

(none)  Attitude
    What is the apparent degree of enthusiasm of the vendor to conduct the PCI assessment and partner with <merchant>?
    Base Score: 0    Weight: 1    Final Score: 0

Total score for this section: 0



SECTION B                                              QSA Firm 2
Questionnaire Response Evaluation
Questionnaire # Question                               Evaluation considerations                                      Base Score      Weight         Final Score
       1        Has your firm ever been in or is       Has the company ever been cited during the PCI-SSC QA                0               2             0
                currently in remediation status with   process?
                the PCI-SSC?
                Year your firm was founded             How long has the company been in existence?
       2                                                                                                                    0               1             0

                 Number of total employees             What is the total size of the company?
         3                                                                                                                  0               1             0

                 Number of trained and certified PCI   What is the company's ability to adequately staff the project?
         4       assessors within your firm.                                                                                0               3             0



     List members that will be assigned to Do the qualifications of the principals, project manager, and
     this project, organization description, project staff indicate that the firm can complete the tasks in a
     roles, and assigned project manager? professional and satisfactory manner? Does the response
                                             indicate that the principals of the firm will be heavily involved
5                                            in the actual performance of the contract or only marginally        0   2   0
                                             involved in an administrative or overview capacity?



     Do the members assigned to the          Assess the background and skill sets of the members that
     team that will conduct this project     will be assessing I.T. deliverables; they need to have a solid
     have a solid background in 1 or more    background in some of the listed skill sets to be most
     of the following areas: audit,          effective in accurately assessing deliverables.
6    I.T. security, forensics, I.T.                                                                                  0   3   0
     compliance, I.T. risk management,
     vulnerability management?

     Does your firm use subcontractors        Does the bidder indicate that the work will be done by its
     when conducting PCI assessment           employees, or is the specialized work to be done by
7    and/ or for the assessment of            subcontractors or other outsourced support?                        0   1   0
     deliverables?

     What practical hands-on experience      Does the QSA and/ or any of the team members have direct
     does your firm and the members          experience with our internal POS systems (i.e.
8    assigned to this engagement have        vendor/product Simphony/Opera)?                                         0   3   0
     with payment systems?

     Number of on-site assessments the       What is the company's depth of practical PCI knowledge and
     QSAs who would be assigned to this      experience?
9    engagement have performed for                                                                                   0   3   0
     Level 1 and Level 2 merchants?

     What guarantee of continuity of         What guarantees has the QSA vendor made in supporting
     assigned team members can your firm     the continuity of the project?
10   promise?                                                                                                        0   1   0


     How many offices and locations does     Does the company have remote offices in many areas where
     your firm have in the US and            cafes reside, and does the company have an international
11   internationally?                        presence?                                                               0   1   0



     What background in audit & PCI         How long has your firm offered onsite PCI assessments to
12   onsite assessment experience does      level 1 and 2 merchants? Do they arise from a base of             0             3       0
     your firm have?                        consulting / auditing experience?

     Explain your business's                Does the company provide products that could be sold as
     organizational structure.              remediation solutions to QSA-discovered control
13                                          weaknesses or gaps?                                                    0             1       0


     What other compliance-related          What is the company's breadth of compliance experience?
     services does your firm offer?         Does the firm limit its work to specialized areas?
14                                                                                                            0             2       0


     What was your firm's revenue for the   To what degree does the firm demonstrate financial stability?
15   last 2 years?                                                                                                 0             1       0

     What is your firm's customer retention How does this compare with other bidders? How reasonable
16   rate and calculation?                  and realistic is the means of calculation? What is the degree      0             2       0
                                            of demonstrated customer loyalty?

     Have you worked with <MERCHANT         Has <MERCHANT NAME> had prior experience with the
     NAME> in the past? Please explain.     QSA vendor and if so, what was the overall quality and
17                                          satisfaction of the project?                                           0             1       0


     What if any previous involvement in      What is revealed about past disagreements / problems with
     litigation, arbitration or mediation has clients and the means by which they were resolved?
18   your company experienced in the last                                                                     0             2       0
     5 years?


     Please list similar merchants that your Has the QSA listed merchants that it has performed onsite
     firm has provided similar services for. assessments for that might have similarities to <merchant>,
19   Please explain in detail why the        for example industry, geography, POS, etc.                            0             3       0
     merchants are similar.
     Have any merchants or service           Has any company the firm has assessed as being compliant
     providers your firm has provided an     ever suffered a data breach?
     onsite PCI-DSS assessment where a
     compliant ROC was produced, ever
20   suffered a CHD data breach or loss                                                                       0             3       0
     within 1 year of the completion of that
     ROC?


                                                                                                     Total score for this section   0
SECTION C                                           QSA Firm 2
RFP Response Evaluation

Reference      Section Name                        Evaluation considerations                                         Base Score   Weight   Final Score
Section 1.2    Information Security and Compliance Were the following statements replied to, and what was the
               Services Companies Qualifications   quality of the responses?

                                                    1.2 The successful QSA firm will have experience
                                                    conducting payment/credit card security program
                                                    assessments in large, geographical dispersed and complex              0           2         0
                                                    merchant environments, consistent with applicable industry
                                                    standards and requirements, including, but not limited to, the
                                                    Payment Card Industry Data Security Standard (“PCI DSS”).


Section 1.5    Information Security and Compliance Were the following statements replied to, and what was the
               Services Companies Qualifications   quality of the responses?

                                                    1.5 If the QSA firm is currently in or has been in the past
                                                    remediation status with the Payment Card Industry Security            0           2         0
                                                    Standards Council (PCI-SSC), please note the date, duration
                                                    and high level cause or causes for the remediation status
                                                    and QA review.




Section 2.0   Purpose and High Level Goals    Were the following statements replied to, and what was the
                                              quality of the responses?

                                              Did the RFP response speak to the RFP's high level goals
                                              and objectives?

                                              2.1 Conduct an onsite PCI-DSS assessment.

                                              2.2.1 Strengthen security within its credit card data
                                              environment and payment card processes
                                                                                                              0     3   0

                                              2.2.2 Reduce risk surface and overall risk exposure to
                                              information technology resources and data related with
                                              <MERCHANT NAME>’s credit card data and process
                                              environment.

                                              2.2.3 File a compliant "Report on Compliance" (ROC) by no
                                              later than <> to <MERCHANT NAME>'s acquiring bank.


Section 3.0   Business and Assessment Scope   Did the RFP response show that the firm understood the
                                              business?                                                       0     2   0

Section 4.0   PCI-DSS Onsite Assessment       Did the RFP response show that the firm understood the
              Objectives                      scope of the assessment?


                                              4.1 Conduct a complete PCI-DSS onsite assessment
                                              consistent with all applicable PCI standards, requirements
                                              and testing procedures by <DATE>.
                                                                                                              0     2   0
                                              4.2 Author and complete a compliant Report On Compliance
                                              (ROC) by <date>.

                                              4.3 Assist <MERCHANT NAME> in strengthening its card
                                              holder data environment by consulting on remediation and/
                                              or compensating controls to address all discovered areas of
                                              non-compliance and control weaknesses during the
                                              assessment.
Section 5.1   Deliverables                    Did the RFP response speak to the content and framework
                                              of the ROC?                                                     0     1   0


Section 5.2+   Deliverables              Did the RFP response speak to all of the requested
                                         deliverables?                                                    0     3   0

Section 6.1    RFP Response Inclusions   Did the RFP response include the following:
                                                                                                          0     2   0
                                         6.1 Consultant Qualifications
Section 6.2    RFP Response Inclusions   Did the RFP response include the following:

                                         6.2 Project Plan and Fixed Fee Estimate

                                         6.2.1 Present a project based fixed fee bid, from planning
                                         and preparation through a post-assessment review of the
                                         results, which identifies resources (including <MERCHANT
                                         NAME>resources required, and identifying any other
                                         expected impact on <MERCHANT NAME>), costs and
                                         milestones.

                                         6.2.2 The project timetable should include a 1 day lessons       0     3   0
                                         learned / post-mortem sessions to be conducted after the
                                         completion of the assessment.

                                         6.2.3 Provide a description of the steps you would take to
                                         achieve the proposed timetable, including the assumptions
                                         supporting it, and the formal communication and status
                                         update mechanisms you intend to use.

                                         6.2.4 Provide hourly rates, by resource type, to be used if
                                         additional work is required.
Section 6.3    RFP Response Inclusions   Did the RFP response include the following:

                                         6.3 Deliverables Management and Reporting

                                         6.3.1 QSA firms management of the following items;               0     3   0
                                         6.3.1.1 Schedule and meeting management
                                         6.3.1.2 Deliverables management
                                         6.3.1.3 High level assessment status reporting

Section 6.4    RFP Response Inclusions   Did the RFP response include the following:

                                         6.4 Sample Deliverables and Reports
                                                                                                          0     2   0
                                         6.4.1 Redacted samples or extracts of;

                                         6.4.1.1 3 final representative reports from prior PCI onsite
Section 9.1   Proposal Requirements            Was the RFP response in the requested format and layout
                                               as requested?

                                               9.1 QSA consulting firms are requested to submit their           0    3   0
                                               proposal in the general format outlined in this section of the
                                               document.

Section 9.2   Proposal Requirements            Does the RFP response speak to terms and conditions?

                                               9.2 QSA consulting firms must explicitly state in their
                                               proposal the terms and conditions under which contracts for
                                               services may be terminated. Each proposal shall include a
                                               letter of transmittal, which bears the signature of an
                                               authorized representative of the QSA consulting firm             0    3   0
                                               Company. The letter of transmittal must also include the
                                               name(s) of the individual(s) authorized to negotiate with
                                               <MERCHANT NAME>, as well as the names of sales
                                               representatives of the consulting firm.


Section 10    Detailed Response Requirements   Was the RFP response in the requested format and layout
                                               as requested?

                                               The QSA consulting firm’s proposal in response is required
                                               to be submitted in the following format:

                                               10.1 EXECUTIVE SUMMARY

                                               10.2 PROJECT APPROACH, METH-MANAGEMENT

                                               10.3 DETAILED AND ITEMIZED PRICING                               0    3   0

                                               10.4 DELIVERABLES

                                                10.5 RFP INCLUSION AND ATTACHMENT REQUESTS

                                               10.5.1 REFERENCES

                                               10.5.2 TEAM STAFFING

                                               10.5.3 SAMPLES AND EXAMPLES

Doc Request 1.0 Documents   Were sample ROCs submitted as requested?

                            And what was the quality of the requested item?               0               1        0



Doc Request 2.0 Documents   Were samples of deliverables management and tracking
                            documentation submitted as requested?
                                                                                          0               3        0
                            And what was the quality of the requested item?


Doc Request 3.0 Documents   Were sample executive reports submitted as requested?

                            And what was the quality of the requested item?               0               2        0



Doc Request 4.0 Documents   Was a proposed timeline including assessment phases
                            submitted as requested?
                                                                                          0               2        0
                            And what was the quality of the requested item?


Doc Request 5.0 Documents   Were samples of weekly and/ or monthly status reports
                            submitted as requested?
                                                                                          0               1        0
                            And what was the quality of the requested item?


                                                                                    Total score for this section   0




 <> Services & Deliverables                                                Totals
 PCI Assessment & Report On Compliance                                      $0.00
 Asset Inventory Worksheet
 Gap report




 QSA estimated travel/incidentals                                              $0
                                         Total                             $0.00
Billing & Payment Options




QSA Vendor Response   Merchant Comments




QSA Vendor Response   Merchant Comments




QSA Vendor Response   Merchant Comments




PCI Questionnaire Response Evaluation
Evaluator:                                                                  Evaluation section                         Total Score     Possible    Completed
Date:                                                   A. General Evaluation - Subjective Impression                       0            60          0.0%
                                                        B. Questionnaire Response Evaluation                               0             185          0.0%
Company           QSA Firm 3                            C. RFP Response Evaluation                                         0             215          0.0%
Primary Contact                                         D. Interview Response Evaluation                                   0             185          0.0%
                                                        E. Pricing Evaluation                                              0              40          0.0%
                                                        F. References Evaluation                                           0             170          0.0%
                                                                                                         Total score       0             855          0.0%




Base Score:                                                                                                            Weight:
          1       Very uncomfortable/disliked response / Unacceptable                                                       1        Low / Moderately Important
          2       Uncomfortable with response / Not a quality response                                                      2        Medium / Important
          3       Neutral response / Wasn't good or bad response / Meets basic requirements                                 3        High / Very Important
          4       Liked response / Quality response / Exceeds basic requirements
          5       Highly comfortable with response / High quality response / Well above basic requirements




SECTION A                                                  QSA Firm 3
General Evaluation - Subjective Impression

Reference           Criterion                              Evaluation considerations                                       Base Score        Weight      Final Score
(none)              Groundwork                             Did the QSA vendor actively stay engaged with <merchant>
                                                           during the selection process?                                        0               3             0

(none)              Responsiveness                        Did the QSA vendor respond in a reasonable amount of time
                                                          to meeting requests, questions and document requests                 0               2             0
                                                          during the selection process?
(none)              Appearance / presentation              What was the overall professionalism, experience and
                                                           knowledge of the QSA and its team members during
                                                                                                                                0               3             0
                                                           meetings leading up to the RFP?

(none)              Appearance / presentation              Does the QSA appear likely to be a partner in assisting
                                                           <merchant> with developing remediation options and/ or
                                                           strategies for the remediation of potential gaps and control         0               3             0
                                                           weaknesses?
(none)              Attitude                               What is the apparent degree of enthusiasm of the vendor to
                                                           conduct the PCI assessment and partner with <merchant>?              0               1             0

                                                                                                                          Total score for this section        0



SECTION B                                                  QSA Firm 3
Questionnaire Response Evaluation

  Questionnaire #   Question                               Evaluation considerations                                      Base Score      Weight         Final Score
                    Has your firm ever been in or is       Has the company ever been cited during the PCI-SSC QA
                    currently in remediation status with   process?
         1          the PCI-SSC?                                                                                                0               2             0


                    Year your firm was founded             How long has the company been in existence?
         2                                                                                                                      0               1             0

                    Number of total employees              What is the total size of the company?
         3                                                                                                                      0               1             0
                    Number of trained and certified PCI    What is the company's ability to adequately staff the project?
         4          assessors within your firm.                                                                                 0               3             0


     List members that will be assigned to Do the qualifications of the principals, project manager, and
     this project, organization description, project staff indicate that the firm can complete the tasks in a
     roles, and assigned project manager? professional and satisfactory manner? Does the response
                                             indicate that the principals of the firm will be heavily involved
5                                            in the actual performance of the contract or only marginally        0   2   0
                                             involved in an administrative or overview capacity?




     Do the members assigned to the          Assess the background and skill sets of the members that
     team that will conduct this project     will be assessing I.T. deliverables; they need to have a solid
     have a solid background in 1 or more    background in some of the listed skill sets to be most effective
6    of the following areas: audit,          in accurately assessing deliverables.                                   0   3   0
     I.T. security, forensics, I.T.
     compliance, I.T. risk management,
     vulnerability management?
     Does your firm use subcontractors        Does the bidder indicate that the work will be done by its
     when conducting PCI assessment           employees, or is the specialized work to be done by
7    and/ or for the assessment of            subcontractors or other outsourced support?                        0   1   0
     deliverables?

     What practical hands-on experience      Does the QSA and/ or any of the team members have direct
     does your firm and the members          experience with our internal POS systems (i.e.
8    assigned to this engagement have        vendor/product Simphony/Opera)?                                         0   3   0
     with payment systems?
     Number of on-site assessments the       What is the company's depth of practical PCI knowledge and
     QSAs who would be assigned to this      experience?
9    engagement have performed for                                                                                   0   3   0
     Level 1 and Level 2 merchants?

     What guarantee of continuity of         What guarantees has the QSA vendor made in supporting
10   assigned team members can your firm     the continuity of the project?                                          0   1   0
     promise?

     How many offices and locations does     Does the company have remote offices in many areas where
11   your firm have in the US and            cafes reside, and does the company have an international               0   1   0
     internationally?                        presence?

     What background in audit & PCI           How long has your firm offered onsite PCI assessments to
     onsite assessment experience does        level 1 and 2 merchants? Do they arise from a base of
12   your firm have?                          consulting / auditing experience?                                  0   3   0


     Explain your business's                Does the company provide products that could be sold as
     organizational structure.              remediation solutions to QSA-discovered control
13                                          weaknesses or gaps?                                              0             1       0


     What other compliance-related          What is the company's breadth of compliance experience?
     services does your firm offer?         Does the firm limit its work to specialized areas?
14                                                                                                           0             2       0



     What was your firm's revenue for the   To what degree does the firm demonstrate financial stability?
     last 2 years?
15                                                                                                           0             1       0

     What is your firm's customer retention How does this compare with other bidders? How reasonable
     rate and calculation?                  and realistic is the means of calculation? What is the degree
16                                         of demonstrated customer loyalty?                                 0             2       0



     Have you worked with <MERCHANT         Has <MERCHANT NAME> had prior experience with the
     NAME> in the past? Please explain.     QSA vendor and if so, what was the overall quality and
17                                          satisfaction of the project?                                     0             1       0


18   Question: What, if any, previous involvement in litigation, arbitration or mediation has your company experienced in the last 5 years?
     Evaluation considerations: What is revealed about past disagreements / problems with clients and the means by which they were resolved?
     Base Score: 0   Weight: 2   Final Score: 0

19   Question: Please list similar merchants that your firm has provided similar services for. Please explain in detail why the merchants are similar.
     Evaluation considerations: Has the QSA listed merchants it has performed onsite assessments for that might have similarities to <merchant>, for example industry, geography, POS, etc.?
     Base Score: 0   Weight: 3   Final Score: 0

20   Question: Have any merchants or service providers your firm has provided an onsite PCI-DSS assessment for, where a compliant ROC was produced, ever suffered a CHD data breach or loss within 1 year of the completion of that ROC?
     Evaluation considerations: Has any company the firm has assessed as being compliant ever suffered a data breach?
     Base Score: 0   Weight: 3   Final Score: 0

Total score for this section   0
SECTION C                                              QSA Firm 3
RFP Response Evaluation

Reference         Section Name                        Evaluation considerations                                         Base Score   Weight   Final Score
Section 1.2   Section Name: Information Security and Compliance Services Companies Qualifications
              Evaluation considerations: Were the following statements replied to and what was the quality of the responses?
                1.2 The successful QSA firm will have experience conducting payment/credit card security program assessments in large, geographically dispersed and complex merchant environments, consistent with applicable industry standards and requirements, including, but not limited to, the Payment Card Industry Data Security Standard (“PCI DSS”).
              Base Score: 0   Weight: 2   Final Score: 0

Section 1.5   Section Name: Information Security and Compliance Services Companies Qualifications
              Evaluation considerations: Were the following statements replied to and what was the quality of the responses?
                1.5 If the QSA firm is currently in, or has been in the past, remediation status with the Payment Card Industry Security Standards Council (PCI-SSC), please note the date, duration and high level cause or causes for the remediation status and QA review.
              Base Score: 0   Weight: 2   Final Score: 0

Section 2.0   Section Name: Purpose and High Level Goals
              Evaluation considerations: Were the following statements replied to and what was the quality of the responses? Did the RFP response speak to the RFP's high level goals and objectives?
                2.1 Conduct an onsite PCI-DSS assessment.
                2.2.1 Strengthen security within its credit card data environment and payment card processes.
                2.2.2 Reduce risk surface and overall risk exposure to information technology resources and data related to <MERCHANT NAME>’s credit card data and process environment.
                2.2.3 File a compliant “Report on Compliance” (ROC) by no later than <> to <MERCHANT NAME>’s acquiring bank.
              Base Score: 0   Weight: 3   Final Score: 0

Section 3.0   Section Name: Business and Assessment Scope
              Evaluation considerations: Did the RFP response show that the firm understood the business?
              Base Score: 0   Weight: 2   Final Score: 0

Section 4.0   Section Name: PCI-DSS Onsite Assessment Objectives
              Evaluation considerations: Did the RFP response show that the firm understood the scope of the assessment?
                4.1 Conduct a complete PCI-DSS onsite assessment consistent with all applicable PCI standards, requirements and testing procedures by <DATE>.
                4.2 Author and complete a compliant Report On Compliance (ROC) by <date>.
                4.3 Assist <MERCHANT NAME> in strengthening its cardholder data environment by consulting on remediation and/or compensating controls to address all areas of non-compliance and control weaknesses discovered during the assessment.
              Base Score: 0   Weight: 2   Final Score: 0

Section 5.1   Section Name: Deliverables
              Evaluation considerations: Did the RFP response speak to the content and framework of the ROC?
                5.1 Report on Compliance – A formal ROC should be prepared, in accordance with Visa’s published PCI Security Audit Procedures, containing:
                5.1.1 Contact Information and Report Date
                5.1.2 Executive Summary
                5.1.3 Description of Scope of Work and Approach Taken
                5.1.4 Quarterly Scan Results
                5.1.5 Penetration Test Results
                5.1.6 Findings and Observations
              Base Score: 0   Weight: 1   Final Score: 0

Section 5.2+  Section Name: Deliverables
              Evaluation considerations: Did the RFP response speak to all of the requested deliverables?
                5.3 Post-assessment executive report for <MERCHANT NAME> management.
                5.3.2 High level summary of applied compensating controls that were put in place to address areas of non-compliance, and recommended long term solutions.
                5.4 QSA-authored documentation related to:
                5.4.1 Cardholder Data (CHD) flow
                5.4.2 Network and/or CHD topology
                5.4.3 Documented non-compliance and gaps
                5.4.4 Remediation and/or compensating controls
              Base Score: 0   Weight: 3   Final Score: 0

Section 6.1   Section Name: RFP Response Inclusions
              Evaluation considerations: Did the RFP response include the following?
                6.1 Consultant Qualifications
                6.1.1 Provide a statement of the QSA firm’s consultant qualifications to complete the project.
                6.1.2 Submit an organization chart highlighting key persons who will be part of the assessment team. This also includes the person or persons within your organization involved with your internal quality assurance (QA) process.
                6.1.3 Provide detailed resumes of the team members expected to work with <MERCHANT NAME> on this assessment.
                6.1.3.1 List the specific roles of each of these team members.
                6.1.3.2 List team members’ security certification numbers.
              Base Score: 0   Weight: 2   Final Score: 0

Section 6.2   Section Name: RFP Response Inclusions
              Evaluation considerations: Did the RFP response include the following?
                6.2 Project Plan and Fixed Fee Estimate
                6.2.1 Present a project-based fixed fee bid, from planning and preparation through a post-assessment review of the results, which identifies resources (including <MERCHANT NAME> resources required, and identifying any other expected impact on <MERCHANT NAME>), costs and milestones.
                6.2.2 The project timetable should include a 1 day lessons learned / post-mortem session to be conducted after the completion of the assessment.
                6.2.3 Provide a description of the steps you would take to achieve the proposed timetable, including the assumptions supporting it, and the formal communication and status update mechanisms you intend to use.
                6.2.4 Provide hourly rates, by resource type, to be used if additional work is required.
              Base Score: 0   Weight: 3   Final Score: 0

Section 6.3   Section Name: RFP Response Inclusions
              Evaluation considerations: Did the RFP response include the following?
                6.3 Deliverables Management and Reporting
                6.3.1 The QSA firm's management of the following items:
                6.3.1.1 Schedule and meeting management
                6.3.1.2 Deliverables management
                6.3.1.3 High level assessment status reporting
              Base Score: 0   Weight: 3   Final Score: 0

Section 6.4   Section Name: RFP Response Inclusions
              Evaluation considerations: Did the RFP response include the following?
                6.4 Sample Deliverables and Reports
                6.4.1 Redacted samples or extracts of:
                6.4.1.1 3 final representative reports from prior PCI onsite assessments completed within the last 12 months where a ROC was authored by your QSA firm.
                6.4.1.2 Weekly and/or monthly status reports
                6.4.1.3 Report On Compliance
                6.4.1.4 Post-assessment executive report
              Base Score: 0   Weight: 2   Final Score: 0

Section 9.1   Section Name: Proposal Requirements
              Evaluation considerations: Was the RFP response in the requested format and layout?
                9.1 QSA consulting firms are requested to submit their proposal in the general format outlined in this section of the document.
              Base Score: 0   Weight: 3   Final Score: 0

Section 9.2   Section Name: Proposal Requirements
              Evaluation considerations: Does the RFP response speak to terms and conditions?
                9.2 QSA consulting firms must explicitly state in their proposal the terms and conditions under which contracts for services may be terminated. Each proposal shall include a letter of transmittal which bears the signature of an authorized representative of the QSA consulting firm. The letter of transmittal must also include the name(s) of the individual(s) authorized to negotiate with <MERCHANT NAME>, as well as the names of sales representatives of the consulting firm.
              Base Score: 0   Weight: 3   Final Score: 0

Section 10    Section Name: Detailed Response Requirements
              Evaluation considerations: Was the RFP response in the requested format and layout? The QSA consulting firm’s proposal is required to be submitted in the following format:
                10.1 EXECUTIVE SUMMARY
                10.2 PROJECT APPROACH, METH-MANAGEMENT
                10.3 DETAILED AND ITEMIZED PRICING
                10.4 DELIVERABLES
                10.5 RFP INCLUSION AND ATTACHMENT REQUESTS
                10.5.1 REFERENCES
                10.5.2 TEAM STAFFING
                10.5.3 SAMPLES AND EXAMPLES
              Base Score: 0   Weight: 3   Final Score: 0

Doc Request 1.0   Section Name: Documents
                  Evaluation considerations: Were sample ROCs submitted as requested? And what was the quality of the requested item?
                  Base Score: 0   Weight: 1   Final Score: 0

Doc Request 2.0   Section Name: Documents
                  Evaluation considerations: Were samples of deliverables management and tracking documentation submitted as requested? And what was the quality of the requested item?
                  Base Score: 0   Weight: 3   Final Score: 0

Doc Request 3.0   Section Name: Documents
                  Evaluation considerations: Were sample executive reports submitted as requested? And what was the quality of the requested item?
                  Base Score: 0   Weight: 2   Final Score: 0

Doc Request 4.0   Section Name: Documents
                  Evaluation considerations: Was a proposed timeline, including assessment phases, submitted as requested? And what was the quality of the requested item?
                  Base Score: 0   Weight: 2   Final Score: 0

Doc Request 5.0   Section Name: Documents
                  Evaluation considerations: Were samples of weekly and/or monthly status reports submitted as requested? And what was the quality of the requested item?
                  Base Score: 0   Weight: 1   Final Score: 0

Total score for this section   0
SECTION D                       QSA Firm 3
Interview Response Evaluation

Reference          Category     Question                                       Base Score   Weight   Final Score




<> Services & Deliverables                  Totals
PCI Assessment & Report On Compliance       $0.00
Asset Inventory Worksheet
Gap report
QSA estimated travel/incidentals            $0
Total                                       $0.00
Billing & Payment Options




QSA Vendor Response   Merchant Comments




PCI Questionnaire Response Evaluation
Evaluator:
Date:
Company:          QSA Firm Name
Primary Contact:

Evaluation section                              Total Score   Possible   Completed
A. General Evaluation - Subjective Impression        0           60        0.0%
B. Questionnaire Response Evaluation                 0          185        0.0%
C. RFP Response Evaluation                           0          215        0.0%
D. Interview Response Evaluation                     0          185        0.0%
E. Pricing Evaluation                                0           40        0.0%
F. References Evaluation                             0          170        0.0%
Total score                                          0          855        0.0%




Base Score:
  1   Very uncomfortable/disliked response / Unacceptable
  2   Uncomfortable with response / Not a quality response
  3   Neutral response / Wasn't good or bad response / Meets basic requirements
  4   Liked response / Quality response / Exceeds basic requirements
  5   Highly comfortable with response / High quality response / Well above basic requirements

Weight:
  1   Low / Moderately Important
  2   Medium / Important
  3   High / Very Important

SECTION A                                                  QSA Firm Name
General Evaluation - Subjective Impression

Reference           Criterion                              Evaluation considerations                                       Base Score        Weight      Final Score
(none)   Criterion: Groundwork
         Evaluation considerations: Did the QSA vendor actively stay engaged with <merchant> during the selection process?
         Base Score: 0   Weight: 3   Final Score: 0

(none)   Criterion: Responsiveness
         Evaluation considerations: Did the QSA vendor respond in a reasonable amount of time to meeting requests, questions and document requests during the selection process?
         Base Score: 0   Weight: 2   Final Score: 0

(none)   Criterion: Appearance / presentation
         Evaluation considerations: What was the overall professionalism, experience and knowledge of the QSA and its team members during meetings leading up to the RFP?
         Base Score: 0   Weight: 3   Final Score: 0

(none)   Criterion: Appearance / presentation
         Evaluation considerations: Does the QSA appear likely to be a partner in assisting <merchant> with developing remediation options and/or strategies for the remediation of potential gaps and control weaknesses?
         Base Score: 0   Weight: 3   Final Score: 0

(none)   Criterion: Attitude
         Evaluation considerations: What is the apparent degree of enthusiasm of the vendor to conduct the PCI assessment and partner with <merchant>?
         Base Score: 0   Weight: 1   Final Score: 0

Total score for this section   0



SECTION B                                                  QSA Firm Name
Questionnaire Response Evaluation

  Questionnaire #   Question                               Evaluation considerations                                      Base Score      Weight         Final Score
1    Question: Has your firm ever been in, or is it currently in, remediation status with the PCI-SSC?
     Evaluation considerations: Has the company ever been cited during the PCI-SSC QA process?
     Base Score: 0   Weight: 2   Final Score: 0

2    Question: Year your firm was founded.
     Evaluation considerations: How long has the company been in existence?
     Base Score: 0   Weight: 1   Final Score: 0

3    Question: Number of total employees.
     Evaluation considerations: What is the total size of the company?
     Base Score: 0   Weight: 1   Final Score: 0

4    Question: Number of trained and certified PCI assessors within your firm.
     Evaluation considerations: What is the company's ability to adequately staff the project?
     Base Score: 0   Weight: 3   Final Score: 0

5    Question: List the members that will be assigned to this project, the organization description, roles, and the assigned project manager.
     Evaluation considerations: Do the qualifications of the principals, project manager, and project staff indicate that the firm can complete the tasks in a professional and satisfactory manner? Does the response indicate that the principals of the firm will be heavily involved in the actual performance of the contract, or only marginally involved in an administrative or overview capacity?
     Base Score: 0   Weight: 2   Final Score: 0

6    Question: Do the members assigned to the team that will conduct this project have a solid background in 1 or more of the following: audit, I.T. security, forensics, I.T. compliance, I.T. risk management, vulnerability management?
     Evaluation considerations: Assess the background and skill sets of the members that will be assessing I.T. deliverables; they need a solid background in some of the listed skill sets to be most effective in accurately assessing deliverables.
     Base Score: 0   Weight: 3   Final Score: 0

7    Question: Does your firm use subcontractors when conducting PCI assessments and/or for the assessment of deliverables?
     Evaluation considerations: Does the bidder indicate that the work will be done by its employees, or is the specialized work to be done by subcontractors or other outsourced support?
     Base Score: 0   Weight: 1   Final Score: 0

8    Question: What practical hands-on experience do your firm and the members assigned to this engagement have with payment systems?
     Evaluation considerations: Does the QSA and/or any of the team members have direct experience with our internal POS systems (i.e. vendor/product Simphony/Opera)?
     Base Score: 0   Weight: 3   Final Score: 0

9    Question: Number of on-site assessments the QSAs that would be assigned to this engagement have performed for level 1 and 2 merchants.
     Evaluation considerations: What is the company's depth of practical PCI knowledge and experience?
     Base Score: 0   Weight: 3   Final Score: 0

10   Question: What guarantee of continuity of assigned team members can your firm promise?
     Evaluation considerations: What guarantees has the QSA vendor made in supporting the continuity of the project?
     Base Score: 0   Weight: 1   Final Score: 0

11   Question: How many offices and locations does your firm have in the US and internationally?
     Evaluation considerations: Does the company have remote offices in many areas where cafes reside, and does the company have an international presence?
     Base Score: 0   Weight: 1   Final Score: 0

12   Question: What background in audit & PCI onsite assessment experience does your firm have?
     Evaluation considerations: How long has your firm offered onsite PCI assessments to level 1 and 2 merchants? Do they arise from a base of consulting / auditing experience?
     Base Score: 0   Weight: 3   Final Score: 0

13   Question: Explain your business's organizational structure.
     Evaluation considerations: Does the company provide products that could be sold as remediation solutions to QSA-discovered control weaknesses or gaps?
     Base Score: 0   Weight: 1   Final Score: 0

14   Question: What other compliance-related services does your firm offer?
     Evaluation considerations: What is the company's breadth of compliance experience? Does the firm limit its work to specialized areas?
     Base Score: 0   Weight: 2   Final Score: 0

15   Question: What was your firm's revenue for the last 2 years?
     Evaluation considerations: To what degree does the firm demonstrate financial stability?
     Base Score: 0   Weight: 1   Final Score: 0

16   Question: What is your firm's customer retention rate and how is it calculated?
     Evaluation considerations: How does this compare with other bidders? How reasonable and realistic is the means of calculation? What is the degree of demonstrated customer loyalty?
     Base Score: 0   Weight: 2   Final Score: 0

17   Question: Have you worked with <MERCHANT NAME> in the past? Please explain.
     Evaluation considerations: Has <MERCHANT NAME> had prior experience with the QSA vendor and, if so, what was the overall quality and satisfaction of the project?
     Base Score: 0   Weight: 1   Final Score: 0

18   Question: What, if any, previous involvement in litigation, arbitration or mediation has your company experienced in the last 5 years?
     Evaluation considerations: What is revealed about past disagreements / problems with clients and the means by which they were resolved?
     Base Score: 0   Weight: 2   Final Score: 0

19   Question: Please list similar merchants that your firm has provided similar services for. Please explain in detail why the merchants are similar.
     Evaluation considerations: Has the QSA listed merchants it has performed onsite assessments for that might have similarities to <merchant>, for example industry, geography, POS, etc.?
     Base Score: 0   Weight: 3   Final Score: 0

20   Question: Have any merchants or service providers your firm has provided an onsite PCI-DSS assessment for, where a compliant ROC was produced, ever suffered a CHD data breach or loss within 1 year of the completion of that ROC?
     Evaluation considerations: Has any company the firm has assessed as being compliant ever suffered a data breach?
     Base Score: 0   Weight: 3   Final Score: 0

Total score for this section   0


SECTION C                                              QSA Firm Name
RFP Response Evaluation

Reference         Section Name                        Evaluation considerations                                         Base Score      Weight         Final Score
Section 1.2   Section Name: Information Security and Compliance Services Companies Qualifications
              Evaluation considerations: Were the following statements replied to and what was the quality of the responses?
                1.2 The successful QSA firm will have experience conducting payment/credit card security program assessments in large, geographically dispersed and complex merchant environments, consistent with applicable industry standards and requirements, including, but not limited to, the Payment Card Industry Data Security Standard (“PCI DSS”).
              Base Score: 0   Weight: 2   Final Score: 0

Section 1.5      Information Security and Compliance Services Companies Qualifications
                 Were the following statements replied to, and what was the quality of the responses?

                 1.5 If the QSA firm is currently in, or has been in the past, remediation status with the Payment
                 Card Industry Security Standards Council (PCI-SSC), please note the date, duration and high level
                 cause or causes for the remediation status and QA review.

                 Base Score: 0    Weight: 2    Final Score: 0




Section 2.0      Purpose and High Level Goals
                 Were the following statements replied to, and what was the quality of the responses?

                 Did the RFP response speak to the RFP's high level goals and objectives?

                 2.1 Conduct an onsite PCI-DSS assessment.

                 2.2.1 Strengthen security within its credit card data environment and payment card processes.

                 2.2.2 Reduce risk surface and overall risk exposure to information technology resources and data
                 related to <MERCHANT NAME>’s credit card data and process environment.

                 2.2.3 File a compliant “Report on Compliance” (ROC) by no later than <> to <MERCHANT NAME>’s
                 acquiring bank.

                 Base Score: 0    Weight: 3    Final Score: 0


Section 3.0      Business and Assessment Scope
                 Did the RFP response show that the firm understood the business?

                 Base Score: 0    Weight: 2    Final Score: 0


Section 4.0      PCI-DSS Onsite Assessment Objectives
                 Did the RFP response show that the firm understood the scope of the assessment?

                 4.1 Conduct and complete a PCI-DSS onsite assessment consistent with all applicable PCI standards,
                 requirements and testing procedures by <DATE>.

                 4.2 Author and complete a compliant Report On Compliance (ROC) by <date>.

                 4.3 Assist <MERCHANT NAME> in strengthening its card holder data environment by consulting on
                 remediation and/or compensating controls to address all areas of non-compliance and control
                 weaknesses discovered during the assessment.

                 Base Score: 0    Weight: 2    Final Score: 0


Section 5.1      Deliverables
                 Did the RFP response speak to the content and framework of the ROC?

                 5.1 Report on Compliance – A formal ROC should be prepared, in accordance with Visa’s published PCI
                 Security Audit Procedures, containing:
                 5.1.1 Contact Information and Report Date
                 5.1.2 Executive Summary
                 5.1.3 Description of Scope of Work and Approach Taken
                 5.1.4 Quarterly Scan Results
                 5.1.5 Penetration Test Results
                 5.1.6 Findings and Observations

                 Base Score: 0    Weight: 1    Final Score: 0

Section 5.2+     Deliverables
                 Did the RFP response speak to all of the requested deliverables?

                 5.3 Post assessment executive report for <MERCHANT NAME> management.

                 5.3.2 High level summary of applied compensating controls that were put in place to address areas of
                 non-compliance, and recommended long term solutions.

                 5.4 QSA authored documentation related to:
                 5.4.1 Card Holder Data (CHD) flow
                 5.4.2 Network and/or CHD topology
                 5.4.3 Documented non-compliance and gaps
                 5.4.4 Remediation and/or compensating controls

                 Base Score: 0    Weight: 3    Final Score: 0




Section 6.1      RFP Response Inclusions
                 Did the RFP response include the following?

                 6.1 Consultant Qualifications

                 6.1.1 Provide a statement of the QSA firm’s consultant qualifications to complete the project.

                 6.1.2 Submit an organization chart highlighting key persons who will be part of the assessment team.
                 This also includes the person or persons within your organization involved with your internal quality
                 assurance (QA) process.

                 6.1.3 Provide detailed resumes of the team members expected to work with <MERCHANT NAME> on this
                 assessment.
                 6.1.3.1 List the specific roles of each of these team members.
                 6.1.3.2 List each team member’s security certification numbers.

                 Base Score: 0    Weight: 2    Final Score: 0




Section 6.2      RFP Response Inclusions
                 Did the RFP response include the following?

                 6.2 Project Plan and Fixed Fee Estimate

                 6.2.1 Present a project based fixed fee bid, from planning and preparation through a post-assessment
                 review of the results, which identifies resources (including <MERCHANT NAME> resources required, and
                 any other expected impact on <MERCHANT NAME>), costs and milestones.

                 6.2.2 The project timetable should include a 1 day lessons learned / post-mortem session to be
                 conducted after the completion of the assessment.

                 6.2.3 Provide a description of the steps you would take to achieve the proposed timetable, including
                 the assumptions supporting it, and the formal communication and status update mechanisms you intend
                 to use.

                 6.2.4 Provide hourly rates, by resource type, to be used if additional work is required.

                 Base Score: 0    Weight: 3    Final Score: 0


Section 6.3      RFP Response Inclusions
                 Did the RFP response include the following?

                 6.3 Deliverables Management and Reporting

                 6.3.1 The QSA firm’s management of the following items:
                 6.3.1.1 Schedule and meeting management
                 6.3.1.2 Deliverables management
                 6.3.1.3 High level assessment status reporting

                 Base Score: 0    Weight: 3    Final Score: 0




Section 6.4      RFP Response Inclusions
                 Did the RFP response include the following?

                 6.4 Sample Deliverables and Reports

                 6.4.1 Redacted samples or extracts of:
                 6.4.1.1 3 final representative reports from prior PCI onsite assessments completed within the last
                 12 months where a ROC was authored by your QSA firm
                 6.4.1.2 Weekly and/or monthly status reports
                 6.4.1.3 Report On Compliance
                 6.4.1.4 Post assessment executive report

                 Base Score: 0    Weight: 2    Final Score: 0

Section 9.1      Proposal Requirements
                 Was the RFP response in the requested format and layout?

                 9.1 QSA consulting firms are requested to submit their proposal in the general format outlined in this
                 section of the document.

                 Base Score: 0    Weight: 3    Final Score: 0



Section 9.2      Proposal Requirements
                 Does the RFP response speak to terms and conditions?

                 9.2 QSA consulting firms must explicitly state in their proposal the terms and conditions under which
                 contracts for services may be terminated. Each proposal shall include a letter of transmittal, which
                 bears the signature of an authorized representative of the QSA consulting firm. The letter of
                 transmittal must also include the name(s) of the individual(s) authorized to negotiate with
                 <MERCHANT NAME>, as well as the names of sales representatives of the consulting firm.

                 Base Score: 0    Weight: 3    Final Score: 0




Section 10       Detailed Response Requirements
                 Was the RFP response in the requested format and layout?

                 The QSA consulting firm’s proposal is required to be submitted in the following format:
                 10.1 EXECUTIVE SUMMARY
                 10.2 PROJECT APPROACH, METH-MANAGEMENT
                 10.3 DETAILED AND ITEMIZED PRICING
                 10.4 DELIVERABLES
                 10.5 RFP INCLUSION AND ATTACHMENT REQUESTS
                 10.5.1 REFERENCES
                 10.5.2 TEAM STAFFING
                 10.5.3 SAMPLES AND EXAMPLES

                 Base Score: 0    Weight: 3    Final Score: 0

Doc Request 1.0  Documents
                 Were sample ROCs submitted as requested, and what was the quality of the requested item?
                 Base Score: 0    Weight: 1    Final Score: 0

Doc Request 2.0  Documents
                 Were samples of deliverables management and tracking documentation submitted as requested, and what
                 was the quality of the requested item?
                 Base Score: 0    Weight: 3    Final Score: 0

Doc Request 3.0  Documents
                 Were sample executive reports submitted as requested, and what was the quality of the requested item?
                 Base Score: 0    Weight: 2    Final Score: 0

Doc Request 4.0  Documents
                 Was a proposed timeline including assessment phases submitted as requested, and what was the quality
                 of the requested item?
                 Base Score: 0    Weight: 2    Final Score: 0

Doc Request 5.0  Documents
                 Were samples of weekly and/or monthly status reports submitted as requested, and what was the
                 quality of the requested item?
                 Base Score: 0    Weight: 1    Final Score: 0

                                                                  Total score for this section    0
SECTION D                       QSA Firm Name
Interview Response Evaluation

Reference          Category     Question                                          Base Score   Weight   Final Score




Billing & Payment Options




QSA Vendor Response   Merchant Comments



