Event 317 - Merchant Card Services Statement of Work A. Overview: It is the intent of the Bexar County Tax Assessor-Collector to solicit proposals to establish a contract with a vendor to provide merchant services, software and terminals (encrypted card swipes), to process e-checks, credit cards, debit cards and recurring payments (and /or automatic payments). These services must meet PCI Data Security Standards and use point to point encryption and any other PCI standard requirements. Respondents will be required to document their compliance in the RFP response relative to these PCI standards. Successful respondent may be issued a contract that will be awarded for a three (3) year period with the Tax Assessor-Collector and the awarded company with an option of three (3) one year renewals The vendor selected will be required to accept (but is not limited to), credit cards issued by: MasterCard, Visa, American Express, and Discover/Novus including debit cards issued by these credit card companies. The vendor will also be able to process e-checks by internet and interactive voice response and the above cards through the internet, IVR (interactive voice response), and POS (point of sale). The vendor shall be responsible for maintaining the standards of acceptance required by each individual credit card company at all times during the term of the contract. The proposer must meet PCI (payment card industry) compliance requirements. There will be no fees, costs, or charges to the County for any services performed under this RFP. B. Fees 1. Convenience Fees may be charged to the public. All respondents must provide by separate attachment a list of and amount of transactional fees charged to the public user (payer) of the merchant card services. The State of Texas Local Government Code does establish guidelines on fees that can be charged and gives Bexar County Commissioners Court the final say on how the fees are charged to the consumer. 2. See attachment labeled RFP EVENT 317 Cost/Pricing Fee Matrix that must be completed, signed and returned with RFP response. Respondents shall provide fee structure either as a % of transaction amount or flat fee as outlined in the attachment labeled RFP EVENT 317 Cost/Pricing Fee Matrix. For the evaluation RFP scoring of the pricing section of RFP EVENT 317, respondent s fees will be evaluated and scored only on the responses on this completed Fee Matrix. Respondents may provide separate fee schedules for additional services for information purposes for the County.
3. Proposer should have a uniform fee structure for credit card payments whether they are face-to-face, IVR or web based. 4. Currently, the Tax Assessor-Collector s Office standard is no charge for e- check transactions. C. Background Information Historical transaction information For informational purposes the following information was the transaction volume in number of transactions over the last six months: (Oct 2012 Sept2013) Category of Transaction No. of Trans Amount of Transaction $ Web Credit Cards 15,030 $ 25,648,590 POS TAX Credit Cards 5,044 $ 3,651,051 POS Auto Credit Cards 67,951 $ 7,443,298 IVR 5,938 $ 5,805,065 E-check 35,401 $ 103,732,576 Totals 129,364 $ 146,280,580 Oct 2013 May 2014 Category of Transaction No. of Trans Amount of Transaction $ Web Credit Cards 15,389 $ 24,365,401 POS TAX Credit Cards 9,061 $ 6,737,318 POS Auto Credit Cards 69,736 $ 8,210,637 IVR 6,155 $ 7,343,729 E-check 38,151 $ 105,047,578 Totals 138,492 $ 151,704,662
D. Minimum Qualifications Technical and Operational Requirements: 1. Proposer must be able to process credit, debit, and e-check payments via the web, IVR, and face-to-face. 2. Proposer shall have a minimum of five (5) years experience in the development, installation, and operation of credit and debit card processing, as well as e-check services. 3. Proposer must be based in the United States. 4. Proposer s Customer Service Support (Help Desk) must be based in the United States. Help desk services should cover technical support and general customer support. 5. Proposer s Customer Service Support (Help Desk) must be available 24/7. 6. Proposer must be able to service/process 1) Visa and MasterCard, 2) debit cards (PIN (personal identification number) and PIN-less), 3) Discover, and 4) American Express. Proposers should provide education and training to County staff on various issues, including security risks. Please document your client education program in these areas. 7. The IVR must have a dedicated line for Bexar County (toll free). 8. Proposer must be capable of providing electronic authorization services 24 hours a day, 7 days per week. 9. Proposer must be able to verify bank routing number on all e-check transactions. 10. The preferred method, but not required, would be to verify the bank account number on all e-check transactions. 11. Proposer must require the taxpayer to enter all account, bank, credit card, etc. information through a dual entry process to ensure accuracy of information. 12. Proposer must offer online recurring payment options for credit cards, debit cards, and e-checks. Taxpayer must be allowed to set up different payment plans (i.e. weekly, biweekly, monthly, etc.), and the proposer must process the payment automatically according to our payment plan. 13. Proposer must offer on-line recurring payment plan creation methods by both the internet and face-to-face for both taxpayers and county staff.
14. Proposer must send confirmation and or denial e-mails to our taxpayers immediately upon completion of transaction. Email wording shall be approved by the Tax Assessor-Collector s Office. 15. Proposer shall pass all convenience fees on to the taxpayer customer. Respondents must define and describe all convenience fees. 16. The convenience fee must be presented to the taxpayer and approved before moving forward with payment. Once the transaction is completed, the total of the transaction and the convenience fee must be approved by the taxpayer. 17. Proposer must require taxpayer to acknowledge that there are returned check fees, late fees, data entry error rejection fees, etc. 18. County will not pay any charge back fees to the proposer. 19. Proposer credit, debit, and e-check software must be able to interface with our current third party system (Appraisal and Collection Technologies, LLC) for tax collection and motor vehicle software vendors. 20. Proposer shall not, at any time, store any credit, debit, or e-check data on the Bexar County Computer Network. 21. Proposer shall provide accuracy, quality, and timeliness of information for the product being delivered. 22. All reports for credit cards, debit cards, and e-check payments must be emailed and available by 7:00 a.m. CST the next day for the prior day s transactions in a secure format. 23. Proposer shall provide an on-line method for the Tax Office to view/print daily, weekly, and monthly reports by payment type, collection mode, cashier, check returns, declined transactions, credits, payment detail, payment summary, etc. 24. Proposer must be able to process credit, debit, and e-check payments via the web, IVR, and POS. 25. Payment for all POS credit and debit transactions must be settled (wired into the Tax Assessor-Collector s account) by 10:00 a.m. CST on the next business day following the payment transaction. 26. Proposer shall deposit all payments made through the web and IVR for credit, debit, and e-check transactions within forty-eight (48) hours after
their respective dates of submission. Money will be deposited into the bank account designated by the Bexar County Tax Assessor-Collector. 27. Proposer shall provide, at no cost to Bexar County, all software, software licenses, hosting services, and terminals (card swipes), and replacements as needed. All equipment purchased for use at any Bexar County Tax Assessor-Collector Office shall be PCI compliant and use P2PE and remain the property of the Proposer. E. Additional P2PE requirements: i. According to "PCI Point-to-Point Encryption: Solutions Requirements, v1.0 (September 2011)", the responsibilities of a P2PE solution provider (i.e., credit card processor, acquirer or payment gateway) are: Validation of encryption and decryption devices Secure device management Secure encryption and decryption operations and management of cryptographic keys Secure application management Maintenance of a PCI Data Security Standards (DSS)-compliant decryption environment Appropriate monitoring of controls Compliance of third-party organizations, such as certification authorities and key-injection facilities, to the requirements set in the solutions requirements standards. Development, maintenance, and distribution of a P2PE instruction manual that covers all applicable requirements to all merchants deploying the solution. F. Payment Card Industry Security (PCI) Standards Proposer shall maintain a Payment Card Industry Security (PCI) Level acceptable to Bexar County and be fully compliant with applicable current PCI and DSS standards. This must include tokenization and end-to-end encryption. Compliance to include: Network architecture, including firewalls and use of network segmentation to enforce security Protection of cardholder data in temporary storage Protection of any cardholder data in transit Anti-virus software usage and management Security of systems and applications that transmit, process, or store cardholder data Enforcement of need to know access models Employee user account management procedures and practices Physical security of data location
Integrate network intrusion detection system (IDS) into [customer name] network meeting with Bexar County Tax Assessor-Collector s collection software license vendor and/or Bexar County s Information Technology.