Central Procurement Dept.
of Service and Estate Division
Tender Document
Proposal for Consultancy, Gap Analysis, Remediation Plan and Rectification
of Gaps, Implementation and Certification of PCI-PIN for IFIC Bank Limited.
Ref: IFIC/HO/S&ED/CP/RTM_Tender/PCI-PIN/2023/003
Proposal for Consultancy, Gap Analysis, Remediation Plan and Rectification of Gaps, Implementation 1
and Certification of PCI PIN for IFIC Bank Limited
PART – D: DETAILED SCOPE OF WORK AND TECHNICAL SPECIFICATION
D.01 : SCOPE OF WORK
This section briefly outlines the scope which bidders should consider while designing their offerings. Since it is an
outline, the detailed scope may vary for any particular group.
Detailed scope of work:
▪ Conduct PCI PIN gap analysis based on the requirements
▪ Develop policies, procedures, standards and other documents required for PCI PIN
▪ Prepare the Statement of Applicability
▪ Remediation support to implement controls by a proven consultant
▪ Conduct risk assessment
▪ Support internal audit and MRM
▪ Certification audit by the certification body
▪ Perform surveillance audit
▪ Awareness training for 100 personnel
▪ VA/PT/ASV scan, network segmentation testing and remediation
▪ PCI PIN implementation training for 10 personnel
D.02 : SCOPING INFORMATION
Gap analysis, remediation plan and rectification of identified gaps, implementation and certification for PCI PIN
IFIC Bank Limited intends to achieve PCI PIN certification to secure its cardholder data (CHD) environment. To that end,
the Bank needs to perform a gap analysis of the cardholder data environment against the PCI PIN requirements before
considering a certification audit.
IFIC Bank has implemented the Finastra core banking system covering all its branches in Bangladesh. To provide 24/7, anywhere,
anytime banking to its customers, the Bank has implemented alternate delivery channels such as ATMs, POS, internet banking,
credit cards, debit cards, phone banking and a payment gateway. The following channels, business units and systems are in scope
for this RFP.
Component-wise detailed scoping information:

Component Name: Details
ATM: 59 in count. Accepts IFIC cards, local cards, VISA cards and CUP cards. Running on Windows 7.
Debit, Prepaid & Credit Cards: 275K. Supported on IFIC ATMs, Q-Cash, VISA and NPSB channels. All are chip cards.
Switching Operations: SmartVista Suite (PA-DSS certified). Includes card management, transaction processing with VISA, NPSB and
  Q-Cash, card personalization, PIN generation, Access Control Server, reporting, fraud management and integration services.
Internet Payment Gateway: In-house. Supports VISA VBV and COF.
Internet Banking: Manages cards and payments.
Core Banking: Finastra Equation (core banking system, CBS). The card management system (CMS) sends a request to Equation to
  debit the customer account and credit the GL (card) account for a cash withdrawal at an ATM booth. This request traverses
  the ATM subsystem of the CBS. CMS sends only the CBS account information and the amount, not the card number or any other
  card-related information.
IVR: Gplex. Used for PIN generation, card details, payment blocking, activation etc.
Customer Experience System: Card requisition, payment etc.
Branch Operations, Cards Operations & Customer Care Operations: Card requisition, personalization, delivery, PIN generation,
  card blocking, limit change etc.
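The scoping statement above (CMS passes only account and amount to the CBS, never a card number) is the basis for keeping Equation outside the PCI scope, and an assessor will want evidence for it rather than a description. As an added illustration, not part of the tender and not IFIC's or SmartVista's own code, the following Python script shows one way to test that claim: scan captured CMS-to-CBS request bodies for Luhn-valid primary account numbers. The message format, field names and the three sample messages are constructed for the example (the actual CMS/Equation interface is not described in this document); 4111111111111111 is a well-known test number, not a real card.

```python
import re
from typing import Dict, List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not glued to other digits on either side.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check. Every genuine PAN passes it; most account numbers,
    reference numbers and timestamps do not, which keeps false positives down."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid 13-19 digit run in the text, separators stripped."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def check_message(msg: str) -> Dict[str, object]:
    """Verdict for one CMS->CBS request body: in_scope is True if a PAN is present."""
    pans = find_pans(msg)
    return {"in_scope": bool(pans), "pans": pans}


# Constructed sample messages (assumed JSON-like format; not the real interface).
SAMPLE_MESSAGES = {
    # What the tender describes: account, GL and amount only. The 16-digit
    # reference fails the Luhn check, so it is correctly not reported as a PAN.
    "cashwdl_ok": '{"txn":"CASHWDL","account":"1001234567","gl":"140101",'
                  '"amount":"5000.00","ref":"1234567890123456"}',
    # Counter-example: a PAN has leaked into the request, pulling the CBS into scope.
    "cashwdl_leak": '{"txn":"CASHWDL","account":"1001234567","amount":"5000.00",'
                    '"pan":"4111 1111 1111 1111"}',
    # Masked PAN (first six / last four): the digit run is broken, so not flagged.
    "cashwdl_masked": '{"txn":"CASHWDL","account":"1001234567","pan":"411111******1111"}',
}


def scope_report(messages: Dict[str, str]) -> Dict[str, bool]:
    """Map message name -> whether it carries cardholder data."""
    return {name: bool(check_message(body)["in_scope"]) for name, body in messages.items()}


if __name__ == "__main__":
    for name, in_scope in scope_report(SAMPLE_MESSAGES).items():
        print(f"{name}: {'PAN FOUND - in scope' if in_scope else 'no PAN'}")
```

Run against a capture of real CMS-to-CBS traffic (for example the request logs of the ATM subsystem), a clean result supports the out-of-scope claim for Equation; a single hit means the interface carries cardholder data and the CBS belongs in the assessed environment.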
Sites to be considered for the gap analysis process:
a. Data Center (DC), 61 Purana Paltan, Dhaka
b. Disaster Recovery (DR) site, Uttara, Dhaka
c. Cards & ADC Division, 61 Purana Paltan, Dhaka
d. Call Center
e. Information Security Division
f. Sample ATMs (onsite and offsite) and branches (to be decided mutually after issuance of the work order)
g. Sample POS locations (to be decided mutually after issuance of the work order)
D.02.01 : VA/PT/ASV Scan and Remediation
Task: Schedule
Penetration Test (PT) and remediation: Yearly
Vulnerability Assessment (VA) and remediation: Quarterly
ASV (NST) scan and remediation: Quarterly
Network segmentation testing: Half-yearly
D.03 : STATEMENT OF WORK (SOW)
Project implementation
The project shall be implemented by the following 03 (Three) phases:
Phase 1: Scoping, Planning and Gap Assessment
Phase 2: PCI PIN Implementation and Operation
Phase 3: Certification
Phase 1: Scoping, Planning, Gap Assessment, Asset Evaluation and Risk Assessment
Key Activities:
• Project kick-off and discussion of project approach and timing
• Establish project governance, project plans, roadmap and team
• Understand IFIC business, IT services, IT systems, infrastructure and operations
• Identify legal requirements for PCI PIN certification for the organization
• Conduct PCI PIN gap analysis based on the requirements
• Understand the IT and operations landscape
• Before the assessment, the QSA should confirm the accuracy of the Bank's PCI PIN scope by identifying all locations and
flows of cardholder data, and identify all systems that are connected to, or if compromised could impact, the Cardholder
Data Environment (CDE).
• Review all existing policy and procedure documents of IFIC Bank Limited related to information security, asset
management, risk management, access control, operating procedures, communication policy, card policy and any
other documents relevant to PCI PIN.
• If any gap is detected in the above policies and procedures against PCI PIN, the bidder will correct those
policies/procedures.
• The bidder must conduct a risk assessment and gap analysis according to the scope of PCI PIN.
• Make recommendations on suitable and cost-effective risk mitigation controls and strategies.
• The bidder must provide a gap analysis report that lists the compliant and non-compliant elements of the IFIC Bank card
and related systems and network found during the assessment.
• Review and finalize the data flow diagram with the IFIC team.
• Review and validate the network diagram for the CDE (cardholder data environment) with the IFIC team.
• All internal VA scans, network segmentation testing, configuration review and annual penetration testing must be
done on site from the Bank's premises.
• External VA/PT will be done by the bidder from outside the Bank's network, if required.
• The Qualified Security Assessor (QSA) must provide a Gap Remediation Plan (Policy & Procedure formulation &
implementation).
Activities for the Accreditation Body:
• General awareness training for 150 people on the PCI PIN standard and requirements.
• PCI PIN QSA/Implementer training for 10 people for project support.
Key Deliverables:
• Project Team Identification and Resource Requirements
• PCI PIN Scope Document (physical, logical and technology)
• Detailed Project plan
• PCI PIN Policy Document (List of Applicable Policies, Procedures and best practice documents)
• Gap Analysis combined Report, featuring gaps, recommendations, priority and owner
• Risk Assessment Report & Risk Treatment Plan
• Internal and external VA/PT report with remediation plan.
Phase 2: PCI PIN Implementation and Operation
Key Activities
• The QSA organization has to modify or formulate the requisite policies to meet the PCI PIN requirements. The policies and
procedures should meet the latest Bangladesh Bank ICT Security Guideline, PCI PIN, PCI DSS, SWIFT CSCF and ISO 27001, and
each control in these policies should carry a specific reference to the standard and clause it covers.
• Design and implement communication of the PCI PIN framework
• Implementation of the requirements identified in the risk treatment plan
• Operate the PCI PIN framework
• The QSA must provide the necessary support and hand-holding assistance to the Bank in remediating the gaps found, to
meet the PCI PIN requirements.
• The bidder shall sit with the respective departments/divisions of IFIC Bank Limited to work through the implementation
plan and resolve the detected gaps.
• The bidder shall evaluate the necessary compensating controls (if required), review the remediation life cycle and
confirm to the Bank once remediation is complete.
• Corrective action plan for remediation of gaps
• For the initial certification process, the QSA must conduct the following activities:
i) Review business-unit-wise current practice for ongoing compliance.
ii) Carry out ASV (NST) scans as per PCI PIN requirements.
iii) Vulnerability assessment, penetration testing and ASV scans of in-scope infrastructure as per the PCI PIN
requirements.
iv) Carry out the PCI PIN compliance validation/certification audit.
• The bidder shall make all necessary arrangements for the Report on Compliance (ROC), Attestation of Compliance
(AOC) and Certification of Compliance.
• The QSA must conduct periodic meetings with the Bank to ensure that the post-certification compliance requirements are
being met by the Bank. The QSA will have to consult the Bank and advise in case any gap is found.
• Assuring the administrative control of data and its confidentiality.
• Assist with the certification audit
Key Deliverables: Policies and Mandatory Documents
1. All mandatory documents required for PCI PIN compliance, as applicable to the Bank's PCI PIN scope.
2. Reports of quarterly Vulnerability Assessment scan, ASV scan (As applicable) and re-validation scan (As needed)
3. Half-yearly Network Segmentation testing report and re-validation testing report (As needed)
4. Annual Penetration testing report and re-validation testing report (As needed)
5. Report on Compliance (ROC)
6. Attestation of Compliance (when compliant)
7. Compliance certification
Preparation for Certification:
▪ Internal audit report
▪ NC Report and Corrective Action Report
▪ NCCA tracker
▪ Certification audit readiness report
Phase 3: Certification
Certification Body will perform following activity for the purpose of certification:
▪ Pre-Certification Audit: Review Documentation and process required for certification
▪ Certification Audit: Review the Implementation controls and effectiveness of process
▪ Certification Audit for 1st Year
D.04 : PRICING FORMAT
Please submit price of individual activity and milestone in separate papers.
Sl. No: Particulars: Total Price (Including VAT & TAX)
01: Implementation of PCI PIN including gap assessment, document preparation, remediation consultancy and awareness &
  implementation training: ____________
02: Certification audit, certification and training: ____________
PART – E: FORM OF PERFORMANCE BOND
The following draft form to be used while issuing the performance bond.
To
Head of Service & Estate Division
IFIC Bank Ltd.
IFIC Tower, 61 Purana Paltan,
Dhaka-1000
Ref: Bank Guarantee No. _______ Dated_______ for Tk.____________ (Taka_______________)
WHEREAS, IFIC Bank Ltd. (hereinafter called the Client) intends to enter into a Contract dated _______ 2022 for Consultancy, Gap
Analysis, Remediation Plan and Rectification of Gaps, Implementation and Certification of PCI PIN for IFIC Bank Limited
_________________ with M/S ___________ (hereinafter called the Bidder) on the Terms & Conditions governing the Contract, and
whereas the Bidder has requested us to issue a Guarantee/Bond for an amount of Tk. _______________________ (Taka
__________________) only, being a performance Bond in consideration of the aforesaid, we _______________________ (Name & Address of
the Bank)
Do hereby undertake and Guarantee due Performance of the Contract by the Bidder and we hereby agree:
1. To make unconditional payment of Tk. ______________ (Taka ________________________) only to the Client immediately
on receipt of demand from the Client in writing without any question whatsoever and without reference to the Bidder and
irrespective of whether the Bidder has or has not acted in breach of the said Contract.
2. To keep this Guarantee/Bond valid and in force till ________ or completion of the contracted work to the full satisfaction of
the Client and on issuance of completion certificate by the Client whichever is later.
3. To extend the validity of this Guarantee for a further period as may be required for the completion of the contract works at
the instance of the Client, without making any reference to the Bidder.
NOTWITHSTANDING anything contained hereinbefore, our liability under this Guarantee/Bond is restricted to
_________________________________________ (mention amount) only.
This Guarantee/Bond will expire on ___________________________ (as aforesaid).
Any claim under this Guarantee/Bond must be received by us by the aforesaid expiry date, and if no such claim is received by us by
that date, all claims under this Guarantee/Bond will cease. But in case the validity of Guarantee/Bond is extended for further period
as stated under para-3 above all claims under this Guarantee/Bond shall be duly accepted and honored up to extended date of validity
of this Guarantee/Bond.
Bankers Name & Address
__________________________ __________________________
Authorized Signature Authorized Signature
Date & Seal Date & Seal
Note: This form of Performance Bond may be changed at the convenience of the Client before final execution of the Agreement.