Invitation for Request for Expressions of Interest    Status: Approved

GOVERNMENT OF THE PEOPLE'S REPUBLIC OF BANGLADESH

Ministry/Division : Ministry of Finance
Agency : Bangladesh Bank
Procuring Entity Name : Information and Communication Technology Department, Bangladesh Bank
Procuring Entity Code :
Procuring Entity District : Dhaka
Expression of Interest for Selection of : Consulting Firm (National) (Lump-Sum)
Title Of Service : Selection of consulting firm for PCI DSS Consultation, Compliance and PCI DSS Certification for National Payment Switch of Bangladesh (NPSB)
EOI Ref. No. : ICTD-2(3)/190R2/2025
Date : 12/02/2025

KEY INFORMATION

Procurement Sub-Method : Quality and Cost Based Selection(QCBS)

FUNDING INFORMATION

Budget and Source of Funds : Own Funds
Development Partners :

PARTICULAR INFORMATION

Project/Programme Name :
EOI Closing Date and Time : 13/03/2025 3:00 PM
Publication Date : 13/02/2025

INFORMATION FOR APPLICANT

Brief Description of Assignment : Tasks and responsibilities of the Joint Venture of Consulting Firm and Certification Body will include the following:
1. Identify the Cardholder Data Environment (CDE) for PCI DSS compliance and protecting cardholder data, etc.
2. Submit a work plan on the basis of the above TORs within 10 working days of joining and provide a monthly written progress report, in addition to the final report.
3. Review the existing network diagram and data flow diagram and perform network segmentation testing as required by PCI DSS.
4. Submit all logs generated by the testing tools and all test results, in raw and processed format, in electronic media.
5. Conduct adequate training and awareness on PCI DSS for internal stakeholders.
6. Conduct the relevant pre-audit to identify PCI DSS readiness and produce the report.
7. All software or tools required to deliver the service shall be deployed on devices owned by Bangladesh Bank. After completion of the service, the Firm may uninstall all installed software or tools.
8. Conduct a gap analysis of the existing ICT infrastructure and platform of the National Payment Switch Bangladesh (NPSB) against the latest version of PCI DSS.
9. Provide end-to-end support for meeting all functional requirements under all domains (goals) for achieving PCI DSS compliance accreditation for the NPSB of Bangladesh Bank.
10. Evaluate compensating controls on an annual basis; any compensating controls must be documented, reviewed and validated by the assessor and included with the Report on Compliance.
11. Develop a remediation plan for PCI DSS compliance and implementing strong control measures, and provide support and guidance during the compliance process.
12. Prepare documentation on "Protect Cardholder Data", such as encrypting the transmission of cardholder data and sensitive information across open, public networks through NPSB.
13. Monitor the progress of remediation and provide updates to management.
14. Use a non-disruptive system and data scanning solution for scanning the systems/infrastructure related to NPSB regularly. The scanning solution comprises the scanning tool(s), the associated scanning report, and the process for exchanging information between the vendor and the Bank.
15. Be onsite for the validation of the assessment for the duration required.
16. Monitor and test networks on a regular basis to maintain a secure network.
17. Prepare the document on "Maintain a Vulnerability Management Program" for NPSB.
18. Define and analyse the strong access controls to be measured for NPSB, i.e. assist in enforcing restriction of access to Cardholder Data (CHD) by business need to know (logical) and use of unique IDs, and also assist in restricting physical access to CHD.
19. Prepare regular network monitoring activity reports for the NPSB network, i.e. assist in testing and monitoring all access to network resources and CHD, and regularly test security, systems and processes.
20. Findings and Observations (detailed findings on each requirement and sub-requirement, including explanations of all N/A responses and validation of all compensating controls).
21. Prepare and provide various reports (as required by BB) on maintaining the information security policy and best practices for the NPSB system (including people, process, infrastructure, etc.).
22. Prepare and provide various reports on the different stages of PCI DSS implementation (i.e. Executive Summary report, Quarterly scanning (VA) report, PT report, Scope definition report, Reviewed Environment report, Gap Analysis and fixing report, etc.).
23. Provide the security needs of internal and external systems for achieving certification.
24. Provide security and safety measure guidelines to enhance domestic transactions for both magnetic stripe and EMV card data routed through NPSB.
25. Conduct the PCI DSS compliance audit/final audit and produce the final report (Report on Compliance).
26. Provide the Attestation of Compliance when fully compliant.
27. Perform all other relevant activities for achieving PCI DSS Certification as necessary.
Experience, Resources and Delivery Capacity Required :
A. Each member of the Joint Venture should have a minimum of five (05) years overall business experience, and all legal notarized documents related to the Joint Venture or local partnership should be submitted.
B. The following minimum Experience, Resources & Delivery Capacity are required for the Consulting Firm:
1. Should have satisfactory experience of providing consultation in achieving PCI DSS certification for at least two (02) organizations (Banks/Financial Institutions) in the last five (05) years.
2. Should have a minimum of one (01) Certified Information Systems Security Professional (CISSP), a minimum of one (01) Certified Information Security Manager (CISM) and a minimum of one (01) Certified Information Systems Auditor (CISA), enrolled with the firm for the last one (01) year, and each professional should have a minimum of five (5) years of relevant experience.
3. Should have minimum specific experience of conducting PCI DSS assessment, Security Consultancy, Gap Analysis, VAPT and documentation for the last five (05) years.
4. The Project Manager should be a PCI QSA or CISSP/CISM and/or CISA/ISO 27001:2013 Lead Auditor certified professional with a minimum of five (5) years of experience.
5. The Average Annual Turnover of the firm(s) should be a minimum of USD 150,000 (USD One Hundred Fifty Thousand) during the last five (05) years (a summary sheet of the turnover statement and year-wise audited financial reports of the firm(s) should be enclosed).
6. Certificate of Incorporation, valid Trade License, VAT/BIN certificate, latest Income Tax clearance certificates (if applicable).
C. The following minimum Experience, Resources & Delivery Capacity are required for the PCI DSS Certification Body:
1. Should have valid insurance coverage as required by PCI SSC.
2. Certificate of Incorporation, valid Trade License, VAT/BIN certificate, latest Income Tax clearance certificates (if applicable).
3. Should have satisfactory experience of providing PCI DSS certification services to at least two (02) organizations (Banks/Financial Institutions) in the last five (05) years.
4. The Project Manager should be a PCI QSA or CISSP/CISM and/or CISA/ISO 27001:2013 Lead Auditor certified professional with a minimum of five (5) years of experience.
5. The PCI DSS accredited Qualified Security Assessor (QSA) should have the following minimum qualifications: (a) Bachelor's degree in Information Technology or a related subject with at least ten (10) years of work experience in a similar or related field; (b) experience of providing consultation in achieving PCI DSS certification for at least two (02) organizations.
6. Should have a minimum of two (02) PCI DSS accredited Qualified Security Assessors (QSA) enrolled as employees for the last two (02) years.
7. Experience of providing PCI DSS Certification to any international payment switching system will be preferred.
8. Should have a satisfactory certificate of completion for PCI DSS certification services under a single contract having a minimum contract value of BDT 50,00,000.00 (Bangladeshi Taka Fifty Lac) or US Dollar Forty Thousand (USD 40,000) or equivalent.
Other Details (if applicable) : No data or information will be allowed to be taken outside Bangladesh Bank premises in any form (e.g. paper or electronic).
Association with foreign firms is : Encouraged
EOI DETAIL INFORMATION

Ref No | Phasing of Services | Location | Start Date / Completion Date
ICTD-2(3)/190R2/2025 | Phase-1 (Onsite Service: Scoping, documentation, training and gap assessment by QSA with the assistance of Bangladesh Bank) | Dhaka | Duration: 02 weeks
ICTD-2(3)/190R2/2025 | Phase-2 (Onsite Service: Remediation by Bangladesh Bank with the guidance of the CISSP and/or CISA and/or CISM of the Firm, after Phase-1 completion) | Dhaka | Duration: 26 weeks
ICTD-2(3)/190R2/2025 | Phase-3 (Onsite Service: PCI DSS Compliance Audit and PCI DSS Certification by a QSA who is not the same QSA who performed the gap assessment in Phase-1) | Dhaka | Duration: 01 week
ICTD-2(3)/190R2/2025 | Phase-4 (Onsite Service: After Phase-3, quarterly ASV scan by a PCI SSC approved Application Scanning Vendor partnered with the Firm, and remediation by CISSP and/or CISA and/or CISM) | Dhaka | Duration: 01 week
ICTD-2(3)/190R2/2025 | Phase-5 (Onsite Service: After Phase-4, quarterly ASV scan by a PCI SSC approved Application Scanning Vendor partnered with the Firm, and VAPT, gap assessment and remediation by CISSP and/or CISA and/or CISM) | Dhaka | Duration: 01 week
ICTD-2(3)/190R2/2025 | Phase-6 (Onsite Service: After Phase-5, quarterly ASV scan by a PCI SSC approved Application Scanning Vendor partnered with the Firm, and remediation by CISSP and/or CISA and/or CISM) | Dhaka | Duration: 01 week
ICTD-2(3)/190R2/2025 | Phase-7 (Onsite Service: After Phase-6, quarterly ASV scan by a PCI SSC approved Application Scanning Vendor partnered with the Firm, and VAPT, gap assessment and remediation by CISSP and/or CISA and/or CISM) | Dhaka | Duration: 01 week
ICTD-2(3)/190R2/2025 | Phase-8 (Onsite Service: PCI DSS Compliance Audit and Recertification (one year after achieving the initial PCI DSS Certificate) by a QSA who is not the same QSA who performed the PCI DSS Certification in Phase-3) | Dhaka | Duration: 01 week
ICTD-2(3)/190R2/2025 | Onsite Service: After Phase-8, PCI DSS Compliance Audit by a QSA who is not the same QSA who performed the PCI DSS Certification in Phase-4 | Dhaka | Duration: 01 week
ICTD-2(3)/190R2/2025 | Onsite Service: After Phase-9, PCI DSS Recertification (one year after achieving the initial PCI DSS Certificate) by a QSA who is not the same QSA who performed the PCI DSS Certification in Phase-4 | Dhaka | Duration: 01 week

PROCURING ENTITY DETAILS

Name of Official Inviting EOI : Md. Amir Hossain Pathan
Designation of Official Inviting EOI : Director (ICT)
Address of Official Inviting EOI : Information and Communication Technology Department, Bangladesh Bank, 28th Floor, Head Office, Motijheel, Dhaka
Contact details of Official Inviting EOI : Tel: +88029530161, Fax: +88029530481, Email: amir.pathan@bb.org.bd
The procuring entity reserves the right to accept or reject all tenders