County of Los Angeles E-commerce Program Section I – Assessment Questionnaire County of Los Angeles, E-commerce Readiness Governance (ERG) 1 of 26 Version 3.0 - Updated: 02/28/2017 __________ Introduction & Background Electronic Commerce (E-commerce) is defined as the buying and selling of goods and services, and the transmitting of funds and data over an electronic network, such as the Internet. The County of Los Angeles (County) Board of Supervisors approved an agreement with Fidelity Information Services, LLC (FIS) to provide electronic payment processing services or E-commerce (credit/debit cards, electronic checks, Point of Sale Terminals [POS], Interactive Voice Response [IVR], etc.) to County departments, agencies, and districts. This established E-commerce program was initially under the stewardship of the Office of the Chief Information Officer (OCIO), which acted as the chair of the County’s E-commerce Readiness Governance (ERG). However, due to the re-organization of the OCIO, this responsibility was transferred to the Internal Services Department (ISD), which now acts as the ERG Chair. The ERG is made up of representatives from the Internal Services Department, Chief Executive Office, OCIO Security, County Counsel, Treasurer and Tax Collector, Auditor-Controller, and FIS. The ERG manages the FIS contract and assists departments/agencies/districts by providing governance, guidance, advice, and assistance to ensure successful implementations of their E- commerce solutions/applications. ERG’s primary functions includes, but are not limited to: a readiness assessment, ongoing consultations, and oversight throughout the projects’ procurement and implementation life cycles. Additional details of each ERG member’s role and responsibilities can be found in Section II of this document. Purpose The purpose of the readiness assessment is to enable the ERG to evaluate how well prepared or equipped and/or how far along an organization’s proposed E- commerce solution/application is, and to assist with the solicitation, documentation, and implementation process. The purpose of the Assessment Questionnaire is to assist organizations with gathering relevant information about their proposed E-commerce solution. The completed Assessment Questionnaire will provide the ERG with information to determine whether or not the organization is ready to begin the solicitation (RFB, RFP, etc.), development, and/or implementation process. The ERG Meeting Upon ERG’s review of your Assessment Questionnaire, you and/or your team may be invited to an ERG meeting to present your E-commerce business proposal/case, where potentially additional details, questions, concerns, options, etc., will be discussed, and further assessments will be made. Please contact the County E-commerce Program Manager/Advisor below for more information on the E-commerce program, the Assessment Questionnaire, implementation process and requirements, and/or the ERG monthly meeting, etc. The ERG meets on the fourth Thursday of every month from 1:30-3:30 p.m. From ERG’s assessment of your questionnaire and discussion at the meeting, the governance committee will decide whether or not to recommend moving forward with the proposed project, or placing it on hold until sufficient requirements have been met. Upon completion of your E-commerce solution/application, ERG will conduct a final assessment through a system demo or walkthrough, prior to sign off for go-live or implementation. Once implemented, your E-commerce application will be added in the “Popular Services” area of the County website, http://www.lacounty.gov. As the standards and processes for E-commerce change often, approval of a go-live or implementation does not preclude the ERG from re-evaluating your application in the case of changes in law or the E-commerce
Transcript
County of Los Angeles E-commerce Program Section I – Assessment Questionnaire
County of Los Angeles, E-commerce Readiness Governance (ERG) 1 of 26 Version 3.0 - Updated: 02/28/2017 __________
Introduction & BackgroundElectronic Commerce (E-commerce) is defined as the buying and selling of goods and services, and the transmitting of funds and data over an electronic network, such as the Internet. The County of Los Angeles (County) Board of Supervisors approved an agreement with Fidelity Information Services, LLC (FIS) to provide electronic payment processing services or E-commerce (credit/debit cards, electronic checks, Point of Sale Terminals [POS], Interactive Voice Response [IVR], etc.) to County departments, agencies, and districts. This established E-commerce program was initially under the stewardship of the Office of the Chief Information Officer (OCIO), which acted as the chair of the County’s E-commerce Readiness Governance (ERG). However, due to the re-organization of the OCIO, this responsibility was transferred to the Internal Services Department (ISD), which now acts as the ERG Chair. The ERG is made up of representatives from the Internal Services Department, Chief Executive Office, OCIO Security, County Counsel, Treasurer and Tax Collector, Auditor-Controller, and FIS. The ERG manages the FIS contract and assists departments/agencies/districts by providing governance, guidance, advice, and assistance to ensure successful implementations of their E-commerce solutions/applications. ERG’s primary functions includes, but are not limited to: a readiness assessment, ongoing consultations, and oversight throughout the projects’ procurement and implementation life cycles. Additional details of each ERG member’s role and responsibilities can be found in Section II of this document.
PurposeThe purpose of the readiness assessment is to enable the ERG to evaluate how well prepared or equipped and/or how far along an organization’s proposed E-commerce solution/application is, and to assist with the solicitation, documentation, and implementation process.
The purpose of the Assessment Questionnaire is to assist organizations with gathering relevant information about their proposed E-commerce solution. The completed Assessment Questionnaire will provide the ERG with information to determine whether or not the organization is ready to begin the solicitation (RFB, RFP, etc.), development, and/or implementation process.
The ERG MeetingUpon ERG’s review of your Assessment Questionnaire, you and/or your team may be invited to an ERG meeting to present your E-commerce business proposal/case, where potentially additional details, questions, concerns, options, etc., will be discussed, and further assessments will be made.
Please contact the County E-commerce Program Manager/Advisor below for more information on the E-commerce program, the Assessment Questionnaire, implementation process and requirements, and/or the ERG monthly meeting, etc. The ERG meets on the fourth Thursday of every month from 1:30-3:30 p.m. From ERG’s assessment of your questionnaire and discussion at the meeting, the governance committee will decide whether or not to recommend moving forward with the proposed project, or placing it on hold until sufficient requirements have been met. Upon completion of your E-commerce solution/application, ERG will conduct a final assessment through a system demo or walkthrough, prior to sign off for go-live or implementation. Once implemented, your E-commerce application will be added in the “Popular Services” area of the County website, http://www.lacounty.gov. As the standards and processes for E-commerce change often, approval of a go-live or implementation does not preclude the ERG from re-evaluating your application in the case of changes in law or the E-commerce
County of Los Angeles E-commerce Program Section I – Assessment Questionnaire
County of Los Angeles, E-commerce Readiness Governance (ERG) 2 of 26 Version 3.0 - Updated: 02/28/2017 __________
industry. In addition, if your application is subject to misuse or negatively impacts other County E-commerce applications, the ERG may ask to re-review your application and in rare cases, withdraw its approval of your application after go-live.
The ERG works to fully support all County organizations with E-commerce. However, you should be aware that issues with E-commerce applications may impact the County as a whole and, in all cases, the ERG acts in the best interest of the County.
ContactKevy Ly ERG Chair & E-commerce Program Manager/Advisor(562) [email protected]
InstructionsPlease answer the questions to the best of your knowledge. If you need clarification of any question, contact the County E-commerce Program Manager/Advisor. Only answer the non-shaded questions about your E-commerce application or proposal, and leave the shaded parts of the questionnaire blank where indicated “for ERG use only”.
The E-commerce Readiness Assessment contains two sections:
Section I – Assessment QuestionnaireThis section consists of four parts, (1) E-commerce Application Description, (2) Funding, (3) Application Development, Security, and Hosting, and (4) Application Costs and Transaction Fees, to be completed by your organization. The detailed information provided enables the ERG to:
a. Thoroughly assess the proposed E-commerce solution’s readiness for solicitation/development b. Provide assistance where necessary to all requirements in order to implement the solution.
Section II – Approvals for Development and ImplementationThis section outlines the approval processes and requirements for all pre and post development/implementation. Your organization must have a clear project plan and dedicated resources to work on the following areas, but are not limited to: Develop Required Documentations, Store Front Development or Configuration, Funding Sources, Payment Options and Fees, Fidelity Information Systems (FIS) Integrations, Security Requirements, Maintenance & Support, etc. Each governing County ERG member will determine whether all solicitation requirements and development activities have been met and completed, and approve the E-commerce application/solution prior to implementation.
Submit an electronic copy of the E-commerce Assessment Questionnaire (department head signature not required) at least one (1) week or sooner prior to your scheduled ERG meeting to the County E-commerce Program Manager/Advisor. This will allow the ERG ample time to review your questionnaire, and note any area(s) for further discussions prior to the meeting. Please bring a hardcopy of this completed E-commerce Program & Assessment Document with your
County of Los Angeles E-commerce Program Section I – Assessment Questionnaire
County of Los Angeles, E-commerce Readiness Governance (ERG) 3 of 26 Version 3.0 - Updated: 02/28/2017 __________
department head’s or designee’s signature to the ERG meeting. Your Department may consult with the County E-commerce Program Manager/Advisor on any areas of this document and whether another signature besides the department head or designee can be accepted.
County of Los Angeles E-commerce Program Section I – Assessment Questionnaire
County of Los Angeles, E-commerce Readiness Governance (ERG) 7 of 26 Version 3.0 - Updated: 02/28/2017 __________
1) Europay, MasterCard, and Visa (EMV) - a global standard for credit and debit payment cards based on chip card technology.
2) Encryption – data must be encrypted prior to transferring it over a network.
3) Tokenization - the process of substituting a sensitive data element (card #, verification codes, expire date, etc.) with a non-sensitive equivalent, referred to as a token.
It is the responsibilities of the Departments to ensure that vendor’s device/equipment must be in compliance with the above requirements. Are you aware of your responsibilities in meeting these requirements?
Yes No
l. Are you aware that your department will be responsible for all chargebacks and/or refunds if the cardholder disputes the credit/debit card transaction?
Yes No Need more information
m. Do you have a need for a periodic Merchant Activity File (MAF) that lists the daily credit/debit, and e-check transaction processing activities?
Yes No
If “Yes”, please explain:
n. Does your business solution/application require data validations (e.g. customer information) prior to making a payment? Yes No
If “Yes”, please describe the various validation points/fields:
County of Los Angeles E-commerce Program Section I – Assessment Questionnaire
County of Los Angeles, E-commerce Readiness Governance (ERG) 8 of 26 Version 3.0 - Updated: 02/28/2017 __________
o. Do you have a need for Electronic Bill Presentment and Payment (EBPP – See below for definition)? Yes No
Electronic Bill Presentment and Payment (EBPP) is the process by which companies send customers a hardcopy bill, and payments would be conducted electronically over the Internet.
p. Do you have a need for recurrent credit/debit cards or e-check payments? Yes No
Recurring Credit/Debit Card or e-check payments require an initial charge/payment to occur on the credit/debit card or checking account before automatic recurring charges/payments can occur. These transactions will show up immediately online on the cardholder’s account or typically on a monthly statement basis.
(For ERG use only)
Application and its logistical costs are well understood:
County of Los Angeles E-commerce Program Section I – Assessment Questionnaire
County of Los Angeles, E-commerce Readiness Governance (ERG) 10 of 26 Version 3.0 - Updated: 02/28/2017 __________
3. Application Development, Security, and Hostinga. Will your E-commerce application have the following layer(s):
Internet/Website (Public Facing Store Front) Intranet (Internal for Admin Staff) Both
b. FIS has a limited configurable out-of-the-box public facing store front available to County at no cost. Would you like to explore this limited application layer?
Yes No
c. How will the Store Front/Website, or Application Layer (Layer 1) be built/developed?
In-House by Department Vendor/Contractor Commercial Off-The-Shelf (COTS) ISD Other/Unsure:
If you are not planning to use FIS for your application’s store front, please explain why and how long it will take you to complete the development:
d. Are you issuing/soliciting your store front or website layer?
Yes No
If yes, ERG suggests that you use the following paragraph in your solicitation.
Fidelity Information Services, LLC, together with Fidelity National Information Services, Inc., its parent and guarantor, (hereinafter, collectively, “FIS”) currently provides credit card processing, e-check and related E-commerce services to the County of Los Angeles ("County"). FIS is the preferred processor for E-commerce transactions at the County. However, if a proposer prefers to use an alternative vendor for E-commerce transactions, the proposer must so state in its proposal. The Proposer shall provide: (a) an explanation of the reason(s) for the exception; (b) any technical/functional impact of such exception; and (c) a description of the impact, if any, to the Proposer’s price, if Proposer is required to use FIS. Any alternative processor (i) must be approved by County in writing and may subject the vendor to additional contractual obligations; and (ii) must meet all PCI, County and related security requirements.
County of Los Angeles E-commerce Program Section I – Assessment Questionnaire
County of Los Angeles, E-commerce Readiness Governance (ERG) 11 of 26 Version 3.0 - Updated: 02/28/2017 __________
e. If FIS does not develop your store front or website (Layer 1):
1. You are responsible for ensuring that Payment Card Industry (PCI) Standards and County Application Development Security requirements are met. An assessment will be performed by your Department Information Security Officer (DISO) and/or the County Chief Information Security Officer (CISO) on your application before initial development and prior to deployment as well as on-going annual security re-assessment. Are you aware of your responsibilities in meeting the following standards?
Payment Card Industry Data Security Standards: Yes No
County Application Security Standards: Yes No
2. Will your application store front or website be adaptive and responsive (Compatible to Windows, Apple iOS, or Android, and with browsers such as Edge, Internet Explorer, Chrome, Firefox, Safari, etc. Viewable on desktops, laptops, tablets, and smart phones)?
Yes No
If your answer is no, please explain why and how long it will take to enhance the application to be adaptive and responsive:
3. Your application’s public facing website (Internet) needs to meet, at a minimum, U.S. Access Board’s Section 508 Website Accessibility Standards or the Web Content Accessibility Guidelines (WCAG2.0). Are you aware of your responsibilities in meeting these guidelines?
Yes No
d. Confidential and Personally Identifiable Information (PII):
1. Will the application require the use of confidential/sensitive data (e.g. driver’s license numbers, social security numbers, date of birth, etc.)?
Yes No
2. Is there a requirement to store PII? Yes No
If you answered “Yes” to either question above, please explain why:
County of Los Angeles E-commerce Program Section I – Assessment Questionnaire
County of Los Angeles, E-commerce Readiness Governance (ERG) 12 of 26 Version 3.0 - Updated: 02/28/2017 __________
e. Where will the store front application layer be hosted? FIS ISD Vendor Other/Unsure
If hosted by entity other than FIS, please briefly explain the Service Level Agreement:
f. Address Verification Standard (AVS) security feature should be defaulted to “on” for all County E-commerce applications.
Will the business application need the AVS feature turned “off”? Yes No
If you answered “Yes”, please explain why:
There are three AVS levels: 1) Low: Address match based on zip code (default)2) Medium: Address match based on street address without zip code.3) Strict: Address match based on street address with zip code.
g. Does your business application accept international payments? Yes No
County of Los Angeles E-commerce Program Section I – Assessment Questionnaire
County of Los Angeles, E-commerce Readiness Governance (ERG) 13 of 26 Version 3.0 - Updated: 02/28/2017 __________
h. Card Verification Validation (CVV) is a three (3) digit number typically located on the back of the credit card. The three digit security feature should be defaulted to “on” for all County applications and is a required field.
Will the business application need the three digit security feature turned “off”? Yes No
If you answered “Yes”, and need this field to be turned “off”, please explain why:
i. Velocity Control System (VCS) provides clients the ability to control how many transactions and/or how much money may be processed over a given period of time for a given credit card. Exceeding those limits will result in an automatic decline before the transaction is sent to the processor. Velocity control system can reduce the ratio of chargebacks to successful transactions. User Identification System (UIS) is an add-on enrollment or authentication process that is custom developed for a client that may use information from a variety of sources (E.G., Nexus-Lexus) to positively identify the user of a given E-commerce application. (Please note: There is an additional charge per credit/debit transaction for the use of these advanced security features.)
Will your E-commerce application need advanced security features such as Velocity Control System or User Identification System functions?
County of Los Angeles E-commerce Program Section I – Assessment Questionnaire
County of Los Angeles, E-commerce Readiness Governance (ERG) 15 of 26 Version 3.0 - Updated: 02/28/2017 __________
4. Application Costs and Transaction Feesa. How will your department handle E-commerce application costs (e.g., credit/debit card processing fees, FIS transaction fees, application development
costs, etc.)? (Check all that apply) Recover the costs by increasing the fee/price of the service or product (Requires Board [BoS] approval) Absorb the costs in your department’s budget (Requires CEO Budget Analyst approval) Charge a transaction processing (service) fee to the customer (Requires Auditor-Controller [A-C] approval) A possible blending of any two or more of the options above (May require BoS, A-C, and CEO approval) Unsure
If you selected the “blending” option above, please describe how you reached that decision:
b. It is your responsibility to work with your Department's counsel to verify that you are authorized to collect payment using E-commerce and to verify the laws and policies that apply to how you intend to handle transaction fees. Are there any restrictions (e.g., legal, regulatory, County policy, department, etc.) that will prevent you from accepting credit/debit cards or other electronic payment options via the Internet for fees or other payments you plan to collect?
County of Los Angeles E-commerce Program Section I – Assessment Questionnaire
County of Los Angeles, E-commerce Readiness Governance (ERG) 16 of 26 Version 3.0 - Updated: 02/28/2017 __________
(For ERG use only)
E-commerce application costs and fees are well understood, and the department has done their due diligence to determine how they will handle these costs:
County of Los Angeles E-commerce Program Section I – Assessment Questionnaire
County of Los Angeles, E-commerce Readiness Governance (ERG) 17 of 26 Version 3.0 - Updated: 02/28/2017 __________
5. Customer Supporta. A Help Desk or Customer Service Center is required for every Department’s E-commerce solution/application. How does your organization intend to
provide customer services assistance to resolve issues and application problems? 24/7 real time online Chat 24/7 via customer service e-mail During organization business hours - help desk telephone number & after hours voice mail 24/7 ISD Customer Assistance Center (CAC) During organization business hours and ISD/CAC after hours By the Front End/Website or Application Layer vendor (skip to b) Other/Unsure
Please describe how you will handle customer service if you indicated “Other/Unsure”:
b. Has your department completed the Service Level Agreement for Customer Support with the vendor? Yes No
Chair all ERG meetings and discussion boards. Direct the County E-commerce Program. Review and approve all components that make up the project (Assessment Questionnaire, website/store front design, internal operations, integrations, payment options, security, hosting, SLAs, etc.). Coordinate all involved areas between FIS, vendors, departments, TTC, A-C, Counsel, OCIO Security, ISD SFTP and Help Desk, or any other entity involved with the project. Coordinate project management documents (i.e., product configuration specifications, JAD sessions, project plan and schedules, project status reports, etc.) with all involved parties. Provide project status updates to client departments and ERG. Keep an open line of communication with all involved stakeholders. Assist in the completion of and review Work Order Release, Statement of Work, Standard Merchant Agreement, Terms and Conditions, etc. Provide advice, guidance, project management, and support to ensure all projects completed successfully.
Prepare all necessary agenda, documents, and minutes for the monthly ERG meeting. Ensure all required approvals are obtained. Ensure all project management documents are stored centrally on the ERG SharePoint Portal. Ensure all project management tasks are successfully completed and documented.
Robert PittmanCounty Chief Information Security Officer (CISO)[email protected]
Department Information Security Officer (DISO)
___________________________
Review and approve all County security requirements from vendors’ infrastructure, software, and related products. Review and approve the Privacy and Security requirements related to the development and deployment of the application. Review and sign the Security Self-Assessment Questionnaire.
Provide an overall security assessment of the store front application, ensuring compliance with County and industry recommended programming/coding standards. If required, assist in scanning of the store front application source codes to ensure secure coding techniques were used, and address any coding vulnerabilities prior to deployment.
Review the overall functionalities and acceptance of the application.
Review the overall functionality of the application. Review Board policies, including privacy statements, advertising restrictions, and other legal requirements that may apply.
Review the application website design to ensure that County policies related to online usage and payment requirements, privacy and security statements, advertising restrictions, and other legal requirements have been met and implemented.
Review and approve the Terms & Conditions documents: Terms of Use, Terms of Payments, and Privacy & Security Policy.
Review and approve payment options and the related processes, facilitate obtaining the “merchant account number” and setup deposit permits and banking services as necessary. Assist in the development of the Statement of Work, the Work Order Release, and Standard Merchant Agreement with FIS, to assist with initiating over-the-counter (OTC) payments.
Review the successful completion of “go-live” testing with credit/debit card merchant processor, financial institution and/or the Vendor.
Review and approve the department’s recovery model for credit/debit card transaction costs and user fees and review and approve any required updates by Departments. Review the Internal accounting Controls and written Procedures (ICP) for accepting, processing, and reconciling electronic payments, transaction costs and user fees.
Prepare and approve for the application to be displayed in the “I Want to Pay” area of the “Popular Services” and/or on the Newsroom or Announcements sections of the County Portal, if applicable. Provide the CEO’s office with the department name, project name, project manager contact information, start time and payment page URL.
Review budget impacts, if needed. Ensure that Board approval, if necessary, is obtained for additional cost not otherwise funded.
Provides setup and configuration of the secure file transfer protocol (SFTP) services between FIS and the departments for the uploading and downloading of E-commerce transactional data. Examples are the End User Load File (EULF) and the Merchant Activity File (MAF).
Provides 24/7; 365 days Helpdesk Support services that includes E-commerce support for technical issues.
Prepare the Helpdesk’s critical call-back and escalation procedures package. Review with the customer to ensure the information is correct. Provide technical assistance and support for technical related problems such as Processor, Communication or general E-commerce related errors where FIS may have to be contacted after normal business hours.
