Madison, WI
File #: 60737
Version: 1
Name: Authorizing the sole source Payment Card Industry Data Security Standards (PCI DSS) consulting contract to Baker Tilly.
Type: Resolution
Status: Passed
File created: 5/28/2020
In control: Finance Department
On agenda: 6/16/2020
Final action: 6/16/2020
Enactment date: 6/22/2020
Enactment #: RES-20-00468
Title: Authorizing the sole source Payment Card Industry Data Security Standards (PCI DSS) consulting contract to Baker Tilly.
Sponsors: Satya V. Rhodes-Conway
Attachments: 1. Baker Tilly Virchow Krause LLC - Non-Competitive Selection Request - CC Approval Required May 2020.pdf, 2. PCI DSS memo for resol 060420.pdf

Fiscal Note

The proposed resolution authorizes a non-competitive contract with Baker Tilly to carry out a scope of work to establish Payment Card Industry Data Security Standards (PCI DSS) compliance. The total cost of the proposed contract is $90,000. These costs will be split between funding sources: the General Fund share will be $50,000, and each enterprise fund will contribute $5,000 per fund. The General Fund share will be funded through existing appropriations in the Finance Department (Service-Treasury, Major-Purchased Services).


Failure to develop the plan outlined in this scope of work will result in a $5,000 monthly penalty until the plan is finalized.


Authorizing the sole source Payment Card Industry Data Security Standards (PCI DSS) consulting contract to Baker Tilly.


WHEREAS, the City of Madison processes over one million credit card transactions per year, with a total value exceeding $28 million; and,

WHEREAS, the City utilizes many different systems to process these transactions; and,

WHEREAS, transactions are accepted in person, over the phone and online; and,

WHEREAS, the majority of transactions relate to the Parking Utility, following the increase in card-enabled pay stations and street meters; and,

WHEREAS, the major credit card brands created the PCI Security Standards Council in 2006 to implement the Payment Card Industry Data Security Standards (PCI DSS), aimed at preventing liabilities and losses related to credit card data; and,

WHEREAS, a breach of cardholder data reduces customer confidence, creates liability from fraud loss and legal actions subjecting a merchant to fines, penalties and potential loss of card acceptance; and,

WHEREAS, the PCI DSS requires a merchant to create and maintain systems to safeguard cardholder data, which includes maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing the network, and maintaining an information security policy; and,

WHEREAS, a merchant is required to document these elements and provide an attestation of compliance and a self-assessment questionnaire to the card brands as evidence that such a system exists and is maintained; and,

WHEREAS, the City has not completed an attestation or assessment questionnaire; and,

WHEREAS, the City does not currently have staff well versed in PCI standards; and,

WHEREAS, this subjects the City to fines from the card brands of $5,000 per month (due to the COVID-19 pandemic, fines are waived through July 2020); and,

WHEREAS, under MGO 4.26(4), a contract of more than $50,000 that was not competitively selected must be approved by the Common Council; and,

WHEREAS, Baker Tilly is the City’s external audit firm and has provided consulting services in the past; and,

WHEREAS, the consulting work will include: documenting the current state of card acceptance across all City functions, assisting in identifying control gaps related to PCI DSS compliance, helping identify opportunities to reduce the scope of the current processing environment and lessen the effort of compliance, developing a roadmap for achieving compliance, assisting City staff in completing the assessment questionnaire, and developing and providing PCI DSS compliance education to the Information Technology and Treasury staff; and,

NOW THEREFORE BE IT RESOLVED that the Common Council hereby authorizes the Mayor and City Clerk to execute a sole source contract with Baker Tilly for PCI DSS consulting services in an amount not to exceed $90,000.