Request for Information (RFI)
Revenue Modernization (Rev Mod) Program
Credit Card Collections Application (App) – software and hardware solution
The Department of Homeland Security (DHS) U.S. Customs and Border Protection (CBP) Office of Finance (OF) Financial Operations (Fin Ops) Revenue Modernization Program is seeking information about credit card processing of revenue collections. Information about CBP and Rev Mod can be found at: https://www.cbp.gov/about and https://www.cbp.gov/trade/priority-issues/revenue/revenue-modernization.
The Rev Mod Program is seeking technical and non-binding price information about a credit card hardware and software solution. The Rev Mod program has launched a mobile application for officers collecting revenue at CBP ports of entry. Information about the mobile application can be found at: https://www.cbp.gov/trade/priority-issues/revenue/revenue-modernization/automation-368-and-1002-receipts.
The Rev Mod collections application is a Java application with an Oracle back-end and an Angular Framework-based front-end. For communicating with internal CBP systems, the collection application is Windows 10-based. In addition to desktops and laptops, the software is deployed on Windows tablets using the Cordova-based standalone executable application (app).
Rev Mod’s mobile collections application accepts cash and check as payment options. CBP intends to expand the application to provide plastic card payments. The vendor-provided plastic card processing software and Europay, Mastercard, Visa (EMV) readers should be able to be integrated with the CBP developed desktop and App versions of the collections application using a vendor-provided Application Programming Interface (API).
CBP does not use direct internet for credit card transactions. The U.S. Department of the Treasury requires CBP to utilize Worldpay as the Credit Processor.
The Rev Mod program is expanding capabilities to include the ability to process credit card payments in the mobile application. CBP is seeking information about a secure, compliant and simple solution. The solution encompasses: 1. Distributable plastic card processing software solution with an associated API, and 2. EMV reader devices.
The software technical solution must support the following requirements:
- Integrate with a compliant Payment Card Industry (PCI) credit card processor and provide a current certificate of validation for PCI.
- EMV solution that is certified with Worldpay.
- Avoid designs/integrations where the current Rev Mod application will require certification or additional PCI compliance.
- Comply with all applicable Federal Government credit card transaction requirements and all applicable Federal Government Internet Technology (IT) requirements. DHS IT security policies can be found online listed under “Information Technology Security Policy” on the following web site: https://www.dhs.gov/dhs-security-and-training-requirements-contractors. General DHS security information resource materials can be found online here: https://www.dhs.gov/dhs-personnel-security-info-reference-materials.
- Transactions must be secured from end-to-end. Comply with the DHS and CBP security protocols at all touchpoints in the solution.
- A straightforward, uncomplicated, and effortless card acceptance and processing User Experience (UX/UI) for CBP personnel and the paying public.
- CBP users shall not have the ability to touch, store, and view any credit information during payment processing.
- Support swipe, EMV chip, EMV chip/signature, EMV chip/PIN, and contactless pay
- Credit card data should be segmented and routed on a separate network at the point-of-origin regardless of how devices connect to the CBP network
- Ability to identify the device and location that submitted a payment transaction
- Provide real-time view of payment activity through a portal or through tools that can be integrated into the agency’s monitoring and analytics framework for data analytics and performance monitoring
- Provide an Application Programming Interface (API)
- Single portal / process for secured mechanisms to provision and configure devices
- Automated Software/firmware updates pushed to Windows 10 devices such as but not limited to tablets, laptops, and desktops. All updates shall use Software Center, desktop management tool(s), the App Store, or other application management tool(s)
- Compliant with U.S. Department of the Treasury’s Bureau of Fiscal Service Card Acquiring Service (CAS) or similar U.S. Government Federal Agency card service
The hardware technical solution must support the following requirements:
- Universal Serial Bus (USB) and Secured Bluetooth devices
- Shared across Windows 10 devices such as (but not limited to) Government issued tablets, laptops, or desktops. Note: tablet/laptop devices are not confined to fixed locations.
- All EMV reader devices must be portable and compact. Compact is defined as comparable to a standard size smart phone. EMV device will be carried by CBP personnel along with an existing CBP issued tablet. EMV has capacity to attach to existing CBP tablets.
- Compliant with U.S. Department of the Treasury’s Bureau of Fiscal Service Card Acquiring Service (CAS) or similar U.S. Government Federal Agency card service
Optional features sought by CBP:
- Flexibility to include a unique identifier for each credit card transaction, and device location so that payments can be aggregated to a location
- Potential for expanding to Android, iOS, and other operating systems in the future
Information Sought from Industry
As permitted by FAR Part 10, Rev Mod Program is requesting that interested parties submit a 5-page (single sided, standard margins, 11 point font) informational statement on company letterhead, with responses to the RFI requests numbered below. Please provide any other relevant information that is deemed important. The information package shall be sufficiently detailed to assist CBP reviewing the technical solution. The Rev Mod team will accept written technical questions to this notice by September 15, 2020. All answers in response to industry questions will be posted on this notice for public use. The Government is not obligated to, and will not, pay for any information received as a result of this RFI.
The documentation should also provide, at a minimum, the following:
a. Company Name
b. Address
c. Point of Contact, Title, telephone number, email address, and web site address
d. Any socio-economic designation such as small business, Service-Disabled business, veteran-owned, etc.
e. Participation in any Government-Wide (GWAC or GSA schedule) or DHS-Wide contract vehicle information.
- Is your company approved by any of the U.S. Federal Government Agencies to provide certified credit collections devices and software? If yes, please provide details. If no, are you currently seeking any U.S. Federal Government credit card payment certification? If yes, please provide a status of your certification.
- Identification of risk and benefits of solution information provided.
- Available and recommended hardware components per the above must-have and may-have specifications. Provide size and weight specifications. May include photos or drawings of hardware.
- Recommended software solutions with functionality and architecture.
- Recommended approach to initial provisioning of devices, and subsequent firmware / software updates.
- Provide an estimated non-binding cost and/or pricing breakdown. Illustrate a range of estimated costs for concepts/solutions to help CBP find the right balance of risk versus lifecycle cost. For example, but not limited to, does your solution charge a fee on each transaction or as an enterprise pricing structure?
- Are your device firmware updates included as part of EMV certification? Or are the device updates updated for re-certification? Or are devices updated if certificates expire? Please provide an explanation.