CSC No. 53198-A2
AMENDMENT NO. 2
TO
CITY OF FORT WORTH CONTRACT 53198
This Second Amendment is entered into by and between the City of Fort Worth
(hereafter "Buyer"), a home rule municipality, with its principal place of business at 200 Texas
Street, Fort Worth, Texas, and Weaver and Tidwell, L.L.P. ("Vendor"). Buyer and Vendor may
be referred to individually as a Party and collectively as the Parties.
WHEREAS, on December 1, 2019, the Parties entered into City Secretary Contract
53198 to provide Payment Card Industry (PCI) Qualified Security Assessor services
("Agreement/Contract");
WHEREAS, the Parties wish to amend the Agreement to update the scope of work for
the second Renewal term.
NOW, THEREFORE, the Parties, acting herein by and through their duly authorized
representatives, enter into the following agreement:
1.
AMENDMENTS
The Agreement is hereby amended by adding Exhibit A-2, attached to this second
Amendment, as Exhibit A-2 of the Agreement.
2.
ALL OTHER TERMS SHALL REMAIN THE SAME
All other provisions of the Agreement which are not expressly amended herein shall
remain in full force and effect.
3.
ELECTRONIC SIGNATURE
This Amendment may be executed in multiple counterparts, each of which shall be
an original and all of which shall constitute one and the same instrument. A facsimile copy
or computer image, such as a PDF or tiff image, or a signature, shall be treated as and shall
have the same effect as an original.
OFFICIAL RECORD
CITY SECRETARY
FT. WORTH, TX
Second Amendment to Fort Worth City Secretary Contract No. 53198 Page 1 of 4
ACCEPTED AND AGREED:
CITY OF FORT WORTH:
By: Valerie Washington (Apr 3, 2023 12:32 CDT)
Name: Valerie Washington
Title: Assistant City Manager
Date: Apr 3, 2023
APPROVAL RECOMMENDED:
Name: Kevin Gunn
Title: Director, IT Solutions Department
CONTRACT COMPLIANCE MANAGER:
By signing I acknowledge that I am the person
responsible for the monitoring and administration
of this contract, including ensuring all
performance and reporting requirements.
By: Jus M Grace (Mar 29, 2023 11:42 CDT)
Name: Justin Grace
Title: Sr. IT Solutions Manager
APPROVED AS TO FORM AND LEGALITY:
By:
Name: Taylor Paris
Title: Assistant City Attorney
ATTEST:
By:
Name: Jannette Goodall
Title: City Secretary
CONTRACT AUTHORIZATION:
M&C: N/A
Approved: N/A
1295: N/A
VENDOR:
Weaver and Tidwell, L.L.P.
By:
Name: B ritt&VGeorge
Title: Partner
Date: March 24, 2023
ATTEST:
By:
Name:
Title:
FORT WORTH Exhibit A-2
City of Fort Worth - PCI SAQ-D Services
Roles
Weaver: Perform testing over the applicable requirements and provide two completed SAQ-D's and AOC's for Water and Non-water payment
channels.
COFW: Review of the two SAQ-D's and AOC's, provide the requested documentation, and be available for walkthroughs.
Requirement Scope
Non-water payment channel: Requirements outlined in the SAQ P2PE are in-scope.
Water payment channel: 214 Requirements based on the assumptions outlined below and in the "Requirement Type Summary" tab.
Timeline: 2.5 months
Activity | Low Estimate: Hrs | Low Estimate: Hrs at Rate | High Estimate: Hrs | High Estimate: Hrs at Rate
Non-water Payment Channel
Planning / Proj Mgmt | 15 | $3,300 | 25 | $5,500
Fieldwork Execution & SAQ D Population | 40 | $8,800 | 55 | $12,100
Review / Reporting / Issuance | 25 | $5,500 | 35 | $7,700
Non-Water Payment Channel Total | 80 | $17,600 | 115 | $25,300
Water Payment Channel
Planning / Proj Mgmt | 30 | $6,600 | 40 | $8,800
Fieldwork Execution & SAQ D Population | 175 | $38,500 | 210 | $46,200
Review / Reporting / Issuance | 45 | $9,900 | 55 | $12,100
Water Payment Channel Total | 250 | $55,000 | 305 | $67,100
Overall Total: | 330 | $72,600 | 420 | $92,400
Assumptions (Low Estimate):
1. COFW will provide accurate data/network flow diagrams and system and device inventories prior to the issuance of a Document Request List
from Weaver.
2. Initial requests for documentation or evidence for testing will be fulfilled within 15 business days (e.g. populations, inventories, policies, etc.).
Subsequent requests for information (e.g. samples for testing, clarifications on previous requests) will be responded to within 3 business days. All
initial requests are provided prior to the start of fieldwork.
3. For the Non-water payment channel that encrypts cardholder data at the point of interaction and can only be decrypted by the processor,
the applicable requirements outlined in the SAQ-P2PE will be evaluated. See highlighted green cells in column G of the "Requirement Type
Summary" tab for the applicable requirements.
4. For the Water payment channel the applicable SAQ-D requirements will be evaluated. See highlighted green cells in column F of the
"Requirement Type Summary" tab for the applicable requirements.
5. The COFW has reviewed all "in-scope" requirements in the table "Requirement Type Summary" and agrees that the applicable requirements
are In-Place and documented evidence can be made available to demonstrate it as such.
6. For both payment channels the following assumptions were made to identify the applicable requirements:
• No cardholder data is retained or stored. All cardholder data is encrypted at the Point of Interaction (POI) or Point of Sale (POS) and the
CoFW only retains tokenized transaction information received from the processor.
• All applications are off the shelf and no custom code development is performed for the CDE.
• SSL and early TLS are not utilized for encryption.
7. The city has performed scans of their networks and systems for cardholder data and can provide documentation demonstrating no
cardholder data exists.
8. The Water cardholder data environment is fully segmented from other networks and systems.
9. Issues identified in prior assessments have been remediated and in place for any required periods of time.
Assumptions (High Estimate):
1. Not all "in-scope" requirements in the table "Requirement Type Summary" have been implemented, requiring multiple rounds of follow-up
between the CoFW and Weaver.
2. Provided documentation is inaccurate or does not fully address the request or requirement.