HomeMy WebLinkAboutContract 53198-A3CSC No. 53198-A3
AMENDMENT NO. 3
TO
CITY OF FORT WORTH CONTRACT 53198
This Third Amendment is entered into by and between the City of Fort Worth
(hereafter 'Buyer"), a home rule municipality, with its principal place of business at 200 Texas
Street, Fort Worth, Texas, and Weaver and Tidwell, L.L.P. ("Vendor"), Buyer and Vendor may
be referred to individually as a Party and collectively as the Parties.
WHEREAS, on December 1, 2019, the Parties entered into City Secretary Contract
53198 to provide Payment Card Industry (PCI) Qualified Security Assessor services
("Agreement/Contract");
WHEREAS, the Parties wish to amend the Agreement to increase the total annual
amount of the contract by $5000.00 to an amount not to exceed One Hundred Thousand Dollars
($100,000.00).
NOW, THEREFORE, the Parties, acting herein by and through their duly authorized
representatives, enter into the following agreement:
1.
AMENDMENTS
The Agreement is hereby amended by adding Exhibit A, attached to this Third
Amendment, as Exhibit A-2 of the Agreement, to increase the total annual amount of the contract
by $5000.00 to an amount not to exceed One Hundred Thousand Dollars ($100,000.00).
2.
ALL OTHER TERMS SHALL REMAIN THE SAME
All other provisions of the Agreement which are not expressly amended herein shall
remain in full force and effect.
3.
ELECTRONIC SIGNATURE
This Amendment may be executed in multiple counterparts, each of which shall be
an original and all of which shall constitute one and the same instrument. A facsimile copy
or computer image, such as a PDF or tiff image, or a signature, shall be treated as and shall
have the same effect as anoriginal.
OFFICIAL RECORD
CITY SECRETARY
FT. WORTH, TX
Third Amendment to Fort Worth City Secretary Contract No. 53198 Page 1 of 2
ACCEPTED AND AGREED:
CITY OF FORT WORTH:
Name: Mark McDaniel
Title: Deputy City Manager
Date: J u n 7, 2024
APPROVAL RECOMMENDED:
By: /
Name:
Kevin Gunn
Title:
Director, IT Solutions
ATTEST:
09 �4b
F fORt. .
p.f
�o
oBSa
ptlg
�
aaa4 K p?o4b
C
BY:
l �
Name:
Jannette Goodall
Title:
City Secretary
VENDOR:
Weaver and Tidwell, L.L.P.
By: U2���.CLAtw- Jrge
Name: Brittgn Geo
Title: Partner
Date: 6/5/24
CONTRACT COMPLIANCE MANAGER:
By signing I acknowledge that I am the person
responsible for the monitoring and administration
of this contract, including ensuring all
performance and reporting requirements.
By: Sud�e (Jun 5, 2024�DT)
Name: Sudong Lee
Title: Sr. IT Solutions Manager
APPROVED AS TO FORM AND LEGALITY:
By:
Name: Taylor Paris
Title: Assistant City Attorney
CONTRACT AUTHORIZATION:
M&C: N/A
Approved: N/A
1295: N/A
ATTEST:
LIN
Name:
Title:
OFFICIAL RECORD
CITY SECRETARY
FT. WORTH, TX
Third Amendment to Fort Worth City Secretary Contract No. 53198 Page 2 of 2
EXHIBIT A
City of Fort Worth - PCI SAQ Services
City of Fort Worth PCI Services Estimate for PCI SAQ Services
Roles
Weaver: Perform testing over the applicable requirements and provide two completed SAQ-D's and AOC's for Water and City
payment channels.
City: Review of the two SAQ-D's and AOC's, provide the requested documentation, and be available for walkthroughs.
Reauirement Scooe
Non -water payment channel: Requirements outlined in the SAQ P2PE are in -scope.
Water payment channel: 264 Requirements based on the assumptions outlined below and in the "Requirement Type Summary" tab.
of Fort Worth PCI Services Estimate for PCI SAQ
Payment Channel
Hrs
Estimate
Planning / Proj Mgmt
25
$
5,600
Fieldwork Execution & SAQ Population
55
$
12,000
Review / Reporting / Issuance
35
$
7,400
Non -Water Payment Channel Total
115
$
25,000
(Water Payment Channel rM
Hrs
Fee
Planning / Proj Mgmt
30
$
6,500
Fieldwork Execution & SAQ Population
100
$
22,500
Review / Reporting / Issuance
50
$
11,000
Water Payment Channel Total
180
$
40,000
SAQ Services Total:( MMM111
OF 651000
Invoicing:
Fees will be invoiced in three (3) installments throughout the engagement. Invoices will be for the following amounts:
1. Installment]: $21,666
2. Installment2: $21,666
3. Installment3: $21,668
SAQ Services Assumptions:
1. City will provide accurate data/network flow diagrams and system and device inventories prior to the issuance of a Document
Request List from Weaver.
2. Initial requests for documentation or evidence for testing will be fulfilled within 15 business days (e.g. populations, inventories,
policies, etc.). Subsequent requests for information (e.g. samples for testing, clarifications on previous requests) will be
responded to within 3 business days. All initial requests are provided prior to the start of fieldwork.
3. For the Water payment channel the applicable SAQ-D requirements will be evaluated and documented with the SAQ-D. See
highlighted green cells in column E of the "Requirement Type Summary tab for the applicable requirements.
4. For the City payment channel that encrypts cardholder data at the point of interaction and can only be decrypted by the
processor, the applicable requirements outlined in the SAQ-P2PE will be evaluated and documented with the SAQ-D. See
highlighted green cells in column F of the "Requirement Type Summary tab for the applicable requirements.
5. The City has reviewed all "in -scope" requirements in the table "Requirement Type Summary' and agrees that the applicable
requirements are In -Place and documented evidence can be made available to demonstrate it as such.
6. For both payment channels the following assumptions were made to identify the applicable requirements:
• No cardholder data is retained or stored. All cardholder data is encrypted at the Point of Interaction (POI) or Point of
Sale (POS) and the City only retains tokenized transaction information received from the processor.
• All applications are off the shelf and no custom code development is performed for the CDE.
• SSL and early TLS are not utilized for encryption.
7. The city has performed scans of their networks and systems for cardholder data and can provide documentation
demonstrating no cardholder data exists.
8. The Water cardholder data environment is fully segmented from other networks and systems.
9. Issues identified in prior assessments have been remediated and in place for any required periods of time.
10. All "in -scope" requirements in the table "Requirement Type Summary' have been implemented, requiring multiple rounds of
follow-up between the City and Weaver.
11. Provided documentation is accurate or fully addresses the request or requirement.
This estimate is dated January 15, 2024 and is valid through July 31, 2024.
weaverr�►-
City of Fort Worth - PCI SAQ Services
City of Fort Worth PCI Services Estimate for PCI SAQ Services
Roles
Weaver: Perform testing over the applicable requirements and provide a completed SAQ-D and AOC for the Courts payment
channel.
City: Review of the SAQ-D and AOC, provide the requested documentation, and be available for walkthroughs.
Reauirement Scooe
Courts payment channel: Requirements outlined in the SAQ A are in -scope.
Activity:( Estimate
Payment Channel
Fee
Planning / Proj Mgmt
35
$
7,000
Fieldwork Execution & SAQ Population
85
$
19,000
Review / Reporting / Issuance
40
$
9,000
Courts Payment Channel Total
160
$
35,000
Invoicing:
Fees will be invoiced in three (3) installments throughout the engagement. Invoices will be for the following amounts:
1. Installment 1: $11,666
2. Installment2: $11,666
3. Installment3: $11,668
SAQ Services Assumptions:
l . City will provide accurate data/network flow diagrams and system and device inventories prior to the issuance of a Document
Request List from Weaver.
2. Initial requests for documentation or evidence for testing will be fulfilled within 15 business days (e.g. populations, inventories,
policies, etc.). Subsequent requests for information (e.g. samples for testing, clarifications on previous requests) will be
responded to within 3 business days. All initial requests are provided prior to the start of fieldwork.
3. For the Courts payment channel the applicable SAG -A requirements will be evaluated and documented with the SAQ-D. See
highlighted green cells in column G of the "Requirement Type Summary tab for the applicable requirements.
4. The City has reviewed all "in -scope" requirements in the table "Requirement Type Summary' and agrees that the applicable
requirements are In -Place and documented evidence can be made available to demonstrate it as such.
5. For the payment channel the following assumptions were made to identify the applicable requirements:
• No cardholder data is retained or stored. All cardholder data is encrypted at the Point of Interaction (POI) or Point of
Sale (POS) and the City only retains tokenized transaction information received from the processor.
• All applications are off the shelf and no custom code development is performed for the CDE.
• SSL and early TLS are not utilized for encryption.
6. The city has performed scans of their networks and systems for cardholder data and can provide documentation
demonstrating no cardholder data exists.
7. Issues identified in prior assessments have been remediated and in place for any required periods of time.
8. All "in -scope" requirements in the table "Requirement Type Summary' have been implemented, requiring multiple rounds of
follow-up between the City and Weaver.
9. Provided documentation is accurate or fully addresses the request or requirement.
This estimate is dated January 15, 2024 and is valid through July 31, 2024.
weaver>-