Opportunity
NYC Passport #83626B0001
NYC Department of Finance Seeks PCI DSS Qualified Security Assessor Services
Posted
May 13, 2026
Respond By
June 15, 2026
Identifier
83626B0001
NAICS
541512
The New York City Department of Finance (DOF) is seeking a Qualified Security Assessor (QSA) to provide Payment Card Industry Data Security Standard (PCI DSS) certification services over a five-year contract, with options for renewal. - Government Buyer: - New York City Department of Finance (DOF), Treasury & Payment Services - Also includes NYC Office of Technology and Innovation (OTI) - Services Requested: - Annual PCI DSS certification for DOF (Level 1 merchant) and OTI (service provider) - Subject matter expertise and guidance for annual certification of 28 PCI Level 4 city agencies - Three main service phases: - Strategic Scoping (156 hours/year): PCI DSS certification type determination - Evidence Review and Scoring (157 hours/year): Review and scoring of evidence submitted - Report Issuance (314 hours/year): 100% evidence review, quality assurance, and final delivery of required PCI DSS reports (AOC/ROC/SAQ) - Use of a secure PCI certification portal - Background checks and compliance with security, confidentiality, and labor laws - Estimated total project hours: 627 annually, at $195/hour - Estimated contract value: $611,325 over five years - Unique/Notable Requirements: - Annual certification cycle (8-10 months per year) - QSA resource must be available approximately 1 hour per week for 40 weeks per year - Work may be performed remotely or on-site; travel expenses included - Subject to Local Law 1 M/WBE requirements - No specific OEMs or vendors are named in the solicitation - Place of Performance: - New York City (remote or on-site at city facilities as needed)
Description
The New York City Department of Finance is soliciting bids for PCI DSS Qualified Security Assessor Services. The contract involves assisting the Department of Finance in fulfilling the requirements of the mandated Payment Card Industry Data Security Standard annual certification. The vendor will perform PCI DSS certification for one PCI Level 1 merchant agency and one service provider agency, as well as provide subject matter expertise and guidance to internal PCI teams of multiple city agencies. The contract term is anticipated to be five years with possible renewal options. Responses must be submitted electronically via PASSPort, New York City's online procurement portal.