Understanding Enterprise RFP Requirements: Security

Security, including but not limited to cybersecurity, is omnipresent in almost any RFP regarding digital commerce.

Whether a Request for Proposal is for PunchOut ecommerce integration, a company store, an ecommerce storefront, cost centers, or any digital commerce arrangement, the RFP will include one expansive set of requirements that touches on every part of the arrangement:

Security.

Security, including but not limited to cybersecurity, is omnipresent in almost any RFP regarding digital commerce. With sensitive information like payment card data and Personally Identifiable Information (PII) repeatedly exchanged by two or more parties and systems, the increasing prevalence of consumer privacy laws, the need to restrict access to authorized users, the need to back up data with redundant tiers, compliance with a wide array of federal and trade group policies and controls, and sometimes cybersecurity insurance – security touches every part of a digital commerce RFP.

At the same time that security is a sweeping consideration in RFPs for digital commerce, the security requirements – PCI DSS compliance, data security arrangements, and NIST CSF policies, to name a few – can seem more opaque than almost any of the other requirements, even the technological ones. Sales-oriented business leaders typically are not well-versed in the granular technical details of security in general or cybersecurity in particular, yet need to answer for those details in order to win the RFP.

This installment in our RFP and Rising Technology Demands series provides an overview of security requirements, terms, policies, procedures, standards, frameworks, and more often found in RFPs. The security landscape is so broad that this installment doesn’t cover all of the details. Instead, it provides insights into six separate areas of security, with more details on each area to follow in future installments.

RFP Requirements: Sensitive Data and Consumer Privacy

The overriding type of sensitive information in digital commerce arrangements is Personally Identifiable Information, or PII, that can be used to identify an individual and is increasingly governed by new consumer privacy laws.

A digital commerce arrangement involves the continuous exchange of sensitive information, and the RFP issuer requires assurances that the information will be secured.

The overriding type of sensitive information in digital commerce arrangements is Personally Identifiable Information, or PII. PII is information that can be used to identify an individual, whether the information is used alone or combined with other information (e.g. SSNs, name, DOB, home address, home email). In the digital commerce arrangement, names and addresses are among the most common forms of PII.

Cardholder data, the information about your customer using a card to pay online, also includes potential PII like names and addresses and adds to it more sensitive information such as the card number, expiration date, and security code, which could be abused if the wrong person gained access to it.

A number of consumer privacy laws have emerged in recent years to address PII and cardholder data. The General Data Protection Regulation (GDPR) applies to those doing business in Europe and the California Consumer Privacy Act (CCPA) applies to those doing business in California, to name two. Even if Europe and California aren’t considerations, these regulations are often specified as the privacy standard. As consumer privacy becomes an increasing consideration, the RFP issuer may want these protections nonetheless.

Payment Processing and PCI DSS Requirements found in RFPs

Companies that handle payment card data are bound by the Payment Card Industry Data Security Standard (PCI DSS), whose 12 top-level requirements break down into roughly 250 detailed requirements in an ever-evolving technology landscape. The sheer volume of requirements under PCI DSS makes payment processing an enormous responsibility.

RFP issuers will expect the vendor who is handling the payment processing to be compliant with PCI DSS. One solution for the bidder is to process payments and manage cardholder data storage itself in compliance with PCI DSS, but there are solutions that reduce the scope of compliance for the bidder: the bidder may use third-party payment processing solutions like USAePay or Payeezy so that the bidder isn’t processing payments itself.

The bidder may also use tokenization, which removes payment card data from a company’s systems, servers, databases, and environments and replaces it with an essentially worthless token — a string of random representative numbers. The token identifies the customer, but the actual payment card data is stored with a third party — usually a payment card processor, which specializes in storing and securing payment card data.
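An added example (not from the original post, and not any particular processor’s API) sketching the scope reduction tokenization gives: a simulated processor vault holds the card data and hands back a random numeric token, and the merchant’s order record keeps only that token and the last four digits. The vault class, function names and the sample card number are constructed for illustration.

```python
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn check: real card numbers pass it, so a token that fails it
    can never be mistaken for (or replayed as) a card number."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class ProcessorVault:
    """Stand-in for the third-party processor that actually stores card data.
    Constructed for this example; a real processor exposes this over an API."""

    def __init__(self) -> None:
        self._vault: dict[str, dict] = {}   # token -> card data, processor side only

    def tokenize(self, pan: str, expiry: str) -> str:
        # Random 16-digit token that is unique and deliberately fails Luhn.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token not in self._vault and not luhn_valid(token):
                break
        self._vault[token] = {"pan": pan, "expiry": expiry}
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        card = self._vault[token]          # only the processor ever sees the PAN
        return {"approved": True, "amount_cents": amount_cents, "last4": card["pan"][-4:]}


def merchant_checkout(vault: ProcessorVault, pan: str, expiry: str, cvv: str,
                      amount_cents: int) -> dict:
    """Merchant side: card data goes straight to the vault; the order record
    that lands in the merchant database holds the token and last4 only.
    The CVV is used for the authorization request and is never persisted."""
    token = vault.tokenize(pan, expiry)
    receipt = vault.charge(token, amount_cents)
    return {"card_token": token, "last4": pan[-4:],
            "amount_cents": amount_cents, "approved": receipt["approved"]}


def contains_card_data(record: dict, pan: str, cvv: str) -> bool:
    """Check a stored record for a full PAN or a verbatim CVV (what an assessor looks for)."""
    return pan in repr(record) or any(v == cvv for v in record.values())
```

Run against a vault instance, the order record never contains the PAN or CVV, while the processor can still charge the token.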

RFPs Call for Access Control and Authentication

Beyond traditional credentials – username and password – the RFP issuer may require a digital commerce platform that supports permissions, SSO, or eprocurement integration.

Any digital commerce arrangement raises the question of who is able to access it and how. In company stores, for example, the RFP issuer will want to control which employees are authorized to make purchases (and also may want to control the employee spend, possibly with cost centers).

Beyond traditional credentials – username and password – the RFP issuer may require a digital commerce platform that supports permissions that define who is provided access to what parts of the system and how that is enforced. Permissions may need to be enforced at the site level, at the email domain level, by IP address, or by combinations of these.

The RFP issuer may also require Single Sign On (SSO), where an individual is provided access to the digital commerce platform by way of logging onto the RFP issuer’s own system. Single Sign On allows users to log onto several federated systems by way of logging onto one.

Finally, the RFP issuer may seek eprocurement integration where the issuer’s eprocurement system is integrated with the bidder’s ecommerce storefront. This integration, called PunchOut integration, usually requires Single Sign On where buyers can log into the ecommerce storefront by way of logging onto their own eprocurement system.

Data Security Including Reliability, Uptime, and Performance SLAs Found in RFPs

The data security level is largely governed by agreements between the RFP issuer and the bidder, and the bidder’s own technology policies and infrastructure.

An RFP issuer seeking a digital commerce arrangement will want assurances about the continued availability of the arrangement and the data generated by it.

The data security level is largely governed by agreements between the RFP issuer and the bidder, and the bidder’s own technology policies and infrastructure. The RFP may require the bidder to enter a Data Security Agreement or a performance Service Level Agreement (SLA).

The issuer may also set standards for data backup. These may be expressed as a Recovery Time Objective (RTO), which is the amount of time it takes to get back to normal operations after an outage or data loss, and a Recovery Point Objective (RPO), which is the maximum amount of data, measured as a window of time before the incident, that may be lost.

Policies and Controls that are Sought in RFPs

An RFP issuer seeking a digital commerce arrangement may ask that the bidder comply with any number of sets of standards relating to security, focused on technology or otherwise.

Cybersecurity policies, controls, and standards often found in RFPs include the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), a set of security policies and best practices that NIST developed to detect and manage cybersecurity risks, and the Department of Defense (DoD) Cybersecurity Certification, cybersecurity standards that the U.S. Department of Defense developed for its contractors.

Other cybersecurity policies, controls, and standards often found in RFPs include the International Organization for Standardization ISO 27000 series of standards, developed by ISO to help organizations manage the security of financial information, intellectual property, and PII, and SOX compliance, which refers to the Sarbanes-Oxley Act that the U.S. Congress passed to protect investors and the general public from accounting errors and fraud.

RFP Requirements: Insurances

RFP issuers may require Cyber Liability Insurance, E&O Insurance, and other types.

Security considerations in an RFP for digital commerce may also include insurance policies. Types of insurance policies related to digital security include Cyber Liability Insurance and Technology Errors and Omissions (E&O) Insurance.

Cyber liability insurance covers the issuer or client if data breaches or cyberattacks occur. E&O insurance covers the bidder or provider to make the client whole if the provider’s mistake causes the client financial loss. Either may establish a cap per claim or a cap per policy on the dollar amount insured for losses incurred through outage or data loss.

RFPs Include a Broad Range of Security Requirements

Understanding the security requirements is a first step toward meeting the requirements and winning the opportunity the RFP represents.

In any RFP that calls for a transactional arrangement or the exchange of information, security potentially paints a broad stroke of requirements.

Sensitive data like Personally Identifiable Information and cardholder data must be protected, in accordance with consumer privacy laws or other criteria. Payment processing must be handled securely, in accordance with Payment Card Industry Data Security Standards or other criteria.

Access control and authentication infrastructure need to be in place to ensure that access is limited to those who are supposed to be using the transactional system. And data security and reliability assurances need to be provided in the form of Service Level Agreements, policies and agreements, and insurance.

Understanding the security requirements is a first step toward meeting the requirements and winning the opportunity the RFP represents.