PCI DSS Qualified Security Assessor Services

The New York City Department of Finance is seeking a Qualified Security Assessor firm to provide PCI DSS certification services for the department and other city agencies.

New York DEPARTMENT OF FINANCE


General
Open
83626B0001
Minority-Owned Business (MBE), Women-Owned Small Business (WOSB)
Invitation for/to Bid (IFB/ITB)
Local
Contact
Peter Cabrera
Description

The New York City Department of Finance is seeking a Qualified Security Assessor (QSA) firm to provide professional services for the City's annual Payment Card Industry Data Security Standard (PCI DSS) certification. The selected contractor will be responsible for conducting assessments, testing, validation, and documentation to ensure PCI DSS compliance for the Department of Finance and other city agencies that accept credit card payments. This includes completing all mandated PCI DSS reports and certifications. The selected firm must possess current QSA credentials and demonstrate significant experience in performing PCI DSS assessments for large, complex organizations. The services will involve strategic scoping, evidence review and scoring, and report issuance, with payment milestones tied to the completion of these phases. The period of performance is expected to be annual, typically running 8-10 months per certification cycle, with a potential need for one hour of QSA support per week for 40 weeks for ongoing guidance.

Classification Codes
NAICS 561621: Security Systems Services (except Locksmiths)
PSC DJ01: Support services focused on supporting security policies/controls, processes, measuring compliance of relevant legal/compliance requirements, and responding to security breaches. Also provides support for IT Security systems providing Continuous Diagnostics and Mitigation (CDM) for real-time Cyber Security and protection such as vulnerability scanning, managing firewalls, intrusion prevention systems, and security information and event management (SIEM). Includes Disaster Recovery (DR) services to support DR policy, process and means, dedicated failover facilities and perform DR testing.
Smart Codes
pci dss assessment, qualified security assessor, payment card industry compliance
Timeline
May 13, 2026 12:00 PM - Release Date
Jun 05, 2026 12:00 PM - Questions Due Date
Jun 15, 2026 12:00 PM - Bid Opening Date
Jun 15, 2026 12:00 PM - Due Date
Dec 14, 2026 12:00 PM - Anticipated Contract Start Date
Dec 13, 2031 12:00 PM - Anticipated Contract End Date