University of Utah

Buyer seeks a qualified vendor to perform PCI DSS v4.0.1 compliance assessment and penetration testing. The scope includes completing a Report on Compliance (ROC) and conducting external, internal, and segmentation penetration testing. Buyer requires services for a university environment with multiple payment applications, P2PE payment systems, and approximately 79 small merchants designated as Stand-Alone merchants.

• 4/4/2025 - RFP Issued
• 4/17/2025 - RFP Inquiry Questions Due
• 5/1/2025 - Proposal Due Date
• 7/15/2025 - Contract Effective Date

• Minimum five years experience performing PCI Reports on Compliance
• Individual assessors must have 3+ years in PCI attestation services
• Must provide a dedicated project manager separate from assessment team
• Must perform QA on ROC documentation
• Must encrypt all data gathered during assessment

• Complete PCI DSS v4.0.1 Report on Compliance (ROC)
• Perform external penetration testing of CDE systems
• Conduct internal penetration testing per PCI requirements
• Execute segmentation testing following PCI guidance
• Provide a qualified QSA to assess CDE compliance
• Prepare Attestation of Compliance (AOC) documentation
• Follow sampling strategy as defined in PCI 4.0
• Coordinate project activities with university personnel