
Request for Proposal

3D Secure Online Payment Solution

Nepal Electronic Payment Systems Ltd


Bhim Plaza, Narayanchaur, Naxal
Kathmandu, Nepal
Nepal Electronic Payment Systems
Ltd. Request for Proposal 2017

Contents

Request for Proposal

1. Introduction
2. Eligibility Criteria
3. Technical Requirements for the EMV cards
4. Price Quotations
5. BID Response Requirements
6. General Conditions
7. Submission of Offer:
8. Bid Guarantee and Performance Guarantee
9. Opening of Bid, BID evaluation and award of Contract
10. Payment Terms
11. Tenure of the Contract
12. Termination of order

Confidential Page | 1

1. Introduction

Nepal Electronic Payment Systems Ltd (NEPS) is a company promoted by commercial banks of Nepal,
with 15 financial institutions of Nepal as investors currently, who have joined hands together to form a
single platform to fulfill all their electronic payments solutions. NEPS has been incorporated as a public
limited company under company act 2063. NEPS is currently live with 9 financial institutions and
working with more banks to bring it into its hosting solution.

All the banks associated with NEPS want to provide a secure online payment solution to their
cardholders and are seeking a common solution from NEPS in this regard.

Proposals are sought from interested vendors to provide an Access Control Server and
solution for 3D Secure online payment to the member banks of NEPS as an outsourced service.

The Proposal by the supplier should contain documentation for substantiation of the eligibility.

2. Eligibility Criteria

2.1 A Service Provider, or an agent on behalf of the Service Provider, who can operate and outsource
a 3D Secure solution is eligible to apply.
2.2 The Service Provider must have a license from Visa & MasterCard and must be able to get a license
from UPI whenever there is a need for NEPS or its member banks to provide ACS and 3-D services
to UPI Cards.
2.3 The Service Provider must demonstrate that its solutions have been implemented and that it is
capable of providing outsourcing services.
2.4 The Service Provider should be able to demonstrate that its services are PA-DSS and PCI-DSS
compliant.
2.5 The Service Provider should be compliant with the technical specification requirements as per
section ‘3’ and submit documentation to substantiate the same wherever necessary.

Please Note:

• Copies of all relevant documents/certificates should be submitted as proof in support of the
claims made. The bidder should provide relevant additional information wherever required in
the eligibility criteria. The company reserves the right to verify/evaluate the claims made by the
bidder independently. Any decision of the company in this regard shall be final, conclusive and
binding to the Bidder. The copy documents should be duly signed by the bidder’s authorized
personnel with organization’s stamp marking “Certified true copy”.


3. Technical requirement
S. N.   Requirements   Available - Y / Not Available - N / Customization - C
Solution capabilities
1 Solution must support multi-institutions for all of the services offered by
NEPS to its Member Banks.
2 Solution should support 3-D Secure functionality for VISA and MasterCard
branded cards and also must support UPI cards whenever NEPS or its
member banks are ready for UPI.
3 If required, solutions must be able to interface with NEPS switch for data
upload.
4 The 3-D Secure product must support multiple authentication methods
including password, OTP, mobile tokens, etc.
5 Different authentication method must be supported based on BINs, Card
Products, etc.
6 Once used or expired, a different OTP should be generated and sent for
next transaction
7 Expiration of the OTP should be configurable based on BINs, Card
Products, etc.
8 In case of OTP generation or delivery failure, the solutions must have an
option to "resend OTP".
9 Solution should support dynamic authentication which is user, location
and device context based i.e. based on the profile, transaction history of
the user and incoming transaction parameters – the device from which the
request is coming, the location from which the request is made, user
should be challenged with appropriate authentication level.
10 All configuration parameters should be maintained in the database with
configurable maker-checker functionality for making changes.
11 Capability to maintain comprehensive Audit logs of user access to defined
resources.
12 Should support session time outs, connection time outs, account locking
after number of failed attempts etc.
13 The service provider must agree to maintain the system performance
standard as described by the payment card brand.
14 Inbuilt features for Customized reporting based on configurable
parameters (Like user, time etc.).
15 The solution should be browser and OS independent.
16 IPv6 Readiness: The bidder shall ensure that the entire Two Factor
Authentication Solution, including hardware and software, is IPv6
compatible and shall ensure the readiness as per the roadmap for IPv6
deployment at no extra cost to NEPS.


17 The solution should be able to interface with the NEPS switch for
update/verification of the mobile number/e-mail of the card holder as and
when required. Various options, including but not limited to file upload /
download, file transfer via SFTP, and email, will be explored and finalized
during workflow finalization.
18 All activities at admin console should have an audit trail of all login
attempts and operations. Confidential Logs should be tamper proof. Tools
should be provided to check the integrity of logs. The solution must
provide a means to log all transactions, and must support standard
reporting packages for generating reports on activities. Also, NEPS and/or
its member banks should have the facility for remote generation of reports
and its online view/ download facility
19 Should provide administrator access to NEPS and/or its member banks for
performing the standard functions like card holder enquiry,
adding/deleting card holders, locking/unlocking card holder account etc.
Also, 3-D Secure Product must have multiple level administration
capability with inbuilt configurable access control.
20 On-line Real Time Admin facility to NEPS to view & download the Reports
21 Reports to be customized as per mutually agreed formats
22 The product should support cardholder purchase flow on multiple devices
including mobile devices
23 The Solution should allow the issuers to subdivide their card portfolios into
logical entities where each entity can have independent system behavior
and branding
24 NEPS and/or its member banks should have real time access to
transactional and customer data.
Enrollment
25 Use Card No., Expiry Date of card and CVV (Card Verification Value)
Verification mechanism during enrollment and to send OTP to pre-
registered mobile number and on successful authentication, system should
allow the card holder to set 3D Secure password.
26 Solution should have following enrolment mechanism
1) PIN based for Debit / Credit Cards, duly authenticated through OTP
2) Card Number and Account Number extract
3) Mass enrolment (NEPS pre registers customers offline)
4) Enrollment through NEPS’s Website
5) Enrollment during shopping
27 The solutions must provide an alert message (SMS and/or email) for each
successful registration. An option should be available to define cooling
period between the successful registration and transaction.
28 At the time of registration, customer has to enter Name, Mobile No., e-
mail etc. which should be validated with NEPS’s database without storing
the values.
29 Solution should support issuer logos and branding throughout enrollment
and transaction authentication pages


Compliance
30 The Service Provider should comply with industry standards of security
such as, but not limited to, Payment Card Industry Data Security Standard
(PCI DSS) without any additional cost to the NEPS
31 The solution should be in compliance with Central Bank of
Nepal/Government of Nepal/other payments system authority guidelines
32 NEPS may conduct IS audits periodically, and vulnerabilities found during the
audit should be removed by the solution provider promptly without any
additional cost
33 Solution provider should submit a proof of audit certifications of PCI/ISO
27001/SAS 70 Audits stating that the solution/product/infrastructure
proposed for additional authentication/ validation based on information
not visible on the cards for all on-line card not present transactions has
gone through audit. Also the solution has undergone third party
penetration testing / ethical hacking tests
34 If the vendor Data Center has ever been compromised, the vendor is to
provide the details about the compromise along with subsequent
certificates from Networks & PCI-DSS
35 OEM PCI certification should not have been revoked within last two years
36 The cardholder data should be stored securely in the database. State how
this is achieved and whether it is compliant with PCI DSS
37 Bidder should have a comprehensive Information Security plan, which
should also cover physical access to bidders/OEM’s systems at the data
center. The solution provider must submit its operation manual on security
and access to the system.
Uptime
38 Bidder should have uptime of 99.5%
Support
39 System installation, configuration and customization
40 Solution provider has to provide necessary support for Testing and provide
training & documentations but not limited to system user manual, data
dictionary etc.
41 Solution provider should provide implementation and on-going support
42 The selected solution provider must constitute a Project Management
Team within two weeks of placement of order for Implementation of
Access Control Server (ACS) and Registration Server for customer
enrolment and authentication
43 To deploy the application as well as servers required for implementing the
solution on real time basis at Bidder’s secure Processing Centre.
44 To provide all integration and implementation support for connectivity and
data transfers between the NEPS and the Solution provider service center
45 Solution provider must implement on-going software maintenance
updates including card network mandated updates and changes.


46 Solution provider should have a Disaster Recovery Centre (DRC) facility in
place and should be able to demonstrate its Business Continuity Plan.
47 Solution provider should have an online case management system to
report service issues, product bugs
48 The solution provider must have 24x7 support center and must provide
details of support staffs

4. Price Quotations

S. No.   Items   Rate   Unit   Amount
1 Implementation Charge - One Time
2 Testing & Certification Charge - One Time
3 Monthly Minimum Charge - Year 1
4 Monthly Minimum Charge - Year 2
5 Monthly Minimum Charge - Year 3
6 New member bank implementation if any – per bank
7 Charge per transaction above monthly minimum
8 Monthly Minimum Volume
Note:
Please quote on separate sheet if there are other charges/ offers.
Please mention if the price is inclusive of local taxes and levies.

5. BID Response Requirements


Each bidder response must address the following:
5.1 Provide brief information on the structure of the organization and the field(s) and location(s).
5.2 Describe the nature of the organization and provide its list of clients and services provided
relevant to this proposal. The details must be presented as part of supporting document.
5.3 Provide list of reference accounts where bidder has previously provided such service.
5.4 Bidder shall submit evidence of legal documents such as a copy of Company Registration, the
PAN/VAT certificate, Memorandum of Association, Memorandum of Article, Company Tax
Clearance certificate for the latest fiscal Audited Financial Reports. These documents should be
certified as follows:
• “Certified True Copy” to be mentioned and duly signed by the bidder’s authorized
personnel with organization’s stamp or
• Stamped and Certified by Notary Public.


6. General Conditions
6.1 NEPS reserves the rights to accept or reject or negotiate on any quotation(s) or any quoted price
in full or in part without assigning any reason whatsoever.
6.2 The offers containing unauthenticated erasures or alterations will not be considered. Therefore,
there should be no unauthenticated hand written material, corrections or alterations in the
offer. If such unauthenticated erasures or alterations are present these should be initialed by
the person or persons authorized for signing the bid. Any deviation may lead to the
rejection of the bid.
6.3 The Bidder shall bear all costs associated with the preparation and submission of its bid and
NEPS will in no case be responsible or liable for these costs, regardless of the conduct or
outcome of the bidding process.
6.4 The bid prepared by the Bidder, all correspondence and documents relating to the bid
exchanged by the Bidder and the NEPS shall be written in English.
6.5 Bids must be received by the NEPS at the address specified not later than the time and date
specified.
6.6 In the event of the specified date for the submission of Bids being declared a holiday for the
NEPS, the bids will be received up to the appointed time on the next working day.
6.7 The NEPS may, at its discretion, extend the deadline for submission of Bids by amending the
bidding document, in which case all rights and obligations of the NEPS and Bidders previously
subject to the deadline will thereafter be subject to the deadline as extended.
6.8 Any bid received by the NEPS after the deadline for submission of bids prescribed by the
NEPS, in Invitation for Bid, will be rejected and returned unopened to the Bidder.
6.9 Bidder should observe the highest standard of ethics during the process of bidding, and
execution of the contract.
6.10 Dispute or differences, if any, arising between NEPS and the bidder from misconstruing the
meaning and operation of Bid process will be resolved amicably.

7. Submission of Offer:
The interested bidder should submit the proposal on or before the bid submission date duly sealed in
the attention of:

Mr. Man B. Khatri
Manager – Finance & Admin
Nepal Electronic Payment Systems Limited
4th and 5th Floor, Bhim Plaza, Naxal
Kathmandu, Nepal.

Bid submission last entry date: March 5th, 2017 by 4:00 pm.

The envelope should be clearly marked as “Response to RFP for online 3D secure transaction”.


The bids should be typed or written in indelible ink and shall be signed by the person with authorization
to submit the bid along with the company stamp on every page of the bid. Any amendments, erasures,
overwriting will be validated by putting the initials.

Any bid received after the deadline of the submission of the bids will be rejected by NEPS.

NEPS reserves the right to reject the bids for not conforming to the above.

8. Bid Guarantee
The interested bidder should submit a Bid Guarantee of NPR 400,000 in the form of Cash or Bank
Guarantee from Class ‘A’ financial Institution of Nepal in favor of Nepal Electronic Payment Systems
Limited valid for six months.

Nepal Electronic Payment Systems will return the Cash/Bank Guarantee to the unsuccessful bidder/s
within 30 days from the opening of the BID. The successful bidder may have to provide performance
bond valid for one year or renew the bid guarantee for additional one year, within three weeks of the
receipt of purchase order. NEPS can invoke the bid guarantee or performance bond any time the bidder
fails to act in accordance of the purchase order or the contract.

9. Opening of Bid, BID evaluation and award of Contract


NEPS will open all received Bids in the presence of interested bidders on the date and time published in
the tender notice.

All the Bids will be scrutinized to check if they are complete or if the bids have any
errors/discrepancies and whether the items are quoted as per requirements. NEPS will further check if
the bidder is eligible in terms of eligibility criteria set in the RFP. NEPS may at its own discretion, waive
minor deviations/irregularities in a bid which shall be conclusive and binding to all the bidders.

NEPS reserves the right to accept or reject any or all offers and/or cancel the bidding process without
assigning any reason thereof without incurring liability to the affected bidder. Any decision of NEPS shall
be final, conclusive and binding to the bidders. NEPS also shall have no obligation on its part to inform
the bidders the ground for the action. NEPS will further have no obligation to acquire any or all of the
items proposed and no contractual obligation whatsoever shall arise from the RFP process unless and
until a formal contract is signed and executed by duly authorized officials of NEPS and the bidder.

NEPS will have its own internal evaluation process which will not be disclosed to the bidders to
technically and commercially evaluate all the eligible bids. During technical evaluation, if it is found that
the bidder has not indicated any component/module or item which is required for the implementation
of the solution, the same has to be provided by the successful bidder without any additional cost to
NEPS.

NEPS will, at its sole discretion, ask some or all of the bidders for clarification of their proposals to
assist in comparison, evaluation and scrutiny of the bids. The request for clarification will be in writing
and will have to be responded to by the bidder.

NEPS can and will negotiate, with the 3 short listed bidders who have scored the highest in technical and
commercial evaluation, on the pricing and/or additional requirements. NEPS may further request site
visit of the bidder’s installation for technical evaluation which shall have to be arranged.

On the completion of selection process, NEPS will enter into agreement with selected bidder. The
agreement will be based on the bidder’s offer document with all its enclosures and modification arising
out of clarification/negotiations. NEPS reserves the right to stipulate any other documents deemed fit to
be enclosed as part of the final contract.

NEPS reserves the right to assign the contract to any of the bidder/bidders without assigning any
reasons thereof. Any decision of NEPS in this regard will be final and binding to all the parties. NEPS will
incur no liability/ contractual obligation with any or all of the bidders affected by the decision.

10. Payment Terms


The bidder needs to submit the detailed itemized cost of the deliverables. The payment of the deliverables
will be done as per agreement between the parties. If the payment term is in advance, NEPS will
require an advance payment guarantee to make such payment.

Note

(1) If there is a discrepancy between the unit price and the total price which is obtained by multiplying
the unit price and quantity, the unit price shall prevail, and the total price will be corrected.

(2) If there is a discrepancy between words and figures, the amount in words will prevail.

(3) All prices should be quoted in Nepalese Currency and shall be inclusive of Taxes/Duties such as
VAT, Local Development Tax, Custom Duties, and Security Tax etc. applicable in Nepal.

(4) This Price Schedule shall be duly filled, signed along with date and stamped with official seal. Bid with
Price Schedule not duly filled and without signature, date and official stamp shall be rejected and
not be considered for evaluation.


11. Tenure of the Contract


NEPS will enter into contract with the selected Vendor(s) for two years from the date the first institution
goes live, with an option to extend the agreement by a further one year. Should there be a change in price,
NEPS shall have the right to terminate the contract, invoke the guarantee and award the contract to another
vendor or call for a new bid.

12. Termination of order


NEPS reserves the right to cancel the contract placed on the selected bidder and recover expenditure
incurred in the following circumstances:

12.1 The selected bidder fails to make delivery as per the terms and conditions of the BID.
12.2 The selected bidder commits a breach of any of the terms or conditions of the bid.
12.3 The bidder goes into liquidation, voluntary or otherwise.
12.4 The selected bidder fails to complete the assignment within stipulated time frame and the
extension if granted.
