Specifications include, but are not limited to:

Payment Processing
  - Process between two thousand five hundred (2,500) and three thousand (3,000) payments per year by:
      - Utilizing a secure, online data transfer system for receiving electronic files from the Department (Microsoft Excel and PDF).
      - Retrieving files, processing payments, and issuing payments to specified Payees with corresponding invoices within two (2) business days of receipt of the Department’s files.
  - Accommodate occasional emergency payment requests within one (1) business day.
  - Ensure Payees can associate the payment with the Department’s client based on “check memo” data submitted by Department via the data transfer system.
  - Seek reimbursement from the Department by submitting monthly invoices by the fifteenth (15th) of the following month for payments made to Payees, based on the allowable service reimbursement costs as defined by the Department.

Payment Vouchers
  - Purchase approximately five thousand (5,000) Vouchers per year within two (2) business days of the Department’s request.
  - Food Vouchers shall be purchased online from grocery stores monthly and shipped to the Department.
  - Transportation Vouchers shall be purchased from gas stations, as needed, and shipped to the Department.

Technology Requirements
  - Provide a SaaS solution capable of receiving and managing all information used for payment processing, including but not limited to:
      - Access to high-speed internet connection;
      - Current anti-virus software on the awarded Bidder’s computer(s) receiving or processing payment requests;
      - Email account(s) for all staff processing payments; and
      - Financial processing software which processes and tracks individual payments which complies with the PCI Security Standards Council security certification.
  - Ensure no more than three (3) seconds for lookups, and five (5) seconds for data modification.
  - Provide technical support as needed to ensure files are transferred in a timely manner.
  - Provide a secure FTP site for online file transfer which has the ability to accept Excel and PDF formatted files.
  - Comply with the entire suite of MaineIT Policies and Standards, with special attention paid to the following policies:
      - General Architecture Principles
      - System and Services Acquisition Policy and Procedures (SA-1)
      - Application Deployment Certification Policy
      - Digital Accessibility and Usability Policy
      - Remote Hosting Policy
      - Data Exchange Policy
      - Information Security Policy
      - Access Control Policy
      - Access Control Procedures for Users
      - Risk Assessment Policy
      - Vulnerability Scanning Procedure
      - Security Assessment and Authorization Policy
      - System and Information Integrity Policy
      - Configuration Management Policy
      - Business Continuity and Disaster Recovery Policy
      - COTS-Cloud Policy
  - Ensure the product/solution achieves the NIST 800-53 Rev 5 for the remaining security and privacy control families, to a security baseline appropriate to the impact level of the data as determined by the agency:
      - Physical and Environmental Protection;
      - Awareness and Training;
      - Planning;
      - Audit and Accountability;
      - Assessment, Authorization, and Monitoring;
      - Personnel Security;
      - PII Processing and Transparency;
      - Contingency Planning;
      - Identification and Authentication;
      - Incident Response;
      - System and Communications Protection;
      - Maintenance;
      - Media Protection; and
      - Supply Chain Risk Management.
  - Work with MaineIT and submit any required information to the Department to show compliance with the required policies.
  - Ensure all payment data at the file level, including backup files, are encrypted and complete all necessary updates and upgrades to meet and maintain the minimum 256-bit encryption requirement.
  - Ensure the SaaS solution provides disaster recovery and backup, including:
      - Ninety-nine percent (99.9%) uptime; and
      - Backup restoration in one (1) hour or less.
  - Conduct a full SSAE-18 SOC 2 Type 2 Annual Audit, which shall include testing the Five (5) Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy).
  - Ensure compliance with HIPAA and PHI standards.