Specifications include, but are not limited to: a consulting firm capable of serving as a Payment Card Industry (PCI) Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV), and as an enterprise security consulting firm, to assist with the following:

A. Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of cardholder data (CHD) and personally identifiable information (PII), covering State of Rhode Island compliance requirements and HIPAA.
B. Provide an accurate identification of all legacy Secure Sockets Layer (SSL) encryption presently in use and a remediation plan to migrate the affected systems, including their protocol configurations and security certificates, to the latest version of Transport Layer Security (TLS).
C. Validate that the vulnerabilities and risks identified have been mapped to the appropriate requirements of the current version of the PCI Data Security Standard (DSS).
D. Provide a gap analysis of the current network against the current version of the PCI DSS.
E. Complete the applicable Self-Assessment Questionnaire (SAQ) and all validation, testing and assessment requirements for becoming compliant with the current version of the PCI DSS.
F. Optional periodic corporate network-wide vulnerability scans. Specify quarterly, semi-annual or annual frequency.
G. Annual internal and external corporate network-wide penetration testing, to include periodic vulnerability scans.

Respondents should clearly identify in their submittal which services are to be performed onsite and which are, or can be, accomplished remotely. If sampling is part of the preferred methodology, define when and how sampling will be used.

The requirements of this engagement are to:
1. Assist with defining the scope of PCI compliance for the organization and consult on how to reduce that scope.
2. Determine how effectively the organization is maintaining the security, integrity and confidentiality of cardholder data according to the current version of the PCI DSS.
3. Determine how effectively the organization is protecting against anticipated threats or hazards according to the current version of the PCI DSS.
4. Determine how effectively the organization is protecting against unauthorized access to information according to the current version of the PCI DSS.
5. Provide guidance for policy and procedure creation and assist with the drafting and iteration of the same.
6. Provide written recommendations and/or a remediation plan for the organization to meet or exceed the current version of the PCI DSS.
7. Propose a plan to monitor compliance, provide guidance on updates related to laws and regulations, and review compliance status within the time frames stipulated under the various laws and regulations.
8. Provide samples of deliverables (with confidential information removed) typically provided in the Respondent's prior PCI engagements.