The URL can be used to link to this page

Agenda 12/11/2018 Item #16E 312/11/2018 EXECUTIVE SUMMARY Recommendation to award Request for Proposal (RFP) No. 18-7284 “Credit Card Payment Processing and Related Services” to JetPay Payment Services FL, LLC. OBJECTIVE: To award a contract for credit card processing and related services, which provides cost reductions and improved customer experience across all participating departments. CONSIDERATIONS: Staff sought a single provider to process payment collections for County services to promote a superior customer experience that provides continuity and predictable fees across County departments. Additionally, with departments jointly acting on this project, the County is better positioned to leverage economies of scale to negotiate the most competitive rates, ultimately leading to across the board reductions in payment processing expenses for the participating divisions. On December 28, 2017 the Procurement Services Division released RFP No. 18-7284 to 1,644 vendors for Payment Processing and Related Services. Interested vendors downloaded ninety-eight (98) bid packages, and the County received eleven (11) proposals by the February 26, 2018 deadline. A selection committee convened on April 26, 2018. The selection committee recommended a shortlist of four (4) firms for follow-up presentations. The selection committee held presentations and conducted its final ranking on May 15, 2018. The selection committee ranked the short-listed firms as follows: Company Name City State Final Ranking JetPay Payment Services, FL, LLC Pensacola FL 1 ACI Worldwide Corp. Elkhorn NE 2 Point and Pay LLC Oldsmar FL 3 Gila LLC Austin TX 4 Staff recommends that the award of RFP No. 18-7284 go to JetPay Payment Services, FL, LLC. LEGAL CONSIDERATIONS: This item is approved as to form and legality and requires majority vote for Board approval. -SRT FISCAL IMPACT: Operating Divisions have appropriated funds to cover the cost of credit card processing fees. At the current time, this contract will be utilized by Solid Waste and the Water Utilities. Under the terms of this agreement, there will be an immediate 15% reduction in the transaction rate, resulting in approximately $50,000 annual savings. Additionally, when the new billing system is fully operational in a few years, there will be an additional $100,000 annual expected savings. GROWTH MANAGEMENT IMPACT: There is no Growth Management Impact associated with this Executive Summary. RECOMMENDATION: To award RFP No. 18-7284 “Payment Processing and Related Services” to JetPay Payment Services FL, LLC. and authorize the Chairman to sign the attached agreement. Prepared by: Lee Willer-Spector, Operations Analyst, Administrative Services Department 16.E.3 Packet Pg. 2396 12/11/2018 ATTACHMENT(S) 1. 18-7284 Solicitation (PDF) 2. 18-7284 Final Ranking (PDF) 3. 18-7284 Notice of Recommended Award (PDF) 4. 18-7284 Addendum #1 (PDF) 5. Collier County Insuracne Certificate Approved by Risk (PDF) 6. [Linked] Exhibit A -18-7284 Solicitation CAO (PDF) 7. [Linked] Exhibit B - 18-7284 JetPay Proposal CAO approved (PDF) 8. Merchant Card Processing Terms and Conditions CAO approved (PDF) 9. JetPay Bank Disclosure (PDF) 10. JetPay Business Associate Agreement (PDF) 11. JetPay Merchant Application and Agreement (PDF) 16.E.3 Packet Pg. 2397 12/11/2018 COLLIER COUNTY Board of County Commissioners Item Number: 16.E.3 Doc ID: 7348 Item Summary: Recommendation to award RFP #18-7284 “Credit Card Payment Processing and Related Services” to JetPay Payment Services FL. LLC. Meeting Date: 12/11/2018 Prepared by: Title: Operations Analyst – Administrative Services Department Name: Lee WillerSpector 11/19/2018 4:11 PM Submitted by: Title: Department Head - Administrative Svc – Administrative Services Department Name: Len Price 11/19/2018 4:11 PM Approved By: Review: Public Utilities Operations Support Joseph Bellone Additional Reviewer Completed 11/19/2018 4:18 PM Procurement Services Sandra Herrera Level 1 Purchasing Gatekeeper Completed 11/19/2018 4:20 PM Administrative Services Department Paula Brethauer Level 1 Division Reviewer Completed 11/19/2018 4:21 PM Administrative Services Department Len Price Level 2 Division Administrator Review Completed 11/19/2018 4:48 PM County Attorney's Office Scott Teach Level 2 Attorney Review Completed 11/20/2018 9:33 AM County Attorney's Office Jeffrey A. Klatzkow Level 3 County Attorney's Office Review Completed 11/20/2018 9:44 AM Office of Management and Budget Valerie Fleming Level 3 OMB Gatekeeper Review Completed 11/20/2018 11:11 AM Office of Management and Budget Laura Wells Additional Reviewer Completed 11/20/2018 1:33 PM County Attorney's Office Emily Pepin CAO Preview Completed 11/20/2018 2:23 PM County Manager's Office Nick Casalanguida Level 4 County Manager Review Completed 12/03/2018 8:03 AM Board of County Commissioners MaryJo Brock Meeting Pending 12/11/2018 9:00 AM 16.E.3 Packet Pg. 2398 COLLIER COUNTY BOARD OF COUNTY COMMISSIONERS REQUEST FOR PROPOSAL (RFP) FOR PAYMENT PROCESSING AND RELATED SERVICES SOLICITATION NO.: 18-7284 VIVIANA GIARIMOUSTAS, PROCUREMENT STRATEGIST PROCUREMENT SERVICES DIVISION 3295 TAMIAMI TRAIL EAST, BLDG C-2 NAPLES, FLORIDA 34112 TELEPHONE: (239) 252-8375 VivianaGiarimoustas@colliergov.net (Email) This solicitation document is prepared in a Microsoft Word format (Rev 8/7/2017). Any alterations to this document made by the Vendor may be grounds for rejection of proposal, cancellation of any subsequent award, or any other legal remedies available to the Collier County Government. 16.E.3.a Packet Pg. 2399 Attachment: 18-7284 Solicitation (7348 : RFP 18-7284 Payment Processing and Related Services) SOLICITATION PUBLIC NOTICE REQUEST FOR PROPOSAL (RFP) NUMBER: 18-7284 PROJECT TITLE: PAYMENT PROCESSING AND RELATED SERVICES LOCATION: PROCUREMENT SERVICES DIVISION, CONFERENCE ROOM A, 3295 TAMIAMI TRAIL EAST, BLDG C-2, NAPLES, FLORIDA 34112 RFP OPENING DAY/DATE/TIME: Monday, February 26, 2018 at 10:00AM EST PLACE OF RFP OPENING: PROCUREMENT SERVICES DIVISION 3295 TAMIAMI TRAIL EAST, BLDG C-2 NAPLES, FL 34112 All proposals shall be submitted online via the Collier County Procurement Services Division Online Bidding System: https://www.bidsync.com/bidsync-cas/ INTRODUCTION As requested by the Administrative Services Department (hereinafter, the “Department”), the Collier County Board of County Commissioners Procurement Services Division (hereinafter, “County”) has issued this Request for Proposal (hereinafter, “RFP”) with the intent of obtaining proposals from interested and qualified vendors in accordance with the terms, conditions and specifications stated or attached. The vendor, at a minimum, must achieve the requirements of the Specifications or Scope of Work stated. The results of this solicitation may be used by other County departments or Constitutional Offices once awarded according to the Board of County Commissioners Procurement Ordinance. The purpose of this RFP is to select a “single” vendor to provide an enterprise application software and services solution for Point of Sale Transactions, Billing or Payments, Credit Cards and PCI Compliance for various departments. Collier County is composed of four major Departments that currently utilize various and separate solutions to processes approximately $90,000,000 annually via: POS applications, website and mobile interfaces, and third-party transaction services (detailed below). Collier County’s goal is to implement a single integrated system for County wide utilization. However, the solution must be flexible enough to encompass other functions, modules and features, as needed, in the future. The County understands that this will be a complex and extensive, multi- year effort and therefore, interested parties are invited to respond to this RFP outlining their approach to such a project implementation, taking into account that the County is open to hearing from interested parties offering different points of view on the components outlined above. BACKGROUND Collier County’s current Point of Sale Applications, Billing or payments, and Credit Card processing are highly decentralized with many functions, overall management and compliance are being performed by the individual departments. Currently, a limited number of the divisions within the departments, process credit card transactions through point terminals while a smaller number handle credit cards online through some sort of e-business web interface. Since a growing number of additional divisions within the agency plan to implement credit card processing, it is imperative that the process of authorizing, billing or receiving payments, and reconciling of credit card transactions be centralized in a single solution, with both the technical ability to establish and maintain a secure credit card processing gateway, and the accounting acumen to manage the increasing volume of transactions. Additionally, distributed credit card processing implies distributed risk. By centralizing credit card processing, a single vendor and solution is desired to handle sensitive financial information and be responsible for developing and implementing required processing controls. Public Utilities Department The Department currently processes approximately $29,000,000 in credit card transactions annually with the ability to accept chipped cards. Approximately 2% is point of sale, 72% is web payments, and 26% is IVR payments. The Department does not take any payments over the Collier County telephone system. All phone calls are through the IVR and that is a public telephone network line external to the county’s firewall, through Transaction Warehouse. There is a point of sale for solution Solid Waste facilities as well. For credit card payments on the web or IVR, the Department uses Transaction Warehouse (a partner of Harris) as a host and Jet Pay as the 3rd party approver, and for point of sale, Jet Pay, acts as both host and 3rd party approver. The Department also collects credit card monies for the Estoppel program over the web through a locally developed software system, that is hosted and 3rd party approved by Jet Pay. Growth Management Department The Department utilizes Magic Writer solely through the use of mobile devices without any point of sale terminals to process approximately $8,500,000.00 in credit card transactions and $5,000,000.00 in ACH transactions. This solution provides a payment 16.E.3.a Packet Pg. 2400 Attachment: 18-7284 Solicitation (7348 : RFP 18-7284 Payment Processing and Related Services) platform which requires manual processing of all ACH and Credit/Debit Card transactions. The Airport Authority utilizes OMNI machines in three separate locations throughout the county to process approximately $2,250,000 in credit card transactions annually. The sales are not directly connected to a Point of Sale application. PCI compliance has not yet been achieved at these locations and chip readers have not been installed. Manual cash journal entries are required to upload sales data to the SAP financial reporting system. Public Services Department The Parks and Recreation Division currently utilize Active Network as an Activity Management Software Solution (AMSS) that enables staff to serve its customers with greater efficiency and to enhance internal operations. The solution currently provides for easy management, allow for future growth, and deploy easily to functional areas of Parks & Recreation in the areas of Program registrations, Facility reservations, Memberships, League scheduling, Point of sale, Admissions, Payment processing, and Ad hoc reporting. Active Network currently requires that all equipment be purchased separately and, all hosting services are separate from our County’s IT Network. All transactions through Active Network are subject to a transaction fee. Cash/Check transactions processed by staff are subject to a 1.5% fee. All credit card transactions (online or entered by staff) are subject to a 4.25% transaction fee. The division processes approximately $6,000,000 annually total through this solution with $3,000,000 in credit card transactions. Beach parks and boat launch areas utilize credit card machines provided JetPay. The division processes approximately $640,000 annually through these credit card machines. Administrative Services Department The department currently utilizes Magic Writer in the Emergency Medical Services Division to process credit card and ACH payments. Other Constitutional Offices There is a possibility that other Collier County Constitutional Offices will utilize this agreement during implementation or at a later date. TERM OF CONTRACT The contract term, if an award(s) is/are made is intended to be for five (5) years with one (1) three (3) year renewal option. Prices shall remain firm for the initial term of this contract. Surcharges will not be accepted in conjunction with this contract, and such charges should be incorporated into the pricing structure. DETAILED SCOPE OF WORK The Selected Vendor will provide payment processing services for payments made to the County using the vendor provided payment channels, such as but not limited to, walk-in payment locations, self-service payment kiosks, internet/web, mobile and interactive voice response systems. Payments will be processed for various receivables owed to the County. The Selected Vendor will be required to interface with each of its line of business applications (see above and appendix xxx for a listing) using manufacturers approved interfaces. The Selected Vendor will also be required to provide an interface file for batch processing with the agency’s SAP financial system (see section 5. Below). Vendors are invited to respond to this solicitation outlining their approach to such a project implementation, taking into account that the County is open to hearing from interested parties offering different points of view on the components outlined above. Selected Vendor will be responsible for, but not limited to, the following requirements: 1. Cashiering Front-End Provide all front-end systems for Selected Vendor to process County payments, regardless of payment channel. 2. Real-time Payment Processing County operations depend on real-time recording of payments against the receivable. 3. Interfaces The Selected Vendor must create the interface between the Selected Vendor’s own front-end payment processing software and the County’s line of business systems establishing the ability for the Selected Vendor to: • query and search real-time for County debt owed by customer • provide payment transaction information real-time to the County • retrieve County revenue reporting for reconciliation purposes 16.E.3.a Packet Pg. 2401 Attachment: 18-7284 Solicitation (7348 : RFP 18-7284 Payment Processing and Related Services) Selected Vendors must provide payment information through the with each of the County’s line of business applications (see above and appendix xxx for a listing) using manufacturers approved interfaces. The Selected Vendor will also be required to provide an interface file for batch processing with the agency’s SAP financial system (see section 5. Below).. Selected Vendors must be able to provide the necessary information using a secure authentication method and provide data formatted as required by the line of business applications vendors. Selected Vendor must work with the County’s Information Technology Division and the line of business application vendors to achieve the required secured connection and communication. The Selected Vendor must also create interfaces to the County’s existing (contracted–out) payment processing Selected Vendor systems to: • process payment card payments • process ACH payments • process check images 4. Hosting The Selected Vendor will be responsible for hosting and maintaining the services and providing IT support for county staff. Please note, Collier County will not consider any solicitation the does not include hosting services. 5. Current Financial System Collier County’s financials are managed within SAP, which is at current and fully supported release levels, namely SAP ECC 6.0 – Enhancement Pack 7. The SAP application uses the following modules: FI, CO, FM, AP, MM, SD (Misc. Billing), BCS, HR, BN, and PY. In addition to these core SAP modules, the invoice payment and approval process is managed and optimized using an SAP integrated solution called Dolphin PTS-AP. 6. Payment Deposits The Selected Vendor is required to initially and directly deposit, immediately or next banking day depending on payment type as directed by the County, all payments received on behalf of the County into a County owned bank account. All payments are to be deposited in whole, without reduction of any kind by the Selected Vendor. Selected Vendor will use County obtained Merchant accounts for any payment processing, as required. Selected Vendor must reimburse the County for any lost interest when payments to the County are not deposited as required to the designated depository. The lost interest will be calculated based on the average federal funds rate for the period during which the deposits were not made as required. 7. Reconciliation Selected Vendor is required to reconcile each day’s payment collections to County system reports of revenue recorded and to daily deposits into County bank accounts. All discrepancies must be investigated and resolved, and findings provided to the County for related adjustments. 8. Revenue Shortages The Selected Vendor is required to reimburse the County for all vendor caused Revenue Shortages, payments collected on behalf of the County, which are not accounted for, are lost, misdirected, or otherwise not provided to the County as required. 9. Returned Payments For all payments originally processed by the Selected Vendor, the Selected Vendor is required to: • monitor, manage and respond to any payment challenges • Enter information, as defined by the County, into County systems for all returned payments, regardless of payment type. 10. Workflow Mapping Selected Vendor must provide and maintain application and business workflows for current and revised workflow processes during the term of the Agreement. In the event of new technologies that become available and which may enhance or may otherwise be provided as an additional service under the terms of the Agreement, the Selected Vendor may provide such business transaction opportunities to the County. The County reserves the right to incorporate such changes if deemed to be in the best interest of the County. 11. Training The Selected Vendor must train and manage quality controls of its personnel to adapt the business processes associated with such training instructions and guidelines, and monitor performance on an ongoing basis. Selected Vendor staff must establish the expertise to search for all debt related to a particular transaction and provide the needed customer service needed to properly complete the transaction. 12. PCI and Data Security Compliance In as much as the County is required to have its outside Selected Vendors comply with the latest PCI requirements as determined by 16.E.3.a Packet Pg. 2402 Attachment: 18-7284 Solicitation (7348 : RFP 18-7284 Payment Processing and Related Services) certified PCI Compliance authorities, so too must the Selected Vendor be required to submit to those standards as may be applicable and to provide industry accepted documentation of their compliance. 13. HIPAA and HITECH Act Compliance Any information and transactions involving personal information which require compliance with the most current Health Information Portability and Accountability Act requirements must be provided for by the Selected Vendor. 14. Security Protocols The Selected Vendor must provide for electronic and hardcopy security of all Collier County related documents and all other related data while in the Selected Vendor’s custody and control. Selected Vendor must provide to the County, upon request, the identification of personnel who will be providing services under the Agreement, and any details which may be required by the County of such personnel for security purposes. Personnel will also be required to be fingerprinted and approved per the agency fingerprinting ordinance. 15. Reporting The Selected Vendor will be required to provide reports to the County which will include, but are not limited to: a. Any instance of lost, stolen, misdirected, not delivered, or breach in security, even if temporary, must immediately be reported to the authorized representative of the Department managing the Agreement. Selected Vendor will be responsible for all costs associated with a breach including, but not limited to, notifications and credit reporting to impacted individuals, legal fees and fines, any other costs associated with a data breach. b. Any instance of a system application or other communication line being unavailable for a customer’s use (downtime), must be reported to the authorized representative of the Department managing the Agreement. c. Selected Vendor must provide County with online access to daily and monthly reconciliation reports to allow County personnel to account for and reconcile receipts collected through the Selected Vendor’s system. d. Selected Vendor must provide a usage report to Department at least on a monthly basis, and more frequently if so requested, indicating the following metrics per transaction made (or attempted to be made) for all payments: o range of dates for the reporting period o dates and time of day when transaction occurred o location where transaction occurred o number of transactions made, by payment type  check, ACH or image  payment card  U.S. currency o identify which transaction resulted in a transaction error o number of errors made o number of reported problems o time of downtime incurred o total amount of payments made e. Selected Vendor must provide a reporting format to compare against the County’s revenue collection report, to facilitate an efficient account reconciliation review by the authorized representative of the Department. f. Other reports as requested by the County. 16. Back-up Documentation Selected Vendor must provide a reliable process for maintaining a copy of each completed transaction, in the event of system crash or other business interruption, such that the completed transaction record can be replicated, if necessary. 17. Convenience Fee Any Convenience Fee charged to the Customer, if applicable, by the Selected Vendor must be agreed upon by the County and will be pursuant to the Agreement between the County and Selected Vendor. The Convenience Fee may be a set fee or a percentage of the payment amount. 18. Customer Service Selected Vendor will be required to provide customer service support to customers in relation to payments processed by Selected Vendor. 19. Refunds Selected Vendor will not process any refunds, or return payments to customers after settlement, without expressed written authority from the County. 20. Scheduled Recurring Payments The Selected Vendor may provide scheduled payment processing services allowing County customers to provide needed payment information and have a series of scheduled recurring payments automatically submitted to the County for posting to receivables of 16.E.3.a Packet Pg. 2403 Attachment: 18-7284 Solicitation (7348 : RFP 18-7284 Payment Processing and Related Services) various debt types. 21. Single User Sign-On The Selected Vendor’s internet payment channel may provide the option for customers to create a secure account with the ability to voluntarily link debt from various County receivable systems. Customers creating such an account would be able to sign-on to this account as needed to view and pay debt associated with the account. REQUEST FOR PROPOSAL (RFP) PROCESS 1.1 The Proposers will submit a qualifications proposal which will be scored based on the criteria in Section 5.0 Grading Criteria for Development of Shortlist, which will be the basis for short-listing firms. The Proposers will need to meet the minimum requirements outlined herein in order for their proposal to be evaluated and scored by the COUNTY. The COUNTY will then grade and rank the firms and enter into negotiations with the top ranked firm to establish cost for the services needed. With successful negotiations, a contract will be developed with the selected firm, based on the negotiated price and scope of services and submitted for approval by the Board of County Commissioners. 1.2 The COUNTY will use a Selection Committee in the Request for Proposal selection process. 1.3 The intent of the scoring of the qualifications proposal is for respondents to indicate their interest, relevant experience, financial capability, staffing and organizational structure. 1.4 Based upon a review of these qualification proposals, the COUNTY will rank the Proposers based on the discussion and clarifying questions on their approach and related criteria, and then negotiate in good faith an Agreement with the top ranked Proposer. 1.5 If, in the sole judgment of the COUNTY, a contract cannot be successfully negotiated with the top-ranked firm, negotiations with that firm will be formally terminated and negotiations shall begin with the firm ranked second. If a contract cannot be successfully negotiated with the firm ranked second, negotiations with that firm will be formally terminated and negotiations shall begin with the third ranked firm, and so on. The COUNTY reserves the right to negotiate any element of the proposals in the best interest of the COUNTY. GRADING CRITERIA FOR DEVELOPMENT OF SHORTLIST: 1.6 For the development of a shortlist, this evaluation criterion will be utilized by the COUNTY’S Selection Committee to score each proposal. Proposers are encouraged to keep their submittals concise and to include a minimum of marketing materials. Proposals must address the following criteria: Evaluation Criteria Maximum Points 1. Cover Letter / Management Summary 5 Points 2. Certified Minority Business Enterprise 5 Points 3. Business Plan 20 Points 4. Cost of Services to the County 20 Points 5. Experience and Capacity of the Firm 20 Points 6. Specialized Expertise of Team Members 20 Points 7. Local Vendor Preference 10 Points TOTAL POSSIBLE POINTS 100 Points Tie Breaker: In the event of a tie at final ranking, award shall be made to the proposer with the lower volume of work previously awarded. Volume of work shall be calculated based upon total dollars paid to the proposer in the twenty-four (24) months prior to the RFP submittal deadline. Payment information will be retrieved from the County’s financial system of record. The tie breaking procedure is only applied in the final ranking step of the selection process and is invoked by the Procurement Services Division Director or designee. In the event a tie still exists, selection will be determined based on random selection by the Procurement Services Director before at least three (3) witnesses. ---------------------------------------------------------------------------------------------------------------------------------------------------------- Each criterion and methodology for scoring is further described below. EVALUATION CRITERIA NO. 1: COVER LETTER/MANAGEMENT SUMMARY (5 Total Points Available) Provide a cover letter, signed by an authorized officer of the firm, indicating the underlying philosophy of the firm in providing the services stated herein. Include the name(s), telephone number(s) and email(s) of the authorized contact person(s) concerning proposal. Submission of a signed Proposal is Vendor's certification that the Vendor will accept any awards as a result of this RFP. 16.E.3.a Packet Pg. 2404 Attachment: 18-7284 Solicitation (7348 : RFP 18-7284 Payment Processing and Related Services) EVALUATION CRITERIA NO. 2: CERTIFIED MINORITY BUSINESS ENTERPRISE (5 Total Points Available) Submit certification with the Florida Department of Management Service, Office of Supplier Diversity as a Certified Minority Business Enterprise. EVALUATION CRITERIA NO. 3: BUSINESS PLAN (20 Total Points Available) In this tab, include but not limited to: • Detailed plan of approach (including major tasks and sub-tasks). Describe and demonstrate the technical expertise and capabilities to process the outlined transaction volumes, amounts, and tracking to without interruption. • Detailed time line for implementation of the project. • Include with the Business Plan or as an attachment, an example of work product(s). This should be for one of the projects listed as a reference. EVALUATION CRITERIA NO. 4: COST OF SERVICES TO THE COUNTY (20 Total Points Available) In this tab, include but not limited to: • Provide the projected total cost and estimated calendar day duration (including projected hours) for which your firm will provide the work as described in this RFP. • Provide a schedule of merchant or related fees, maintenance, chargeback fees, etc. which should include pricing for any convenience fees. Please discuss any special rules pertaining to convenience fees and credit/debit card fees. • Provide pricing variation for each transaction type (ACH, credit cards, etc.) per transaction EVALUATION CRITERIA NO. 5: EXPERIENCE AND CAPACITY OF THE FIRM (20 Total Points Available) In this tab, include but not limited to: • Provide information that documents your firm’s and subcontractors’ qualifications to produce the required deliverables, including abilities, capacity, skill, and financial strength, and number of years of experience in providing the required services. • Respondent must provide evidence of their PCI DSS compliance, including evidence for any subcontractors, third party processors and any other involved parties. • Describe the various team members’ successful experience in working with one another on previous projects. The County requests that the vendor submits three (3) completed reference forms from clients whose projects are of a similar nature to this solicitation as a part of their proposal. Provide information on the projects completed by the vendor that best represent projects of similar size, scope and complexity of this project using form provided on the online bidding system. Vendors may include two (2) additional pages for each project to illustrate aspects of the completed project that provides the information to assess the experience of the Proposer on relevant project work. EVALUATION CRITERIA NO. 6: SPECIALIZED EXPERTISE OF TEAM MEMBERS (20 Total Points Available) In this tab, include but not limited to: • Description of the proposed contract team and the role to be played by each member of the team. • Attach brief resumes of all proposed project team members who will be involved in the management of the total package of services, as well as the delivery of specific services. • Attach resumes of any sub-vendors and attach letters of intent from stated sub-vendors must be included with proposal submission. EVALUATION CRITERIA NO. 7: LOCAL VENDOR PREFERENCE (10 Total Points Available) Local business is defined as the vendor having a current Business Tax Receipt issued by the Collier or Lee County Tax Collector for at least one year prior to proposal submission to do business within Collier County, and that identifies the business with a permanent physical business address located within the limits of Collier or Lee County from which the vendor’s staff operates and performs business in an area zoned for the conduct of such business. 16.E.3.a Packet Pg. 2405 Attachment: 18-7284 Solicitation (7348 : RFP 18-7284 Payment Processing and Related Services) INSURANCE AND BONDING REQUIREMENTS Insurance / Bond Type Required Limits 1. Worker’s Compensation Statutory Limits of Florida Statutes, Chapter 440 and all Federal Government Statutory Limits and Requirements Evidence of Workers’ Compensation coverage or a Certificate of Exemption issued by the State of Florida is required. Entities that are formed as Sole Proprietorships shall not be required to provide a proof of exemption. An application for exemption can be obtained online at https://apps.fldfs.com/bocexempt/ 2. X Employer’s Liability $_100,000 single limit per occurrence 3. X Commercial General Liability (Occurrence Form) patterned after the current ISO form Bodily Injury and Property Damage $1.000,000_single limit per occurrence, $2,000,000 aggregate for Bodily Injury Liability and Property Damage Liability. This shall include Premises and Operations; Independent Contractors; Products and Completed Operations and Contractual Liability. 4. X Indemnification To the maximum extent permitted by Florida law, the Contractor/Vendor shall defend, indemnify and hold harmless Collier County, its officers and employees from any and all liabilities, damages, losses and costs, including, but not limited to, reasonable attorneys’ fees and paralegals’ fees, to the extent caused by the negligence, recklessness, or intentionally wrongful conduct of the Contractor/ Vendor or anyone employed or utilized by the Contractor/Vendor in the performance of this Agreement. 5. Automobile Liability $_________ Each Occurrence; Bodily Injury & Property Damage, Owned/Non-owned/Hired; Automobile Included 6. Other insurance as noted: Watercraft $ __________ Per Occurrence United States Longshoreman's and Harborworker's Act coverage shall be maintained where applicable to the completion of the work. $ __________ Per Occurrence Maritime Coverage (Jones Act) shall be maintained where applicable to the completion of the work. $ __________ Per Occurrence Aircraft Liability coverage shall be carried in limits of not less than $5,000,000 each occurrence if applicable to the completion of the Services under this Agreement. $ __________ Per Occurrence Pollution $ __________ Per Occurrence Professional Liability $ ___________ Per claim & in the aggregate Project Professional Liability $__________ Per Occurrence Valuable Papers Insurance $__________ Per Occurrence X Cyber Liability $5,000,000 Per Occurrence X Technology Errors & Omissions $5,000,000 Per Occurrence 7. Bid bond Shall be submitted with proposal response in the form of certified funds, cashiers’ check or an irrevocable letter of credit, a cash bond posted with the County Clerk, or proposal bond in a sum equal to 5% of the cost proposal. All checks shall be made payable to the 16.E.3.a Packet Pg. 2406 Attachment: 18-7284 Solicitation (7348 : RFP 18-7284 Payment Processing and Related Services) Collier County Board of County Commissioners on a bank or trust company located in the State of Florida and insured by the Federal Deposit Insurance Corporation. 8. Performance and Payment Bonds For projects in excess of $200,000, bonds shall be submitted with the executed contract by Proposers receiving award, and written for 100% of the Contract award amount, the cost borne by the Proposer receiving an award. The Performance and Payment Bonds shall be underwritten by a surety authorized to do business in the State of Florida and otherwise acceptable to Owner; provided, however, the surety shall be rated as “A-“ or better as to general policy holders rating and Class V or higher rating as to financial size category and the amount required shall not exceed 5% of the reported policy holders’ surplus, all as reported in the most current Best Key Rating Guide, published by A.M. Best Company, Inc. of 75 Fulton Street, New York, New York 10038. 9. Vendor shall ensure that all subcontractors comply with the same insurance requirements that he is required to meet. The same Vendor shall provide County with certificates of insurance meeting the required insurance provisions. 10. Collier County must be named as "ADDITIONAL INSURED" on the Insurance Certificate for Commercial General Liability where required. This insurance shall be primary and non-contributory with respect to any other insurance maintained by, or available for the benefit of, the Additional Insured and the Vendor’s policy shall be endorsed accordingly. 11. The Certificate Holder shall be named as Collier County Board of County Commissioners, OR, Board of County Commissioners in Collier County, OR Collier County Government, OR Collier County. The Certificates of Insurance must state the Contract Number, or Project Number, or specific Project description, or must read: For any and all work performed on behalf of Collier County. 12. Thirty (30) Days Cancellation Notice required. ________________________________________________________________________________________ 16.E.3.a Packet Pg. 2407 Attachment: 18-7284 Solicitation (7348 : RFP 18-7284 Payment Processing and Related Services) Selection CommitteeFinal Ranking SheetRFP #: 18-7284Title: Payment Processing and Related ServicesName of Firm Teresa Lee Sean Evelyn Ilonka TotalSelection CommitteeFinal Rank JetPay1111151.0000ACI Worldwide Corp.23322122.0000Point Pay LLC32233133.0000Gila LLC44444204.0000Procurement Professional Viviana GiarimoustasStep 1: Upon direction by the Procurement professional, the individual selection committee member should provide their ranking of the proposals (from highest being number one (1) to lowest. Step 2: The procurement professional will review the mathematically calculated final rank and discuss the rank order and determine if consensus is reached.Page 1 of 116.E.3.bPacket Pg. 2408Attachment: 18-7284 Final Ranking (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.c Packet Pg. 2409 Attachment: 18-7284 Notice of Recommended Award (7348 : RFP 18-7284 Payment Processing and Related Services) 1 ADDENDUM #1 Memorandum Date: January 2, 2018 From: Viviana Giarimoustas, Procurement Strategist To: Interested Parties Subject: RFP 18-7284 Payment Processing and Related Services The terms for this agreement have changed. Previously the terms were for five (5) years with one (1) three (3) year renewal option. The five (5) year initial term remains the same, however the renewal option will now be two (2) three (3) year renewal option. If you require additional information please call Viviana Giarimoustas, Purchasing Department at 239- 252-8375 or by e-mail at VivianaGiarimoustas@colliergov.net . Thank you. Email: VivianaGiarimoustas@colliergov.net Telephone: (239) 252-8375 16.E.3.d Packet Pg. 2410 Attachment: 18-7284 Addendum #1 (7348 : RFP 18-7284 Payment Processing and Related Services) SHOULD ANY OF THE ABOVE DESCRIBED POLICIES BE CANCELLED BEFORE THE EXPIRATION DATE THEREOF, NOTICE WILL BE DELIVERED IN ACCORDANCE WITH THE POLICY PROVISIONS. INSURER(S) AFFORDING COVERAGE INSURER F : INSURER E : INSURER D : INSURER C : INSURER B : INSURER A : NAIC # NAME:CONTACT (A/C, No):FAX E-MAILADDRESS: PRODUCER (A/C, No, Ext):PHONE INSURED REVISION NUMBER:CERTIFICATE NUMBER:COVERAGES IMPORTANT: If the certificate holder is an ADDITIONAL INSURED, the policy(ies) must have ADDITIONAL INSURED provisions or be endorsed. If SUBROGATION IS WAIVED, subject to the terms and conditions of the policy, certain policies may require an endorsement. A statement on this certificate does not confer rights to the certificate holder in lieu of such endorsement(s). THIS CERTIFICATE IS ISSUED AS A MATTER OF INFORMATION ONLY AND CONFERS NO RIGHTS UPON THE CERTIFICATE HOLDER. THIS CERTIFICATE DOES NOT AFFIRMATIVELY OR NEGATIVELY AMEND, EXTEND OR ALTER THE COVERAGE AFFORDED BY THE POLICIES BELOW. THIS CERTIFICATE OF INSURANCE DOES NOT CONSTITUTE A CONTRACT BETWEEN THE ISSUING INSURER(S), AUTHORIZED REPRESENTATIVE OR PRODUCER, AND THE CERTIFICATE HOLDER. OTHER: (Per accident) (Ea accident) $ $ N / A SUBR WVD ADDL INSD THIS IS TO CERTIFY THAT THE POLICIES OF INSURANCE LISTED BELOW HAVE BEEN ISSUED TO THE INSURED NAMED ABOVE FOR THE POLICY PERIOD INDICATED. NOTWITHSTANDING ANY REQUIREMENT, TERM OR CONDITION OF ANY CONTRACT OR OTHER DOCUMENT WITH RESPECT TO WHICH THIS CERTIFICATE MAY BE ISSUED OR MAY PERTAIN, THE INSURANCE AFFORDED BY THE POLICIES DESCRIBED HEREIN IS SUBJECT TO ALL THE TERMS, EXCLUSIONS AND CONDITIONS OF SUCH POLICIES. LIMITS SHOWN MAY HAVE BEEN REDUCED BY PAID CLAIMS. $ $ $ $PROPERTY DAMAGE BODILY INJURY (Per accident) BODILY INJURY (Per person) COMBINED SINGLE LIMIT AUTOS ONLY AUTOSAUTOS ONLY NON-OWNED SCHEDULEDOWNED ANY AUTO AUTOMOBILE LIABILITY Y / N WORKERS COMPENSATION AND EMPLOYERS' LIABILITY OFFICER/MEMBER EXCLUDED? (Mandatory in NH) DESCRIPTION OF OPERATIONS below If yes, describe under ANY PROPRIETOR/PARTNER/EXECUTIVE $ $ $ E.L. DISEASE - POLICY LIMIT E.L. DISEASE - EA EMPLOYEE E.L. EACH ACCIDENT EROTH-STATUTEPER LIMITS(MM/DD/YYYY)POLICY EXP(MM/DD/YYYY)POLICY EFFPOLICY NUMBERTYPE OF INSURANCELTRINSR DESCRIPTION OF OPERATIONS / LOCATIONS / VEHICLES (ACORD 101, Additional Remarks Schedule, may be attached if more space is required) EXCESS LIAB UMBRELLA LIAB $EACH OCCURRENCE $AGGREGATE $ OCCUR CLAIMS-MADE DED RETENTION $ $PRODUCTS - COMP/OP AGG $GENERAL AGGREGATE $PERSONAL & ADV INJURY $MED EXP (Any one person) $EACH OCCURRENCE DAMAGE TO RENTED $PREMISES (Ea occurrence) COMMERCIAL GENERAL LIABILITY CLAIMS-MADE OCCUR GEN'L AGGREGATE LIMIT APPLIES PER: POLICY PRO-JECT LOC CERTIFICATE OF LIABILITY INSURANCE DATE (MM/DD/YYYY) CANCELLATION AUTHORIZED REPRESENTATIVE ACORD 25 (2016/03) © 1988-2016 ACORD CORPORATION. All rights reserved. CERTIFICATE HOLDER The ACORD name and logo are registered marks of ACORD HIRED AUTOS ONLY Willis of Pennsylvania, Inc. c/o 26 Century Blvd P.O. Box 305191 Nashville, TN 372305191 USA JetPay Corporation 3939 West Drive Attn: Gregory Krzemien Center Valley, PA 18034 Additional Named Insureds: JetPay Payment Services, TX, LLC, JetPay Payment Services, FL, LLC, JetPay Payment Services, PA, LLC, JetPay HR & Payroll Services, Inc., Payroll Tax Filing Services, Inc., JetPay ISO Services LLC, JetPay Merchant Services LLC, JetPay, LLC, ACI Merchant Systems, LLC, CollectorSolutions, Inc., CollectorSolutions, LLC SEE ATTACHED Collier County Board of County Commissioners 3295 Tamiami Trail E Naples, FL 34112 11/14/2018 1-877-945-7378 1-888-467-2378 certificates@willis.com Charter Oak Fire Insurance Company 25615 Travelers Property Casualty Company of Ame Travelers Casualty Insurance Company of Am 25674 19046 National Union Fire Insurance Company of P 19445 AXIS Insurance Company 37273 W8837514 A 1,000,000 1,000,000 15,000 1,000,000 2,000,000 2,000,000 Y 630 9K730803 06/21/2018 06/21/2019 B 1,000,000 06/21/201906/21/2018YBA 9K730803 B 10,000,000 0 CUP 9K823988 06/21/2018 06/21/2019 10,000,000 UB-009K82006AC 1,000,00006/21/2018 06/21/2019 1,000,000 1,000,000 D Cyber Ins./Privacy Liability See below01-565-69-08 06/21/2018 06/21/2019 95372517047454SR ID:BATCH: Page 1 of 2 16.E.3.e Packet Pg. 2411 Attachment: Collier County Insuracne Certificate Approved by Risk (7348 : RFP 18-7284 Payment Processing and Related Services) ACORD 101 (2008/01) The ACORD name and logo are registered marks of ACORD © 2008 ACORD CORPORATION. All rights reserved. THIS ADDITIONAL REMARKS FORM IS A SCHEDULE TO ACORD FORM, FORM NUMBER:FORM TITLE: ADDITIONAL REMARKS ADDITIONAL REMARKS SCHEDULE Page of AGENCY CUSTOMER ID: LOC #: AGENCY CARRIER NAIC CODE POLICY NUMBER NAMED INSURED EFFECTIVE DATE: JetPay Corporation 3939 West Drive Attn: Gregory Krzemien Center Valley, PA 18034 Named Insureds Include: JetPay Payment Services, TX, LLC, JetPay Payment Services, FL, LLC, JetPay Payment Services, PA, LLC, JetPay HR & Payroll Services, Inc., Payroll Tax Filing Services, Inc.; JetPay ISO Services, LLC; JetPay Merchant Services, LLC; JetPay LLC; ACI Merchant Systems LLC; AD Computer Corporation dba JetPay Payroll Services; Collector Solutions, Inc.; Collector Solutions, LLC Cyber Insurance / Privacy Liability: Technology Errors and Omissions: $7,500,000 Network Security Liability: $7,500,000 Cyber/Privacy Liability: $7,500,000 Data Breach Fund: $2,500,000 Cyber Extortion: $7,500,000 Miscellaneous Professional Services: Each Claim: $7,500,000 / Aggregate: $7,500,000 Retention: $100,000 Solely in the performance of Payroll Management Services for others for a fee. Re: For any and all work performed on behalf of Collier County. Collier County Board of County Commissioners, OR, Board of County Commissioners in Collier County, OR, Collier County Government, OR, Collier County are included as an Additional Insured as respects to General Liability and Auto Liability. General Liability and Auto Liability policy(ies) shall be Primary and Non-Contributory with any other insurance in force for or which may be purchased by Collier County Board of County Commissioners, OR, Board of County Commissioners in Collier County, OR, Collier County Government, OR, Collier County. INSURER AFFORDING COVERAGE: AXIS Insurance Company NAIC#: 37273 POLICY NUMBER: MNN 631210/01/2018 EFF DATE: 06/21/2018 EXP DATE: 06/21/2019 TYPE OF INSURANCE: LIMIT DESCRIPTION: LIMIT AMOUNT: Crime See Below ADDITIONAL REMARKS: Employee Theft: $3,000,000 Premises: $125,000 In Transit: $125,000 Forgery: $3,000,000 Computer Fraud: $3,000,000 Funds Transfer Fraud: $3,000,000 Money Order and Counterfeit Currency Fraud: $250,000 Client Coverage: $1,000,000 Expense Coverage: $25,000 2 2 Willis of Pennsylvania, Inc. See Page 1 See Page 1 See Page 1 See Page 1 25 Certificate of Liability Insurance W8837514CERT:953725BATCH:17047454SR ID: 16.E.3.e Packet Pg. 2412 Attachment: Collier County Insuracne Certificate Approved by Risk (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.hPacket Pg. 2413Attachment: Merchant Card Processing Terms and Conditions CAO approved (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.hPacket Pg. 2414Attachment: Merchant Card Processing Terms and Conditions CAO approved (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.hPacket Pg. 2415Attachment: Merchant Card Processing Terms and Conditions CAO approved (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.hPacket Pg. 2416Attachment: Merchant Card Processing Terms and Conditions CAO approved (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.hPacket Pg. 2417Attachment: Merchant Card Processing Terms and Conditions CAO approved (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.hPacket Pg. 2418Attachment: Merchant Card Processing Terms and Conditions CAO approved (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.hPacket Pg. 2419Attachment: Merchant Card Processing Terms and Conditions CAO approved (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.hPacket Pg. 2420Attachment: Merchant Card Processing Terms and Conditions CAO approved (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.hPacket Pg. 2421Attachment: Merchant Card Processing Terms and Conditions CAO approved (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.hPacket Pg. 2422Attachment: Merchant Card Processing Terms and Conditions CAO approved (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.hPacket Pg. 2423Attachment: Merchant Card Processing Terms and Conditions CAO approved (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.hPacket Pg. 2424Attachment: Merchant Card Processing Terms and Conditions CAO approved (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.hPacket Pg. 2425Attachment: Merchant Card Processing Terms and Conditions CAO approved (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.hPacket Pg. 2426Attachment: Merchant Card Processing Terms and Conditions CAO approved (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.hPacket Pg. 2427Attachment: Merchant Card Processing Terms and Conditions CAO approved (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.hPacket Pg. 2428Attachment: Merchant Card Processing Terms and Conditions CAO approved (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.hPacket Pg. 2429Attachment: Merchant Card Processing Terms and Conditions CAO approved (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.hPacket Pg. 2430Attachment: Merchant Card Processing Terms and Conditions CAO approved (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.hPacket Pg. 2431Attachment: Merchant Card Processing Terms and Conditions CAO approved (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.hPacket Pg. 2432Attachment: Merchant Card Processing Terms and Conditions CAO approved (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.hPacket Pg. 2433Attachment: Merchant Card Processing Terms and Conditions CAO approved (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.hPacket Pg. 2434Attachment: Merchant Card Processing Terms and Conditions CAO approved (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.hPacket Pg. 2435Attachment: Merchant Card Processing Terms and Conditions CAO approved (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.hPacket Pg. 2436Attachment: Merchant Card Processing Terms and Conditions CAO approved (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.hPacket Pg. 2437Attachment: Merchant Card Processing Terms and Conditions CAO approved (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.hPacket Pg. 2438Attachment: Merchant Card Processing Terms and Conditions CAO approved (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.hPacket Pg. 2439Attachment: Merchant Card Processing Terms and Conditions CAO approved (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.hPacket Pg. 2440Attachment: Merchant Card Processing Terms and Conditions CAO approved (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.hPacket Pg. 2441Attachment: Merchant Card Processing Terms and Conditions CAO approved (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.i Packet Pg. 2442 Attachment: JetPay Bank Disclosure (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.j Packet Pg. 2443 Attachment: JetPay Business Associate Agreement (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.j Packet Pg. 2444 Attachment: JetPay Business Associate Agreement (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.j Packet Pg. 2445 Attachment: JetPay Business Associate Agreement (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.j Packet Pg. 2446 Attachment: JetPay Business Associate Agreement (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.j Packet Pg. 2447 Attachment: JetPay Business Associate Agreement (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.j Packet Pg. 2448 Attachment: JetPay Business Associate Agreement (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.j Packet Pg. 2449 Attachment: JetPay Business Associate Agreement (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.j Packet Pg. 2450 Attachment: JetPay Business Associate Agreement (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.j Packet Pg. 2451 Attachment: JetPay Business Associate Agreement (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.k Packet Pg. 2452 Attachment: JetPay Merchant Application and Agreement (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.k Packet Pg. 2453 Attachment: JetPay Merchant Application and Agreement (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.k Packet Pg. 2454 Attachment: JetPay Merchant Application and Agreement (7348 : RFP 18-7284 Payment Processing and Related Services) 16.E.3.k Packet Pg. 2455 Attachment: JetPay Merchant Application and Agreement (7348 : RFP 18-7284 Payment Processing and Related Services) EXHIBIT A TO MERCHANT CARD PROCESSING TERMS AND CONDITIONS Coiliat- Couxty IWINnIiWllvn Sorvinoi DupaNnonl MaCUle,nenl5emcea Olvlaion COLLIER COUNTY BOARD OF COUNTY COMMISSIONERS REQUEST FOR PROPOSAL (RFP) FOR PAYMENT PROCESSING AND RELATED SERVICES SOLICITATION NO.. 18-7284 VIVIANA GIARIIVIOUSTAS, PROCUREMENT STRATEGIST PROCUREMENT SERVICES DIVISION 3295 TANIIAMI TRAIL EAST, BLDG C-2 NAPLES, FLORIDA 34112 TELEPHONE: (239) 252-8375 ViviartaGiarimoustas@colliergov.net (Email) This solicitation document is prepared in a Microsoft Word format (R.ev 8/7/2017). Any alterations to this document made by the Vendor may ba grounds for rejection of proposal, cancellation of any subsequent award, or any other legal remedies available. to the Collier County Government. SOLlC1TATION PUBLIC NOTICE REQUEST FOR PROPOSAL (RFP) 18-"1284 NUMBER• PROdF.CT TITLE: VMENT PROC AND REL GANGES IACATION: PROOI RE NT SERVICES DIVISION CONFERENCE ROOM A 3299 IAMI TRAIL T BLDG C 2 N CLORIDA 3 2 RFP OPENING DAY/DATElP[ME: r rNT 26 2 1S at 10• AM EST PLACE OF RFP OPENING: PROCU F SERVICES DIVISION 3295 TAMIAMI T L E ST BLOO C-2 NAPLES. FL 34112 All proposals shall be submitted ovllne via the Collier County Procurement Servlcea Divlaion Online Bidding Syst¢m: h / bid /b"tl s/ TRODU Aa requested by the Adminisba[ive Services Department (hereinafter, th¢ `•Department"), the Collier County Boartl of County Commission¢rs Procurement Services Division (hereinafter, "County") has i sued This Request for Proposal (hereinafter, "RFP") with the intens o£ obtaining proposals Nom intercatetl and qualified vendors t accordance witfi the terms, contlitions and specifications stated or anachcd. Th¢ vendor, at a minimum, must achieve the requirements of the Specifications or Scope o£ Work stated. The results of this solicitation may be used by other County departments or Conshmtional Offices once eward¢d according to the Board of County Commissioners Procurement Ortlinancc. The purpose o£[his RFP is to select a "single" ventlor m provide en enterprise application software and services solution for Point of Sale Transactions, Billing or Payments, Credit Cards and PCI Compliance for various departments. Collier County is composed of four major Departments the[ currently utilize various and separate solutions to processes approximaMly $90,000,000 annually via: POS applications, website entl mobile interfaces, and thirtl-party transections a (detailed below). Collier County's goal is to implement a single integrated system for County wide utaization. However, the solution must be flexible enough to encompass other functions, modules and features, as needed, in the future. The County understands that this will be a complex and extensive, multi- year eRbrt and therefore, interested parties are invited to respond to [his RPP outlining their approach to such a project mplementation, taking into account chat eh¢ County is open to hearing from interested partite offering di£fermt points ofview on the components outlined above. HA D Collier County's current Point o£ Sale Applications, Billing or payments, antl CreAi[ Card processing are fiighly decentralized with any firncHons, overall management and compliance are being performed by the individual departments. Currently, a Itmitetl number o£the divisions within the tlepartmen[s, process crctli[ card transactions through point terminals while a smaller number hentlle cretlit cards online through some sort o£o-business web :nte� ce. Since a growing number of additional tlivisions within the agency plan to implement credit cartl processing, it is imperative that the process o£authorizing, billing or receiving payments, end reconciling of credit card transactions be centraliz¢d i ingie solution, with both the technical ability to establish and maintain a cu credit card processing gateway, and the accounting acumen to menage the in easing volume of transactions. Additionally, tliatributed rcdit card processing implies distributed Nsk. By centralizing credit card processing, a singb vendor and solution is desimd to handle sensitive financial information end be responsible for developing and implementing requiretl processing controls. Public Utlutiea Department The Department currently processes approximately $29,000,000 in credit card trensactions annually with [he ability to accept chipped cabs. Approximately 2% is point of sale, 72% is web payments, antl 26% is IVR payments. The Departmrn[ does not talc¢ any payments over [ha Collier County telephone system. All phone calls are through [he IVR and that is a public telephone network line wcteniel to the county's firewall, through Transaction Warehouse. There is a point o£sale for solution Solid Waste facilities as well. Por credit card payments on [he web or IVR, the Department uses Transaction Warehouse (a partner of Harris) es a hos[ and Jet Pey as the 3rd party approver, and for point of sale, Jet Pay, seta as both hos[ and 3rd party approver. The Department also collects credit and monies for the Estoppel program over [he web through a locally developed software system, That is hosted and 3rd party approved by Jct Pay. Growth Mana¢ement Denar[ment The Department utilizes Magic Writer solely through the use of mobilo devices without any point of sale terminals to process approximately $8,500,000.00 in cretlit card transactions antl $5,000,000.00 in ACH transactions. This solution provitles a payment CAO platform which requires manual processing o£ell ACH and CrediVDebit Cerd transactions Th¢ Airport Authority utilizes OMNI machines in three separate locations throughout the county [o process approximately $2,250,000 in redi[ card transactions annually. The sales ere no[ directly conneMetl to a Point of Salo application. PCI compliance has no[ yet been achieved et [hese locations entl chip readers have not been installed. Manvai cash journal entries ate required to upload sales data [o the SAP Rrtencial reporting system. Pu bile Services Deoartment The Parks and Recreation Division c eptly utilize Actio¢ Network a n Activity Mmag¢men[ Software Solution (AMSS) that nobles staff to s ¢its customers with great¢r efficiency end to enhance internal operations. The solution currentty provitles £or asy m nagemen; allow for furore growth, end deploy easily to tbnctional areas of Parks 8c Recreation in the areas of Program regismetiona, Facility reservations, Memberships, League scheduling, Point of sale, Admissions, Payment processing, and Ad hoc reporting. Actio¢ Network currently requir¢s [hat all equipment be purchased separetely end, all hosting services ora separate Rom our County's IT Network. All transactims Yhrough Active Network a subject to a transaction fee. Cash/ChecK transactions processed by staff are subject to a 1.3%fee. All credit card transactions (online or entered by staff) are subject toe 4.25%transaction fee. The division processes approximately $6,000,000 annually total through chis solution with $3,000,000 in credit card trmsactions. Beach parks end boat launch areas utilize credit card machines provided I¢tPay. The division processes approximately $640,000 annually through these cretlit card machines. Atl 1 f Se 1 D The department rrenily utilizes Magic Writer in the Bmergency Medical Services Division [o process credit card and ACH payments. Otber ConaRtutlonal Offic¢s There is a possibility that other Collier County Consiitutionel Oftices will utilize this agreement during implementation or at a later date. TER The contract term, if an awards) is/are made is intended to be for Rvc (3) years with one (1) three (3) year renewal option. Prices shall remain ftrm for the initial term of this contract. Surcharges will not be accepted in conjunction with chis contract, antl such charges should b¢ inmrpomted into the pricing structure. ETAILED PE OF W The S¢Iected Ventlor will provide payment processing services for payments made to the County using the vendor provided payment charnels, such as but no[ limited to, walk-in payment locations, self-service payment kiosks, interneUweb, mobile and interactive voice response systems. Payments will be processed for various rece vables owed to [he County. The Selected Vendor will be regviretl to interface with each of iu line of business applications (see above end appendix xxx For a listing) using manufacturers approved interfaces. The Selected vendor will also be required to provid¢ an interfhce file for batch processing with the agency's SAP Rnanciai system (see section 5. Below). V d i tl d hl li 1 li h i h i i lemmtation. taKin¢ Into h h C i h h i d i I diff i f i h li ed above Selected Vendor will be responsible for, but not limited lo, the following requirements: 1. Cashfering Front -End Bless of a [channel. Provide all front -rod systems for Selected Vendor to process County payments, regar p ymen 2. ReflM[Ime Payment Processing County operations depend on real-time recording of payments against the receivable. 3. Interfaces Th¢ Selected Vmdar must create the interface between the Selectetl Vendor's own front-end payment processing software and the County's line of business systems establishing the ability for the Selected Vendor to: . query and search reel -time Yor County debt owetl by cusromer provide payment transaction information real-time to the County . retrieve County revenue reporting For reconciliation purposes Selccted Vendors must provide payment information through the with each of the County's line of business applications (see above and appendix xxx far a listing) using manufacturers approved interfaces. The Selected Vendor will also be required [o provide en interface file for batch processing with the agency's SAP financial systcm (see section 5. Below).. Selected Vendors must be able to provide the necessary information using a actor¢ authentication method and provide date formatted as required by the line ofbusiness applications vendors. Selectcd Vendor must work with the County's Informeticn Technology Division and the line of business application vendors m achieve the required secured connection end communication. The Selectetl Vendor must also create interfaces m [he County's existing (contracted -out) payment processing Selected Vemdor systems to: • process payment card payments • process ACH payments • process check images 9. Hosting Th¢ Selected Vendor will be responsible far hosting and maintaining the services and providing IT support for county staff: Please note, Collier County will not consider any solicitation the does not include hosting services. 5. Curremt Financial System Coliter County's £nancials are managed within SAP, which is a[ current and tLlly supported release levels, namely SAP ECC 6.0 - Enhan«men[ Pack O. The SAP application uses the following modules: PI, CO, FM, AP, MM, SD (Mist. Silting), BCS, HA, BN, and PV. In addition to these tort SAP modules, the invot a payment and approval process is manag¢d and optimimd using an SAP integrated solution celled Dolphin PTS -A P. 6. Payment Deposib The Selected Vcndor is required to initially and directly deposit, immediately or next banking day deprntling on payment type as directed by the County, all payments received on behalf of the County into a County awned banK account. All payments era m be deposited in whole, without reduction of any kind by the Selected Vendor. Selected Vcndor will use County obtained Merchant ants for any payment processing, as required. Selected Vendor must reimburse the County for any lost interest when payments to the County a not deposited as required to the designated depository. The lost interest will be calculated based on the average federal funds rate £or the period during which the deposits were not made as required. �. I2econc111aHon Selected Ventlor is required to reconcile each day's payment collections to County system reports of revenue recorded and to daily deposits into County bank accounts. All discrepancies must be investigated and resolved, and findings provided to the County for related at(justmenta. 8. Revenue Shortages Tha Selected Vendor is required to reimburse the County for ail vendor caused Revenue Shortages, payments collected on behalf o£ the County, which are not accounted foq are lost, misdirected. or otfierwise not provided to the County as required. 9. Returned Payments For ati payments originally processed by the Selected Vendor, the Selected Vendor is required io: • ni[or, menage and respond to any payment challenges Enter Information, as defined by the County, into County systerrts for ail returned payments, regardless of payment type. l0. Workflow Mapping Selected Vendor must provide and maimein application and business worKflowa for torten[ and revised workflow processes during the term of the Agreement. In the event of new technologies that become available and which may enhance or may otherwise be provided as en additional service under [he terms of the Agreement, the Selected Vendor may provide such bvs:ness transaction opportunities to the County. The County reserves the right [o incorporate such changes if deemed to be in the best interest o£the County. 11. Training Tha Selected Vendor must train and menage quality controls of its personnel to adapt the business processes associated with such training instructions end guidelines, and monitor performance on an ongoing basis. Selected Ventlor staffmusa establish the expertise to search £or all debt related to a particular transaction and provide the needed customer service needed to properly complete the trensaction. 12. PCI and Data Security Compliance In as much as the County is required to have its outside Selected Vendors comply with Che latest PCI requirements as determined by C'90 certified PCI Compliance auffioriti¢s, so Coo must the Selected Vendor be required [o submit tc tfiose stantlarda es may be applicable and to provide industry accepted documentation of their compliance. 13. HIPAA and HITECH Act Compliance Any information and transections involving personal information which require compliance with the most current H¢alth Information Portability and Accountability Act requirements moat be provided for by the Selected Vendor. 14. Security Protocols The Selected Vendor must provide for electronic and hardcopy security of all Collier County relatetl documents and all other related tleta while in the Selected Vendor's custody and control. S¢lected Vendor must provide to the County, upon requesq the identiflca[ion of personnel who will be providing services under the Agrc ant, and any details which may be required by the County of such personnel for security purposes. Personnel will also be required to be £fingerprinted and approved per the agency fingerprinting ordinance. 15. Reporting The Selected Vendor will be required to provide reports to the CounTy which will include, but are not limited to: a. Any instance of lost, stolen, misdirected, not delivered, or breach in urity, even i£ temporary, must immediately be reported to the authorized representative of the Department managing the Agreement. Selected Vendor will be respons:bl¢ for all costs associated with a breach indutling, but not limitetl to, notiticeticna and credit reporting to impacted individuals, I¢gel fees and tines, any other casts associated with a data breach. b. Any instant¢ ofa system application o other communication line being unavailable £or n customer's use (downtime), must be reported to the authorizetl representative of [he D¢partment managing the Agreement. w Selected Vendor must provide County with online access to daily and monthly rc ciliation reports tc allow County personnel to account for and reconcile receipts collected through the Selected Vendor's system. d. S¢lecrod Vendor must provide a usage report to Department at least on a monthly basis, end more £rcquently if so requested, indicating the following mevics per transaction mad¢ (or attempted to be made) for ell payments: range of tletes for the reporting period o dates and time o£day when transection occurred location where transection occurred o number of transactions made, by payment type check, ACH or image payment card ug. c rrency identify which transection resulted in a transaction error tuber of errors made tuber of reported problems time of downtime in creel o total amount of payments made e. Sel¢cted Vendor must provide a reporting Format to compare against the County's revenue collection report, to facilitate an efPcient account reconciliation review by [he authorized representative o£the Department. E Other reports as requested by the County. 16. Back-up Documentation Selected Vendor must provide a reliable process for maintaining a copy of each completed transection, in the ¢vent of system crash or other business interruption, such that the completed transaction record can be replicated, if necessary. 17. Convenience Fee Any Convenience Fee charged to the Cus[omeq if applicable, by the Selected Vendor must be agreed upon by the County and will be pursuant to [he Agreement bctwern the County end Selected Vendor. The Convenience Fee may ba a set fee or a percentage of the payment amount. t g. Customer Serviee Selected Vendor will be required to provide customer service support to customers in relation to payments processed by S¢lected Vendor. 19. RelLnda Selected Vendor will not process any retbnda, or return payments to customers after settlement, without expressed written authority from the County. 20. Scheduled Recurring Payments Th¢ Selected Vendor may provide scheduled payment processing services allowing County customers to provide needed payment information and have a series of scheduled recurring payments automatically submitted to the County £or posting m receivables of various debt types. 21. Single User Sign -On The Selected Vendor's intemet payment channel may provide the option for customers to c este a secure acwunt with the ability to voluntarily link debt from v s County r vablc systems. Customers creating such an account would be able to sign -on to [his account as needed to view and pay dab[ associated with [he account. RE PRO P PR CE Ll The Proposers will submit a qualiflcatlons proposal which will be scored based on the criteria in Section 5.0 Grading Criteria for Development of Shortlist, which will be the basis for short -listing firms. The Proposers will need [o meet the minimum requiremcn[s outlined herein in ober for [heir proposal to ba evaluated and scored by the COUNTY. The COUNTY will [hen grade and rank the arms and enter into negotiations with the top ranked firm to establish cost for the services needed. With successfbl negotiations, a contract will be developed with the selected firm, based on the negotiated price and scope ofaervices and submitted for approval by the Board of County Commissioners. l.2 The COUNTY will use a Selection Committee in the Request £or Proposal selection process. 1.3 The intent of [hes ing of the quali£cattons proposal is for respondents to indicate their interest, relevant experience, financial capability staffing and organizational structure. 1.4 Based upon a review of these quel:£ca6on proposals, the COVNTV will rank the Proposers based on the discussion and clarifying questions on their approach and related criteria, and then negotiate in good faith an Agreement with the top ranked Proposer. 1.5 1$ in the sole judgment of the COUNTY, a contract cannot ba successfully negotiated with the top-ranked firm, negotiations with that firm will be formally terminated and negotiations shell begin with the firm ranked second. 1£a wntract cannot be essfuily negotiated with the firm ranked sewnq negotiations with that firm will be formally terminated antl negotiations shall begin with the third ranked firm, antl so on. The COVNTY reserves the right to negotiate any element ofthe proposals. m the best interest of the COUNTY. DING ER1A FOR DE PMENT OF RTL[ST: 1.6 For [he development ofa shortlisq this evaluation criterion will be utilized by the COUNTY'S Selection Committee to scare each proposal. Proposers a raged to keep their submittals concise and to inclutle a minimum of marketing materials. Proposals must address the following criteria: I i C i i Maximum Points t. Cover Leiter /Management Summery 5 Paints 2. Certified Minority Business Enterprise 3 Points 3. Business Pian 20 Points 4. Cost of Services te the County 20 Points 5. Experience and Capacity of the Pimf 20 Points 6. Specialized Expertise of Team Members 20 Points 7. Local Vendor Pretercnca ]O Pointe TOTAL POSSIBLE PO1NT5 ]00 Pointy Tie Brooker: In the even[ o£ a tie at tinal ranking, award shall be made to the proposer with the lower volume of work previously awarded. Volume of work shalt ba calculated based upon total tlollars paid to the proposer in the twenty-four (24) months prior to the RFP submittal deadline. Payment information will ba retrieved from the Covnty•s financial system of record. The tie breaking procetlurc is only applied in the final ranking step of the selection process and is invoked by the Procurement Services Division Director or designee. In the event a tie stili exists, selection will be tletermined based on random selection by the Procurement Services Director before at (east three (3) witnesses. Each criterion and methodology for scoring is further described below. E ATION CR] 1 . 1. COVE TTE MA A E T SUM CS Total Pointe Available) Provide a r letteq signal by en authorized officer of the £rm, intlicating the underlying philosophy of the firm i provitling the s ws statetl herein. Include [fie n me(s), telephone numbers) and email(s) of [he authorized contact persons) concerning proposal. Submission of n signed Proposal is Vendor's certification that the Vendor will accept any ewartls as a result of [his RFP. Odd E ALUATI CR[TERIA NO. 2: CERT[FiLD MINORITY BUST E T RPRISE (5 Total Points Available) Submit certification with the Florida DepaRment of Management Service, Office of Supplier Diversity es a Certified Minority Business Enterprise. V TER[A NO 3: BUSINESS P (20 Totfll Points Available) In this tab, include but not limited to: • Detailed plan ofapproach (including major tasks and sub -tasks). Describe end demonstrate the techni<al expertise and capabilities to process [he outlined transaction volumes, amounts, and tracking [o without interruption. • Detailed time line for implementatien of the project. • Include with the Business Plan or as an attachment, an example of work product(s). This sfiould be for one o£the projects listed es a re£ercnce. ATI CRITERIA NO 4: C F ERVICES TO THE CO Y (20 Total Pointe Availflble) In This tab. include but not limited to: - Provide the projected total cost and estimated mlender day duration (including projected hours) { r which your firm will provide the work es tlescribed in this RFP. - Provide a schedule of merchant or related Etas, m intanance, chargebacK fees, etc. which shoultl include pri mg for any convenience f es. Please discuss any special rules pertaining to convenience £ees and crediVdebit card fees. • Provide pricing variation for each transaction type (ACH, crctlit certls, e[cJ per transaction EVALUATI N CRTT Rl EXPERIENC PA ITY OF THE I (20 Total Points Available) In this tab, include but not limited to: • Provide information that tlocuments your firm's and subcontractors' quali£cations to produce the required deliverables, including abilities, capacity, skill, and financial strength, and number o£ years of experience in provitling the required services. • Respondent must provide evidence of their PCI DSS compliance, including ev:tlence £or any subcontractors, third party processors and any other involved parties. • Describe the various tram members' successful experience in working with one another on previous projects. The County requea[s the[ the vendor submits three (3) completed reference forms from clients wboae projects are of a similar nature to this solicitation a a par[ oP their proposal. Provide infortna[ion on the pr jec[s completed by the endor [hat best represent projects of similar size, scope and complexity of this project using form provided on the online bidding system. Vendors may include two (2) additional pages for each project io illustrate aspects of the completed project that provides the information to assess the experience of the Proposer on relevant pr ject worK. E LUATION T SPECT D E PERTISE O MEMBERS (20 Total Points Available) In this tab, inclutle but not limited to: • Description of the proposed mntme[ teem and the rola to be playetl by each member of the team. • Attach brief resumes of all proposed proje<t team members who will be involved in the management of the total package of services, as well es the delivery of specific services. - Attach rosumes of any sub -vendors and attach letters of intent from stated sub -vendors must be included with proposal submission. EVALUA T 12[A NO 7: LO D R PREFERE (10 Total Pointe Availabiej Local business'is de£ned as the vendor having a cameo[ Business Tax Receipt issued by the Collier or Lee County Tau Collector Cor at least one year prior to proposal submission to do business within Collier County, and the[ identifies the business with a permanent physical business atltlress located within the limits of Coliier or Lee County from which the vendor s staff operates and performs business in an area zonetl for the conduct of such business. RANCE AND B UIRE insurance /Bond Type Required Limits 1. ®Worker's CompansfltPon Statutory Limits of Florida Statutes, Chapter 440 and ell Federal Govermnent Statutory Limits end Requirements Evidence of Workere' Compensation coverage o a Certificate o£ Exemption issued by the State of Florida is required. Entities that ere formed as Sole Proprietorships shall not be required to provide a proof of exemption. An application for exemption can be obtained online a[ h �// s fldfs.com/bocexemoV 2. X Employer's Liability $_300,000 single limit per occurrence 3. X Commeroial General Bodily i jury and Property Damage Liability (Occurrence Form) patterned after the current $l.OD0,000_single limit per ocwrrcnce, $2,000,000 aggregate for Bodily I jury ISO form Liability and Property Damage Liability. This shall include Premises and Operations; Independent Contractors; Products and Completetl Operations antl Contractual Liability. 4. X Indemnification To the maximum extent permitted by Florida law, the Contractor/Ventlor shall defend, indemnify and hold harmless Collier County, its officers and employees from any and all liabilities, damages, losses and costs, innluding, but not limited to, reasonable attorneys' fees and paralegals' fees, to the extern caused by the negligence, recklessness, intentionally wrongful conduct of the Contractor/ Vendor o anyone employed or utilized by the Contractor/Ventlor in the performance of this Agreement. 5. Q Automobile Liability $ Eaoh Occurrence; Bodily I jury 8c Property Damage, OwnedMon-owned/Hired; Automobile included 6. � Other insurance as noted: Q Watercraft $ Per Occurrence � United States Longshoreman s and Herborworker's Act coverage shall be maintained where applicable to the completion of Ota work. $ Per Occurrence Maritime Coverage (Jones Act) sfiail be maintained wfiere applicable to the completion of the work. $ Per Occurrence Q Aircraft Liability coverage shall be canted in limits of not less than $5,000,000 each occurrence if applicable to the completion of the Services under the Agreement. $ Par Occurrence � Pollution $ Per Occurrence O Protbsaional Liability $ Per claim 8c in [he aggregate Q P jec[ Professional Liability $ Per Occurrence Q Valuabte Papers Insurance S Per Occurrence X Cyber Liability $5,000,000 Per Occurrence X Technology Errors Za Omissions $5,000,000 Per Occurrence �. � Bid bond Shall be submitted with proposal response in the form ofcertified funds, cashiws' check evocable IeHer of credit, a cash bond posted with the County Clerk, or proposal bond in a sum equal to 5% of the coat proposal. All checks shall be made payable [o the CAO Collier County Board of County Commissioners o a bank or trust company located in the State of Floritla and insured by the Pederal Deposit Insurance Corporation. 8. O Performance and Payment For pr jec[s in excess o£$200,OOD, bonds shall be submitted with the executed contract Bonds by Proposers r ing award, and written for 100% of the Contract award amounq the oat borne by IhetProposar receiving en a ard. The Performance and Payment Bonds shall be und¢rwritten by a racy authorized to do business in [he State of Florida and otherwise acceptable to Owner; provided, howeveq the surety shell be rated as "A=' or better as to general policy holders rating and Class V or higher rating as to financial size category and tha amount required shall not exceed 596 of the reported policy holders' urplus, ell es reported in the most current Best Key Rating Ouide, published by A.M. Beat Company, Inc. 0£95 Fulton Street, New Vork, New YorK 10035. 9. ® Vendor shall ensure that all subcontmciors comply with the same in ante requirements that he fs required [o meet. The same Vendor shall provide County with certificates of insurance meeting the required insurance provisions. 10. ® Collier County must be n mad as "ADD1TtONAL INSURED^ on the Insurance Certiflcete for Commercial General Liability where required. This insurance shall be primary and non-contributory with respect to any other insurene¢ maintained by, or available for the bene£[ of, tha Additional Insured and the Vendor's policy shall be endorsed accordingly. 11. ® The C¢rtiflcate Holder shall be named as Collier County Board of County Commissioners, OR, Board o£ County Commissioners in Collier County OR Collier County Govemmenq OR Collier County. The CertificaMs o£Insurence must state the Contract Number, ar Project Number, or specific Pro}act description, or must read: For any end all work performed on behalf of Collier County. 12. ® Thirty (30) Days Canc¢Ilatlon Notice required. CAS Date: Email: VlvianaGierimoustas�colliergov.net CSO lBY GON.H'C y Telephone: (239) 252-8375 Adrtdnisirative Servloea Division Interested Parties Pu�ch¢ning RFP 78-7284 Payment Processing and Related Services ADDENDUM #1 Memorandum Date: January 2, 2018 From: Viviana Giarimoustas, Procurement Strategist To: Interested Parties Subject: RFP 78-7284 Payment Processing and Related Services The terms for this agreement have changed. Previously the terms were for five (5) years with one (t) three (3) year renewal option. Tha five (5) year initial term remains the same, however the renewal option will now be two (2) three (3) year renewal option. If you require additional information please call Viviana Giarimoustas, Purchasing Department at 239- 252-8375 or by a -mail at Viv'anaG'arimoustas(dzcolliercov.net .Thank you. G� BCC Collier County Collier County Information Technology Requirements 2017 I N D E X 1. Technical Architectural Compatibility Se Supportability (TAGS) 3. Architectural diagram. 4. Total Cost Ownership (TCO). 5. Vendor Background Checks County Ordinance No 2007-64 a. Ordinance 2007-64 b. Field print Instructions for Vendors c. Contractor FingerprinT Form 01-20-2015 d. Collier County Contractor Fingerprint Packet 03-20-2015 e. CC50 Background Check Form f. Canadian Background Check Process 6. Vendor Network Access Agreement 7. IT Account Management Requests /Modifications form 8. County Practices and Procedures CMA's a. CMA 5401 Information Systems Lifecycle Management b. CMA 5402 Remote Access Policy c. CMA 5403 Third Party Access Policy d. CMA 5405 Computer -Technology Use &Attestation e. CMA 5406 Computer Software license Control f. CMA 5905 Restricted Network Access Agreement g. CMA 5908 Media Reuse or Replacement Policy 9. Change Management 8. Change Advisory Board lO.Ente rprise Incidents 11. Elevated Network Access Policy 12. Fla. Stat. § 501.171 Florida Information Protection Act C'AO 1. Technical Architectural Compatibility St Supportability (TAGS) �'AO Cg0 T teM1niml AxSlmcm�el. CamgXblllry eed Sogo�Yabillly RepulrcmwM �owmmt (TAGS) Cg0 2. CCIT Construction Standards Version 5 2-24-14 Thu sectim> has been re>noveai as it does not apply to this project. 9 O 3. Archi[eciural diagram. IT Customer- Portal -Architectural Diagrams and Reviews Page 1 of 1 sYra.¢Pou,l [Mmpnn..nra— M ? _ Architectural Diagrams and Reviews ..xnu.aa¢rm Dm .> a.rq ww.we IRer,xatl ,z M.y zg[sr n.a rt Dl.naen ,eya..mx ma[ an narw¢.k mmnaaham xunnna ann naarnwN an arcbn.arrml m,.a.am. Nngmex.r.al tll>a..m, ams naw¢wx nnml tha ronmwl.r9 nrrma,ex: posetl solation ixleaxNle belo.e zrynlMant reswrmz are spen mn lmpanrenteGm anJmnxxaxxtlw mnpad en nntwa.k anJ rysfemx Per!¢nrenw p�alep laatl unJarsnr Js a 1 rbe pans n! the aP Vllca¢>r. M1ow tF. a rplRatian works anO ary tlryanOendes she ayplrutlan M1ez. Je p.mroamrl arcNmnme will ba ewlnat¢a! >9¢Inat Pnrmasible servle¢ lave! mmar^Unnln9 mml m nelp Ix1enJN venae Ix neoJM So ynuk [M1e aelunan s9^rn9 r¢Inmk ll4eanO hove It Nz wnF ¢avnOerary mcnitectwe ea bnPact m! changes nq ryswm !allures 1w[M1 Inallvltluslly ansl any propmetl/plannetl anv'rromnern K mn rvll [rM Pa.m ¢ntl lalmaea Irve arw now rhry Intama rs Orrduair,y tYpasl ze0 [email. AD, etq 0 mnLqumrlmnx IPnna, wnrnmions. eeq ntl what nntl M1sry thm/ mmmunlrn¢ wlth.a.f ntM1ar petl arivlexx le nJH sorrwu eearamen<Imr Rny wRware Jepenslantlez Yadutliny vertlun reyuhnmems Examdex induJelaw.l^te.^et Evplwa.o.o[M1ar brewsan.Imermtmb.matlw, 5erven arc. o(IM1e GmcumenmOw set neatlmJ xm malnuln [M zolu[imn eshouhng [pal b. ryrt<rn /a�lwez o. analNnctlunx .ry ppentul ucunry baucr VnJersunding tha sukanllKy or Oe solution b. Japlsryrren[un multrtenet Jetllca[eO.ezourr.ax PrchRenmal Olay.a nx ¢¢osis! o! tlrc follmwirry: m!w wrtn an m. rwcax, rana ana aamr.,,mmarmne maa.eatla mn tn¢ ¢m¢rny. mraxl.aaatam. em wpanapx p,a mn nae aa„ntyx mrcaxo-..aa.r.¢. xph mx mexa ...�w �r°a epraa m. Sanw... ¢x a zaannrr max>, na ram. r.eatl tm be baemw. rs ryrc tlrng rypez) mSvkez uxad !erns!!. FD. esd wall aenn9a.aaw.e romrex, aexnnayenx. ata) mponamz, zmNcax mJ wM1m and Few tory camnnmom won macM1 mher Summa9�he Prore.eJ aalWr>na(wnrtl E¢cl PrtFuecaaml r¢Nawz ere r u zeJ when: ,w the Scwe mI WOR RON'1 Ii JaeelupaJ fiRar Pmc.pazrmmt but Vaa. m tlegeymnrn Ir [M1e pmposaJ ardX[enure oMn9es vMnm ml chnngec Any[Inm Yauex azv evcalat W t¢ IT nronagamo-n [ r J¢c[ dozenw 0 http://bccsp02/sitas/ITCP/W iki % 20Pages/Architectural^/o20Diagrams % 20and % 20Reviews.... OS/1 1/16 Providing socuro Autx-�en Crcae■ng confrguraiion u�nr5 F'ravantlng tienA»ng pca�matar axco;rtfonc rrtiv+ipule Uan Browser - i ' xi Protacting a�enaitivs eaxa P'revanting xNS910n hi�ckirrfl and cookie replay eett3cles Yfab Server 1•i si b A�ptiG8t1 G n Authdiz in uarirs Validating Input Proiectlng 59n WtIVa dQea Apptic ation � ULZabass Server �. $srvsr i ii► APt=��+'�aoons ► OarRabss� I ', Aatditng arxt iogg+nq see r�iey snd iransarctianxa Auei�eratic tat I n g and awliw ruing upstream iderTtiti�s Encrypting or h ashi ryg can aitiva data 4. Total Cost Ownership (TCO). Vendor solution maintenance support projects out 3 years to 5 years for O 8r M cost for budget planning. Provides full transparent disclosure of any partnership costs to integrate their vended solutions to other vendor solutions. The vendor must identify and disclose how much the integration will cost and whether it is included in vendor bid or identify it as an additional expense Collier UBCS would be asked to absorb in project. Including future maintenance costs. Roll Ovar Fundln9 [al Funtlina Avallal Software Tralning 0.00 Yaarl Maintenance 0.00 Yearly Portal Maintenance 0.00 Yearly IVR Maintenance 0.00 Llcensin /Software 0.00 Protluctivity Tools 0.00 CM1an a orders O.DO Services 0.00 Platform Serv¢r Hardware 0.00 ServerO crating5 stem O'DO Dezkto Hardware 0.00 Virtual Deskfop/OS 0.00 Stara a D.00 Database 0.00 Network 0.00 Disaster Recovery O.00 IT Operational Support Tier 2 Application Support 1 FTE - IT Staff O.DO Tier 2 MIS Support O'00 Educes<mn/Tralning O.DD Migration/Upgrade Services 0.00 Soft Casts -Business Unit FfE's Dasl n / conRguranon o.oD Test D.OD Su ort 0.00 Tota15 endln per FY 0.00 OV.7 5. Vendor Background Checks County Ordinance No 2007-64 a. Ordinance 2007-64 b. Field pr(nt Instructions For Vendors c Contractor Pingerprint Form 01-20-2015 d. Collier County Contractor Fingerprint Packet 01-20-2015 e. CC5O Background Check Porm F. Canadian Background Check Process Opp WNEREAE. SaOYOn 126.5801. Fbrltls Smlulaa. (200A). autmnzaa me Boare of count' Cmvnlaebnem m am01 tnla Ortllnenm m meMate emu aM laearel enminsl nlclory racortle ceaGka Im epplmenm tp1 ampbyment m paaNbro Ot empbymanl daamed Dy Ina Boa.a ro be edtlml w aecudy Gr ro vablb eclat': ane W REREpB. Ifw Cdllar Cmnry Bmrtl q CGmmbalonem Geame IM1aI all Caunry mpbya6s aM povNbne ere eMiml to aeany ar to puMIG aetay; antl W HEREAB. Cnllur COumy employaw era placetl In msNlane of lruet anO poslllone wmm� ragrlra mem lO lnteraol wM Glliann, vlellOm antl wrMora In COYIar COunly. antl m audr sY Colner Courcy employees ere m msulona tlaematl crtlMsl t0 a«urly or publb aauy� arp WNEREAB. Teva erlmlrrnl M1IROry ranortls cnwks oen apply to prlWm IndNbual cmVaeWv. enployeva Or oTaf rapreaanmlNaa of mnbedors IrKlutlllp ventlare. rpill paraon0. Or daYW ry peraone. arc/ Of wMm are Mametl by Ts Board l0 ba andoal wdn rapva to aacurly m to publlo carob. Imlualn0 mneeme wlln tapeta to any emn Colllar COunH ownatl or meralaG bul101nD or ladl6y anWY amml bmrd Dulblrq antl parka; and WNEREAB. tne6a onMnsl nletory racortla enecks IMutla naNnp Ina appllmnt amployae. prHata IntlNltluel mnireobre, ampbyaae ar odrer rapreaenmrlvae of mnVaemra IMutlup Vantlore. repelr Poraone, or daYvery pamms Ilnparpdnletl aM audrllXbp tna IntllNtluall Itrrparpdnu m me FlOrlda Oepenlrgnt Or L0W EntO/Oamant (lar a Gals cnminal baekpround aNOuk) antl to IM1a Federal Bureau OI Invssuga8on Ior a nellonel onmkal nlelary ramrde olwck: antl WHEREAS. \M Inlormerlm oDWned Irpn \na MmIrW nletory remrda tlmeke will m a.ad w mm.mm. Te map.oOW Inmvm.,al•e d1ElaYy Io..mpl oynr.m mw oonnna.d amploYmam uy Ta Cmnb or ev env mmrador wun venom Inst count' mlpM mrwacr: Cpg_IyLB /%1734667ry8 O '� NOY 8007 `� ��.�. RECEIVED - �N `��rL'rrzzLz�z� �� ORDINANCE N0. 2a0'f-g9_ - o �� AN OROINANC@ OR COLLI@R COUIITY. FLORID0. AMEND NO ORDINANCE O ' � a' .-.� ¢j. PVRSYANI TO SECTION 12D.61Oa. FLORIDA BTATVTIH. MANDATING STAT! ] 1--�", AHO FlOIRAL CRIMINAL NISTORV RECORD CNECI(8 FOR ALL POE/RONE OF - - ENPLOYMEM IN COLLIER COYNeV Ofl BV OVT9IOE COMRACTOR@ OR � — VENOOR9: PROVIOINO FOR INCWBION INTO THE CODE OG LAWS pN0 �- _ AROVIOINO FOP CONPLJCT AND BEVERAIILfTYI PROVIDING AN —__ -� EFOINANCIBp GECliVE Dpre. -' WNEREAE. SaOYOn 126.5801. Fbrltls Smlulaa. (200A). autmnzaa me Boare of count' Cmvnlaebnem m am01 tnla Ortllnenm m meMate emu aM laearel enminsl nlclory racortle ceaGka Im epplmenm tp1 ampbyment m paaNbro Ot empbymanl daamed Dy Ina Boa.a ro be edtlml w aecudy Gr ro vablb eclat': ane W REREpB. Ifw Cdllar Cmnry Bmrtl q CGmmbalonem Geame IM1aI all Caunry mpbya6s aM povNbne ere eMiml to aeany ar to puMIG aetay; antl W HEREAB. Cnllur COumy employaw era placetl In msNlane of lruet anO poslllone wmm� ragrlra mem lO lnteraol wM Glliann, vlellOm antl wrMora In COYIar COunly. antl m audr sY Colner Courcy employees ere m msulona tlaematl crtlMsl t0 a«urly or publb aauy� arp WNEREAB. Teva erlmlrrnl M1IROry ranortls cnwks oen apply to prlWm IndNbual cmVaeWv. enployeva Or oTaf rapreaanmlNaa of mnbedors IrKlutlllp ventlare. rpill paraon0. Or daYW ry peraone. arc/ Of wMm are Mametl by Ts Board l0 ba andoal wdn rapva to aacurly m to publlo carob. Imlualn0 mneeme wlln tapeta to any emn Colllar COunH ownatl or meralaG bul101nD or ladl6y anWY amml bmrd Dulblrq antl parka; and WNEREAB. tne6a onMnsl nletory racortla enecks IMutla naNnp Ina appllmnt amployae. prHata IntlNltluel mnireobre, ampbyaae ar odrer rapreaenmrlvae of mnVaemra IMutlup Vantlore. repelr Poraone, or daYvery pamms Ilnparpdnletl aM audrllXbp tna IntllNtluall Itrrparpdnu m me FlOrlda Oepenlrgnt Or L0W EntO/Oamant (lar a Gals cnminal baekpround aNOuk) antl to IM1a Federal Bureau OI Invssuga8on Ior a nellonel onmkal nlelary ramrde olwck: antl WHEREAS. \M Inlormerlm oDWned Irpn \na MmIrW nletory remrda tlmeke will m a.ad w mm.mm. Te map.oOW Inmvm.,al•e d1ElaYy Io..mpl oynr.m mw oonnna.d amploYmam uy Ta Cmnb or ev env mmrador wun venom Inst count' mlpM mrwacr: Cpg_IyLB wnewEAs. a«n bdMaeq awlHnv ror emmr employment. e. wno N roan ampbyea pv ma wens. m eny pmxibn wen ammea by mN omm.nm (o. eoe.a Re«canon eaavtae p..:eeent m rola olmnerwal N b. omlml b «cony o. ro pubno eefay. mn m aenlaa Omploymant (or If alreatly .mplOyetl. 9uen aTpkryn�anl can bo Nmflna[W). 1/ qa IntltNtlud nes been or la mneleted M eny leb/ty 0I any TladaTaenor M Me n:at depro9. arq [na mtulcnan neod :wt pe rgat« to Ne roapao[Iw pmlllon of empbymanl ar eppolnbmnt NOW, TNEgP_FOpE, BG T OpBYNEO BV THE BONRO OF COUNTY COMMISEIONERH OF COLLIER COYN1'y. FLOp10P. [nal: 6B4TION ONE: AMENDMENT TO THE CODE OF LAWS ANO OROINANOES. n.ww-,zouon z -Be of me cqn.. count' eoae oe I.awa ane o:dln.nma (In wn1oN ul or cnepNr z) le nereby.memee «.ata. ro ro« « Igmw.: SVC. 2-Bn. Cnn:lnal HNiwy RecO:tl Cnmb Pppllmbls to IMNWUOIB Employed b Posftlons d Employm.nt C«metl by IM BmN of wunry Cammbelorera to be Gr1Yml to Swatly or Publlo SSNry. (a) Eacn Cn re •pealtbn of smploymenC Yetaa-below C`mnN-CemmWwwwHs daemea to m Onrcu b saewry Or publb ealOy. FaeJPa C'uenH WONaLpwWKlrlatr IGL•Poelllon of empbymanl' h nOl limited to bu0 smployma. pul ane11 be IIOOrally OMebuetl 10 Inolutls aecJl IndlubuN wno Ie •appolnNd' b Ina maL\bn; e:W oleo Indudae BaoM1 IntlMduel Who, baceupa pi nlWhe! Tletbn l0 an eMh toot has enWmtl Nlo a wnbael wlln tna Ceunry. wno, bamuca el tnel re NtbnMlp, wlll pa adwastl eny opmnunlry to pa a naK m ceeunry w b publN eatery. euM m. bol not Ilmllad t0, aam Intlleb uel who. wlln or wIIM1Out suNorliatlon, wub vain pnyeXal aoceea to anY Pleea (/aelnctatl nCCeN IOcenon) when euen IntllvWuel mVltl pplmn w OIM1BM'Isa wnlamimu any pc labia wemr final mlpnl be awvllae by Ina wont'. Or by me conNr cmnh Weler-Sower Cialncl, to a!ry mryumar or erM-uear; w wno. because M auto relelbmnlp, moa pnyalwy ns.m or aeslmy arh furwuorwxy of any ponYN. water P.yyp2yf.,6 CAO lecllly Ownatl oI cMlydlOtl Oy CWIOI COarny oI M e0W OMWOF or uMo eoultl tlan�apa of tlaetrvy sny binwmmuNUVona ays\am ar major \sl0eamnwMCO\bns Iua111y 0I eompul0r syOMm ar networla{ sntl prpvltleG Nc IntlNltluel will nol always be vuGjac\ \o wn\inume. tlircel sntl ImmetlWb fuparvltba Oy Bt IBYI one (1) IrplNtlu al wM10 M1ad PBvatl Ilw QeakpnauN tlM1etlkf. 1\1 Poc11bn00f Employment: n �� v"•" ayf_a C90 (w11}LpLNtltlNlonel Po.INon.: -Eeeh eddlb.wl po.Nm o1 Gemlllutbn aEtlatl b Mia aubfwuan Imm Omo-fo-Nnq by Rewluuan(e) of Iha BOe M. (p)(21 pnoumnr.� Ee h IntlNldual wbo aunmlls w epp114uon t0 COIIIBI County \o be wneltlaled qr Bmpbymenl bell be Onpa.ptlnlaQ aN IYw.e IlnpelpMlp ppGll ba .ubmlNeG to Me Flollfla Oepetlmanl0l Law EMOrcemeM (b1 a alala wlmlllal nl.bry recome meek) .md a4o to Ma Fatlaral Burvvu d InvBMlpallon 1019 natlp.ul wlminBl hlelwy recorGB Cbeck. Tha In(ormatlon obyb+etl from Noh .avpBMlva edminel hlvbry reeoM wIN b9 uaad fe tlatmmlM Ibe appllcanYe NIyW11Ny ror anploym.M (w cwNnuetl employmam) to Ma re.pwlly. paaNlaq ar. I[ Inan .nployad. wllNnuaC aniplbymenl In any poellbn Mm Ia raqu(ratl to au�aEluNy Pua Ina reapenllVa Mml.wl blslary remM MscNa. (a)i9] Olb.r pwNlona d amploynwM (o. apwlnlmanV tlaameG by Ina 0cartl o/ Count' Cwnmlubnem to ba cnllwl tc awu.lry ar to publlo wlaty can bB flCdad to Ihla OMlnarca by RwduNop(a) atlol>tad Lom 1Nne9o-lime by Ms 6oeM. MFtsl conv.M. a.n Mv.d.m IM1aI ewn .uG. po.mon domed m m anllcal to .wa.Ny w publlo ufaly eYull uMerya Ilres crlminel hlelary reeowe chwki. ant blfwmaOon abblMG tram. w a. s result d. any auto Ieoords Meok u.n be Ma wla bul. b plane Cgyq_ay[6 IYnlutlOne on Na dams tlw:9nonp W116rY auto balrWuab MaN ba eedea aN pM1yeloe/ acvu at eY tlnle.. H](S) Tnls OrtllrwnW enaN Ds IlbereYy oonatnaae. TMs Ominenm dOae nd aNYot em/ law, enY olner ddlnanm. or snY mle or rvpuWlbn ral9tBa 10 oilmbyl nlatOry reecres viwvke owcept Nst purvu»t [o Eeelbn 126.8801 ena eub 11on 112.011(2)(c), FbndN $!e/Y1>a. »Cn Inarylauel applYlnp for County omdoymem lar wnc Is in» amploysd by Na crony) In a poelu» Nat Is Nen a»mea er Nle omin.nN. for reaobuon wnd.a by Ne Bura YMer 1Ms Ordlnarp) tc M Cdlnw110 BBWaIy O/ t0 pubW aalBty. le n0[ prdeded by S'eollon 112.011. Fbtlda Slarufa; aM, NarelOre, »cn IneNlevY un ba tlenlod employment (w 11 tMn dr»ey emPloyea, ina emplOyrn>N oan OY wmYnetaa) 11 Nat Irblvbwl nes D»n or Is vtttvlct» d any bony or any MWemaan0! O/ ina 11n1 ea0ra a, wMlner or nd Ne eenMetlon la w1a1M to Inst ampleymaM. 9ECl1pN TW0[ CONFLICT qNO EEVERAOILITY. In Na ovent tna O/dlrerKa wnlllc is w1N any oltter walnenro ce Cdller counry w otnar eppflmbla law, Ne m0la r»trbllw enell apply. 11 any pore» or ponlon 01 tole OralrtMce le vela mralla w unwnaututlontl by any own d mmpat»t JaaaaldlM, alien ponlon enW OB deenwd a eayvala, WaBnd aM IMBpanaant pmNBlon Byte euGt noldn8 anell not ae/sm tM velblry o/ w ramalnln0 Ponbna. EECTtON TNREE: INCLVSION IN THE CODE OF LAW B ANO ORDINANCES. Tole Oralnanca enall ba metle a part Ol tba [ieaa ei t9we ane -0rtllnen»e O/ Calller County, Floaaa. as -- Oan 2!B � of IMI Cotla. Tha sadbne of NB OraNarca mq be ranumbetBa o! talaLarad lO anccampllan Nat reeuN, aM tM word •Ortllnenm'mey ba cnanpae to •Seclbn: •gnble�or any o�Mrepproprlate word. 6ECTION FOYR: EFFECTIVE OgTE. TM1Is ONInanCY Yiall M aNedl» upon INNp w11M1 Ina Florida Department o/ 91ata. pypc.NyCd Cq0 vABBBB ANO ou�Y Anovrec oy ns Beem a county Comml..laro.v or eom.. co.nN. Pk.dde. Ikle ?-3^ePderm nGr ORF_ zppZ. ATTEST: BOARD OF COUNTY COMMISSIONERS p1vIpM11 E. BIOek. Clva[ COLLIER COUNTY. PI.ORIOA Callavn M. Olaa AvelelaM CqunH Altomry P9ys_6yffi Thls eidinoncv flird wltF tFe s.nRm.y of se otti�. tno 1.9— any of orgy , �.L end ncknowledgemem { tlw. Illl�n9 Ived tFls � day O STATE OF FLORIDA) COUNTY OF COLLIER) I, DWIGHT E. HROCK, Cleric oP Courta in and Eor the Twentieth Judicial Circuit, Collier County, Florida, do hereby certify that the foregoing is a true and correct copy oE: ORDSNANCE 2007-66 Which was adopted by the Board o£ County Commissioners on the 23rd day o£ October, 200'], during Regular Session. WITNESS my hand and the oE£icial seal of the Board o£ County Commissioners o£ Collier County, Florida, this 26th day o£ October, 200'1. DWIGHT E. HROCK Cle r)c o£ Courta and Cleric Ex -officio to Boa��. ,1Q£ County Commissl:CS4�'rs...�%+� �.. '� �'' _ By: Martha V g ga ,_ Deputy C e y �' 9 O Instructions for using Fieldnrint Go to ht't ns//f lorida fieldorint com/User/5 i>;nIn • Enter your a -mail address in the "New Users � Sign Up" section New Uears � Sign Up Il you are a naw user, please re glstar with Flaltlptl nUID in ord artp sch adula yo urfln gerp Gntlng appoltltm ant. Begin tha rB 915tratlon pra ce ss by antedng your a -mail adtlre ss below. Email etltlresa: Enter your password and security question information • Select "I know my Fieldprint Code" on the "Reason•' page Reason why you need to ba fin gerp rinted knovi nv Fb Morint COEc See tdo rG 1 1 sale c[... � �T Provide our access code: o FPCollierCoGov1 Enter your personal information Schedule a time and location • Confirm the appointment Go to the local FieldPrint office that was specified for fingerprinting. For any questions/concerns, please contact the Fieldprint customer Service Team: Fieldprint� Inc. 400 Lippincott Drive Suite 115 Marlton, N] 08053 Toll-free phone: (877) 614-4364 Cu stomer5ervic e(dfieldorint.com collier County Department of Facilities Management Government Security Section 239-252-2222 O O co�r coT.tT�ay Administra4va Sarvlcae Division FaGlltiss ManeBamanl Department of Fec111tias Management -Government 5¢cprity Section Contractor Fingerprinting and Background Check Request Form -- To Be Completed By Collier County Protect Manager (PM) /Sponsor" -- First Name: Division Last Name: Department E -Mail Atltlress: Phone: ®mNe.gnv.net (: Does contractor require card access��: VES � NO It yes, please send a -mall authorization to DL-FMOPSQcolliergov.net. *'/f this section /s not comp/erect, the contractor wt// be issued anon -access idem/f/cotion bodge. To Be Completed By The Individual To Be Fing¢rprinted (Para Ser Comp/etodo Por E/ Controtlstp ) Your Name (Tu Nombre) x Employer (Empleador) x lob Tffle (Thula de Empleoj I understand that Collier County Ordinance No. 04-52 (amended in October 2007) requires state and federal criminal history record checks for all contract workers through fingerprinting. The cost of the fingerprinting Is the responsibility of the contractor. The cost Is currently x`40.00 and may be paid by check or mon¢y order made out to "BCC" or exact cash. Credit and debit cords are not accepted. Criminal histor/es are genera//y va//d for jive (5) y¢prs. Contractors /dentendJng to cont/nue work after shot Time w/// fhen be required to repeat the f/ngerpr/n t/ng process and pay the current fee. /denf/f/cpt/on badges ore vo//d for one (1J yeprfrom dote issued and may be renewed of no cost to the contractor. I. x (Please print legal name / Escribe su nombre con tetras de molds) have read and understand the information above and consent to The above mentioned fingerprinxing and criminal history records checks. Signature (Firma) x Date (Fechaj x -- To Be Completed By Department of Facilities Management Staff -- Fingerprint ID ti: Date Fingerprinted: Badge Photo/Face Taggetl: VES � NO O Employee Initials: Comments: Address: 3335 Tamia ml Trail E Ste 101 Building W (Facilities Management) Naples, FL 34112 O(u¢stlons3: Office: (239) - 252 - 8380 E-mail: OL-FMOPStacolliergov.net Revised 1pnuory 20th, 2015 c 'r co �.-n_ty Administrative Services Division Facilities Management Department of Facilities Management Government Sacu rity Section Background Check Guide Local ContractorsNendors: o Complete the Collier County Fingerprinting Packet. o Bring the completed packet, valid U.S. Federal or State issued 10, and payment to: • 3335 Tamiami Trail Ste 301 • Building W (Facilities Management) . Naples, FL 34112 o If ycu will be working In Collier County Sheriff's Office facilities, you will also need to complete their background check process. We have included their form and instructions for your convenience. . R¢mote Contractors/Ventl ors: o Completely read the Fie ldprint Instructions For Vendors document. o Make a Fieldprint appointment and send us an a -mail notification of your appointment that contains your name antl your compo m/s name. • We do not see employment Information on Fie ldprint, therefore this step is crucial to prevent any delays in processing your background check. . Canadian Coniractors/Vendors o Completely read the Canadian Background Check Process document. o Make an appointment with the Royal Canadian Mounted Police for a background check and send us an a -mail notification of your appointment that contains your name and your company's name. Contractors/Vendors from outside of the U.S. antl Canada: o Please contact us dtrecily for assistance with your International background check. PLEASE NOTE: . U.S. background check results typically take 24 to 48 hours to process. Grim lnal histories are generally valid for five (5) years. Contractors intending to continue work after that time will then be required to repeat the fingerprinting process and pay the current fee. Identification badges are valid for one (1) year from date Issued and may be renewed at no cost to the contractor. TFIs document was lost updvted on Thursday, Januory 29, 2035 pnd /s subject to chanOe bas¢d on /cga/ and/or con[ractuo/ requ/remen [s. Please contact us at 239-252-5380 or OL-FMOPS[Acollieraov.net If you hay¢ any additional questions. O O _ ..�'' ii\ �� Collier County SM1art1 mployeas aceaeein, have prospective col SheNWa Offlca. Tha Ravaurcee. Collier County Sheriffs Office 33'19 East Tamiami Trail Naples, FL 34112 (239) 774-4434 will then Da will contluct e eatabaaee. or Email Atltlrecs and Phones Number: 2. ALIAS NAMES (MAIDEN, ETC.) 9. DATE OF BIRTH: 4. SOCIAL 8ECURITY NUMBER: 6. RACE ANC 8EX: 6. ORIVER'8 LICENSE NUMBER (INCLUDING STATE): y. STATES OF PRIOR RE8IDENCY: 0. PLACE OF BIRTH: In nomdlamv wHh Flenee 3lalub H 9.9N(W. tM1li examen( ver OF APPLICHNT) tls on Ihly form ere hue to m rel.non to Signature FOR AGENCY USE ONLY: »•••-`••-`••• WInO&: FCIC / NCIC: 10 (H applicable): � IAQ (ICE Cheo1Q: I Dyt of AOsney Member completing ChacK Dete RECOMMENDATIONS:APPROVED/DISAPPROVED SIOnMure / ID: Oats: Data Fingerprinted: Results Data: _ Agency Supervisor Hours of Access S Door Access Purpose for Employment (Job Function) ID Card Issued Date 8. Initial v farfha collMlon antl sav your SSN oNy 1w the ie Inwatl9veenv, to Inclutla olalk or court ehaoks, antl any (9ea AHaahae PrIntOVte) (bee Ahachatl Prtntoub) (baa Attachae Prtntouls) (Sae Attachae Printout) i Copied to Pauline oa'� How to Obtain a Certified Criminal Record Check Civil Fingerprinting Screening Services NOTE: After 90 tlays, the Canadian Criminal Real Time ItlentlFlcation Servires destroys Flngerprint submissions relative to civil screening when the search process is completed. The fingerprints are not atltled to the RCMP National Reposltqry of Criminal Records and are not searchetl for future purposes. Full s¢[ of fingarpri nts r¢quired . To contl uct a crl urinal record check we requl re aPull set of fingerprints, Including both rolled and flat Impressions oP all ten fingers. . Complete all fields on the fingerprint form. Vou must have your Flng erprinis Ca ken on Porm C -216C at your local police station or private accredlietl Flngerprinting agency. Oepentling on the police Juristlictlon, a Pee may be requiretl. Reason for Raqueat Clearly Indlcafa Cha reason for your certified criminal record check: . Employment - fetleral, provinclai, municipal governments Applicants must specify the )ob [lila or position sought in the "REASON FOR APPLICATION" portion of the fingerprint form. Iden[itication of police aervic¢ or fingerprinting agency Verify the Information recorded by the ofFlcial caking your fingerprints and ensure Thai the offldal's name and signature, and Che name of the agency Is Indicated on your fingerprint form. Final step (chacKliat): Before sending your request, make sure it contains the following: Original Flngerprint form Full name Date oP birth Sex/Gender Mdiling address Phone number and/or email adtlress Reason for application Processing fee (If applicable) TMtrd party consent letter O $0Yd CMG reSYlta ta: Security Chief Douglas Hendley Collier County Department of Facllltles Management 3335 Tamla ml Troll E Ste 101 Naples, FL 34112, USA a'� 0 RCMP Approved Vendors L-1 Id entity Solutlons ht[ w w.I1i .com a es fi out more tour-canadf - rvices Contact Us to Begin Using L-1 Centers In Canada for Vour Processing Needs • Phone: (800)749-7554 • Fax: (902)835-4167 • Email - Llinfo@Ilid.com C di E II T/F' I t L t a Alberta • British Columbia • Manitoba Newfoundland a New Brunswick • Northwest Territories • Nova Scotia Ontario • Prince Edward Island a quebec • Saskatchewan Frequently Asked Questions How long will It take fat digital flngerprints to be processed by the RCMPT If tM1e applicant docs not have a crlminal record and has never been fingerprinted for a crlminal offence In Canada, the RCMP will make every effort posslbb [o process the request wltMn 72 M1ows of racelving the electronic submisslon. This means thaC the RCMP will put the results In the mall for malltng back to the applicant or third party within 72 hours. In view of this, pl¢ase ensure sufficient time Is allowed for recelpf of tM1e results In the mall befgre commencing Inquiries about tM1e status of flngerprint records. If a crlminal record Is ¢ncountered during the yerlflcaHon process, processing will be increased to 32D days. How ran 1 find out about the status of a submisslon once It has bean sent io [ha RCMPT Once L-3 Id¢ntlty Solutlons submits your Hngeprintz elec[ronlcally you will redeye conflrmatlon via ¢-mall (If an e-mail adtlress Is proyldetl qn yom appllcaHon) <M1at your ling¢rprints have been successfully r¢rslvetl by the RCMP. If you require further Information ar bay¢ questions regarding your fing¢rprints you can contact the RCMP Civil Flngerprint Screening 3ervlces eKher by phone at (613) 998-6362 or by a -mall a[ Llnk Tes[ Oo 1 need en appointment to be flngerprintedT Appointments ar¢ not ne¢tled at most of our locations. Please see Canada Locations for a compl¢[¢ IIsi of locations. tllr¢cNonz, contact Informatlon and busin¢zs Fours. Naw long will it take for my Flngerprintz to b¢ tekenT Our digital process Is fast, eHl[lent and clean. A complete fingerprint s¢sslan normally tak¢s approximately 20 minutes to complete. Our tratllHanal Ink and tall gngerprinting s¢ssbns take approximately 10 minufes to complet¢. Now are my results pbtelnatlT EacF applicant's criminal retard v¢nflcatlon results can be sent dbectly [o the Individual ar [o a tlesignated [M1trtl party, such as an employeq immigration or partlon's ag¢ncy. If an applicant Is under She age of 18, results must be rMumed dbectly io the M1ome atltlress of th¢ applicant Please ensure that all of [he addr¢ss Informatlon for tF¢ appllcan<or tMrtl party Is available during the application process. Can I ge<a copy pf my appllcatlonT All applicants can rerefve a Kut copy pf th¢ tligltal submission to the RCMP or a copy of Cbe Ink antl roll submission. An additional cbarge may apply. WFat Identlflce[lan do 1 ne¢d to bring with m¢ to my appolntmentT Vou must provld¢ two pieces of valid government Issu¢tl ItlenClflcation, at least one of wMCM1 must have a pFota of you. TFe following typ¢s of Identlflcaflon ar¢ acceptable: • Passport • Cltlx¢nshlp cartl or Docum¢nt • Immigration Document (SLutlent Vlsa, Work Vlsa, Lantling Papers) • Birth CertlRcate • Drovers krcense • Permanent R¢sltlent Card or Recortl ¢f Landing for CltlzensMp applicants • Govemmant 10 Qf you ar¢ ¢mployed by a federal or Provindal brancM1 of tFe Govammen[) • Health cartl with pM1oto (please note not all provinces accept FealtF cartls as yalitl govemm¢n[ Issued ID. Please refer [o provindal regulations or call the office nearesf ypu. Please note Yhat It Is re<ommentl¢d Sha[ applicants have wlLh th¢m a 1¢tter for file number from the reques[Ing agency If apPllcable and [M1a[ ALL dlgifal Flngarprinting requests for Canadian CltlzensM1lp must Include a letter from Cltlzenshlp and Immigration Canada. TFIs letter must indutle [he address for SM1kd party results submissions and sM1ould M1ave a CIC RI¢ numb¢r. Please ensur¢ <Fls letter Is avallabla during your flng¢rprirrting sesslpn. Commissionaires t // 1 1 1 / 1 1/ / 1 I/ I fl t 1 / How to Get Your Fingerprints Applicants should bring two pieces of valid government Issued identifica[lon and one must be a photo ID. The following are types of acceptable identification. Please check with your local office for additional types of Identification which may be accepted: • Passport • Driver's License • Btrth Certificate Ca nadlan CRizenship Card • Permanent Resident Card �6J Certificate of Indian Status • Immigration Documents Le. work or study permits • Military Family ID card (MFID) • Reca rd of Landing for Citizenship Applicant • Certificate of Live Birth • Nexus card Note: • All identification must be cu rreni and not expired; Paym¢nT Methods We accept major credit cards, debit or cash at most of our locations. Please check locations to confirm. Appointments Please check locations to confirm hours of operation and determine if an appointment Is necessary. Locations Frequently Asked Questions about Fingerprinting What is digital fingerprinting? Digital fingerprinting Is the electronic capture of a person's fingerprints via an optical scanner of a capture station. The scanned fingerprints, along with the application details, are then formatted iota a sianda rd ized electronic package Shat is attached and emailed, via a secure link, direct to the RCM P's Canadian Criminal Real Time Information System (CCRTIS). CCRTIS compares the fingerprint package against the RCMP's criminal record databas¢. If no record is prese nf, She RCMP will issue a certificate indicating a clear record. If the applica n< does have a criminal record this well be indicated in [he rewlts. WIII the results of my Hngerprints Include a transcript4 Ves, fingerprint results will Include a transcript. A transcript is a record of the applicant's criminal record and will clearly indicate either a clean record or it will Ilst convictions. The tra nscripf also details the nature of She conviction(s). This transcript is released to the applicant, or If can be released to third parties if the applicant provitles consent at the time of fingerprinting. How long will It take for digital fingerprints to be processed by the RCMP? If the applicant does not have a criminal record and has never been fingerprinted for a criminal offence in Canada, the RCMP will make every effort possible To process the request within 72 hours of receiving the electronic submission. (This means that the RCMP will put the results ^In the mall" for mailing back to the applicant or third party within 72 hours.) In view of this, pleas¢ ensure sufficient time Is allowed for receipt of the results in the mail before comm¢n ting inquiries about the status of fingerprints. If a criminal record is encountered during the verification process, processing will be increased io 120 days. How can I find ouT about the status of a submission once it has bean sent to th¢ RCMP? Commissionaires provides the best serv{ce to all our clients. Clients are advisetl that once the RCMP Informs Commissionaires (hat the electronic submission has been received and Is successfully processing, the RCMP will not release any further transaction status Information to Commissionaires. Clients (e.g., applicant ar au(horized third party) may inquire about the status of their electronic and / ar [rad Rfonal Ink and roll submission by contactlng the RCMP CNII Fingerprint Screening Services at 613-99g-6362 or clyllnos[�rcmo-erc.ec.ca. 06 Oo applicants n¢ed an appointments Appointments are recommended although some locations welcome walk-ins. Please check locations [e confirm hours of operation and def ermine If an appotntmenf is necessary. How long will It take to get fingerprints tokens Our digital process is fast, efficient antl clean and normally Sakes approximately 20 minutes to complete. Our tra ditlonal ink and roll methods cake approximately 30 minutes to complete. How ere results obtaineds _ Each applicant's criminal record verification results can be sent directly to the individual or to a designated Third pa KY, such as an employer or immigration or pardons agency. If an applicant is under the age of 18, results must be returned directly to the home address. Please ensure that all the address Information for the applicant and third party are ready during the appilcation process. May applicants gM a copy of the applications All applicants can receive a true copy of the digital submission to She RCMP of a copy of Ink and roll submission. An atldltlonal charge may apply. Is Commissionaires agovernment agencys Commissionaires is not a government agency. Commissionaires Is anot-for-profit organization employing former milliary and police as well as responsible citizens of all ages In rewarding careers. conn cow..-nty Administrative ServirPs Division Facilities Management Department of Facilities Management Government Security Section Notice of Collection of Social Security Numbers The Collier County Facilities Management Department, as a department of the Collier County Government Agency, in conjunction with its background check duties and responsibilities authorized by Florida Statutes Section 125.5801 and County Ordinance No. 2007-64, requests your social security number to complete criminal history checks with State and federal authorities. Your social security number is collected for the Following reason: 1. FBLFDLE Fingerprint background checks. Vour Social 5ecu rity Number will only be collected and disclosed for the listed purpose(s), and as may otherwise be authorized by law, and once collected, will be maintained as confidential and exempt records under Chapter 119, Fforlda Statutes by this agency. Proylding your social security number is voluntary. Refusing to yolunta rlly provide your social security number will not result in the denial of any right, privilege or benefit provided by the County but may result In the dental of your eligi bllity for employment with the County. Additionally, refusal to provide your social security number may result in delays processing your background check. Employee/Contractor Signature (Firma) Building Automation Technician Slgnatu re REV ISED — 04/03/2012 G4� 6. Vendor Network Access Agreement Form Collier County Government Vendor Remote NetworK Access Agreement I agroe that I will not use my network access to the Collier County network in any manner inconsistent with the work I am contracted to do. This includes only accessing information systems or data files required in the performance of my work. I agree to notify tfie appropriate Collier County contact of all accesses, and details of actions or modifications that I have performed on systems while connected. I further affirm that I have read and agree to abide by the Collier County End User Computing Policy and Remote Access Policy as provided to me. I also agree to notify the Information Technology Department as soon as network access is no longer needed, so that my access can be removed. I understand that violation of any of these policies could lead to loss of access, termination of vendor or contractor status, or prosecution under the applicable statute. I understand that vendor access is restricted to the hours o£ 8:OOAM to S:OOPM Collier County Local time, unless otherwise agreed to and noted on this agreement. Printed Name Signature Date _—J 7. IT Account Management Form_33012016 Information Technology Department IT Service Desk Li0 6Y Ci0'I�.i1ty Phone (239) 252-g888 Fax (239) 252-6346 ��T !lei«.. � I. This form is to be used for new account crea[ioq disabling existing accounts, account name changes (existing employee changing Cheir name), account position changes (existing employee moving to another department), new shared calendars, new generic email accounts, new distribution lists, and updates to email, calendar, or distribution list ownership .Please complete the section of this form relating to your request, sign the bottom of the document, and fax it [o the IT department using the fax number listed above. Questions regarding this form may be e-mailed to BCCAccountReeuestic7collier¢ov.net. Thank you for your cooperation. Please math one o£the following options and fill out the corresponding section: Q Create an Employee Account Sect/on #1 Required Q Modify an Employee Account (Add /Remove Access) Section #1 Required* � Disable an Existing Account Section #1 NAME ONLY Q Account Name Change (Employee Name change) Section #2 Required Q Account Position Change (Employee Dept/ Job Title change) Section #3 Required New Shared Calendar or Shared Mailbox Section #4 Required New Generic Email Section #4 Required r] New Distribution List (DL) Section #4 Required Section #1 New ACCOtI)1L Cr¢atiOn/MndF V This section is for new em to ees on1 Employee Nerve (please print) Employee Department Employee SAP ID* Full/Part-time Employee Q Volunteer/intern ("expires in 30 days w/o SAP) � ContractorNendor Share oint account onl •Special applications or access that the employee will needs Q Active Sync RDS (Terminal Services) Internet Access MinuteTraq (please circle the ones that apply: Prime, Prepare, Approve) Office 365 Cost Center "' (rcyuircd) � OWA Q SAP Q VPN (for working from home/remote location) Q NeoGov-Online Hiring Center circle all that apply: Hiring Manager to view applicants, Approver to approve requisitions ,Originator fo create requisitions) Special distribution lists (other than Subscribes), such as DL -SAP CAO #2 Accnanl Nnnte Ch nn a For existiv em Io ea who have Chan ed their name Employee's Previous Name Employee's New Name Rection #3 ACCO#nt poSttton Chanti�c (For existivg ¢mployea that have moved to another de artmevt/lob Position Employee Name Previous Department New Position Title New Department "'Important nota for account position changes: 1 _ Please move any relevant data from the employee's F drive to the G drive for the previous department prior to the employee moving to the new department. 2. The F drive of an employee moving to another department will still be accessible to that employee in his/her new position. 3. The G and H drive associated with the employee will be changed to those specific folders in use by the new department. If access is also required for the previous department's Gand/or H drives, the director for the previous department must authorize this by sending an email to BCCA tR t<<l ll' net. 4. Employee E -Mail will NOT be affected by the change. Ce.�t:.... i3d S ecdnl C<tletrdnr E'»tett account, or Distrihutton LLct Name of Calendar, Email, or Global DL (Distribution List) New/Current Responsible Party's Name RF. [ltRED Phone Number Initial Access List (employees or groups with access to this calendar/email/list): "^'� PI¢ase note: The following section is res wired Por all rcauats. ^"'^ Please note: Account requests may tape up to S business aaysJor processrng. 'By selecting this, you sign ly Utat you have Budget Authority to spend money In the Cost Center listed. Go 8. County Practices and Procedures CMA's a. CMA 5401 Information Systems Lifecycle Management b. CMA 5402 Remote Access Polity c. CMA 5403 Third Party Access Policy d. CMA 5405 Computer -Technology Use � Attestation e. CMA 5406 Computer Sofrware License Control £ CMA 5905 Restricted Network Access Agreement g. CMA 5908 Media Reuse or Replacement Policy �O CMA 5401 INFORMATION SYSTEMS PROCUREMENT AND LIFECYCLE MANAGEMENT § 5401-1. Purpose. § 5401-2. Procurement and Deployment. § 5401-3. Ongoing Support and Maintenance. § 540Y-4. Application Retirement. § 5401-5. Waivers, Mitigation and Remediation. § 5401-6. Currency. [Effective Date: April 18, 1999 (Revised: October 3, 20015 Revised: October 1, 2003. Revised: January 21, 2016)] § 5401-1. Purpose. The purpose of this Instruction is to deFine a standard, efftcienq and effective method for procurement and lifecycle management of information systems and services that are compatible with the agency's information architecture, suppottable, interoperable, secure and comply with the County Information Technology Division (IT) standards and practices. All purchases must comply with the requirements of the County procurement ordinance and policy. § 5401-2. Procurement and Deployment. A. A completed Technical Architectural Compatibility Standards (TAGS) signed by the IT Director and the procuring Operating Division Director is required prior to procurement. The current TAGS form is available on the IT Division's Intranet website. All requirements must be met. Exceptions may be granted with suf£cient mitigation or a waiver see. § 5401-5. Waiv¢ra, Mitigation and Remediation. B. Operating Division Director must determine permissible service levels including the maximum number of Failures on an annual basis, the maximum downtime per incident and the acceptable data loss per incident in minutes. C. Information systems must comply with all local, state and federal laws. Health Insurance Portability and Accountability Act (IiIPAA), Personally IdentiFable Information (PII) and Payment Card Industry Data Security Standard (PCI DSS) requirements must be identiFied and addressed if applicable. PCI DSS certifications must submitted on an annual basis by the Operating Division Director. D. An architectural diagram must be prepared and review conducted in compliance with IT poticy. Approval by the IT Division Director is required prior to procuroment and deployment. § 5401-3. Ongoing Support and Maintenance. A. Systems must have an active vendor maintenance agreement that includes patches and upgrades. B. Systems must support platform patches within 30 days of release. If patches cannot be installed appropriate mitigations must be identiFed and deployed within that timeframe Page 1 of3 CAO CMA 5401 INFORMATION SYSTEMS PROCUREMENT AND LIFECYCLE MANAGEMENT by the Operating Division Director (see § 5401-5. Waivers, Mitigation and Remediation). C. Vulnerabilities identified and published by the Department of Homeland Security's United States Computer Emergency Readiness Team (US -CERT) must be mitigated by the Operating Division Director within 30 days of notice by IT (see $ 5401-5. Waivers, Mitigation and Remediatim). D. The Operating Division Director is responsible for submitting a completed Technical Architectural Compatibility Standards (TAGS) to IT on an annual basis. All requirements must be met Exceptions may be granted with sufficient mitigation or a waiver see § 5401-5. Waivers, Mitigation and Remediation. § 5401-4. Application R¢tir¢ment. A. All system components must be shut down and decommissioned when systems are retired. This includes servers, databases, storage and uninstalling associated applications on PCs. B. Budget inventory changes must be made at system retirement. C. The Operating Division Director is responsible For public records compliance £or all retired system data and contacting the agency's Records Manager to determine the appropriate retention period. The operating Division Director is responsible for maintaining the systems to read The backup media including any required hardware and software and all associated costs. D. Operating Division Director will review retirement plan with IT to ensure compliance with this CMA. § 5401-5. Waivers, Mitigation and Remediation. A. Mitigation is required for systems that are not TAGS compliant or require the use of older version of/or insecure components. Viable mitigation options include the use of technical controls, replacement or upgrade o£the system and retiring the system. a. The Operating Division Director is responsible For working with IT to develop an acceptable mitigation strategy. Scenarios involving technical controls are subject to the same review process as new systems. b. The Operating Division Director is responsible For all costs, including support staff, associated with mitigation. These costs may include, but are not limited to: i. Support for 1. Non-standard databases 2. Operating Systems 3. System components 4. Web servers ii. Creation and maintaining development environments iii. Initial and ongoing support for Firewalls and Intrusion DetectioNPrevention systems and monitoring B. Waivers may be granted order extenuating circumstances. Page 2 of 3 CMA 5401 INFORMATION SYSTEMS PROCUREMENT AND LIFECYCLE MANAGEMENT a. Ali waivers must be reviewed by the IT Director. b. The Operating Division Director may grant a waiver where the impacC is limited to their division. c. Department Heads may grant waivers where the impact is limited to their department. d. The Information Technology Executive Committee (ITEC) will make a recommendation to grant a waiver where the impact is at the agency level with final approval by the County Manager or his designee. C. Remediation costs associated with a breach or system failure as the result o£a waiver must be fully funded by the Operating Division Director. § 5401-6. Currency. The Information Technology Division is responsible £or maintaining the currency of this Instruction. Pega 3 of 3 9 O CMA # 5402 REMOTE ACCESS POLICY § 5402-I. Purpose. § 5402-4. Enforcement. § 5402-2. Sachground. § 5402-5. Defin3Bons. § 5402-3. Policy. § 5402-6. Currency. ]Effective Date: January 1, 2005] § 5402-1. Purpose. The purpose of this Policy is to define standards for connecting to Collier County's network from any host (computer or other device that connects to the network). This Policy will also ensure Collier CounTy's compliance with applicable license, copyright, local, state and federal laws and regulations. § 5402-2. Dacltground. This Policy is required to minimize the risk that any individual device could be configured or used in a manner which could compromise the integrity and availability of the network and associated resources. Damages include the loss of productivity due to downtime, damage to public image, and damage to critical Collier County internal systems, and access to non-public data, which could insult in possible violations of law concerning privacy (HIPAA, etc.). This Policy applies to all Collier County employees, contractors, vendors and agents that connect to the Coli3er County network. This Policy does not apply to access of the County's e-mail system via the Internet (Outlook Web Access) nor any publicly available service provided by Collier County on the Internet. § 5402-3. Policy. A. Requirements: (1) A71 requests for remote access will be submitted to the Information Technology (1'17 Department. (2) All trusted network connections and devices must be configured to meet the authentication and configuration requirements of the Collier County network. <3) With the exception of approved vendors, only computers owned and supported by Collier County will be permitted to connect to the Collier County network. (4) Vendors requesting access to the Collier County network will be provided a copy of all applicable policies governing remote access and will demonstrate acceptance $402:1 09 - t3 - 3000 OFFICE OF COUNTY MANAGER ADMINISTRATIVE § 5402-3 PROCEDURE § 5402-5 of those policies by signing a Third Party Access Agreement; o£ which a copy will be retained by the IT Department. (5) The approved methods of remote access to the Collier County network are as follow VPN, dial-up, trusted network via direct connection, un -trusted network via firewall. (6) Collier County employees and vendors with remote access privileges mus[ ensure [heir computer or workstation that is remotely connected to Collier County's corporate network is not cormected to any other private network at the same time with the exception of personal networks that are under the complete control of the user. ('1) All remote access clients £or VPN access will be configured by IT personnel according to IT Department procedures. (S) I[ is the responsibility of the County employees who have been granted remote access to ensure that the computers used for this access be connected to the network at least once in a thirty -day period so that it can receive the proper security patches and updates. Computers requiring security updates will be prevented from accessing the network until the required updates are completed. § 5402-4. Enforcement. A. [t is [he responsibility of remote access users [o comply with all applicable Collier County computer usage policies. E. Any employee found to have violated this Policy may be subject to disciplinary action, up to and including termination o{ employment. § 5402-5. Definitions. As used in this Policy, the following terms shall have the meanings indicated: HOST —Computer or other device connected to a network. PRIVATE NETWORK — A network secured from external access from other networks and the Internet. REMOTE ACCESS — All present and future methods by which hosts connect to the CCBCCs private network, such es dial-up, VPN, PC Anywhere, etc. TRUSTED NETWORK — A system that has She necessary controls to ensure that security policies will not be compromised UN -TRUSTED NETWORK — A system with no verifiable security controls that would present a security risk to the CCBCC network. t. Edlbc'a Nolc: 9tt CP1A 5300. ThIN Pvrly Aceese Polley. end I(e aeeompnnying n:mel:meme. 5402:2 os - rs - zaov a'� 0 § 5402-5 REMOTE ACCESS POLICY § 5402-6 VPN —Virtual Private Network. An encrypted connection to the CCBCC network via the Internet. § 5402-6. Currency. The Information Technology Department is responsible for maintaining the currency of this Instruction. 5402:3 os - � s - ¢oo> CMA # 5403 THIRD PARTY ACCESS POLICY § 5403-1. Purpose. § 5403-6. Currency. § 5403-2. Concept. Third Party Network Access § 5403-3. Policy. Agreement § 5403-4. Enforcement. § 5403-5. Definitions. [Effective Date: January 1, 2005] § 5403-1. Purpose. The purpose o£ this policy is So define standards for vendors, contractors, consultants, and others who connect to Collier County's network from eny host. These standards are designed to minimize the potential exposure to Collier County from damages thaz may result from unauthorized use o£ Collier County resources. Damages are defined to include, but not limited to: Che loss of productivity due to downtime, loss of sensitive or confidential data, loss of intellectual property, damage to public image, damage to critical Collier County internal rystems, etc. § 5403-2. Concept. A. This policy applies to all Collier County contractors, vendors and agents with a Collier Countybwned or personatly owned computer or workstation used to cotmect to the Collier County network. This policy applies to direct and remote access cormections used to perform work on behalf of Collier County including reading or sending a -mail and viewing intranet web resources. B. Access implementations covered by this policy include all methods of direct and remote access to the Collier County network. § 5403-3. Policy. A. General. p) It is the responsibility of Collier County that vendors, contractors, consultants, and others having access privileges to Collier County's network ensure their access connection is given the same consideration as the user's on-site connection to Collier County.' (2j The following policies must be reviewed by vendors, contractors, consultants, and other parties for details of protecting information when accessing the Collier L EYlto„'s Notef See tM1c T41rtl Pnrty Nctwo�la Aeeeaa A6rcement a[ [4c enJ of tM1b CMA. 5403:1 os - is - aso� a`� 0 OFFICE OF COUNTY MANAGER ADMIMSTRATIVE § 5403-3 PROCEDURE § 5403-4 County network via remote access methods end [he acceptable use o£ Collier County's network: (a) End User Computing Policy.• (b) Remote Access Policy.+ B. Requirements. (]) Secure access must be strictly controlled. Control will be enforced via one-time password authentication or public private keys with strong pass -phrases. For information on creating a strong pass -phrase see the End User Computing Policy. (2) At no time should any third party (as described above) provide their login, password, or a -mail their password to anyone. (3) Those with access privileges must ensure that a Collier County -owned or personal computer or workstation which is connected to Collier County's corporate network is not connected to any other network at the same time. (4) All hosts cormected to Collier County networks must use the most up-to-date anti-virus software from a reputable vendor. (5) Equipment used [o connect to Collier County's networks mus[ meet the same requirements as Collier County -owned equipment. (6) Organizations or individuals who wish to implement non-standard solutions to the Collier County production network must obtain prior approval from the IT Department. (']) Vendors, consultants and other third parties will be permitted to access the Collier County network only during normal business hours (5:00 a.m. to 5:00 p.m. local Collier County time), unless otherwise agreed to. (8) Vendors, consultants and others will notify the IT Department in writing of afl changes that will be made or work that will be conducted while logged into the Collier County network. (9) Vendors, consultants and others will notify [he IT Department immediately if passwords are lost, accounts are no longer required or of any attempts of intrusion ere detected. § 5403-4. Enforcement. Any third party found to have violated this policy may be subject to loss of Collier County network access privileges or other penalties as prescribed in the vendor's contract with Collier County or by applicable laws. 3. EJaoe's Nom: See CMA 505. 3. Edibi s Notn see CMA SiOS. 5403:2 os - is - moi G� § 5403-5 TH[RD PARTY ACCESS POLICY § 5403-6 § 5403-5. Deflnitinns. As used in this CMA, the following terms shall have the meanings indicated: HOST —Computer or other device connected to a network. PRIVATE NETWORK — A network secured from external access £rom other networks and the Internet. REMOTE ACCESS —All present and £uture methods by which hosts connect to the CCBCC's private network, such as dial-uq VPN, PC Anywhere, etc. TRUSTED NETWORK — A system that has [he necessary controls to ensure that security policies will not be compromised. UN -TRUSTED NETWORK — A system with no verifiable security controls that would present a security risk to the CCBCC network. VPN (Virtual Private Network) — An encrypted connection to the CCBCC network via the Internet. § 54113-6. Currency. The Information Technology Department is responsible for maintaining the currency of this Instruction. 5403:3 00 - is - z000 GAO 'THIRD PARTY ACCESS POLICY CMA 5403 Attachment 7 Collier County Government Third Party N¢tworK Access Agreement I, ,agree I will not use my network access xo the Collier County network in any manner inconsistent with the work I am contracted to perform. This includes only accessing information systems or data files required in the performance of my work. I agree to notify the appropriate Collier County contact o£ all accesses and details of actions or modi£catior�s which i have performed on systems while connected. I further affirm that [ have read and agree to abide by the Collier County End User Computing Policy end Remote Access Policy as providetl to me. I also agree to notify the Information Tecfinology Department as soon as network access is no longer required so my access can be removed. I understand that violation of any of these policies could lead to loss of access, termination of vendor or contractor status, or prosecution under the applicable statute. I understand that vendor access is restricted to the hours of 8:00 a.m. to 5:00 p.m. Collier County local time, unless otherwise agreed to and noted on this agreement. Printed Nama Signature Date CMA 5403 Attachment 1:1 os -is -zoos CAO CMA 3403 COMPUTER/I'ECHNOLOGY USE [ElTective Date: June 10, 1999 (Revised: December 1, 20005 Revised: February 12, 2001; Revised: October 1, 2001; Revised: October 1, 2003; Revised: May 30, 20095 Revis¢d: June 11, 2004; Revised: January 1, 2003; Revised: April 1, 20065 Revis¢d: July I, 2009; I2¢viaed: December 16, 2009; Revised: March 18, 2011)] § 3403-1. Purpose. A. The goal of this instruction is [o ensure the integrity, proper operation and security o£ the County's technology resources by setting rules of conduct for use by all County employees, contract employees, and business partners. B. This instruction applies to the Collier County Boerd of Commissioners Agency's internal business network and associated systems and resources. Tlds instruction does not apply to the Library's public use network, the Transportation Signalization Network, tha Public Utilities Plan[ Control and SCADA Networks, Emergency Management non -IP two way communication systems and their associated systems and resouroes, except where they interface with the Agency's internal business network. C. This instruction sets Forth the Agency's practices and procedures governing the utilization of technology resources and disciplinary recourse for violations. This policy also sets forth guidance for compliance with applicable laws governing the handling o£ specific kinds of data created with or transmitted by network resources. § 3403-2. DeFanitions. A. AUTHORIZED ADMINISTRATIVE STAFF — IT staff and other staff authorized by the Director, Information Technology Department who have elevated privileges and access rights for the purpose. of maintaining network resources and services. B. BUSINESS PARTNERS — any person no[ directly employed by the Board of County Commissioners who is authorized to utilize County technology resources. Examples of business partners would include, but not be limited to: vendors, contractors, and advisory board members. C. DATA —Information stored by technology assets, or transmitted from or through the network. D. DATA CUSTODIANS -Staff with the authority for acquiring, creating, and maintaining data within their assigned area of control. E. INAPPROPRIATE CONTENT -Conten[ [hat is Fraudulent, harassing, embarrassing, sexually explicit, profane, obscene, intimidating, defamatory, or contains sexual comments, obscenities, nudity, pornography, abusive or degrading language, antisocial behavior, or inappropriate comments concerning race, color, religion, sex, national origin, marital status, or disability or is otherwise unlawful is inappropriate for the workplace and may not be sent by e-mail or other Form of electronic communication or displayed on County computers or stored in the County's systems. F. LIMITED NON -BUSINESS USE —Use of the County's technology assets that does not impact employee productivity and complies with all other aspects o£this policy. Page 1 of 11 �0 CMA 5405 G. NETWORK —The data, voice, and multimedia communication system made up o£ devices (switches /routers /firewalls end the like), wires, fiber optics, jacks, access points (physical and wireless), software and services. H. NETWORK RESOURCES —Any services which may be accessed through the Collier County network. Examples include, but are not limited to: software applications, a -mail, data, Telecommunications, the 800 MHz Public Safety Radio System, and lntemet resources accessed from or through the network. I. REGULATED DATA —data that requires special handling due to statutes, regulations or agency policies. At this time, regulated data includes, but not limited to: Protected Health In{ormation <PHI) protected under HIPAA rules and statutes, Payment Card Industry (PCI) and other perso�l financial information <PFI) (e.g. credit card and bank account numbers) and personal identifying information (Pll) (e.g. social security numbers), addresses and names of judges and law enforcement ofTicials, and other data exempted From the State o£ Florida's Public Records Laws by statute. I. SLATE — a form £actor £or a computing device that meets the following criteria: 1. Does not run Windows operating system as its base operating system, and 2. Uses "touch" as its primary mode of user interface. K. TECHNOLOGY ASSETS —any devices owned by Collicr County [hat are pan o£ or used for data or voice communications. Examples inclutle, but are not limited to: computers, network switches and routers, servers, databases, personal data assistants, smart phones, cellular air cards, printers, telephones, 800 MHz radios, and associated software and accessories. L. TECHNOLOGY RESOURCES —includes all of the following: TECHNOLOGY ASSETS, inFonnatioNdata stored or in transit, the County's private data network, NETWORK RESOURCES, and all resources and services associated with other networks accessed from or through the County network, including the Internet, Internet Services, and other agencies' or corporate networks and services. M. USER —Inclusively, staff; elected /appointed o{ficials, and/or business partners authorized to use County technology resources. § 5405-3. Concept. A. Compliance: I) This policy applies to alt users of Collier County technology assets, network and/or network resources including authorized administrative staf{except when utilizing properly authorized elevated privileges or access rights in the discharge of their duties. a. Authorized administrative staff's use o£ elevated privileges is governed by IT Department policies. b. Employee violations will be assessed and disciplinary actions will be governed by CMA 5351 —Discipline, and CMA 5371.1 -Standards o£Conduct. c. Business partner violations will be subject to loss of the use of technology assets, network and/or network resources and contractual sanctions. Page 2 of 11 C9p CMA 5405 2) Because of the interdependent nature of network and communications systems, interruptions of service can have a broad impact with the potential for large adverse financial consequences or impact to health and safety. Loss of technology resources and/or misuse of network resources can cause financial damage to the County, the taxpayers of Collier County, and those who depend on County services, therefore, these resources must be protected. As such, violations of this policy may unduly expose the network to intended or unintended risks, which may or may not result in actual losses. a. Department Directors are required to consult with the Director, Information Technology when assessing penalties For violations of this policy. b. The severity o£ infractions will be assessed by the Director, Information Technology who will forward arisk /threat assessment to the supervising Department Director for use in making recommendations for disciplinary actions in accordance with CMA 5351 -Discipline. c. The Human Resources department will advise Department Directors in order to ensure consistency in the handling of employee violations of this policy. 3) Collier County, at its discretion, reserves the right to monitor any use of network resources, to monitor computer and interne[ usage, including, but not limited to: sites visited, searches conducted, information uploaded or downloaded and to access, retrieve and delete any data stored in, created, received, or sent over the network or using network resources £or any reason and without the permission or prior knowledge of any user. Collier County may monitor [he use o£ technology assets, content of electronic communications and the usage o£ network resources to support operational, maintenance, auditing, security, disciplinary, and investigative activities. 4) County employees and authorized business partners using County owned technology or network resources have no right or expectation of personal privacy For any voice communications, e-mails, Internet searches, intemet sites visited, or data stored in, created by, received with, or transmitted using technology resources. Use of passwords or other security measures, whether mandatory or voluntary, does not in any way diminish Collier County's rights or create any privacy rights of users. Collier County has administrative tools that permit it to monitor all activities on the network end access all data stored within technology resources. 5) All Collier County employees and business partners who have access to technology assets and/or network resources must affirm that they have read and understood ell applicable policies annually. B. User Responsibility: 1) Authorized network users are responsible to ensure that network resources are used only for their intended purposes. a. Except for services intended £or use by the public (kiosks, terminals and public wireless services) technology assets, technology resources, network resources, the network and data are intended exclusively for the use of authorized employees and business partners only. Pegc 3 of L 1 C10 CMA 5405 b. Technology assets, technology resources, network resources, the networK and data are the property of Collier County Government. Collier County provides these systems to be used For County business purposes, although limited non -business use is permitted. All communications and date transmitted by, received from, passed through, or stored in these systems are the exclusive property o£ Collier County. At all times, employees and authorized business partners have the responsib311ty to use these resources in a professional, ethical, and lawful manner. c. Use of technology and network resources is a privilege that may be monitored, restricted or revoked at any time. Collier County reserves the right to revoke the privileges of any user at any time. d. Conduct that interferes with the normal and proper operation o£ Collier County's network or networK resources, which adversely affects [he performance of the network or the ability of others to use the networK or networK resources or, which is harmful or offensive to others will not be permitted. Such actions may subject employees to disciplinary action in accordance with CMA 5351 -Discipline. Such actions by business partners may result in the loss of network privileges and/or contractual sanctions. e. The Directoy Information Technology can authorize actions to remediate networK or application performance problems during an incident where networK or application performance has been adversely affected. f. A user may not use the County network or technology assets [o connect to or maKe use of other computer systems unless speciFically authorized to do so by the operators of those systems. g. Because network and data security are dependent upon physical security, all Collier County employees have a responsibility to ensure that only authorized employees and/or business partners or properly escorted visitors have access to areas where networK access is available and that only authorized employees have access to secure spaces where network resources are located. 2) Staff and authorized business partners are issued credentials (user name and password) for accessing tine network and network resources. Users are responsible £or periodically changing their passwords and safeguarding their passwords. a. Users are responsible for all transactions made using their credentials. b. Users are responsible for protecting the confidentiality of their credentials and are prohibited from sharing their credentials with anyone. c. Users shall not leave their computers unattended while their account is logged in without first locking the computer, using the Windows "Lock Computer" functionality. d. User passwords for County networK accounts or passwords For County application / system access may not be printed or stored online in any file, database or Internet service. It is the user's responsibility to safeguard their password. If a user suspects for any reason that their password may have been compromised, they must immediately change i[. e. No user may access the network or network resources with another user's credentials. If access to another user's account is required, access can be granted by the IT Service Desk upon request from the user's manager. f. All network access muse be accomplished by user specific credentials, and as a normal course of business, generic or "shared" networK accounts are not issued. In special cases the IT Service Desk Manager can authorize the use of shared accounts with proper authorization from tfie users' management under circumstances where Page 4 of 11 C90 c1tzA saos individual accounts can't adequately meet business needs and their use will not compromise identity integrity and auditing. g. Misrepresenting, obscuring, suppressing, or replacing a user's identity on the network is forbidden. The user name, e-mail address, County off kation, and related information included with electronic messages or postings shall reflect the actual originator of all messages or postings. 3J NetworK Security a. Users shall report any suspicion of violations o£ any provision o£ this policy to their supervisor or the Information Technology Department Service Desk. Users shall notify the Service Desk of any instances where they observe or have reason to believe that data is inappropriately accessible to employees, [he public, or business partners. b. Users shall promptly report all information security alerts, warnings, suspected system vulnerabilities, etc. to [he IT Service Desk. c. Vsers shall not exploit Inadvertent rights oc deficiencies In information Systems security to damage systems or data, obtain resources beyond those to which they have been authorized, or to obtain or Sake resources away from other users or gain access to other systems for which proper authorization has not been granted. d. Users who receive virus alerts or notice unusual system behavior, such as missing files, frequent system crashes, misrouted messages, eic., should immediately notify the IT Service Desk. To prevent possible damage to Collier County data, technology assets and network resources, users are not permitted to remove viruses on their own. I£ users believe they may have been the victim of a virus or other malicious sdftware, they must immediately inform the IT Service Desk. e. In order to ensure that virus signatures, patches and security software are up m date, any workstations or portable computers that have not been updated within 30 days will be removed from the network. Updates occur upon login. Action by the IT Service Desk will be required to restore connectivity. 4) Inappropriate Use a. lntemet browsing an websites with inappropriate content is prohibited. Use of the Internet will be monitored and corrective actions will be taken by the user's department, in coordination with Human Resources and Information Technology. b. Except for employee services administered on the County's Intranet by the Human Resources Deparunent, Collier County's technology assets, network and network resources may not be used for dissemination or storage of commercial or personal advertisements, solicitations, promotions, political material, inappropriate cont¢nt or any unauthorized use deemed inappropriate. c. Users are not permitted to store, download or transmit copyrighted materials with network resources unless written permission has been granted. Examples of copyrighted materials include, but are not limited to: commercial music, video, graphics, or other intellectual property. Collier County will not provide a defense for violators of copyrights. Collier County allows reproduction of copyrighted material only to the extent legally considered "£air use" or with the permission of the author/owner. All doubt about whether software or other material is copyrighted, proprietary, or otherwise inappropriate for duplication should be resolved in favor of not duplicating such information. d. Users are not permitted to make any defamatory statements using network resources. Pagc 5 of 11 7 O CMA 5405 e. County F.tnployees are not permitted to subscribe to information services without the approval o£ Chair supervisor. f. Users are not permitted to capture, store or create digitized images of signatures (other than their own) or attach or affix a digitized image of a signature (other than their own) to any tlocument or a -mail or use such image of a signature in any way that could be interpreted as representing information as being originated, approved, or sanctioned by another person without the express permission of the signatory. C. Business Partners. 1) Bmployees are responsible to ensure that business partners requiring access to the network or network resources are properly authorized. Business partner accounts will be issued on a monthly basis and will expire on the last day of each month. Employees are responsible for requesting extension o£ business partner accounts i£ required. Generic business partner accounts will not be issued. All business partner accounts must be issued in the name of the user. 2) Any business partner requiring access to the network or network resources must complete the Third Party Use Agreements, file them with the IT Department, and maintain compliance with [he terms o£ that agreement. 3) Once granted access, business partners must comply with this policy in its entirety. Business partner violations of this policy may result in loss o£ access and purchasing sanctions. D. E-mail i) All a -mails entering or leaving the County's email system are duplicated and retained in an administrative mailbox in addition to each user's mailbox. As such, users are free to delete e- mails from their mailbox when their usefulness to the user has ended. However, if the user would like furore access to such e-mails, [hey should retain them. At the designated time, all e-mail in Outlook will be archived. At this time, a -mails are never deleted {rom the archive. 2) BCC staff are required to use the county email system and only the county email system £or county business. Use of extemel email systems compromise the Agency's ability to execute complete public records requests. 3) Users shall not send unsolicited/non-business a -mail to persons without their consent. Chain letters or other non -business relatetl use of network resources is prohibited. 0.) Mass e -mailing For business purposes must be coordinated with the IT Service Desk. Nom business related mass e -mailing is prohibited. 5) The use of the "Subscribers" and "BCC -Agency" distribution lists are restricted to department directors, division administrators and the County Manager's ofiEice. 6) Tampering, forging, or altering a -mail identity information is prohibited. Sending an a -mail which in any way appears as though it was sent by someone else (who ditl not send it) is prohibited. Pegc 6 of 11 C� CMA 5405 ']) InappropHate content may not be sent by a -mail or other form of electronic communication or displayed on or stored in the County's computers. Any message received that contains intimidating, hostile, offensive or inappropriate content should be reported immediately to management so that appropriate measures can be taken. 8) Users must not originate or £onward any a -mails with inappropriate content as de£ned in section 2CE) and 3(D)6. Reference CMA 5311.1 (Standards of Conduct). 9) Users receiving o -mail messages with inappropriate content as defined in section 2(E) or 3(D)6 must immediately notify their supervisor, manager, or department director. Reference CMA 5371.1 (Standards o£Conduct). a. The following information must be provided: (1) the date and time the o -mail was senUreceived; (2) the sender's e-mail address (or, if unavailable, any identifying information); (3) and the subject line. b. Do not forward the o -mail. Once the information specified in Section D.(8)s. is passed on to a supervisor, the e-mail should be deleted. c. Supervisors, managers or directors receiving such reports from their employees shall provide these reports to the HR Generalist for their departmenVdivision. Additionally, if the user reports having received repetitive inappropriate or explicit e- mails from the same external sender, tfiese reports and all supporting documentation should be provided to the IT Service Desk as well as Human Resources. 10) Signatures, tag lines, and background settings should be professional in nature and reflect positively on the County. a. Signatures may contain some or all o£ the fallowing: Name, Agency Name, DepartmenVDivision, Title, Address, Telephone Number, Fax Number, Cell Phone Number, a -mail Address. Colors and fonts other than the default settings are acceptable. b. Tag lines conveying personal, inspirational, or political messages are subject to interpretation and are, therefore, prohibited. Tag lines may contain agency, department or division mottos, mission or vision statements, or logos. o. To portray a professional image, no backgrounds should be used in o -mail settings. E. Hardware/P_quipment: 1) County technology assets, network and network resources are provided as a tool to enhance productivity and perform job duties. Access to County technology assets is a privilege. a. Only devices which are managed by the IT Department are permitted on the Agency's business network. b. The processes and procedures £or purchasing technology are on the Agency's Intranet and updated periodically. [mpropedy purchased technology items may be refused network access. c. The use o£personally owned computing devices is permitted but such devices will be limited to publicaily available websites and interne[ resources. Personally owned computing devices are not managed by the IT Department and are not permitted access to the Agency's business networK. d. SLATE computers may be approved for purchase £or special purpose applications in limited numbers after review and approval by the IT Department. At this time, SLATE computers are not managed by [he IT Department end are not permitted Page 9 of I 1 CMA 5405 access to the Agency's business network, however a list of SLATE computers that can be managed end will be allowed internal network access will be developed and posted on the intranet as they are quali£ed. Special considerations that may apply to the purchase, governance, recurring charges, and use of SLATE devices can be found on the Agency's intranet. 2) Unauthorized Equipment. a. Users may not connect any device to County technology assets or the network. Only authorized administrative employees are permitted to add devices to the network. This prohibition includes, but is not limited to, personal network hubs, routers or switches, wireless access devices, USB hubs, portable computers, smart phones, and storage devices. IT Employees are required to disconnect and remove any such equipment upon discovery. b. Portable storage devices Ilke USB "thumb" drives are permitted £or the transport of non -executable (data) files as long as their use does not require any installable software or cause the installation of software. Executing programs stored on these devices is prohibited. These tlevices shall not be used as primary storage. Transporting regulated data Fles via these devices is prohibited. c. Employees and business partners may not use cameras, cell phone cameras, digital cameras, video camera, or other form of image -recording device in the worKplace without the express permission of the supervising Department Director and o£ each person whose image is recorded. This provision does not apply to employees who must use such devices for business purposes in connection with their positions o£ employment. 3) Users shall not temper with technology assets in any manner. All repairs must be coordinated through the IT Service Desk. a. Users shall not connect or disconnect any technology asset or network resource without prior coordination with and approval from the IT Service Desk. All hardware installations, repairs, moves, additions or changes must be coordinated through the IT Service DesK. b. Users shall not install, deactivate, uninstall or change any settings for any software provided by the County on any technology asset. Software provided includes, but is not limited to, virus detection and correction software, Internet ftltering software, monitoring software, power management settings, screen savers, and agents for software distribution. c. Users are prohibited from setting BIOS passwords. d. Settings in windows that are user accessible (e.g. desktop wallpapeq power management settings, color schemes, etc.) and application settings that are user accessible (e.g. browser Favorites) are not covered under [his Instruction and may be set and personalized by the user, although they may be altered by operating system patches and may or may not be transported in machine replacements. 4) Supervisors have the discretion to allow Collier Cavnty computers to be used by employees at home for County -related work purposes. The restrictions pertaining [o the use of County computers at home will be the same as if they were directly connected ro the County network and aII policies apply. Use o£ County technology assets and network resources are for the exclusive use of avthoriud users only. iT support for home use will be limited to telephone support, or users will be required to bring County equipment to the workplace and will be Page 8 of 11 CAS CMA 5405 provided assistance during business hours. The IT Department does not provide on-site support for home use o£computers. F. Operating System/Software I) Users are prohibited from possessing or distributing computer viruses, spyware, or other malicious software development and/or distribution tools. Users found to be in possession of such soRware may be subject to disciplinary action, including discharge, and possible civil and/or criminal penalties. 2) Users are prohibited from possessing tools commonly used £or gathering technical in£otmation about the network or network resources useful for attempts to hack or breach security. Users found to be in possession of such software may be subject to disciplinary action, including discharge, and possible civil and/or criminal penalties. 3) Installing Software. a. Users ere not permitted to download executable software. b. Users are not permitted to install executable software on IT Assets. The IT Service Desk will assist users with authorized software installs. c. Users with Windows Administrative Rights have been gamed these rights solely to permit them to use software that requires these rights in order to run properly. Users with Windows Admirdstrative Rights are not permitted to install executable software on IT Assets, unless they have an agreement authorized by the Director, Information Technology to do so. d. Users with fully executed "Special Service Level Agreements," which have been paid and are in good standing, are permitted to install the software identified in that agreement on the speciftc IT ASSETS speci£ed within the agreement. 4) License Compliance. a. The IT Department is responsible for the Agency's compliance with certain software license agreements. Users are forbidden from making unauthorized copies of software. Collier County will not provide a defense for violations o£ licensing agreements. b. Collier County allows reproduction of copyrighted material only to the extent legally considered "fair use" or with the permission o£ the author/owner. All doubt about whether software is copyrighted, proprietary, or otherwise inappropriate £or duplication should be resolved in favor of not duplicating such information. c. The IT Department provides license compliance services, however i£ the user prefers not to use IT's compliance service, they shall be responsible £or proper and adequat¢ physical security and protection of software in their possession. A locked Rle cabinet or locked desk drawer should be used to safeguard software. d. Users shall not copy or use County owned software on their personally owned home computers, laptops, or other electronic devices. e. Users shall not provide copies of County owned soRware to any business partneq client, or third person, or perform any other action that would cause non-compliance with any licensing agreement. f. Unlicensed or unauthorized software will be removed immediately upon discovery by [T employees. Staf£ found to be in possession o£ unlicensed or unauthorized software may be subject to disciplinary action, including discharge, and possible civil and/or criminal penalties. Employees who become aware of any misuse o£ software Page 9 of t 1 C1O Cr CMA 5405 or violation of copyright law should immediately report the incident to their immediate supervisor. G. Data Management: 1) Users should be aware that deletion of any data may not truly eliminate She information from systems. Most data is stored in a central back-up system in the normal course of data management. 2) In order to protect overall network performance, [he Coumty reserves the right to repriori[ize and/or apply size limitations on data stored in or transmitted over the network. The County reserves the right to disconnect or otherwise manage circuits during incidents which jeopardize network performance. 3) Users may not access or alter in any manner data that is not involved in the execution o£ their job functions. e. Users are no[ perrnitted to access, modify, delete, and/or utilize date, which they may have access to, for any purpose except their job duties, Collier County business objectives, or business practices. b. Users shall utilize information that they are authorized to access only for the specific purposes for which it is intended. c. Except for authorized public records searches and special investigations, data and communications (e.g. e-mail and voice communications) shall be treated as confidential and accessed only by the intended custodiaNrecipient(s). Users are strictly prohibited from accessing any data or communications to which they are not intended to have access or are not the intended recipient. 4) No user may encrypt data for transmission over or storage on network resources without written permission from the Director, Information Technology. The system and metfiods required to encrypt and decrypt data must be approved by the Information Technology Department If the encryption method relies on secret keys, the Information Technology Department must manage the storage and security of such encryption keys. The Information Technology Departrttent has methods in place to store secret keys securely, assuring the secrecy of encryption keys and the ability to decrypt data. If encrypted data is discovered, tfie data owner must provide clear texVunencrypted data along with the encryption system and secret keys to the Director, Information Technology upon request. 5) Regulated Data. a. Generally, all data and records created, stored, sent, or received on the Collier County network end network resources are public records except those exempted in Chapter 119 and 435.09 of the Florida Statutes or in any other applicable laws. Protected Health Information (PHI) protected under HIPAA rules and statutes as well as Payment Card industry (PCI) data, personal Financial infottnation <PFI) (e. g. credit card and bank account numbers) and personal identifying information (PII) (e. g. social security numbers) are specifically excluded from the public record. b. Based on the content o£ data, statutes and/or agency policies may apply to the proper handling. It is the responsibility of the user to know the statutes/policies/rules that govern the handling of the regulated data to which they have access and to act in accordance with [he applicable statutes/rules. Employees should consult with the Page I O of I 1 CMA 5405 County Attorney's Office to resolve any questions regarding proper legal handling o£ data. The data custodian shall be responsible to inform [he Director, Information Tecfinology of any regulated data that is collected or stored in any network resources so that i[ may be handled appropriately. The County has taken measures to ensure the confidentiality, integrity and availability of sensitive information, including PHI, PFI, and PII and that access to sensitive information is restricted to authorized users. Users must take steps to minimize the possibility of unauthorized access including, but not limited to, making sure that the position of their monitor is not subject to unauthorized viewing, not leaving regulated data on an unattended computer screen, and, proper custodianship of printouts. Regulated data shall not be stored on any computer's local storage or any other type o£ portable storage device. Regu]ated data shall never be stored on a portable computer. Any inadvertent access o£ regulated data by users who shoultl not have access must be reported to the Director, Information Technology. c. Users shall not make copies of regulated data, encryption keys, or secure (encrypted) data in its clear text (unencryp[ed) state. The approval o£ the Director, Information Technology is required if it becomes necessary to make a copy or replicate regulated or encrypted data. This includes storing such data in documents, data warehouses, secondary databases, portable computers, or portable storage devices. H. Social Media Services: Internet based social media services (SMS) (e.g. Facebook, Twitter, MySpace) accounts may be authorized for agency or departmental promotion, outreach, or other public relations purposes and must be authorized by the County Manager's Office. All use of social media must comply with the provisions set forth in CMA 1200, Media end Public Relations. Upon approval, a request £or access must be submitted to IT by the Department Director. IT will provide approved site owners with the tools and instructions to archive their information £or compliance with Public Records statutes and agency procedures. Each department is responsible £or the proper archiving and retention o£social media records. § 5405-4. Currency. The Information Technology Department is responsible for the currency of this policy. Page 11 of / 1 Agreement to the terms. conditions and restrictions of CMA 5405 ATTESTATION: I hereby attest [hat I have read and understand CMA 5405, Computer /Technology Usc, dated Marchl8, 2011 and agree to be bound by its terms. Printed Witnessed by (manager): CAO CMA # 5406 COMPUTER SOFTWARE LICENSE CONTROL § 5406-1. Purpoaa. § 5406-3. Practice. § 5406-2. Concept. § 5406-4. Currency. (Effective Date: November 5, 2003 (Revised May 1, 2004) § 5406-1. Purpose. The purpose of this policy is to ensure all software license agreements are strictly followed and enforced in a fiscally responsible manner. § 5406-2. Concept. Vendors and soRware companies regulate use of their products tlu�ough license agreements. When software is purchased, the agreement establishes whether i[ is licensed by machine, by user, or by a maximum number of users who can access [he software at any given point in time. Licenses for major sottwa'e installations can be very cosily and must be managed and controlled to assure that all employees who need to use the system can do so, the number o£ licenses is within the number purchased by Collier County, and that licenses are not issued to employees who do not access the system. § 5406-3. Practice. The County's Information Technology Department is responsible for installing ail computer software and, therefotre, maintaining control over all software licenses. Software licenses are customarily nontransferable; therefore, all licenses shall be registered in the name of the agency (not the department or the individual employee). The authority for distributing and assigning user licenses for softwaro programs will be as follows: A. Boxed/Off-the-Shelf Software: Owned by the department that makes the purchase and distributed as per the department's direction; off-the-shelf software is licensed to a single user or machine, will be installed by the Information Technology Department in accordance with the licetsse agreement, and can only be moved i£ it is first removed from one machine and reinstalled on another. B. Multi -User License/Single Department Purchase: Owned by the department that makes the purchase; licenses will be assigned and reassigned by the Information Tecfivology Department as per owner department direction. C. Multi -User License/Nluld-Department or Cross -Agency Purchase: When purchases of this type are made, ownership is generally assigned to the agency. License distribution shall be controlled and monitored by She Information Technology Department in accordance with direction from the County Manager and/or user departments. License allocation will be determined at the time of purchase and additional licenses will be 5406: I oo - is -soon CAD OFFICE OF COVNTY MANAGER ADMINISTRATIVE § 5406-3 PROCEDURE § 5406-4 purchased by departments that determine a later need. The IT Department retains the right to recapture and redistribute unused licenses and licenses {ram users who consistently do not access the system during a speciRed period (not less than three months). When this becomes necessary to avoid purchasing adtli[ional licenses or avoid costly fines for usage exceeding license limits, IT witl c ordinate with department heads and, i{ necessary, will provide £air value in return to retain the integrity o{ the £und that acquired the licenses. D. Other: Any licensing schemes or structures not mentioned above will be handled in accordance with the respective license agreements and in coordination with [he department making the initial purchase. § 5406-4. Currency. The Information Technology Department is responsible for the currency o{ this policy in accordance with CMA Instruction 5405, Section 204:2 Prohibited Activities, 5, Misuse a£ Sottwarc. $406:2 09 - 15 - 3DD0 CAO CMA # 5905 RESTRICTED NETWORK ACCESS AGREEMENT § 5905-1. Purpose. § 5905-3. Guidelines. § 5905-2. Definitions. § 5905-4. Currency. [EffeMlve Date: April 1, 2006] $ 591/5-1. Purpose. The purpose of this form is to document the agreement of Collier County non -employees who have been granted network accounts and permission to access the Collier County Data Network using only County workstations. § 5905-2. Definitions. As used in this CMA, the following terms shall have the meanings indicated: COUNTY DATA NETWORK —Availability restricted to those individuals granted special permission and who can only access the network From County workstations. COUNTY DATA SERVICES —Unrestricted availability for those individuals using Internet access from any workstation. $ 5905-3. Guidelines. A. Access Description. The undersigned user is granted restricted access to the Collier County Data Network resources and applications. Access is limited to only using a Collier County owned and maintained workstation. Access from other workstations is restricted to those services accessible using the Internet. B. Agreement Acknowledgement Form. Users Printed Name: User's Title: User's Telephone Number: User's Office and Location: I have read [he Collier County End User Computing Policy, and understand and accept the responsibilities as described therein. I also understand that misuse of CounTy resources will be cause For system privilege revocation, as well as possible criminal or civil penalties as provided by law. 5905:1 os - u - soov OFFICE OF COUNTY MANAGER ADMINISTRATIVE § 59053 PROCEDURE § 5905-4 I agree that I have no expectations of privacy with regards to any information entered into or passed through the County's Data Network. Any such information will be subject to Fioridas statutes regarding public records unless speci£cally exempted. I also agree [o promptly report any violations or suspected violations o{ information security policies to the Information Technology Department. User Signature: Date: For the Collier County IT Department: Date: § 5905-4. Currency. The Information Security Manager (ISM) is responsible £or maintaining the currency of this document. Contents will be reviewed on an annual basis, or sooner when situations warrant that review and possible changes are necessary. 5905:2 09 - is - zoov X40 CMA # 5905 MEDIA REUSE OR REPLACEMENT POLICY § 5908-L Pvrpoae. § 59083. Guidelines. § 5908-2. Definitions. § 5908-9. Currency. �EYfectivev Aprit 1, 2006 § 59084. Purpose. This policy describes how each area of the IT Department will implement appropriate procedures for managing devices used to store electronic data. The purpose of [his policy is [o improve Collier County`s ability to protect electronically scored data using the various devices and media used by the Collier County IT Department. $ 5908-2. DeRnitlons. As used in this CMA, [he fallowing terms shall have the meanings indicated: COiINTY ASSETS —Collier County's electronic informaxion and data, in all its forms, is an asset of Collier County government Throughout its life cycle, County data must be protected to comply with the policies o{ the Collier County BCC and meet the requirements of state and federal laws, such as the Health Insurance Portability and Accouniabiiiiy Act (HIPAA). ELECTRONIC MEDIA —This policy and related procedures apply to the hard drives, storage systems, removable disks, floppy drives, CD-ROMs, PCMCIA cards, memory sticks, and all other forms of removable, electronic media and storage devices. § 5908-3. Guidelines. The Collier County IT Department's Operetions Group will develop procedures and controls for protecting data that is electronically stored on devices or media under its control. At a minimum, these procedures will include the {ollowing measures: A. Prior to destroying or disposing of any storage device or removable media, steps must be taken to ensure Chat [he device or media does not contain electronic protected health information (EPHI). B. If [he device or media contains the only copy o£ EPHI required or needed, a retrievable copy of the EPHI must be made prior to disposal. C. I£ the device or media contains EPHI that is no longer required or needed, and is not a unique copy, a data destruction tool must be used to destroy data stored on the device or media prior to disposal. Atypical reformat is not sufficient since i[ does not overwrite the existing data. 5908: i 09 - 15 - ]AO] CAS OFFICE OF COUNTY MANAGER ADMINISTRATIVE § 5908-3 PROCEDURE § 5908-4 D. if removable media is used for [he purpose o£ system backups and disaster recovery, and the aforementioned removable media is stored and transported in a secured environment, the use o£ a data destruction tool is not necessary. E. When storage devices and removable media ere used to transport EPHI, a procedure must be implemented to track and maintain the movement of these devices and media, and list the individuals trosponsible for the devices and media during their movement. § 5908-4. Currency. The Information Security Manager (ISM) is responsible £or maintaining the currency of this document Contents will be reviewed on an annual basis, or sooner when situations warrant that review and possible changes are necessary. 5908:2 os - � s - zoao �� 9. Change Management 8: Change Advisory Boartl GAO IT Customer Portal -Change Management Page 1 oF2 SharePoint OrcegaAnnia- $' ? IT Custom¢I' Pottal r Search this site }T- L____ Change Management ea¢kgrnnne CIt»nge management has be¢n In place since 208> for tb¢ Information Technology Department. It is using an In-house, t¢mporary application Io log requests for change that was M be rcpla<etl by an in[egratetl system in 2008/2009. There is a n nitiative [o replace the temporary application with the MI<rosof[ Service Manager product The change management application can b¢ installeA by the IT Service Desk at xd888. • Reque s for changes submitted v this temporflry application by [M1e usm(s) that are Involved with plan ng and implementing the Manges The appli o[ion Is ztmight-forward and has bWlt-in 6¢Ip to a is[ user's with submitting ffieir requests for changes • Depending on [M1e type of requesC [Nene may or may not be a w by the Change Advisory 8oartl (CAB) antl IT Management. Wban Htese reviews ar¢ necessary will be descAbed later in this procedure. Cbanga Types The following types of regnests for change have been implemented in the t mporary appllw[lon: • Emergency - Urgent . Logging • Minor/M jor The purapos of [his change r¢quest type Is to collect minimal informatlan related [o ane ergency change. Emergency changes a definetl caber ritical systems ands available antl a change Is needed with little o coordlnatbn and c unI<atlon. Emergency changes shaultl be zoUated to a issue antl work order Since most a ¢rgency chan9¢s a done wl<h litd¢ [ short notic¢. [M1e form is sed m re to document [hat a [hange made to a system. The only items that need Co be entered a when tb¢ change made, the work ord¢r number, and a d¢scriptlon of [M1e change. The username and date that [be farm was zubmit[¢d is captured b¢M1ind the £mmp(az of Emerg¢ncy C/rpnges: File and print server locked up and customers c o[ print Exchange no[ functioning, and r¢qulres a rebootn Network equipment failure with no re<fundancy in place In ost cases, a ergenry change requests are filled oul after [he event The Change Ativisory 8oartl (CAB) does not r¢view emergency change requests pAor to imnlememadon. urgene Urgen changes re the same a minor/majo changes cept fur the approval t Urgent changes of emergen s but normally eed io be doneain a Furry duesto political reasons, such as consultant avallablllty, possible hartlware failure, or simply tlue to scheduling Ewvmples o/Urgent C/wnges: TM1e County Manager wants a prndu<'t rolleA out to all desktops by the end of [be week A ven<lar can be on-site ahead of schedule [o implement a blgM1 prlwity moAlfication http://bccsp02/sites/ITCP/W ilei%20Pages/Change%20Management.aspx OS/11/76 IT Customer Portal -Change Management Page 2 of 2 Urgent [hangas typically require [he approval of the IT Dbecrvr and/or hlz designee,. and typically origlnata under the direction of the IT Direc[oc Since there Is no lead time for this type of request, the Change AtlNsory Board (CAB) does not reNew urgent change requests prior to nplementatlon. b991n9 Many changes r¢pathive and do not need to pass through the formal Change Advisory Board approval proc s Chey hav¢ been pre - approved These changes still should be logged using [he normal process t0 document antl schedule IM1e changes The primary goal of logging [M1eza pre -approved changes la [o minimize scbetlWing congicts. The log will also provide an audiC trail of changes made tU systems E rnpfes oI Logging Chonycx Adding pr oy or storage to an existing virtual machine Deploying upda<e patches Logging changes are typically no[ reviewed by [he Change Advisory Board (CAe) prior to implementation. Minor/MajoY Minor/mato changes follow the standard prose. nd should he submittetl two weeks in advance of the actual Implementation of [he change These changes need [o l>e properly communicated and coordlnateA with other changes. Minor/major changes require assessment and approval by [he Change AtlNzory Board (CAB). Cbenge AtlWaory BOerd (CAB) The Change Advisory Board (CAB) is [he 9overnl^9 body responsible for assessing the request for changes in terms of risks, Impacts and scheduling conflicts Curtently [he agency is s[rvggling with the appropriate roles and responsibili<ies of [he Change Advisory Board (CAB) In 11¢u Of several other nlasing Infonnatlon T¢chnolo9y Infrasbuctm'e Library (ITII) dnpendendes uch a onflguraUon m 'ragem It databasn antl a s nn cablog. TM1iz snugflla will he cackled Ihrougb an iterative proc z In wFicF the ChaHge Advimry Board (CAB) will deFlne its roles and c respanslbilitles fmm a core then build upon thn core througM1 a trial and ¢rrar procoss. Chonga Advisory Boats (CAa) menrhers ore. • Agency Applications (Geordi George) • Opara[ions (Mark FOwski) • Pr jest Management {RichaN Badge) • Service Desk (Shaun Pmnam) CAB Reaponsibllltles The Change AdviSUry BUaM fCABI respOn51611ities are t0 ensure: Idendfica[lon of risks a oclafed with the implementation of the change Identi0catlon of Impacts to zeMces when [he change is Implemented CAB Maatinga TM1e Change Advisory Boartl fCAB) meats weekly to review and approve requesks for [Nangex Tbey currently meet On Tuesday at 8:3a em. TO allow the Change Advisory Boartl (CAB) m mbeR enough time to /evl¢w the rnqueztz for <Ilangas it must ba submitted by Monday 12:96 pm. TM1e Change AdWsoy Boartl (CAB) may defer requests t0 [ba next meeting if Cbe submittal deadline Iz not me[. CAS ht[p://bccsp02/siTes/ITCP/W iki%20Pages/Change % 20Management.aspx 08/ 1 1 / 16 10. Enterprise in citl ents �O iT Customer Portal -Enterprise Incidents Page 1 oP4 IT Custom¢r Portal Enterprise Incidents Revision History: (5 July 20t 7) Purpesa: Explain how fo report and document an Enterprise Incident (EI) per the associated Enterprise Incident Policy. Procedure: 1. Open MS SCSM 2. Highlight your Groups Work Order queue. (BCC -IT -Applications Analyst Work Orders/ BCC-IT-O¢v/GIS Work Ortl¢rs/ BCC -IT -Network Administramr Work Orders/ BCC-IT-S¢rvic¢ Oesk Work Orders) iU' syswm eGneur �v'arNcrr rwer.oper cavae SIS ,t Ortlam m�uvio,< rr� y n 1:] i - � ara ortlara Jrr - 1�oeG-R-Sawrm oeie�Wgrkwnaea tilJc I{3 r e. alts « .. e.u: 3. Right Click your Groups queue ee sel¢<t "Create Incident". This will open a New Work Order. .� �.:..�...�.. urw..:V ...v <a rM !--« ...-r ir�lw�li�tr�l 4. ATf¢ct¢d Uz¢r: Enter (Last name), if known. If not, ent¢r your nam¢. an«uc....r. < � "xenad � L- n Ln neu.:cwn _.. 5. Title: Use first line of EI T¢mplate (Issue). �9 ht[p://spl6/sites/ITCP/V✓iki%20Pages/Enterprise^/a20incidents.aspx 08/17/17 O IT Customer Portal - Enterprise dncidents Page 2 of 4 t. Issur. Description of what Issue is 2. Current Status: Duwn/ Intermite nt/ Up/ Resolvetl 3. ImpacT: Who Is Impacted by [his Issue 4. Roo[ cause: Explanation of What the Cause is (EI c io[ be Closed without Root Gause being Identified. tf not be found, you will need your Manager's AV Proval to Close EIJ 5. AcHone Actions taken [o Resolve Issue (NeeA to include Immediate, a well as the Root Cause f -ix. If I�Q Rool Cauz¢ Fix c n be Identified, you will n ed your Manayer's Approval to Close EL) 6. Notification: How were you Notified; User/ Monitoring Teols/ etc 7. Respensibla: LEAD B. Priority: High/ Medium/ Low 9. Original Data tY Tlme: MM/DD/YY, HH:MM AM/ PM 10. Resolution Oata St Time: MM/OD/VV, HH:MM AM/ PM l 1. Number of Users Impacted: Estimated n tuber of Users Impac[¢tl f 2. Total Tima Down: Total Down Time for Issue, HH:MM 13. Total User Hours Oown: Number of Users Dawn •Total Time for Issue Oescriptien: Contains ALL information from EI Templet¢. (Copy FY Paste EI Template info Description Field) t. If you are not sure of Information, leave that line 81ank. It can be updated later. rnla:• __ El � [TTUC <ityviaw oocumenis not pflntin5l DescdPtiom Issue: Utyview tlocuments not printing Cvnent SLaNs: Completco Imp9cc CltyYaw u5lrs 7. Classification Category. You will Only use those listed under "Enterprise Incident". These are the Possible Causes, no[ the Actual Issue. t. If Classification Is Unknown, use EI -Unknown. It can be changetl later with updates. 8. Source This is for How You Were Matl¢ Aware of the Incident; Phone, Instant Messenger, Emall, In Person (Walk - In), Reporting Tools (Configuration Manager, Operations Maneg¢r, et<) u v,.emn - r8sv 9. ImPecb http://sp 16/sites/ITCP/Wiki^/o20Pages/Enterprise%20Incidents.aspx 08/17/17 � � _ 8. Source This is for How You Were Matl¢ Aware of the Incident; Phone, Instant Messenger, Emall, In Person (Walk - In), Reporting Tools (Configuration Manager, Operations Maneg¢r, et<) u v,.emn - r8sv 9. ImPecb http://sp 16/sites/ITCP/Wiki^/o20Pages/Enterprise%20Incidents.aspx 08/17/17 IT Customer Portal -Enterprise Incidents Page 3 of 4 1. Low is l person. By Definition, an EI has fo affect More than t person. 2. Medium, Up to t oepartmen( is affected. 3. High, More than 1 Department is affectetl. r..c..c- t0. urgency: n, w..rr t. Low, Users ar¢ still able to function, with No Loss of Productivity. 2. M¢dium, Slight to Moderate Impact to productivity. kwar.w ea 3. X{gh. Affected users are unable to perform duties/ functions. y -} 1 g-� �_ �.. uWw�w., - n u..�r- un.n.r.' rm.,n uuium - rie¢...� - a l t Support Group: This needs to be the IT Group you belong Io_ t. Applications Analysis -Apps Supporq Developers - Dev Supporq Network Administrators - Network Admins, Service Desk -Service Desk t 2. Assigned To: This is [he iT Person responsible (yourself), unless entering fors meone else 13. Primary Owner: Same as Assign¢d To. Can also b¢ any BCC Employee, who may be involved wish resolving (Aaron Cromer, Jemes Price, et0. >yyy..y r..c..c- a..•ww.. n, w..rr si.edm _ _... erawa a s�owao,e.q. kwar.w ea *.N+.ae...� y -} 1 g-� �_ t 2. Assigned To: This is [he iT Person responsible (yourself), unless entering fors meone else 13. Primary Owner: Same as Assign¢d To. Can also b¢ any BCC Employee, who may be involved wish resolving (Aaron Cromer, Jemes Price, et0. l4. Updates 8< ReselW ng: When updating She information, uptlate the information in the Oascrip[ien. This is what displays for reports. 1. You can enter other information in the Action Log "Comments' Section. 2. Vou will also need to send this Information to the 5¢rvice Desk, so that the EI Announcement can be updated as well. Cp0 h[tp://sp 16/sites/ITCP/Wilci % 20Pages/Enterprise % 20Incidents.aspx 08/17/17 >yyy..y r..c..c- a..•ww.. n, w..rr si.edm _ _... erawa a s�owao,e.q. kwar.w ea *.N+.ae...� l4. Updates 8< ReselW ng: When updating She information, uptlate the information in the Oascrip[ien. This is what displays for reports. 1. You can enter other information in the Action Log "Comments' Section. 2. Vou will also need to send this Information to the 5¢rvice Desk, so that the EI Announcement can be updated as well. Cp0 h[tp://sp 16/sites/ITCP/Wilci % 20Pages/Enterprise % 20Incidents.aspx 08/17/17 IT Customer Portal -Enterprise Incidents Page 4 of4 3. When YM1e EI is Resolved, Click on the Resolve Link on tM1e RigFt Side of [Fe Window, enter in Headed information fY forward io the Service Desk, for Closing. t5. Wh¢n forwarding to the Service Desk, Remove your name from the "Assigned To" field, fX change tM1¢ "Support Group" to Service Desk. t6. 5¢nd an email to DL-SyztamOwners notifying everyone [ha[ there is an active EI using tFe following format: 1. Subject: Ent¢rprise In<itlent—/ncideni O¢so(pt[on 2. Body: L Issva: 2. Currenf Sfa[us: 3. Impact: 4. Root c ¢. 5. Actionau 6. NOHficatlon: 7. Rasponsiblo: 8. Priority: 9. Original Oata >A Tima: l0. Razolvad Oaea Be Tima: l t. Work Order #: t7. Immediately upon resolution of the EI send a ail to that updat¢s the status of the notification email. The subject should be modified by prepending "Resolved". The items in the body of [h¢ email should be updated to reflect the current status. 18. Within 5 businexs days prepare and file an Enterprise In<tdent Report using the template (G:\Documentation\Admin\Enterprise Incidents\EI template v20t TOOOS.tlocx). The EI Report should provide a de<alled description of: t. What M1appened 2. The root causes) of the is 3. Th¢ root cause c ective actions) t9. Enterprise Incident Reports are <o be filed in G:\Documentation\Atlmin\Enterprise In<iden[s\year folder. The file name should be formatted: yyyynamdd WO workOrderNumber WorkOrderOescrtpfton C see folder location for mples). 20. Ent¢rprise Incident Reports should be rev wed and approved by your manager/supervisor prior to posting. 2l. Incitlen[s with no Root Cause identification shoultl be escalated to your manager/supervisor for escalation to The IT Director. http://sp 16/sites/ITCP/W iki%20Pages/Enterprise % 20Incidents_aspx OS/17/ 17 11. Elevated NeTwork Access Policy CAD UaCAMS\AFP\TecM1nicel 5pecv\II_Elevffietl NetworK Recess PolicyAoc 1/4 CAt1 Approvals Collier County IT Department Security Policy lvame race Bar H. Axelrod E. Mionael Barrios Title ELEVATED NETWORK ACCESS POLICY ]efe A. Bolen ]onn ]. Daly Bert Miller Tamm sn.mn SOP Number Page 1 of 04 Pages Pre erred b Jeff Bolen Checked b Rovislon Date Change Description Draft ] 10/312006 Draft for Review by IT Staff Draft 2 ] ]/07/2006 Draft for Review by IT S[aff Draft3 1/]2/67 Added Section BB FINAL 2/6/O'J Pineliud per]AB Policy Number ITS- 001 DsttPtlun Feb 6, 2007 UaCAMS\AFP\TecM1nicel 5pecv\II_Elevffietl NetworK Recess PolicyAoc 1/4 CAt1 INFORMATION TECI3NOLOGY ELEVATED NETWORK ACCESS POLICY SUBJECT: ELEVATED NETWORK ACCESS POLICY I. PURPOSE This policy establishes computer usage guidelines for the Collier County Board of County Commissioners (CCBCC), Information Technology Department staff during the course of their job duties on CCBCC Computer Systems. Guidelines stated herein are intended to protect the rights and security of CCBCC clients as well as those of the department staff. II. DEFINITIONS Sp¢ciai Access: Individual with password and privileges to use a special account on a CCBCC computer or subsystem, or having privileges above and beyond those of a normal user. III. GUIDELINES A. Special Access One of the keys to trust in the services and integrity of the Information Technology Department is assurance that information stored on the network is secure. Members of the CCBCC IT Dept. staff are required to abide by all the items outlined in CMA 5405 as well as those policies outlined here. In addition to being the guardians/supporters of CCBCC resources, department staff members also serve as examples of professionalism £or others in the CCBCC user community. All members of the IT staff have some level o£ special access. The first time a member of the CCBCC IT staff requests special access, he/she is asked to read and sign the Administrative Network Access Policy Agreement (See section C, below). This agreement presents general guidelines for using special access in a responsible and ethical manner. The agreement also specifies behaviors and practices that are prohibited. All members of the CCBCC IT staff will reference the information in chis document and the CCBCC Human Resources Practices and Procedures Manual whenever they have a question regarding proper use of special access. Exceptions to this policy may be allowed for special situations, investigations and emergencies and must be requested through your manager, and approved by the Information Security Manager (ISM) or the Director. In case of the ISM or IT Director's unavailability, other IT Management staff may approve exceptions. B. Specific Rules of Special Access I. Do not share special access passwords with anyone. 2. Do not share wireless encryption keys with anyone outside of the IT Department. [J:\CAMS\RFP\Technical Speca\l1_Elevat<tl Nerwark Access Pplicy.doc 2/4 CIO 3. Do not write down the special access passwords. 4. Do not read or send personal mail, play games, edit personal files or surf the web using a special access account, (Special access accounTs are those accounts that are used to log into servers, etc). 5. Do not browse other user's files, or E-mail using a special access account, or any account with special access, unless in the course of normal duty. 6. Do not make a change on any system that is not directly related to your job duties without consulting IT Management. 7. Do not possess, or use programs, software, hardware, materials or any other device or system that could be construed as "hacking", unless you are approved to do so in writing by the Information Security Manager. 8. Do not remotely access a users PC until or unless the user gives their permission to do so. Exceptions to this would be in the course of a security investigation or other situations approved by Management. Definitions; Special Access —Those accounts with a higher level of access than a regular user, <all IT Stall regular accounts). Special Access Accounts —Those accounts with elevated permissions which are used to log into servers, network devices, etc. U:\CAMS\aFP\Technical Specv\t t_Eleveted Network Access Policy.tloc 3/4 C. Administrative Access Policy Agreement The following agreement must be signed thus signifying that the individual understands and will comply with the conditions stated in this policy. The individual whose signature appears below understands that failure to conform to the "Administrative Network Access Policy Agreement" and to alt other applicable policies may result in severe disciplinary action up [o and including dismissal from Collier County Government employment. I, have read and understood all aforementioned policies and will comply with the conditions stated above. Signed: IV. CIJRRENCY Date: The Information Security Manager (ISMj is responsible for maintaining the currency o£ this document. Contents will be reviewed on an annual basis, or sooner when situations warrant that review and possible changes are necessary. U:\CAMSU2FP\TecM1nical Specs\I (_Elevated Network Access Policydac 4/4 ny O PreviousNest Fla. Stat. § 501.171 Copy Citation The Florida code and constitution are updated tluough the 2016 regular session. LexisNexis�9 Florida Annotvted Stvtu tes Title XXXIII. Resolution of Trade. Cmn coerce. Investm¢n ts, and Solicitations (Chs. 494- 5101 Chxnt¢r 501. Consu mer Protection Part L General Provisions. 501.171. Security of confidential personal information. (1) Definitions. — As used in this section, the term: o (a) "Breach of security" or "breach" means unauthorized access of data in electronic form containing personal information. Good faith access of personal information by an employee or agent of the covered entity does not constitute a breach of security, provided that the information is not used For a purpose unrelated to the business or subject to further unauthorized use. o (b) "Covered entity" means a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information. For purposes of the notice requirements in subsections (3)-(6), the terrrt includes a governmental entity. o (e) "Customer records" means any material, regardless of the physical form, on which personal information is recorded or preserved by any means, including, but not limited to, written or spoken words,. graphically depicted, printed, or electromagnetically transmitted that are provided by an individual in this state to a covered entity for the purpose of purchasing or leasing a product or obtaining a service. o (d) "Data in electronic form" means any data stored electronically or digitally on any computer system or other database and includes recordable tapes and other mass storage devices. o (e) "Department" means the Department of Legal Affairs. o (f) "Governmental entity" means any department, division, bureau, commission, regional planning agency, board, district, authority, agency, or other instrumentality of this state that acquires, maintains, stores, or uses data in electronic Form containing personal in Formation. o (g) . 1. "Personal information" means either of the following: - a. An individual's Frst name or first initial and last name in combination with any one or more of [he following data elements for that individual: . (I) Asocial security number; - (In A driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity; - (III) A Fnancial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual's financial account; - (I� Any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or • (� An individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual. • b_ A user name or a -mail address, in combination with a password or security question and answer that would permit access to an online account. - 2. The term does not include information about an individual that has been made publicly available by a federal, state, or local governmental entity. The term also does not include information that is encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable. o (b) "Third -party agent" means an entity that has been contracted to maintain, store, or process personal information on behalf ofa covered entity or governmental entity. (2) Requirements for data security. — Each covered entity, governmental entity, or third - party agent shall Sake reasonable measures to protect and secure data in electronic form containing personal information. (3) Notice to department of security breach. o (a) A covered entity shall provide notice to the department of any breach of security effecting 500 or more individuals in this state. Such notice must be provided to the department as expeditiously as practicable, but no later than 30 days after the determination of the breach or reason to believe a breach occurred. A covered entity may receive 15 additional days to provide notice as required in subsection (4) if good cause for delay is ptrovided in writing to the department within 30 days after determination of the breach or reason to believe a breach occurred. o (b) The written notice to the department must include: - 1. A synopsis of the events surrounding the breach at the time notice is provided. • 2. The number of individuals in this state who were or potentially have been affected by the breach. - 3. Any services related to the breach being offered or scheduled to be offered, without charge, by the covered entity to individuals, and instructions as to how to use such sere ices. • 4. A copy of the notice required under subsection (4) or an explanation of the other actions taken pursuant to subsection (4). • 5. The name, address, telephone number, and a -mail address of the employee or agent of the. covered entity from whom additional information may be obtained about the breach. o (c) The covered entity must provide the following information to the department upon its request: - 1. A police report, incident report, or computer forensics report. - 2. A copy of the policies in place regarding breaches. • 3. Steps that have been taken to rectify the breach. o (d) A covered entity may provide the department with supplemental information regarding a breach at any time. o (e) For a covered entity that is the judicial branch, the Executive OfFce of the Governor, the Department of Financial Services, or the Department of Agriculture and Consumer Services, in lieu of providing the written notice to the department, the covered entity may post the information described in subparagraphs (b)l: 4. on an agency -managed website. (4) Notice to individuals o£security breach. o (a) A covered entity shall give notice to each individual in this state whose personal information was, or the covered entity reasonably believes to have been, accessed as a result of the breach. Notice to individuals shall be [Wade as expeditiously as practicable and without unreasonable delay, taking into account the time necessary to allow the covered entity to determine the scope of the breach of security, to identify individuals affected by the breach, and to restore the reasonable integrity of the data system that was breached, but no tater than 30 days after the determination of a breach or reason to believe a breach occurred unless subject to a delay authorized under paragraph (b) or waiver render paragaph (c). o (b) IFa federal, state, or local law enforcement agency determines xlrat notice to individuals required under this subsection would interfere with a criminal investigation, the notice shall be delayed upon the written request of the law enforcement agency £or a specified period that the law enforcement agency determines is reasonably necessary. A law enforcement agency may, by a subsequent written request, revoke such delay as of a speci£ed date or extend the period set Forth in the original request made under this paragraph to a specified date if further delay is necessary. o (c) Notwithstanding paragraph (a), notice to the affected individuals is not required if, after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, the covered entity reasonably determines that the breach has not and will not likely result in identity Chen or any other financial harm to the individuals whose personal information has been accessed. Such a determination must be documented in writing and maintained for at least 5 years. The covered entity shall provide the written determination to the department within 30 days after tfie determination. o (d) The notice to an affected individual shall be by one of the following methods: - 1. Written notice sent to the mailing address of the individual in the records of the covered entity; or - 2. E-mail notice sant to the a -mail address of the individual in the records of the covered entity. o (e) The notice to an individual with respect to a breach of security shall include, at a minimum: - 1. The date, estimated date, or estimated date range of the breach of security. - 2. A description of the personal information that was accessed or reasonably believed to have been accessed as a part of the breach of security. CAS - 3. [n formation that the individual can use to contact the covered entity to inquire about the breach of security and the personal information that the covered entity maintained about the individual. o (f) A covered entity required to provide notice to an individual may provide substiTute notice in lieu of direct notice if such direct notice is not feasible becaaase the cost of providing notice would exceed $250,000, because the affected individuals exceed 500,000 persons, or because the covered entity does not have an a -mail address or mailing address for the affected individuals. Such substitute notice shall include the following: ' - 1. A conspicuous notice on the Internet website of the covered entity i£the covered entity maintains a website; and - 2. Notice in print and to broadcast media, including major media in urban and rural areas where the affected individuals reside. o (g) Notice provided pursuant to rules, regulations, procedures, or guidelines established by the covered entity's primary or functional federal regulator is deemed to be in compliance with the notice requirement in this subsection if the covered entity notifies affected individuals in accordance with the rules, regulations, procedures, or guidelines established by the primary or functional federal regulator in the evenx oFa breach of security. Under this paragrapfi, a covered entity that timely provides a copy o£ such notice to the department is deemed to be in compliance with the notice requirement in subsection (3). (5) Notice to eredit reporting agenci¢s_ — If a covered entity discovers circumstances requiring notice pursuant to this section of more than 1,000 individuals at a single tune, the covered entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as deFned in the Fair Credit Reporting Act, 15 U.S.C. s. 1681 a(p), of the ti mivg, disvibution, and content of the notices. (6) Notice by third -party agents; duties of third -party agents; notice by agents. o (a) In the event ofa breach of security oFa system maintained by a third -party agent, such third -party agent shall notify the covered entity o£th¢ breach of security as expeditiously as practicable, but no later than 10 days following the determination of the breach of security or reason to believe the breach occurred. Upon receiving notice from a third -party agent, a covered entity shall ptvvide notices required under subsections (3) and (4). A third -peaty agent shall provide a covered entity with all in£onnation that the covered entity needs to comply with its notice requirements. o (b) An agent may provide notice as required under subsections (3) and (4) on behalf of the covered entity; however, an agent's failure to provide proper notice shall be deemed a violation of this section against the covered entity. (� Aonual report. — By February 1 o£each year, the depaatment shall submit a report to the President of the Senate and the Speaker of the House of Representatives describing the nature of any reported breaches of security by governmental entities or third -party agents of governmental entities in the preceding calendar year along with recommendations for security improvements. The report shall identify any governmental entity that has violated any of the applicable requirements in subsections (2)-(6) in the preceding calendar year. (g) Requir¢ments for disposal of customer records. — Each covered entity or third -party agent shall take all reasonable measures to dispose, or arrange for the disposal, of customer records containing personal information within its custody or control when the records are no longer to be retained. Such disposal shall involve shredding, erasing, or otherwise modifying the personal in£orrna[ion in the records to make it unreadable or undecipherable through any means. (9) Enforcement. o (a) A violation of this section shall be treated as an unfair or deceptive trade practice in any action brought by the department under s. 501:207 against a covered entity or third party agent. o (b) In addition to Che remedies provided for in paragraph (a), a covered entity that violates subsection (3) or subsection (4) shall be liable for a civil penalty not to exceed $500,000, as follows: • 1. In the amount of$I,000 for each day up to the first 30 days following any violation of subsection (3) or subsection (4) and, thereafter, $50,000 for each subsequent 30 -day period or portion thereof For up to 180 days. • 2. If the violation continues for more than 180 days, in an amount not to exceed $500,000. • The civil penalties for failure to notify provided in this paragraph apply per breach and not per individual affected by the breach. o (c) All penalties collected pursuant to this subsection shall be deposited into the General Revenue Fund. (10) No private cause of action. — This section does not establish a private cause of action. (11) Public records ¢xemption. o (s) All information received by the department pursuant to a notification required by this section, or received by the deparUnent pursuant to an investigation by the department or a law enforcement agency, is confidential and exempt from s. 119.07(1) and s. 24(a), Art. I of the State Constitution, until such tune as the investigation is completed or ceases to be active. This exemption shall be construed in conformity with s, 1 79.071(2)(c). o (b) During an active investigation, information made conFidential and exempt pursuant to paragraph (a) may be disclosed by the department: • 1. In the furtherance of its official duties and responsibilities; • 2. For print, publication, or broadcast if the departmenx determines that such release would assist in notifying the public or locating or identifying a person that the department believes to be a victim oFa data breach or improper disposal of customer records, except that information made confidential and exempt by paragraph <c) may not be released pursuant to this subparagraph; or • 3. To another governmental entity in the furtherance of its official duties and responsibilities. o (c) Upon completion of an investigation or once an investigation ceases to be active, the following information received by the department shall remain confidential and exempt from s. 119.07(1) and s. 24(a), Art. I of the State Constitution: • 1. Al] information to which another public records exemption applies. - 2. Personal information. - 3. A computer forensic report. • 4. Infor-rnation [hat would otherwise reveal weaknesses in a covered entity's data security. - 5. Information that would disclose a covered entity's proprietary information. CAO (d) For purposes of this subsection, the term "proprietary information" means information that: - 1. Is owned or controlled by the covered entity. - 2. Is intended to be private and is treated by the covered entity as private because disclosure would harm [he covered entity or its business operations. • 3. Has not been disclosed except as required by law or a private agreement that provides that the information will not be released to the public. • 4. ]s not publicly available or otherwise readily ascertainable through proper means From another source in the same configuration as received by the department. - 5. Includes: - a. Trade secrets as defined in s. 688.002. • b. Competitive interests, the disclosure of which would impair the competitive business of the covered entity who is the subject of the information. (e) This subsection is subject to the Open Government Sunset Review Act in accordance with s. 7 19.15 and shall stand repealed on October 2, 2019, trn less reviewed and saved from repeal through reenactment by the Legislature. S. 3, ch 2014-189, eff July t, 2014; s. 1, ch. 2014-1 <JO, eff. July 1, 2014. Annotations Notes Section 1, ch. 2014-1 R9, provides: "This act may be cited as the `Florida Information Protection Act of 2014.' " Section 2, ch. 2014-790, provides: "The Legislature finds that it is a public necessity that all information received by the Department o£Legal Affairs pursuant to a notiFcation o£a violation of s. 501 . 171 _ PI<rida Statutes_ or received by the department pursuant to an investigation by the department or a law enforcement agency, be made confidential and exempt from s. 1 19.07(11. Fbrida Statutes, and s. 24(al. article I of the State Constitution for the following reasons: "(1) A notiFcation ofa violation of s. 501 171 PI 'd St t t- is likely to result in an investigation of such violation because a data breach is likely the result of trim final activity that may lead to further criminal activity. The premari�re release of such information could frustrate or thwart the investigation and impair the ability of the Department o£Legal Affairs to effectively and efftciently administer s. 501.171, Florida Stauues. In addition, release of such information before ewnpletion of an active investigation could jeopardize the ongoing investigation "(2) The Legislature finds that it is a public necessity to continue to protect from public disclosure all information to which anotfier public record exemption applies once an investigation is completed or ceases [o be active. Release of such information by the Deparhnent of Legal A££airs would undo the specific statutory exemption protecting that information. "(3) An investigation of a data breach or improper disposal of customer records is Ilkely to result in the gathering of sensitive personal information, including social security numbers, identification numbers, and personal Fnancial and health information. Such information could be used for the purpose of identity theft. In addition, release of such information could subject possible victims of the data breach or improper disposal of customer records to further financial harm. Furthermore, matters of personal health are traditionally private and confidential concerns between the patient and the health care provider. The private and confidential nature of personal health matters pervades both the public and private health care sectors. "(4) Release ofa computer forensic report or other informaxion that would otherwise reveal weaknesses in a covered entity's data security could compromise the future security of that entity, or other entities, i£such information were available upon conclusion of an investigation or once an investigation ceased to be active. The release of such report or infot-tnation could compromise the security of current entities and make those entities susceptible to future data breaches. Release o£such repot or information could result in the identification of vulnerabilities and further breaches of that system. "(5) Notices received by the Deparnment of Legal Affairs and information received during an investigation of a data breach are likely To contain proprietary information, including trade secrets, about the security of the breached system. The release of the proprietary information could result in the identiftcation of vulnerabilities and further breaches of that system. In addition, a trade secret derives independent, economic value, actual or potential, from being generally unknown to, and not readily ascertainable by, other persons who might obtain economic value from its disclosure or use. Allowing public access to proprietary information, including a trade secret, through a public records request could destroy the value of the proprietary information and cause a Fnancial loss to the covered entity submitting the information. Release of such information could give business competitors an unfair advantage and weaken the position of the entity supplying the proprietary information in the marketplace:' Amendments. The 2014 amendment added (11). �O Florida Information Protection Act Attestation: I hereby attest that I have read and that I understand the provisions of Florida Information Protection Aci (Fla. Staff. 501.171). 1 also understand that 1 can be subject [o disciplinary action up to and Including dismissal for violations of this act. Signed: Dafe: Printed Name: Witnessed by (manager): Date: r� EXHIBIT B PROCESSOR'S PROPOSAL TO #18-7284 "PAYMENT PROCESSING AND RELATED SERVICES" (FOLLOWING THIS PAGE) JetPay Payment Services, TX, LLC is a registered ISO/MSP of BMO Harris Bank N.A., Chicago, IL 30 CAO EXHIBIT B TO MERCHANT CARD PROCESSING TERMS AND CONDITIONS Collier County Board of County Commissioners Request for Proposal (RFP) for Payment Processing and Related Services Solicitation No.: 18-7284 February 26111, 2018 Offeror Contact Information: Christopher F Battel, Chief Operating Officer JetPay Payment Services, FL, LLC 316 South Baylen Street, Suite 590 Pensacola, Florida 32502 (850) 858-3321 Telephone (850) 444-9331 Fax chris.battel@jetpay.com www.jetpay.com COVER LETTER/MANAGEMENT SUMMARY: February 26, 2017 Viviana Giarimoustas Procurement Strategist Procurement Services Division 3295 Tamiami Trail East, Bldg C-2 Naples, FL 34112 Re: Payment Processing and Related Services Solicitation No.: 18-7284 Dear Ms. Giarimoustas: It is my pleasure to submit the attached proposal from JetPay Payment Services, FL, LLC ("JetPay"). a wholly-owned subsidiary of JetPay Corporation (Nasdaq: JTPY), in response to Collier County Solicitation NO. 18-7284 Payment Processing and Related Services. Based upon our understanding and experience serving Collier County Utilities since February 2012 (added service to Landfill, Parks & Recreation and Animal Services in 2016) and from reviewing the RFP, I am confident that JetPay and our Proposal is an excellent fit and overall solution for Collier County and its customers. JetPay's Proposal provides: (i) electronic bill presentment, (ii) payment acceptance and processing in every payment channel (point-of-sale, on-line, mobile, IVR, AutoPay/scheduled payments, kiosk, SMS text, emal, etc.) including posting transactions back in real-time, attainment of all application integration, data and reporting requirements, (iii) a highly secure environment that limits Collier County's PCI scope, (iv) at no cost, access to our embedded customer communication tools which could be used to send electronic reminder invoices that are dynamically created to your customers via SMS text or email (increased customer satisfaction and improved collections), (v) exceptional and responsive service to the staff and customers of Collier County, and (vi) a lower cost to recognize JetPay's longstanding service to Collier County. When integrating in our preferred methods, all of your customers' payment card and banking information is only on JetPay's servers—this materially reduces Collier County's Payment Card Industry Data Security Standard scope and risk of a data breach. As a certified PCI Level 1 Service Provider (the highest level), JetPay maintains policies and practices that have been tested and proven to successfully protect sensitive payment card data, banking data and Personally Identifiable Information ("Pill'). Payment data and PII is always encrypted while at rest or in -transit, as well as is encrypted point-to-point when swiped or dipped at point-of-sale. We tokenize data when customers elect to establish an account and save their payment card and banking data for use in the future. Our payments business is headquartered in Carrollton, Texas and we are a leading provider of credit card, debit card and e -check payment processing services to state and local government entities throughout the U.S. Our clients are comprised of counties, cities, townships as well as two statewide electronic payment processing contracts (Illinois and Missouri). Our parent, JetPay Corporation (Nasdaq: JTPY), is one of the very few card processors that is a principal and is real-time connected to the Visa, MasterCard, Discover and American Express payment networks (end-to-end connected on authorization of payments as well as on the clearing and settlement of funds). As a result, we are able to offer low all -in pricing (includes o Interchange, Dues, Assessments, gateway and all other costs associated with accepting and processing electronic payments) and unmatched transaction/settlement execution for your customers' credit card and debit card payments. JetPay is one of the leading merchant processors—we have processed over $15 billion of credit and debit card payments per annum. CAO Also, JetPay is based exclusively in the United States of America, and we will not use any subcontractors to perform the services in our Proposal. Collier County customers may utilize their preferred mode of payment (point-of-sale, web/ mobile or IVR) and their preferred brand of credit or debit card at any time to submit a payment. We continue to see individuals and businesses express interest in new and innovative methods to submit electronic payments and we will continue to introduce new payment technologies that address these desires. JetPay is Collier County's partner in increasing staff operational efficiency in billing and collection while maintaining customers' satisfaction. We will integrate our Solution with your departments' applications so that there will be perfect account validation, no double entry of data and payment transactions will be automatically posted back into the software systems. In addition to processing electronic payments, our platform Solution enables the County to send communications (i.e. bills/invoices, court date reminders, etc. that are dynamically created) to customers in their desired method (email or SMS text) which will improve customer satisfaction (reminder to take action and lessen fines and penalties) and improve collection of amounts due. Collier County's accounting and finance staff can experience increased efficiency with JetPay's reporting and proprietary settlement process that enables daily reconciliation in minutes compared to a typical merchant account which is difficult to reconcile and takes extensive time daily. JetPay is committed to providing responsive customer service every day in every payment transaction. We experience a very low level of customer service tickets in our business—on average, approximately 1 ticket per 1,000 transactions. Furthermore, we are proud of our record of conclusively resolving 97% of all customer support tickets within 1 business day. Similarly, JetPay is proud of maintaining a continuously available system for customers to make payments. The JetPay Team is committed to ensuring that the credit and debit card processing services provided under this contract are performed diligently every day. Likewise, we will provide exceptional customer service to the customers and staff of Collier Coto unty. On behalf ofnthe entire JetPay Team, we welcome the opp Y customers and staff! Best Regards, Christopher F. Battel, President of Government Services, Chief Operating Officer 850-858-3321 direct, 850-607-3659 mobile Chris.Battel@JetPay.com a CERTIFIED MINORITY BUSINESS ENTERPRISE: BUSINESS PLAN: JetPay Payment Services, FL was founded in 1999 to serve exclusively the government sector. We serve state agencies (we have state-wide electronic payments processing contracts with the states of Missouri and Illinois), counties, cities, tax collectors and municipal utilities throughout the U.S. JetPay is committed to providing an exceptional experience for your customers in submitting payments, while increasing the operational Maste Card, Discover, o your staff. JetPay's web -based payment processing system processes all payment types; point-of-sale, mobile, and Amex, all branded debit cards and e -Checks, via all collection modes including web, IVR, p pre -authorized payments. In addition to its payment processing services, JetPay also offers e -Bill presentment and customer communication platform. The JetPay project management team has decades of combined experience in electronic payment processing, distributed system implementations, and technical data conversions. The team has extensive experience working in collaboration with our clients in a large variety of project implementations, maintenance, and support. We process on average approximately 500,000 transactions per day. We do not have a maximum number of simultaneous users. Our processing platform is highly scalable, and we coordinate with our clients to identify estimated processing volumes and any expected spikes in activity. We then assign the necessary computing our processing system in resources to ensure n optiml payment experience. We d JetPay has rienced aasituationain which ch we were not able toprocess payments due to bandwidth issues ime nissu sor duet the never eape system being overloaded with transactions. Even though JetPay currently serves Collier County, we will hold an organizational meeting to discuss any new departments or payment types that the County requests JetPay to begin processing. In addition, we will discuss the method of integration with the County's customer information systems. There may be opportunities to streamline integration that results in increased efficiency and lower costs. Prior to any new service implementation, JetPay will meet with appropriate County and IT staff to establish client profiles anddatabases within our on odescfully tioning test user names environment. The profiles include fee schedules, organizational units, payment type and passwords, as well as all other critical information required to accept and aroces s over, American boarding ardi Express, process involves establishing all necessary accounts for processing Visa, and ACH transactions. In parallel, Jet] integration staff works with the appropriate County and Department luding APIs, Data Interoperability, and general System personnel to identify overall system requirements inc Attributes (payment types, distribution accounts, settlement methodologies, user groups and rights, etc.). For new departments or integration requirements (fully hosted or payment re -direct), we typically experience the boarding/conversion of a client similar in scope to Collier County within 6 weeks; however, in certain cases where a client has third party software partners ih involved, the timing could extend up to 12 weeks where the additional time is associated with schedule conflicts associated with the additional parties involved. JetPay will engage with the County prior to the implementation of the boarding/conversion process. The typical deployment timeline for a client similar in size and scope is: 1. Week 1 a. Agreement executed with client as result of RFP award b. Points of contact and responsible parties (County, departments, & third -party vendors) established c. Requirements review performed by our team in conjunction with County and third - party vendor (organization structure, payment types, systems interoperability) 2. Week 2 — Week 5 a. County test instance established i. Team works with third party to ensure proper system interoperability ii. End user testing initiated for County acceptance b. County production instance established i. End user testing initiated for final County acceptance c. Production instance initialized with production data (user profiles, organization profiles, payment types) CAC d. Integrate County's and/or Third Party's software which accepts payments with our Payment Processing Solution using our Fully Hosted or Virtual Terminal integration (all payment card and banking data on our system) i. Utilize web service calls or file import/export process for validation and posting data back into County's and/or Third Party's software e. Necessary merchant services accounts established 3. Week 6 a. Training (onsite) if needed b. Establish rollout process and schedule with the County for offices/locations using the JetPay solution in a point-of-sale or face-to-face environment. c. Go live date established d. Site live 4. Week 7 — Week 12 a. Handle any holdups in implementation and boarding process due third -party vendors, or issues out of our control Below is an example of a GANTT Chart for a typical Client boarding: CCAIL 6vafrtt . Mix 1 ii9i1E �,�aM uc.c..n r.sa ussl f°bii £.xY Z:r.�. �a+rr✓ei �k H»wnrs'm N�9t,t4 fiiRir:eE ?4 j �,gy,asveW� ^M^i.rr✓+Y+t �.-�'ra,i-.-sw.n..*r>i>3>..�.+:.:.x rn F,v:re. r�:a,�, w. MiYNriniwLti.'6 Y>ti 4Y1R OytlinE o]br'it is 1r.yasiM H�'trYtYYRL.F EiIWY �aia�Y YMYI]1Y a:M]faTY. �rsxf•+u r+vY�+r>rt5i1 :._ riuudd. _ . A+tttf3*t k►iErtt O�OV1t fii r.aKre�:>.:.:g.➢-r.*.�'.e•rr�,gee.»r��,+�a`. CiW IM;IMrMwil' Et qy%t t :imli SYe ... '. _....... . L r.# a?fRt Wif TN arf 9Yia'kP'Wn< iiNY_'1F4�'A a�Elx agv�i KNEV"O! ..,;. P,�w Wyyt:wrrai�+��C; M+R KF �ya..�m=a Wf wrage gnErrtpgd,�w awrvtcYiW'wt htOA-tt Nuwf Y ird�a>�"p>airsfiorki frau Enaaoa'sE 'q!aswaarsrs�w.:sayr.rts�dar.vws�a.:>,t.:.a."rm ,twt _ `.moi iihkeMeas'.Ms^Aai'M�e"M� aywiwrx a.:wJ THE �rlrer avalnE .as•,YuiYta' *'ui.a� stir sE+it^tt S46 ..�,-. r.. grY4aalf^r3e _. i�rtwrro5rea.r t.:"..yi,.,gi� Nt ' 4SHT{ria9iN•b'ii?:'w fY w 4T1 +'W!!�T t}4MN K ya4<>•�itie t Va l { �w'h YO yYC3tftil .e^ , . ,. ea..pcay riaN+' W!?fiiM<:wY?�✓++t S4iriYN1Y'C art"J^!IY..lW Y.bN-Y 61,E'tl Si�WS{ M0 KYl#1!.M M�V4f . MtlIF4... t*Mtlt Vlwr.�#J./�:N •Mw bE74'�! W"1q ,.; ea+nwe. Stw+ag;c'rsj OtEdrtis bi<iM '!a a+ �a C.,q" "Itu 't CCAIL COST OF SERVICES TO THE COUNTY: Collier County Request For Proposal Merchant Services RFP 18-041 PRICING PROPOSAL JetPay's business model is such that we strive to generate 100% of our revenues from transactional fees that are paid by the consumer or, in some cases, the client. By presenting one simple pricing structure, much of the ambiguity typically presented by card processors has been removed, making it easier for the County to anticipate the true cost which they or their consumers must incur. Additionally, this simple fee structure can be utilized across the County's various departments and their respective various transaction amounts. Further, our platform could enable cost reductions and increased customer satisfaction through the use of our e - communication tools which enable the County to engage with its customers using SMS teat, email or outbound IVR on any topic including electronic bills, payment reminders, etc. CONVENIENCE FEE 2.00% + $0.25 per Credit/Debit Cards transaction $0.20 per transaction e -Checks Other Fees items services are offered at no additional charge to the County or its The following and constituents: $0.00 e -billing $0.00 IVR $0.00 Installation/Implementation Fees $0.00 Training $0.00 Customization Services $0.00 Software Maintenance $0.00 Hosting $0.00 Licensing $0.00 Support $0.00 2nd Year Maintenance $0.00 3rd Year Maintenance The following items will incur additional charges: $0.00 EMV Equipment per device EMV device is the Pax S300 or Pax S500 JetPay's preferred (other models available) Purchase price includes a full warranty for the duration of the contract $0.00 Pax S90 or Check Scanners Non-EMV encrypted Magtek wedge swipe devices $0 $10 Chargebacks Returned Checks (fee paid by customer) $20 EXPERIENCE AND CAPACITY OF THE FIRM: JetPay Payment Services, FL, LLC, is a leading provider of credit card, debit card and a -check payment processing services to state and local government entities throughout the U.S. Our clients are comprised of counties, cities, townships as well as two statewide electronic payment processing contracts (Illinois and Missouri). Our parent, JetPay Corporation (Nasdaq: JTPY), is one of the very few card processors that is a principal and is real-time connected to the Visa, MasterCard, Discover and American Express payment networks (end-to-end connected on authorization of payments as well as on the clearing and settlement of funds). As a result, JetPay is able to offer low all -in pricing (includes Interchange, Dues, Assessments, gateway and all other costs associated with accepting and processing electronic payments) and unmatched transaction/settlement execution for your customers' credit card and debit card payments. JetPay is one of the leading merchant processors—we have processed over $15 billion of credit and debit card payments (excludes volume from all e-check/ACH transactions) in over 50 million transactions per annum. JetPay is committed to providing an exceptional experience for your customers in submitting payments, while increasing the operational efficiency of your staff. JetPay's web -based payment processing system processes all payment types; Visa, MasterCard, Discover, Amex, all branded debit cards and e -Checks, via all collection modes including web, IVR, point-of-sale, mobile, and pre -authorized payments. In addition to its payment processing services, JetPay also offers a -Bill presentment and customer communication platform. JetPay's primary value proposition is providing complete payment processing solutions that are fully integrated with our government clients' systems and operational processes that result in: (i) an exceptional payment experience for customers, (ii) increased staff productivity of our clients, and (iii) a highly cost-effective solution overall. For electronic bill presentment, JetPay dynamically creates the bill/invoice that is Section 508 compliant for all customers to view, including visually impaired and blind persons (typically, our competitors provide PDFs in their e - bill offering which are not accessible for blind persons). Likewise, unlike many competitors, JetPay puts all of its fees into payment transactions—there are no fees or expenses other than for processing payment transactions, i.e. no integration fee, no hourly software development charges, no charges to present electronic bills/invoices, no charges to send SMS text, email or outbound IVR messages to customers. Overall, JetPay believes that we provide an excellent solution from a feature/function/integration perspective (we do not see any competitor with a superior solution) at a highly competitive price. continue to meet all of its financial obligations when they become due in JetPay Corporation is solvent and will to the future as we have done historically. Based upon the most recent public filing of our financial statements with the Securities and Exchange Commission as well as those filings by our peer group of publicly traded processors, JetPay Corporation is growing, increasing cash flows and had a Total Debt to EBITDA ratio that is less than all of our peer group of payment processing public companies. In addition to our cash flow as a source of satisfying our financial obligations, JetPay Corporation has access to the public and private debt and equity capital markets to raise additional funding. The JetPay project management team has decades of combined experience in electronic payment processing, distributed system implementations, and technical data conversions. The team has extensive experience working in collaboration with our clients in a large variety of project implementations, maintenance, and support. The key personnel servicing Collier County will include, but are not limited to: Christopher Battel, Chief Operating Officer and Executive Officer Rick Griffiths, Director of Account Management and Project Manager Joe Lennon, Director of Sales and Business Development & Senior Relationship Manager Lynn Yelverton, Customer Service Manager Rick Carroll, Chief Financial Officer Heath Gardner, Software and Development Director Paul Shave, Information Technology and PCI Director Shirley Everage, Technical Account Manager Joseph Lennon, Director of Sales and Business Development & Senior Relationship Manager Phone: (850) 858-3319 joe.lennon@jetpay.com 9 Joe Lennon joined JetPay in the first quarter of 2015. Mr. Lennon has spent 30 years delivering customized customer experiences and solutions to prominent national, regional and boutique businesses in the hospitality and health care industries. He has comprehensive leadership experience and knowledge in entrepreneurial, analytical and sales oriented environments. He is responsible for the leadership and implementation of Customer Relations, Sales and the Business Development strategy of JetPay Payment Services, FL, with a focus on customer satisfactions and business growth. Mr. Lennon will serve as the Relationship Manager for this contract, and will serve as the primary point of contact. Christopher Battel, Chief Operating Officer Phone: (850) 858-3321 chris.battel@jetpay.com Chris Battel joined JetPay in September of 2013 after a 25 year career in investment banking. Mr. Battel is a Chartered Financial Analyst, with 25 years of investment banking experience at prominent national, regional and boutique investment banks serving clients in technology, business services, financial services and health care industries. He has comprehensive leadership experience and knowledge in entrepreneurial, analytical and sales oriented environments. He is responsible for directing the leadership, strategy and operations of JetPay Payment Services, FL, with a focus on business growth and performance. Prior to joining JetPay, Mr. Battel held executive leadership positions at corporations and financial institutions,and coordinated more than 100 transaction processes involving mergers, acquisitions, public offerings, private placements of debt and equity securities. Mr. Battel received his Bachelor of Science in Finance from the University of Virginia, Masters of Business Administration from Georgia State University, and holds the globally recognized Chartered Financial Analyst credential for finance and investment professionals. Rick Griffiths, Director of Account Management and Project Manager Phone: (850) 858-3309 Rick.griffiths@jetpay.com Rick Griffiths joined JetPay in January 2014 and services as Director of Account Management. Prior to joining JetPay Mr. Griffiths served as a Corporate Account Manager for WebMD, and was a founding partner of Health Data Services, Mr. Griffiths has over 16 years of experience in account management. In addition to his role as the Director of Account Management, Mr. Griffiths has served as a key project manager for JetPay. He was instrumental in the migration of JetPay Payment Services, FL clients to our recently developed Magic platform, and has worked on large and complex clients' on -boarding such as the State of Illinois ePay program and their various participants throughout the state including state agencies, counties, cities, universities, etc. Lynn Yelverton, Director of Customer Service Phone: (850) 858-3303 lynn.yelverton@jetpay.com Lynn Yelverton joined JetPay in June 2011 and is Director of Customer Service. Mrs. Yelverton manages JetPay Payment Services, FL's Customer Service efforts and the JetPay Help Desk. Mrs. Yelverton is partially responsible for client training in conjunction with the client's relationship manager, and the JetPay help desk is responsible for all Tier 1 service calls. servi serviceYelverton sty for over 112 years. Mrs. Yelverton earned her bachelorars of experience in customer service, 's held nlofficehSystems and MBA from Troy University, Rick Carroll, Chief Financial Officer Phone: (850) 858-3315 rick.carroll@jetpay.com Rick Carroll, a Florida licensed CPA, joined JetPay in June 2012 and currently serves as Chief Financial Officer. He is responsible for development and implementation of the corporate strategic plan with emphasis on increasing market share, data management, and cost control. X90 Prior to joining JetPay, Mr. Carroll had his own practice for over 10 years. Before that, Mr. Carroll held financial positions in the Banking and Healthcare industries. Mr. Carroll earned his Bachelor's Degree in Accounting from the University of West Florida. Heath Gardner, Software Development Director Phone: (850) 858-3314 heath.gardner@jetpay.com Mr. Gardner joined JetPay in May 2012 as the lead Software Developer for JetPay's secure web based payment application. His primary responsibilities include software maintenance and development of new enhancements for the JetPay eCollections Portal User Interface and software configuration management. Prior to joining JetPay, Mr. Gardner worked for over 15 years in software engineering and project management roles providing him with broad experience and expertise in the software development lifecycle. Mr. Gardner earned a Master of Science in Management from Troy State University in addition to earning his Bachelor of Science in Computer Science from the University of West Florida. Paul Shave, Information Technology Director Phone: (850) 858-3310 paul.shave@jetpay.com Mr. Shave joined JetPay in May 2010. He is responsible for Network Integration, Security, and Service Delivery for the organization. He has worked in the Enterprise Network and Telecommunications field for over 20 years. During this time he has worked with a wide variety of technologies and implemented mission critical solutions and designs for many organizations worldwide. Prior to JetPay he was a Senior Network engineer for a regional technology integration firm performing network design and consulting in the areas of operational guidance, wide area/local area networking, Vol?, and network security. Previously, Mr. Shave served as a Network Administrator with the United States Air Force, specializing as troubleshooting and implementation for logistics systems in the European and Southwest Asia theaters. Shirley Everage, Technical Account Manager (850) 858-3300 Shirley.martinez@jetpay.com Shirley Everage joined JetPay in January 2013 as a Customer Service Representative. In 2015 Mrs. Everage transitioned into a technical account management role with JetPay. Mrs. Everage has been instrumental in the migration of JetPay Payment Services, FL's client base from our Legacy platform to our new Magic platform. Prior to joining JetPay, Mrs. Everage sewed as a Sales Associate at Collective Solutions. Mrs. Everage earned her Bachelor's Degree in Marketing from Texas State University. Selected Vendor will be responsible for, but not limited to, the following requirements: 1. Cashiering Front -End Provide all front-end systems for Selected Vendor to process County payments, regardless of payment channel. JetPay's web -based payment processing platform (MAGIC) was recently developed and offers the latest features and functionality while following best practices in the payment processing industry, and is ideal for accepting online/e-Commerce payments, point-of-sale EMV transactions, mobile app, IVR and virtual terminal payments for mail in/phone in payments. JetPay's payment processing system processes all payment types; Visa, MasterCard, Discover, Amex, all branded debit cards and e -Checks, via all collection modes including web, IVR, point-of-sale, mobile, and pre -authorized payments. JetPay's payment pages and user interface are designed to be as simple and intuitive as possible for your customers and staff. Magic is entirely web -based and is accessible using the current version of all of the leading web browsers (Edge, Internet Explorer, Chrome, Safari and Firefox). Magic is a .NET MVC application with SQL Server databases and Razor and JQuery on the user interface. In addition, Magic has both a REST & SOAP API to support integrations to third party software systems. 9 JetPay's system is highly configurable and would enable the County to edit/create a point-of-sale payment type to fit its specific needs. For example, the County would be able to customize whether it wants this specific payment type to require a metadata lookup based upon account or user data provided by the County, and whether this lookup can be partial or is required to be full. For example, this specific payment type could enable County staff to search for a payer's account by many different identifiers such as name, address, or account number, and then have shopping cart information pre-filled based on accurate payer billing information. The search can be either partial or required to be full search, and search results can be configured to include identifiers that the County may choose to be displayed based upon the information passed to our system. Payment validation would enable the County to have a payment type that uses a metadata lookup in which a customer service representative enters the specific payment identifier(s) of the customer which then brings up that customers account information and account balance that is pre-filled in the shopping cart. The customer service representative can then have the customer insert/swipe their card to complete the payment with no need for the customer service representative to manually enter customer account data or a payment amount. This is all done through an integration to your account management system either through real-time web service calls or through a file import/export process via SFTP. By integrating our payment platform with the County's account management system, we can enable payment validation and post-back of data into your account management system with no double entry of data by your staff. For point-of-sale transactions, JetPay's platform supports Chip-and-Pin transactions using the PAX 5300 and PAX 5500 EMV devices in semi-integrated mode, the PAX 5500 EMV device in a standalone mode, and the PAX S90 for cellular/wireless transactions. JetPay's PAX 5300, S500, and S90 have been certified by each of the payment networks in processing EMV dipped transactions. The PAX 5300, S500 and S90 accept near- field communication transactions, and our system uses end-to-end encryption and tokenization in the card reader,ze ich is ent. Point-of-sale aymen ts erformedealt the Point of Int non-EMV tion bysthe EMV reader th ought � ENIV or theuse of tencryption o he SRED chiprather than through a software solution. JetPay's recommended connection of our EMV solution is via ethernet to reduce the footprint on clients' networks and workstations. As a result of ethernet connection of the EMV readers, there is no software, including drivers, that are installed on client workstations. Although our preferred connection is via Ethernet, JetPay's PAX 5500 is capable of accepting analog or orifi transactions, and the PAX S90 can accept cellular transactions. JetPay also supports Verifone VX520 EMV terminals in stand-alone mode with an analog connection. JetPay can provide check scanners as well that scan paper checks at the point-of-sale and convert them to e-Checks which are processed at the point-of-sale. Below are screenshots of the payment screens & experience using the PAX 5300 in semi -integrated mode: ►Cnriniurtan:.r. !!$Aa7p;ng Catt ;..t How are you making this paymentt itazr,ti'. WAO caleci-.>>;+xle PJS annecr: _. _ �. '. xc t iraua<::xt Ih-:un Pitt 300:17 Add Payment What 1—ld You Ike to paYT Pay=ent Col:eoly r:,a Lie i16:.y Pajr¢re Pleare ehteY the Ie11-InJ Mfatmstleh to leentlfy the pgtok. : A"..,! la; tar• 412T.M .................._......._.................._...... ArtWrt wpPj irit ancnnary. Pey—t Amount AI�I�FI:i Cot 1 w .1 aietty vAn;ae : ��.. a bashleayd Payment Aeinatl pepetts titans;e - - A ire; w,e to tan-ar.0y in tau moa^. y Make A Payment - CSI Live rvaPangca-t �'+ � patmeni In?umaion UWKY WQ7 Cf:hiaibl SS.W Payment Oeuns Udky 0473703 de'j'ay Yost- SS.00 '. x ramvt uz sadlrsn ' 0 Pleast folio+v the onaaetn insttuctionc on the PAR S300 th complete the ttenfA.cf wl. ......_�...............-_........... --- ....._.... � Make A Payment - C51 Live -- Thank You for Your Payment pi"a:p uvr thiseonbrma0rvl AaMber kx your Pi`Mui ("Cords. REl1AP1C£S'rAR Customer Name 1VINGATFIJERANEA Effective Data 1117770i75:19PlACentralStandardTinto. Payment Confirmation Number 41001923 Amount Item 35.90 Witty $5.00 Subtotal: Total Amount Due: Visa 471575 +«... 2140 exp res 09/2018 535.00) SS5.00) Total Amount Paid: $0.00 Remaining Amount Due: _ Payment Details Uliilly 0127170 - ietPay rest -35,00 0 E nDii To ',' $ ('tint ReCeipt 2. Real-time Payment Processing County operations depend on real-time recording of payments against the receivable. JetPay only utilizes real-time authorization and reporting for all credit card, debit card and a -check transactions. JetPay Payment Services, FL, LLC, is a leading provider of credit card, debit card and a -check payment processing services to state and local government entities throughout the U.S. Our parent, JetPay Corporation (Nasdaq: JTPY), is one of the very few card processors that is a principal and is real-time connected to the Visa, MasterCard, Discover and American Express payment networks (end-to-end connected on authorization of payments as well as on the clearing and settlement of funds). As a result, JetPay is able to offer low all -in pricing (includes Interchange, Dues, Assessments, gateway and all other costs associated with accepting and processing electronic payments) and unmatched transaction/settlement execution for your customers' credit card and debit card payments. 3. Interfaces The Selected Vendor must create the interface between the Selected Vendor's own front-end payment processing software and the County's line of business systems establishing the ability for the Selected Vendor to: • query and search real-time for County debt owed by customer • provide payment transaction information real-time to the County • retrieve County revenue reporting for reconciliation purposes Selected Vendors must provide payment information through the with each of the County's line of business applications (see above and appendix xxx for a listing) using manufacturers approved interfaces. The Selected Vendor will also be required to provide an interface file for batch processing with the agency's SAP financial system (see section 5. Below).. Selected Vendors must be able to provide the necessary information using a secure authentication method and provide data formatted as required by the line of business applications vendors. Selected Vendor must work with the County's Information Technology Division and the line of business application vendors to achieve the required secured connection and communication. The Selected Vendor must also create interfaces to the County's existing (contracted—out) payment processing Selected Vendor systems to: • process payment card payments • process ACH payments • process check images JetPay will develop integrations to the County's line of business systems using the API of the County/third- party software system or JetPay will provide its API (REST or SOAP) to the County/third-party software system to develop the interface to JetPay. JetPay uses Swagger.io framework for its REST API, which provides documentation, definitions, code samples, and an efficient interface to more easily and efficiently integrate to the Magic platform. If the County has a software system that we have not previously integrated with, we will establish a mutually acceptable integration, whether it be through real-time web service calls or an automated file import/export, at no cost to the County. JetPay will ensure that data is formatted in a mutually agreed upon format required by each line of business application vendor, and ensure a secured connection and communication for all integrations. Additionally, JetPay will create interfaces to the County's existing (contracted -out) payment processing system to process payment card payments, ACH payments, and process check images. JetPay's system is highly configurable and would enable the County to edit its various payment types to fit its specific needs. For example, the County would be able to customize whether it wants a specific payment type to require a metadata lookup based upon account or user data provided by the County, and whether this lookup can be partial or is required to be full. For example, this specific payment type could enable customers to search for their account by many different identifiers such as name, address, or account number, and then have shopping cart information pre -filled based on accurate payer billing information. The search can be either partial or required to be full search, and search results can be configured to include identifiers that the County may choose to be displayed based upon the information passed to our system. This metadata lookup can be based on one payment identifier or multiple payment identifiers. This is all done through an integration to your account management system(s) either through real-time web service calls or through a file import/export process via SFTP. By integrating our payment platform with the County's account management system(s), we can enable payment validation and post -back of data into your account management system with no double entry of data by your staff. JetPay's payment platform enables real-time validation and real-time posting of payments with no double entry through integrating our payment platform with your various software systems. JetPay's system can do this through either the use of real-time web service calls to the County's account management system under our preferred integration alternatives (fully hosted or payment re -direct), or through an automated file import/export process for validation and posting back into the County's third -party software system. JetPay only recommends system integrations where all of your customers' payment card data and banking information is solely on our network and payment processing platform. This materially limits the scope of your required compliance with the Payment Card Industry Data Security Standard. Under a fully hosted integration, all activity associated with accepting/submitting a payment is on JetPay's web pages/user interface and servers. The customer starts on the County's website and clicks on a button, i.e. Pay Bill, where the customer is re -directed to JetPay's fully hosted user interface and servers to make a payment. All payment information is solely on our screens which limits the PCI scope and risk of the client. JetPay will develop an interface to your or a third -party vendor's software. This enables validation through either the use of real-time web service calls to your software or through the use of files with such validation information which are provided by the client to our system using our secure FTP file processing. Likewise, JetPay's system will post back all transaction data back into the County's systems in an automated process which will either be performed in real-time or through a batch file update process. Under a payment re -direct integration, the County or a third -party software vendor develops the interface to JetPay's processing platform. The customer remains on the County's user interface until payment information is entered, at which point, they are re -directed to JetPay's user interface and servers to complete the transaction. This integration also limits the County's PCI risk by maintaining all customer payment data and banking information on JetPay's user interface and servers. The payment is processed in real-time on JetPay's user interface and then upon successful completion of the payment transaction, the customer is re- directed back to the County's website. Under the Fully Hosted integration, JetPay is in complete control of the development schedule, and can ensure that the boarding process will be conducted within our established timeframe. Under the Payment Re - Direct integration, JetPay will collaborate with the County or their third -party software partner on developing the interface using JetPay's API. JetPay will provide documentation, code samples, and be responsive to all questions when the County or a third -party software vendor writes an interface to our system. 4. Hosting The Selected Vendor will be responsible for hosting and maintaining the services and providing IT support for county staff. Please note, Collier County will not consider any solicitation the does not include hosting services. JetPay's web -based payment processing platform (MAGIC) was recently developed and offers the latest features and functionality while following best practices in the payment processing industry. JetPay's preferred integrations are fully hosted or payment re -direct, in which all payment card data and banking information resides solely on our network and screens. Our fully hosted solution can be white labeled and branded to fit all of the desired needs of the County. JetPay will provide ongoing hosting services for the application and the County's Magic instance throughout the life of the contract if awarded. Transaction data systemis stored in JetPay's eleted before his t me frame,nd as such, unless otherwise directed, transaction data ws document retention ill be a olicy.a available for as ata is neverlong as the merchant remains a client of JetPay. All Collier County data will be stored within the 48 contiguous states or Washington, D.C. The JetPay primary data center is a hosted facility located in a SSAE-16/ISO 2000 SRI compliant data center in the U.S. Physical Security includes video monitoring, combination keycards card and biometric access controls, redundant dual rail power, fire suppression and cooling systems. Secondary data center is located at lights out Amazon Web Services Data centers in the U.S. Physical security is provided by data center hosting staff. Only designated IT personnel have direct access to systems. Lights out secondary data center administrative functions are only accessible to designated IT staff. Physical racks have video and door alarms set to send alerts immediately upon entry to monitoring personnel. In the event of an alert generated by an unexpected event, physical security staff are notified. In order to ensure uninterrupted processing capabilities, JetPay maintains multiple processing sites. In the event of a failure at the primary processing site, JetPay's secondary processing site is made active using established procedures. JetPay's primary data center is located in Alabama and the secondary is in Virginia. The Florida site can act as a tertiary processing site as needed. Sites are located and maintained in hardened, PCI compliant facilities with multiple redundant power, connectivity, and security systems. Each site contains load -balanced server farms. This architecture allows JetPay to ensure processing capabilities in the event of overall site failure or intra -site hardware failure. We monitor our Solution in real-time at all times of every day. Our quality control and monitoring includes testing system availability as well as transaction processing, and we compare historical performance metrics. We are alerted in real-time through multiple methods including SMS text, voice and email using our tools, physical oversight and network protocol tools. When system problems occur, we will notify our affected clients within 30 minutes of the identification of an outage of any type. 5. Current Financial System Collier County's financials are managed within SAP, which is at current and fully supported release levels, namely SAP ECC 6.0 — Enhancement Pack 7. The SAP application uses the following modules: FI, CO, FM, AP, MM, SD (Misc. Billing), BCS, HR, BN, and PY. In addition to these core SAP modules, the invoice payment and approval process is managed and optimized using an SAP integrated solution called Dolphin PTS -AP. JetPay's payment platform enables automated posting of payments with no double entry into your SAP financial system and its various modules. JetPay will establish an automated file import/export process via SFTP, in the desired structured file format of the County to post -back transactions into the County's SAP financial system and its various modules. Once payments are processed, JetPay will update the County's SAP system using an automated process with an export file to an SFTP server. JetPay only recommends system integrations where all of your customers' payment card data and banking information is solely on our network and payment processing platform. This materially limits the scope of your required compliance with the Payment Card Industry Data Security Standard. 6. Payment Deposits The Selected Vendor is required to initially and directly deposit, immediately or next banking day depending on payment type as directed by the County, all payments received on behalf of the County into a County owned bank account. All payments are to be deposited in whole, without reduction of any kind by the Selected Vendor. Selected Vendor will use County obtained Merchant accounts for any payment processing, as required. Selected Vendor must reimburse the County for any lost interest when payments to the County are not deposited as required to the designated depository. The lost interest will be calculated based on the average federal funds rate for the period during which the deposits were not made as required. Funding of transaction activity is performed using ACH which is a product of the banking industry. JetPay prepares the ACH files for all funding activity and presents such ACH files to its ODFI (Originating Depository Financial Institution) partners. ACH files will be per the Collier County specifications. JetPay settles credit and debit card payments based upon authorization. Cards (Credit and debit) are settled to your DDA Bank Account as one overall remittance based upon transaction date, not across several dates that is typical with a merchant account. This authorization settlement method greatly simplifies the client's remittance management efforts — you are able to perform daily reconciliations that match to the penny, between your account software system, our platform and your financial institution (deposits). For a given day, card collections reflected in your account software system will equal the same amount reflected in our system's dashboard that also equals the actual card deposit made to your DDA account. The settlement process takes place on every "bank day" and the exact day of funding is determined up front, mutually, between the client and JetPay. A typical funding schedule is as follows: Payment Card Settlement Process Monday Tuesday Wednesday Thursday Friday %a Monday Transactions Batched ACH to Client DDA Monday: Web Visa, MasterCard and Discover card payments from 12:01 AM through 12:00 PM are submitted by customers Tuesday: Monday's transactions are batched, and an ACH is sent to client's DDA Wednesday: Funds are available in client's DDA Manual/standalone terminals can be set up for automatic settlement in which the transactions are batched and imported into our system at the end of the day, and subsequently included in the daily settlement batch for payment card transactions for that day. In addition, at the County's request, for point-of-sale transactions that are accepted through JetPay's Magic gateway/application on banking days prior to 5:30pm Eastern, JetPay can settle these transactions with an 0 ACH on the same day. This typically results in funds availability on these transactions to the County on the following banking morning. 7. Reconciliation Selected Vendor is required to reconcile each day's payment collections to County system reports of revenue recorded and to daily deposits into County bank accounts. All discrepancies must be investigated and resolved, and findings provided to the County for related adjustments. A particular report set of the JetPay reporting suite that is useful when conducting daily reconciliations, Funding Reports, provides clients with complete details on remittance batches and the respective remittance batch deposits. This report would allow the County to drill down and view the individual transactions contained in each individual remittance, match totals to ensure that it matches the specified date's all transaction or payment type summary totals and match the totals from the County's financial institution (deposits). These reports would allow the County to view the transactions contained in each individual remittance. Our reporting suite greatly simplifies remittance management efforts — the client is able to perform daily reconciliations which match to the penny, between their account software system, our platform and their financial institution (deposits). Payment Method Summary Report for 24 hours Report Parameters i i i 1 ca t L Payment Type Summary 112 7201 7 2:14:31 AM 5.2 11101712.0000 AM, 1115=11 It.5900 M1 Al oNg rotAtim Unils I Al CMWetion 11100IM 1. AIWny cadns Payroants Pt"M Type ' . Count AMOUnt Count AMOUnt Tu Oil T $19,401.80 0 50.00 Totals: 1 f19,<81.88 6 Albany Totals: T $19,481.88 0 $0.00 S UI 1 • Date January 15th, 2017 • Total amount - $19,481.88 Totals count Amount 7 $19,d81.88 Y 618.481.88 7 619,491,88 a PW7a Y d 1 Toro) nacordc 12 • Date of Batch January 15th, 2017 • Total amount - $14.920.26 + $4,561.62 = $19,481.88 • Bank Statement: n 1117M ACHCCPAYJTPYACHTR%N8 242071751814184 JTPY ALBANY TAX ($14,9241.26) 01119/17 ACHCCI'AYJTPYACHT1U%NS 2.12071731814185J'1'PYAIdBAM1YT,X M-561,62) 8. Revenue Shortages c he e Selected Vendehalfor tis required which are to re not accounted forimbse the County , are lost, em vendor h payments direcor all ed, or otherwiseof provided to the oll County as required. JetPay will reimburse the County for all vendor caused Revenue Shortages which are not accounted for, are lost, misdirected, or otherwise not provided to the County as required. 9. Returned Payments For all payments originally processed by the Selected Vendor, the Selected Vendor is required to: monitor, manage and respond to any payment challenges Enter information, as defined by the County, into County systems for all returned payments, regardless of payment type. JetPay fully manages all chargebacks as the occur and alerts the County and consumer via email when chargebacks are received. The customer will be notified of both customer -initiated and non -customer - initiated charge -backs to their card. The management of chargeback related issues by JetPay abstracts the client away from the complications of chargeback dispute management. As a best practice, JetPay disputes all chargebacks on behalf of our clients. Chargeback disputes are fully managed and tracked by JetPay as a function of our service agreement terms. JetPay acts as the merchant on behalf of the County to coordinate with financial institutions and associated entities to resolve disputed payments In cases where the customer cancels/chargebacks the transaction, then: (i) the eCounty and the customer receive an email from JetPay alerting the parties to such cancel/chargeback, 11)the customer is refunded immediately for the total amount of the transaction including the transaction fee, if one was charged to the customer, (iii) JetPay refunds the customer's card for the total amount of their transaction, (iv) unless directed otherwise, JetPay will fight all chargebacks, (v) if the County wins the chargeback, there is no further action to the County (your account was never debited for the amount), and JetPay receives the payment amount from the card issuer, and (vi) if the customer wins the chargeback, JetPay will inform the Settlement (Deposit) Report Funding Report 1 Wf2ot? 2.47.41 AM 1f 9,42J17 12oo 00 N1.. N22`20, r f 4,$9.00 pM 10 o Wry zaoan ilnts 1 Al Pa'Pnnnt 7rpos 1, Albany Witt of Batch F"r4 Oats CpeP N" orp UfA P*YW*n Type TAH rj',,,,S.P0120 G)#}I.fpd AarauM'. 519:95 14 1 011/02017 n1120'201r Ocwlk MOrga�Attl V-ts raa W! tis E',T 17'Or19..491.0.fp0 526.760.60 2 01f1812t1i7 01110611k '�� wU"tint" 16. Er 4Ifl12tI n0}ligfl j5A41.n0 J 01117/2011 OIr�O" If C4*A coo M Tkpa'+4tabo+ U,*$ T#� EI 11Q1T8..1 1 j2 ,2jt:0T 4 0111111017 0111001Y •C++6 0Ory>MtognL*'1'a TU ail To, 8A .?«? ET YY9.11P-1116 ip� �28,067,7A 8 011101017 OI/1171017 OCK" M(kWau46cn VIO To tM LT_tl021it 0$14ion 3J:130.n2 0 01l1d2017 0111W2017 C1WCWO MOtgWU*1ut txw liSlitl_ti19.1nst 14,024.20 7 iitbp2pl 0111712017 OvrW20r7 VC w* -0,9 VU 1010''[, itadtCard iuCxOai*ira�ti•a T" 04 ET_Szsi1ifl OSob ser.ea 4 11151201 1aa8a ELS.iGLiY..41t1l1:lad {4,224,zt 0 011112017 0111P'3017 CrW Card M UrAs 1it0lad $15,048,50 10 01)10!017 01/1712017 "Clod. Alo1w"a1m, Orft T+k nii 1WI04 ET 170117 ELtI01ti 1ti9ioo $12.r,1 ro 11 1111:4'1017 01r1712n17* AI (ky4nrzab6^Ik'yti E1_i101t0_t4t 'moi! $P,073,67 42. 04112417.. Oif1lY1017 s_rn lino Tai Bs GxatCavi 410`0"111' -... /0hanyTOW: j1a0-� PW7a Y d 1 Toro) nacordc 12 • Date of Batch January 15th, 2017 • Total amount - $14.920.26 + $4,561.62 = $19,481.88 • Bank Statement: n 1117M ACHCCPAYJTPYACHTR%N8 242071751814184 JTPY ALBANY TAX ($14,9241.26) 01119/17 ACHCCI'AYJTPYACHT1U%NS 2.12071731814185J'1'PYAIdBAM1YT,X M-561,62) 8. Revenue Shortages c he e Selected Vendehalfor tis required which are to re not accounted forimbse the County , are lost, em vendor h payments direcor all ed, or otherwiseof provided to the oll County as required. JetPay will reimburse the County for all vendor caused Revenue Shortages which are not accounted for, are lost, misdirected, or otherwise not provided to the County as required. 9. Returned Payments For all payments originally processed by the Selected Vendor, the Selected Vendor is required to: monitor, manage and respond to any payment challenges Enter information, as defined by the County, into County systems for all returned payments, regardless of payment type. JetPay fully manages all chargebacks as the occur and alerts the County and consumer via email when chargebacks are received. The customer will be notified of both customer -initiated and non -customer - initiated charge -backs to their card. The management of chargeback related issues by JetPay abstracts the client away from the complications of chargeback dispute management. As a best practice, JetPay disputes all chargebacks on behalf of our clients. Chargeback disputes are fully managed and tracked by JetPay as a function of our service agreement terms. JetPay acts as the merchant on behalf of the County to coordinate with financial institutions and associated entities to resolve disputed payments In cases where the customer cancels/chargebacks the transaction, then: (i) the eCounty and the customer receive an email from JetPay alerting the parties to such cancel/chargeback, 11)the customer is refunded immediately for the total amount of the transaction including the transaction fee, if one was charged to the customer, (iii) JetPay refunds the customer's card for the total amount of their transaction, (iv) unless directed otherwise, JetPay will fight all chargebacks, (v) if the County wins the chargeback, there is no further action to the County (your account was never debited for the amount), and JetPay receives the payment amount from the card issuer, and (vi) if the customer wins the chargeback, JetPay will inform the County when the final decision on the chargeback is determined and JetPay will send an ACH debit to the County for the amount of the chargeback. From a funding perspective, JetPay funds on a gross basis—credits and chargebacks are handled in a separate ACH debit transaction in order to make reconciliation and reporting simple and easy for clients. JetPay provides a chargeback report which displays all chargebacks within JetPay's system in real-time, and daily chargeback activity is available within JetPay's reporting suite. Chargebacks can be viewed by multiple different factors such as separated by department / organization unit. Through our Administration Console, all reports can be viewed in real time to give you immediate access to information when needed in the case of a chargeback or a necessary void of the transaction. Designated personnel have the ability to view as well as to void the full amount of a transaction prior to the payment being submitted for settlement. Full or partial credits are available after the date of the transaction. For a -check returns, 10. Workflow Mapping tain application and business workflows for current and revised workflow Selected Vendor must provide and main processes during the term of the Agreement. In the event of new technologies that become available and which may enhance or may otherwise be provided as an additional service under the terms of the Agreement, the Selected Vendor may provide such business transaction opportunities to the County. The County reserves the right to incorporate such changes if deemed to be in the best interest of the County. JetPay will provide and maintain application and business workflows for current and revised workflow processes during the term of the agreement. JetPay's current payment processing platform (MAGIC) was recently developed and offers the latest features and functionality while following best practices in the payment processing industry. JetPay uses an agile approach to software development. Sof ware is updated on an as needed basis with no impact to our clients. JetPay's Magic platform is a public facing web -based product, and as such system enhancements or updates will automatically be pushed live as they occur. How a Credit/Debit Card is Processed (our preferred integration alternatives): 3 Magic Sami•infnofaterUhnafnd Legend >� feabOme *. .•` latsncy ` 10 normal 14.11_ pery' z ', captute VY feN•fime VISA WC yp6 Mngk ftpdatatl in roal•Nmo ,� Pit captofod for customer communication $BI�HIT18f7t i client Sallloment Baa* 1. Customer goes to the County's website to submit a payment and is then re -directed to JetPay's fully hosted screens or the customer remains on the County's screens until payment information is entered, at which point, the customer's payment is re -directed to JetPay's screens and servers to complete the payment transaction. Customer account information is validated and the item(s) is placed into a shopping cart and additional items can be added to the transaction. 2. Payment card and PII data is entered by Customer then encrypted 3. JetPay's system requests authorization from the payment networks (Visa/MasterCard/Discover/ Amex) 4. Card Issuing Bank responds through payment network with either authorization/decline 5. If authorized, customer is provided receipt with confirmation number; if declined, customer is notified in real-time of the reason for the decline 6. JetPay's system updates the County's account system with transaction payment details utilizing either real-time web service calls or through a file import process which can be automated and provide updates at any frequency level required by our client 7. Funds are deposited into County's account In addition to its payment processing services, JetPay's system offers a -bill presentment, embedded customer communication tools, a white labeled mobile app, and check processing at the point-of-sale to further optimize the execution and efficiency of your billings and collections. All of these items our built into our core product, and as such there is no additional charge outside of our standard transaction fees for these additional service offerings. JetPay's e -Communication platform enables the County to send customizable messages via email or text (SMS) to all of their customers, a subset of their customer base, or an individual customer. Messages can be anything from reminders to pay their bill to electronic bills and any other topic that affects your customers. All communication and additional information provided to the customer can be managed and sent in JetPay's e -Communication platform by the County. Below is an example demonstrating how SMS text messages are received by the customer on their mobile device/phone: Hello, Jeff Stokes. You are delinquent on your bill from American Water as of 08/15/2017. To avoid having your water shut off follow the link to view and pay your bill. AmericanDemo r": bitly Din Dau: F= 1/2917 AaounCNUM f: AMERICAN WATER n„ o,a: $74.23 A~wn Wmef ' �t 123 Wator st ywr Pty. W 12345 Bervla Addross Mako Checks Pay*W9 To: Chorga Total Activity $8.09 50.89 ln, mne Dafanca $74.21 574.23 AtNowtt Attvxy O&Ql 1oi7.07*oln fi7 574.23 1N'fMU 8.110— WWII" .110—W age% ...aCauVnt days gait tya bill dsta 4a sub$b... to consina4lon and any UaoalaWd eoa Any btlanan JU .. _...._... •... _.... .... _...... ....�W mbor S=i 5ouM jA1R000t DUB 574:231 a Yw bWCtil� tlA a Wpno. Yut sa i W+�'+rtP ys� ears Ws F W.?'W [tf aucW Ta�+� tanoanttyl tafay }a t;aTayMSaf'm Car GVN+it IbMti'I43�:b lN1V, flaidal--f+N1%LmIJA4-BPfJ Ttd L�b'vnvF "w<FaPttMNstMYa iNliJk nM rtni'11yRiLWG6 Pel aF.itY�at'n�s7!�%f+a>p anf xi196.S=a wwd'�+ar •�^ W++* tv o..+fanw xN� s,e „mob. a fa.+,s+f: a.ta' ce,w r „tf,btiUa A yYKrt YMsf r71lYaN'k YO4 on.w fm,i Fr..lf72).�JaW Ya»1ya, grMi va. f}15 W ou'u,•6 Yry ha/•!u to h.tmvy v4;wa4r+ . YWirM tt>•T+.aY O KIS=>'MS •; •,." 4 eA2 PM O * 23X1_• Make A Payment -American Water Water and Sewer $74.23 Transaction Fee: Visa $1.00 411111 ***• • 1111 expires 0112018 Total Amount Due: $75.23 Visa 411111 ***** 1111 ($75.23) expires 0112018 )i r, Taal Payment Methods: ($75.231 OMauap•s •• 9 6;42 PM 0 A fte in elle amount of $10 "as been added as a conveoltece fee for the fol .vot'g traiesactioo. Jett Stokes 123 This AVenue Suite A Gulf Neem, Ft 32561 tail GSG-3!33 H 1 agree to the r-aymwa Tema Of �.- and aulb"We @?3 payment. 44 Dack to Paymtr:t Method ••. �. grntP a'A7 Pk lr 1i 227c L1 B T agree to the FaY'.-w Terms OT service and authorize this payment. 44rack to Payment Method Water and Sewer 574,23 subtotal 574.23 Projected Fee $1.00 % cancel Transaction v 4;65 Pu a 1' ]::>.r_.� OtN`!x*pr't. •:,,,-.a A-C2PM D r.+nwpot •.,�>e 6A1 Pu •; 23%e:.::F Ot*eu+p*n •`>•.: ,-..: Make A Payment- Payment Expiration Year Information - American Water (_1eCheck ................. ...... ..._................................ _.....___.. Security Code I I 123 n Card Zip Code 12345 Amount Due Please select your Payment Method s '" Water and 5w:er $74.23 Payment .........___ -_.... 13 Credit Card Subtotal $74,23 ® M -= = g 74 23 '. Projected Fee 51.04 Card Number Projected Fee $0'50 4111 iY171111ti11 � '. I [., j eCheck payment Details Name on Card _.,-,. left Stokts Expiration Month .. x Cancel Transaction of .t Expiration Year O KIS=>'MS •; •,." 4 eA2 PM O * 23X1_• Make A Payment -American Water Water and Sewer $74.23 Transaction Fee: Visa $1.00 411111 ***• • 1111 expires 0112018 Total Amount Due: $75.23 Visa 411111 ***** 1111 ($75.23) expires 0112018 )i r, Taal Payment Methods: ($75.231 OMauap•s •• 9 6;42 PM 0 A fte in elle amount of $10 "as been added as a conveoltece fee for the fol .vot'g traiesactioo. Jett Stokes 123 This AVenue Suite A Gulf Neem, Ft 32561 tail GSG-3!33 H 1 agree to the r-aymwa Tema Of �.- and aulb"We @?3 payment. 44 Dack to Paymtr:t Method ••. �. grntP a'A7 Pk lr 1i 227c L1 B T agree to the FaY'.-w Terms OT service and authorize this payment. 44rack to Payment Method Water and Sewer 574,23 subtotal 574.23 Projected Fee $1.00 % cancel Transaction .. Swlra f e'e3PM a 2i:i C:i Make A Payment - American Water Thank You for Your Payment Please save this wnbrniatiun number for your pen*nal records. AMERICAN NVAiTER Customer Name )rif 50 , Effective Date 1,11212017 8'42 PM Central Standard Time Payment Confirmation Number 700W01N' Water and 5eerer $7423 Subtotal: $74'23 5.imV *'J3 PM V * 22%I , Effective Date x11212017 8:42 PM Central 5mndard Time Payment Confirmation Number 2u0(10(06 Water and Sevier $74.2.1 Subtotal: $74.23 Total Amount Due: 37523 Transaction Fee: Visa 41111 t ($1100) c.a ar 1 I f i *spires 011201 B ),IBa 411111 `*'.. 111 I expires ($75,23) 011201a Total Amount Paid: ($75.231 kemainlog Amount Due: $0.00 Payment Details ....,¢yeti tll PM •422%6:.:1 Total Amount Due: $75.23 Transaction Fee: Visa 411111 tsl.00) ♦*... fill expires of f201 a visa 411111 ***- Iif i *%plies ($75.231 01/2018 Total Amount Paid: (175.23) Aemalning Amount Pu*: $0.00 Payment Details Water and $*Pier CCi0004.0st i79-$74.23 95 Email To Q 5N15 To �A Print Receipt JetPay has a mobile app that can be white -labeled for Collier County that will be customizable and configurable. This mobile app is white -labeled for our client and is available on then -current versions of iOS and Androidoperating gi3mobile app can be customized sfy the county's s y, and can be uedthow usage hstory,make aon*tme paymentand create customer profiles to save accounts s and payment methods for future use. E i Touch IDfor "NBU" Sign on vdth Touch ICY- or onto, password i. Crutrc•I rv!rvl vaa' ra, vl r.eanvl.+l % in rnfr'. •.1,�. 4� 't lu pieasa create it user name and Passviord tci?tEii a P s;'a;;'ri O 14oro: UW Tama and 0a"""f saraux tm (ire sort. Use( 3Ni.tie Iltht4 Lia. a• 1 a Wast 11 0-00.1s. PaS3'el rJ . ' St CUnt :11 Ia51 7 (haraters, una r0 f n)d ele UyphfCaS*:Itasaclrf r 0--M a *dptsu Enter yowaciMunt number for lookup verification tjcw Voir t<t.(i8i1 ru,mberis Ixa:ed f! the !00 right pNNon or t4wv4diroo 9 1141 AM ty P� PIA0 New Braunfels Utilities L'. , Forgot User ID Or Pb"S'Nold? grglb 1 < Back Account Registration 3 of 3 *** " "-tr— , ...... pV, —0 M 'MISU Enter your email and mobilo number O wl". wo X4 w"p- ulia 16 00,00 f 0. vilker Utility Amount Due $125.00 '..0t iviTIP2017 vetuon v, 11:11 AM I JEW Account Account Detail Pay Now Schedule Payment 'q View Payment History See ycitr usage I,!s1o;Y Law Usage ve,u.n 11;11 AM IM < Account Detail Payments v,later Wilily 1,103debM)94fd19OdO13- Amotjnt Duo $125-00 select Payment PrOMP L_) Visa —1111102120 Add WIN RaYMOnt Method A t. -t 11:11 AM < Account Detail Account usage History Usage History ass VeriTan 11:12 AIA Receipt Confirmation Payment Succcess total Remated $126M Canfimation NUmber 20002093 Customer Payment by visa --1111 02120 Payment Remitted Date 07103/2017 Water utility 655555 Your rera:ln tua baen ania,`ed to Caridteypni lirid•'�sal[urp :iai Support iiaiP & SUPPort Office Locations FG Nety sraunfeis Customer FAQ,, Contact Information Report outage 4 Contact Us �O C: FG Nety sraunfeis Customer Privacy I Terms settings h services Custorncr Profit(,' Settings/ (�zyment profile Settings as gt a> t}j � Notifications tion a(Junf'•ISI ' Give Us Your feedback awrean a,as: I nsak"a'. L4J(Ki, o5epu'.a -+rttr i.Ry - llrt L'ulla Yottia11.1.OtJDD.3754t !(y:.a.%Nax Era,rtdi UGetp rornpanr iJea•JuI C(a 4AFsl ._. i _ _. ti.- r-'- SeNM! C: IYadtat ^. 11:13 AM support Frequently Asked QuestiOr Yo4. %111u4e ca'':10-c( cur Lusto.w SO,y.` RG(i(Ci%LY„ati'.•C at 13?,• 62c' ^vSGG r�r (6301 orib-2u7A (pian Ar'tonio tneGol. The 0011 .tion procsse. rtlay b;• cornlw-i rr:er the p`amx or en c:.hun can to .epi; Ia you h> fid mU and rcw fl Ly fox e'r rral. Otd'ax r 0'17-2115. VOttat is needed whon applying for service? in ads?:lira In th:, c�tmpte3r!1 TnF�!��:=tier, ytt:, ,.•.i aL:t> reed Io rovide nt; "'Al Ynu: 5 :r. fiet:r�ity aner and a Copy of r,^.ur drivot's liconsu or a Tex35 I^. Oo I have to pay A deposit? YR<, a 11P111r5f. i! .S (2.-�:i1fP.n to iritiatR fiANl.9. t�Btl reKuiras a C:ia rtordn u,t�navd ci.0f'.g v;P: ch is do;errninu t;i Glu nvara.v 01011 hstvey for the !:ration tt"i i; h9':nt1 applied for. i ho,la plymg f„I'.1 howl, irons the t;etx: at •efh tie 4rua1 on 1!,o sq -'r, 3compo Ono-ha'.I of tht d6pw!t is du "hcri rir:a',In t aOpNstian fur :n' rr arrl thn {rR!ance of tYx dzVis.t :":.i ire Ir,fed oy FJEiI on lha t,i0l Ir tiitll:'I L.ItfYj. Can 1 pay my utility bill using a credit card? Y�•s. -tr l;l.•.•.li'arci �;4n:lt•.ty e:ay Cal! . W f•?l 11. Training The Selected Vendor must train and manage quality controls of its personnel to adapt the business processes associated with such training instructions and guidelines, and monitor performance on an ongoing basis. Selected Vendor staff must establish the expertise to search for all debt related to a particular transaction and provide the needed customer set -vice needed to properly complete the transaction. JetPay continuously monitors performance of its contracts on an ongoing basis and makes an effort to have frequent relationship update presentations and calls with clients. To this effect, JetPay strives to notify clients of new features and functionality that have been provided to the Magic Platform upon the release of new updates. JetPay's policy with each new contract is to establish a dedicated relationship manager who is the primary point of contact for that client. If awarded, Rick Griffiths, Director of Account Management, will continue to act as Relationship Manager for this contract. Mr. Griffiths' overall responsibility includes relationship development for JetPay but will be Collier County's primary contact. Mr. Griffiths will be available 24/7. There is no additional charge for this service. Mr. Griffiths can be contact at: Rick Griffiths, Director of Account Management JetPay Payment Services, FL, LLC. 316 South Baylen Street, Suite 590 Pensacola, Florida 32502 (850) 858-3309 Telephone (850) 444-9331 Fax Ricic.gt'iffiths(tq)jetpay.com Customer Service is a focal point of JetPay's payment processing solution. JetPay's policy with each new contract is to establish a relationship manager who is the primary point of contact for the client. The relationship manager is available 24/7 to handle any escalated tier 2 issues or customer needs that may arise. JetPay's Help Desk serves as the focal point for customer support. All Tier 1 calls are directed to the Help Desk. JetPay provides a staffed call center which is accessible at all times (24 hours a day, 7 days a week, 365 days a year). JetPay's Help Desk closes 97% of service tickets within one day. Additionally, the Help Desk will develop familiarity with the County's account and the specifications used throughout the duration of the account. In addition to the dedicated client support team, Collier County will always have access to the JetPay Executive, Christopher Battel, Chief Operating Officer, for all government clients. JetPay provides live online training sessions as well as when appropriate, on-site training of the JetPay payment processing platform and reporting suite. The initial training is divided into: (a) overall CCNC- administrative system management, (b) the payment screens, (c) the dashboard/reporting suite, and (d) all point-of-sale equipment. System administrators are provided training on all areas of the JetPay platform, and end-user/Customer Service Representatives are typically trained on just the payment screens. Additionally, JetPay provides electronically generated training materials in PDF format as well as hardcopies. Ad-hoc and on-going training is available on -demand via the JetPay relationship manager. Furthermore, in addition to training in the live environment and prior to going live, JetPay will train the client's staff in the test environment. 12. PCI and Data Security Compliance In as much as the County is required to have its outside Selected Vendors comply with the latest PCI requirements as determined by certified PCI Compliance authorities, so too must the Selected Vendor be required to submit to those standards as may be applicable and to provide industry accepted documentation of their compliance. Below is JetPay's proof of PCI DSS Level I Compliance, and JetPay will provide at least an annual confirmation of this certification during the term of this contract: Payment Card Industry (PCI) Data Security Standard - . -. . .. .. . .... . . - , Attestation .. '. .. . of Compliance for — Service Providers Onsite Assessments Version 3,2 April 2016 SeCLORY Standards Council T�Security '0 Standards Council Section 1: Assessment Information instructions for Submission This Attestation of Compliance must be completed as a declaration standard of the results of the service Provider's assessment with the Payment Card Industry Data SOC urity 5iatndard 12e4uirements and Security Assessment Procedures (PCI DSS). Complete all sections: The service provider is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact the requesting payment brand for reporting and submission procedures. Part 1, Service Provider and Qualified Security Assessor Information Part la, Service Provider Organization information Company Name: JetPay Payment Services 00A (doing Jet Payment Services, Florida LLC business as): Florida da LLC Paul Shave IT prrcctcr Contact Name: _ 10 E-mail:Paul.Shave letpay.com Telephone: (850) 444-9330 x 3 316 S Sa en St., Suite city; Pensacola Business Address: #590 Say Zi 3 32502 _- FL Country USA p State/Province: URL: http:11coilectorsoiutions.com Part 1b. Qualified Security Assessor Company Information (if applicable) Company Name: Kirkpatrick Price, Inc. Title: Information SecurityLead Lead QSA Contact Name: Scott Worrell Practitioner -- -- -- - _ .------. -j - - - — Email: U kirkpatnckprice.co Telephone 800.977.3154 s.worre M __.. Business Address: 16057 W Tampa Palms City: Tampa Blvd --.._. Country: USA Zip: 133647 StaietProvince: FL y" '- URL: www.kirkpatrickpdce.com April 2016 PCI DSS vS.2 Artastor -f Cor Cc,, -g nee for Onsile Assossmonts - Sorvieo providors, Rev, 1,0 Pago 'f 02008-2016 NCI Socurity Standards Council. LLC, AliRrghis Rosorvod. April 2016 PCl OS5 v3.2 AtroatoGon of Conrptianrte for Onsite Assessments — Sarv<ce Providers, Rev, 1.0 Page 2 ,g> 2006-2016 PCl Security Standards Coanp7. l.t.C. AU Rights Rusafvad. Part 2. Executive Summary --- --------- Part 2a. Scope Verification Part SorvicaS that were INCLUDED in the scope of the PCI DSS Assessment (check all that appty): V Name or ser rvice(s) a3ie��ed'. 9r c card, procossm-- Systems Legacy and 01a _ Type of service(s) assessed; Hosting Provider: Managed Services (specify): Payment Processing: g ❑ Applications! software pOS t card resent ❑ Systems security services ®infemet ❑ Hardware ❑ IT support ! e.cemmerce !: � MOTO l Cali Center ❑ infrastructure Network ❑Physical security ! ❑ATM 0 Physical spate (CO -location) O Terminal Management System Other processing (specify): [� Storage [)Other services (specify): ❑ Web I ❑ Security services 4 ❑ 9-0 Secure Hosting Provider ❑ Shared Hosting Provider ❑ Other Hosting (specify): I --,-- ❑Account Management Payment GaEewaylSsritcit ❑ Fraud and Chargeback i ❑ Y ❑ Back -Office Services ❑Issuer Processing Prepaid Services ❑ Billing tvinnagement ❑ ProgramsC)Records Management Loyaltying Payments ❑ Clearing and Settlement Merchant Services ❑ Tax/Government O ---. - ❑ Network Provider ❑ Others (specify): These categortos aro pmvldod for osststonaa only and oro not Intended to limit orprodotamrrno Note: an oniity s sorvlcv description. If you tool thoso categories don't apply to your service, complete to servico, consult with tiro apprcabla `Others.' if you7e unsure whether a category could apply your payment brand, _,.... .....-. April 2016 PCl OS5 v3.2 AtroatoGon of Conrptianrte for Onsite Assessments — Sarv<ce Providers, Rev, 1.0 Page 2 ,g> 2006-2016 PCl Security Standards Coanp7. l.t.C. AU Rights Rusafvad. Part 2a. Scope Verification (continued) Services that are provided by the service provider but waro NOT INCLUDFO In the Sanpn of the PCI DSS Assessment (check all that apply}: - Name of services) not assessed: None ___._.._._.__... t scssod. Type of servico(s) no as Hosting Pro vidor: ... ------- Managed Services (specify): Q Applications ! software j Q Systems security services ❑ Hardware Q IT support Q Infrastructure t Network Q Physical security [3 Physical space (co-localion) I Q Terminal Management System Q Storage Q Other services (specify): Q Web Q Security services j ❑ 3•D Secure Hosting Provider Q Shared Hosting Provider ❑ Other Hosting (specify): Account Management ❑ Back -Office Services Q Billing Management -. O Clearing and Settlement ❑ Network Provider Q Fraud and chargehack Q Issuer Processing Q Loyalty Programs ❑ Merchant Services Payment Processing, Q POS ! card present Q Internet / e-commerce 0 MOTO f call center Q ATM Q Other processing (specify): ❑ payment Gateway/Switch ❑ Prepaid Services _... - .... Q Records Management Q TaxtGovernment Payments ❑ Others isPeGfY}_ _.--------- __.._..._. _ _ Provide a brief explanation why any checked services were not included in the assessment: Apid 2016 PC1 DSS v3,2 Attestatiar of CornpliAnce for onsite, Assessments — S0A 9 Nrovittais, Rev, 0:0 page 3 @ 2006.20t6 P01 Security Standards Coencit, !_CC. An Rights Reserved. C90 Part 2b. Description of Payment Card Business Describe how and in what capacity your business I JelPay Payment Services, Florida LLC accepts card - stores, processes, andfor transmits cardholder data. not -present credit card data through their web application and clients have the ability to facilitate transactions on behalf of their end-users over the telephone. End-users can create an account, make a payment, and in limited cases register a credit card date for reoccurring payments via JetPay/s web - based Legacy or Magic systems. The Credit card data is then encrypted using aijndael 255•bit or AES 258 bit encryption and stored in a Microsoft SOL database. Payments can also be made via phone calls where payment information is manually entered Into the legacy or Magic by clients on behalf of the end-user. Cardholder data types for both acceptance channels include PANS, CV42s (in limited instances), cardholder name, and card expiration date. Some PANS, cardholder names, and card expiration date data is retained to allow recurring transactions. CW2 data Is never stored after the transaction has boon completed. Transactional data is currently retained indefinitely. However, expired, state and unused PAN data Is purged after 5 years of Inactivity. Describe how and in what capacity your business is Jetpay Payment Services, Florida LLC is responsible otherwise involved In or has the ability to impact the for the physical security, configuration and security of cardholder data. managomont of the systems and applications utilized to collect and submit credit card transactions. Part 2c. Locations List types of facilities (for example, retail outlets, corporate offices, data centers, call centers, etc.) and a summary of locations included in the PCI DSS review Typo of faciiity: Number of facilities Location(s) of facility (city, country): of this type _ -- - Exsnrplet Retail ou716ts $ Boston MA USA Corporate Office 1 Pensacola FL U hamirmi AL USA TeKink Colocation/Datacenter B_._°g..........._ _ PCI DSS v3.2 Attestation of Compliance for onsifo Assessmonts - Sorvtcu FrovJtfors. Rev. 1.0 April 20f6 (t)2006 -20f6 FCl Security Standards Council, I.I.C. Ali Rights Reserved. Pogo 4 iKW+I) Part 2d. Payment Applications Coos Iho organization Liss ono or more Payment Applications? ❑ Yes] No Provide the followitxl information rogarding the Payment Applications your organization uses: "' Is application PADS$ listing Expiry Payment Application Version Application pp Name Number Vander PA•DSS listed? date (if oppitcablo) ❑ Yes ❑ No Q Yes ❑ No ❑ Yes 0 No j _. Q Yes ©Na p Yes O No D Yes ❑ No ❑ Yes ❑ No © Yes ❑ No Part 2e• Description of Environment Inbound: Provide a high-layal description of the environmanl End-users and clients utilize HTTPSrtLS Web - covered by this assessment. based applications, LegacY and Magic, to Forexamplo: transmit CHI) to JetPay Poyment services, • Connections into and out o/the carr11101derdala Florida LLC systems. environment (CDE). CnNcai sysiain components within the COF., such as POS Outbound, devices, databases, web Salvors, etc„ and any other Ouigcing CND are transmitted via HTTPS/Tls n0c0ssnry payment c0mp0rients, as applfcahfo' configured URLs which are entirely provided and fmanaged by JetPay and Autho(ize.Net to process the transactions. The IhiM•p0r1Y transaction providers' secured URLs aro invoked prior to transmission of CMD. I JetPay Payment Services, Florida LLC's ' processing systems (aside within the corporate taciiity's dalacenter and TeWnk's ColocationrDatacenter and consists of Web Servers, Application Servers, Database Servers, Domain Controltar, VPN end managemenUdefection systems. Note: JetPay Payment Services, Florida LLC and JetPay are assessed as two separate ! entities. Does your business use network segmentation to aiiect the scope of your PCI DSS C) Yes ® No environment? (Refer to "Network Segmentation" section of PCi DSS for guidance on networtc § PCI DSS 0.2 Aftestatfa10f Con+pilance for Onsite Assassm0nts — 5orvice Prov Bars, Rev. 1.Page 50 April 2015 0 2006.2016 PCI Security Standards Council, LLC. All Rights Reserved. G !tf'.IAy part 2f, Third -Party Service Providers Doos your company have a relalionship with a Qualified integrator & Reseller (qIR) for ❑Yes No the purpose of the services being validated? if Yes: Name of QIR Company: i QIR Individual Name: Description of services provided by qIR: Do1. es yo1. ur company have a rslat ionshIp with one or more third•paity service providers ((of d Yes 0 No example, Ounlitied Integrator Resellers (QIR), gateways, payment processors, payment service providers (PSP), web•hostiog companies, airline booking agents, loyally program agents, etc.) for the purpose of the services being validated? ------ _-_---- If Yos Name of eery ico provider: DasaAption of services provided Jetpay Transaction Prceassing AuthorizeMet Transaction Processing Note: Requirement 12,8 aPAUas to aq anfifios iR this list PCI DSS v3.2 Atresietion of Comptiaecs for Onsite Assessments — Service Providers, Rev, 1.0 Ap page 6 2016 0 2006-2016 PCI Secudty Standards Council, LLC, All Rights Reserved. OA7 Part 4g. Summary of Requirements Tested For each PCI DSS Requirement, select one of the following: . Full —The requirement and all sub -requirements of that requirement wore assessed, and no sub• requirements were marked as "Not Tested" or "Not Applicable' in the ROC. . Partial — One or more sub•requirarnonts of that requirement were marked as "Not Tasted" or `Not Applicable' in the ROC, . None — All sub -requirements of that requirement ware marked as `Not Tested' and/or `Not Applicable" in the ROC. For all requirements identified as either `Partial' or •None," Provide details in the "Justification for Approach" column, inchrdingi e Oetals of specific suh•requirements that were marked as either "Not Tested" and/or "Not AppGcabie'• in the ROC Reason why sub-requirement{s} were not tested or not applicable Notm Ona table fo be completed (or each service covered by this AOC, Additional copies of tills section are Available on tiro PCI SSC Wobsito. Name of Service Assessed: Legacy and Niggle card -not -present processing Systems Details of Requirements Assessed• • - Justification for Approach i PCI DSS (Rettulred for till `Pallia!' und'NoW responses: Idonfittywhich Rcqulrornont Full Partial Nona sub requuomonta waro not tealod nrid the mason i Requirement t ` ❑ ❑ ❑ 1.2.2.o,b • Routers are not utilized within the COE. Components of 1,2.3.b - Wireless environments aro not connocted the COE. Wireless access points are utilized at the corporate office suite but are segmented via a dedicated VLAN and du not transndt I CHO. { 1,3.7.b - Private 1P addresses are not disclosed externally, _ Requirement 2; not ❑ ® ❑ 21.1.a,b,c,d.e • Wireless environments are aro connected the COE, Wiroless access Points utilized at the corporate office suite but are serdmented via A dodloatsd VLAN and do not transmit CHO. i 2.0 - JetPay Payment Services, Florida LLC is not a Shared Hosting Provider. Requirement 3: El 133.2.a,b • JotPay Payment Services, Florida LLC is not 1 an issuers and does not support Issuing servlcos• 3.4.c - Removable media Is not utilized to store CHO. 3.4.e • Hashed and truncated versions of the same 3 ; PAN are not present in the COE. 3.4.1.a,b,c - Oisk encryption technology is not utilized I ' within the COE. 3,5.1 • Control Is not a requirement until January 31, 2018, April 2016 PC1 t35S v3.2 Allestalron of CornPttanca for onsite Assessments — 5ervtso provtdars, Rev. 1,0 Pago 7 0 2006.2018 PC1 Security Standards Cotrncy, LLC. All Rights Reserved. a ��A+ 6vNCar+cn Requirement 4: ❑ ® ❑ Requirement 6:_ _ ❑ Requirement 6: ❑ ® ❑ Requirement 7: Requirement 8: – ® _D.0 �❑ 4_. ❑ ❑ Requirement 9. F ❑ – ® ❑ 3.B.a-Cryplographle keys are not shared YOU customers for transmission or storage of CHID. 3.6.e.9,b -Clear-text cryptographic key -management operations are not utilized. 4.1.1 -Wireless environments are not connected the CDE. Wlreleas access points are utilized at the corporate office suite but are segmented via a dedicated VLAN and do not transmit CND, 4.2.a - CHID Is not send over end-user technologies - 6.1.2 - All servore and workstations utilize anOvinrs. 6.4.6 • Control is not required unill January 31, 2018, 8.6.1 - Jetpay payment Services, Florida LLC does not have remote access to customer premises. Components of 9.1 - Computer rooms are not uUlized as part of, to Interface with, or support of the CDE. Components 9.1.3 - Wireless environments are not connected the CDE. Wireless access points are utilized at the corporal# office suits but are segmented via a dedicated VLAN and do not transmit CHD. 9.9 - No devices that capture payment card data are utilized, 9,9A^b,e - No devices that capture payment card data aro utilized. 9.9,2a,b - No devices that capture payment card data are utilized. 9,9,3a,b - No devices that capture payment card data are utilized. Components of 10.4.1.a,b .Only one designated time server la utilized. Components of 10.4.3 - Time updates are not encrypted. 10.b.a,b - Control Is not currently in place and Is not a requirement until January 31, 2016. 10,9.1.a,b • Control to not a requirement until January 31, 201 a. Requirement 11: ❑ ® ❑ i Components of 11.2,1.c - Third -parties perform i vulnerability scene. Components of 11.2.2,b • Fmorrral vulnerability irescans were not required to be performed. Components of 11.2.3.a • No significant external Infrastructure changes were made over the previous 12 months. —_-- Aprif 2018 PCI ASS v3.2 Affesfalion of Compliance for Onsite Assessments – Servico Providers, Rev. 1.0 Page 6 ® 2008-2016 PCI Security Standards Council, I.I.C. Aff Rlghis Reserved. 0 r7i=IC z __ .._._.. _._........_. required to be performed. 11.2.3.c . Third•partioe perform vulnerability scone. IComponents of 11.3.1.b -Third-Partles Parfortn penetration testing. Components of 11.3.2,b-Thlyd•partles perform penetration testing. Components of 11.3,4,a,b,c-3e9mentation Is not utilized. 11.3A.1.a,b - Control is not a requirement until January 31, 2018, Requirement 12:� ❑ ® ❑ Components of 12.1 -Vendors and business partners have no need to access the COE, 12.4.1 . Control Is not a requirement until January 31. 2018. 12,it,a,b • Control is not a requirement until January 31,2018, 12.11.La • Control is not a requirement until January 31, 2018. i V i JatPay Payment Services, Florida LLC Is not a Shared Appendix Al: ❑ ❑ ® Hosting Provider, �_— Appendix A2: ❑ ® ( ❑ AM . POS Pol terminals am not utilized to connect to the CDE. PCI DSS 0.2 Attestation of Compllonce for Onsile Assessments — Service Providers, Rev. f.0 April 2016 © 2006.2016 PCI Sacurily Standards Council, LLC. All Rights Resorvad. Page 9 Elv:j tiw"a�aCauP Section 2: Report on Compliance This Attestation of Compliance reflects the results of an onsite assessment, which Is documented in an accompanying Report on Compliance (ROC). The assessment documented In this attestation and In the ROO was completed on: 4/92017 Have compensoUng controls been used to meet any requirement in the ROC? ❑ Yes +® ®No Were any requirements In the ROC Identified as being not applicable (N/A)? Yes ❑ No Were any requirements not tested? ® Yes Q No Were any requirements in the ROC unable to be met due to a legal constraint? Q Yes ®No _ PC/ DSS v3.2 Attestation o1 Compliance thr Onsite Assessments —Service Providers, Rev. 1.0 April 2016 ® 2006.2016 PCI Security Standards CouncN, LLC. All Rights Reserved. Page 10 06J ------ ---- 4{xxLnt. fatty 1 ...�. Section 3: Validation_ and Attestation Details Part 3. PGI DSS Validation This AOC is based on results noted in the ROC dated 41912017. ries ntified in applicable'Iassegt(s) hults e following coented In mpliance 0 e seats for the ethe ntitygIden Identified in Part 2 of tis document arts 3b -3d, as (check one): [� Compliant: All sections of the PCI OSS ROC are complete, ail questions answered aifirmaiiveVy, resulting in an overall COMPLIANT rating, thereby JelPay Payment Services. Florida LLC has demonstrated full compliance with the PCI OSS, ❑ NomCompliantt Not ail sections of the PCI DSanswered S ROC are complete, or not all questions are an overall tihas hotderated full resultingin Comp NON-COMPLIANT withhe PC) i rating, thereby (Service Provider company Name) Target Date for Compliance: An entity submitting this form with a status of NoroCompliant may be required to complete the Action Plan in Part 4 of this document. CboCk with lho payment brand(s) before completing Part 4. (� more requirements are marked 'Not in Place' due to a Compliant but with Legal exception; One or legal restriction that prevents the requirement train being met. This option requires additional review from acquirer or payment brand. If chocked, complete !be following., ..... -..i I. _1 -- 1 Affected Requirement Details of how legal consiralnt proveitts requirement being ms Part 3a, Acknowledgement of Status Signatory(s) confirms: (Check all that aPP/Y) The ROC was completed according to the PCI OSS Roqu(renronts and Security Assessrnonf Procedures, Version 3.2, and was completed according to the instructions theroin, ® OC and in this attestation fairly represents the results of All information within the above referenced R my assessment In all material respects. - •..� _ 0 1 have confirmed with my payment applicaliwr vendor that my payment system does not slot* sensitive authentication data after authorization - - ®' 1 have read the PCI DSS and I recognize that I must maintain PCI DSS compliance, as applicable to my environment, at all times. _._....... ® If my environment changes, t recognize I must reassess my environment and implementany additional PCI DSS requirements that apply. ___.._.... . PCI OSS v3.2 Alloslation of Compliance lorOnstfo 'm 301 -Service Providers. Ray. t>0 Apra 2016 @ 2006.2016 PCI Socutily Standards CepnGil, LLC, AN Rigid$ Reserved. Paco it part 3a. Acknowiodgemant of Status (continued) -- [Q :. No evidence of full track data', GAV2. CVC2, CIO, or CVV2 data?, or PIN dale' storage after transaction authorization was found on ANY system reviewed during this assessment. ASV scans are being completed by the Pei SSC Approved Scanning Vendor Clone Systems, Ina under catimato number 4262.01-09. Part 3b, Service Provider Attestation - Date- ..,Sign. ate- Srgnaturo TWO: -_.. of rovider xacutive Dt6cer T ) 7� " C,,, .._ _. ' )x .+�✓ Service Provido(ExeCOVOOfficerNama: ~Part 30, Qualified Security Assessor (QSA) Acknowledgement (if applicable) If a OSA was involved or assisted Willi this Full PCI DSS Assessment assessment, describe the role performed, - — - y , _ Dali1: x4r,201 Srgnature of Duty Authorized OfAcor of QSA Company T QSA Coiljjrany, Kekpatkk Price, Inc. truly Authorized Dirket N(rne: Joseph Kirkpatrick part 3d, Internal Security Assossor (ISA) involvement It applicable) if an ISA(s) was involved or assisted with Ibis assessment, Identify the ISA personnel and describe the role performed: Data encoded in Uro 1110911011C Wild or equivalent data on a chip used for authorization dwing a catd•Wasen[ Iransaclien. ErrtNes may not retain full track data alter Iransacllon autiwr,zallon. The only elements of track data ilial may be feta'ated are primary account number (PAN), expiration dote, and cardholder name. + The Three• or four -digit value printed by the `ignature panel or on the race of a payment card used to verity card-not-proserd transaclions. I Personal idenlificallon monbet eriteled by c4001101der during a card •present Uansaoiion, Omer encrypted PIN blocik p+esen vdUrin tlw Uarliaction message. Apni 2016 PCl DSS v3.2 Attastaf,on of Coapt anca for Rrrsita AsseSsrnanis — Sarvikb P�ovidurs, Rev 1,0 Page 12 f) 2006.2016 PCI Socurify Standards Council, LLC. All Riglrls Reserved. �93: v'sA D15Ct3VER � MasterCard April 2016 PCI DSS v3.2 Attestation of Compllarrca for Ons" Asswssnrants —Service Arovldars, Rov. 1.0 Pago 13 0 2006.2016 PCI Socuriry Standards Council, LLC. All Rights Reserved - 0 ........... ,.-... .,-. Part 4. Action Pian for Non-Compliant Roqulrements Select filo appropriate response for °Compliant to PCI DSS Requirements" for each requlrement, if you the date your Company expects to be answer "No" to any of the requirements, you may be required to provide and a brief description of the actions being taken to meet the requirement. compliant with the requirement Chock with file applicable payment brand(s) before comploUny'part 4` Compliant to PCI Romodiation Data and Requirements Actions PCI DSSDSS Description of Requirement (Select 0118) (It'NO" selected for any Requirement - Requirement) YES NO I i install and maintain a firewall t configuration to protect cardholder data Do not use vendor-supplied defaults for z system passwords and other security ❑ 3 parameters 3 I Protect stared cardholder data ❑ ❑ encrypt transmission of cardholder data El A across open, public networks Protect all Systems against malware ❑ ❑ 5 and regularly update anti-virus software or programa Develop and maintain secure systems 6 and applications Restrict access to cardholder data by business need to know Identity and authenticate access to ❑ n 6 system components . Restrict physical access to cardholder ❑ ❑ data Track and monitor Oil access to network El ❑ to resources and cardholder date Regularly test security systems and 0 t t processes !. .... ......._.__.... Maintain a policy that addresses 12 information security for all personnel Addillonal PCI DSS Requirements for ❑ ❑ Appendix At shared Hosting Providers Additional PCI DSS Requirements for Appendix A2 Entities using SSUeariy TLS �93: v'sA D15Ct3VER � MasterCard April 2016 PCI DSS v3.2 Attestation of Compllarrca for Ons" Asswssnrants —Service Arovldars, Rov. 1.0 Pago 13 0 2006.2016 PCI Socuriry Standards Council, LLC. All Rights Reserved - 0 13. HIPAA and HITECH Act Compliance Any information and transactions involving personal information which require compliance with the most current Health Information Portability and Accountability Act requirements must be provided for by the Selected Vendor. For any information and transactions involving personal information which requires compliance with HIPAA and HITECH Act, JetPay will ensure that compliance is provided. 14. Security Protocols The Selected Vendor must provide for electronic and hardcopy security of all Collier County related documents and all other related data while in the Selected Vendor's custody and control. Selected Vendor must provide to the County, upon request, the identification of personnel who will be providing services under the Agreement, and any details which may be required by the County of such personnel for security purposes. Personnel will also be required to be fingerprinted and approved per the agency fingerprinting ordinance. Security is of the highest level of importance, and JetPay is a PCI DSS Level 1 Service Provider (the highest level). JetPay adheres to industry standard levels of security including PCI DSS Level 1, NACHA compliance, SSAE16, external audits by a certified QSA, and credit card association rules and regulations. JetPay does not plan to use any subcontractors or third party processors. JetPay maintain policies and practices that have been tested and proven to successfully protect sensitive Personally Identifiable Information and payment card data. Payment card data is always encrypted while at rest or in -transit, as well as is encrypted end-to-end when dipped or swiped at point-of-sale. To safeguard the security of transactional and all information, our platform only utilizes Transport Layer Security (TLS) protocols at 256 -bit encryption in all online sessions, which is an industry best practice. Further, point-of-sale payments utilize end-to-end encryption which is performed at the Point of Interaction by the EMV reader using the SIZED chip, and not through a software solution. All PII, payment card and banking information is encrypted while in -transit or at rest. JetPay's system tokenizes payment card and banking information when your customers elects to store it for re -use in the future including when setting up on-line accounts and for pre -authorized and recurring payments. For one-time payments, our system does not store the complete Primary Account Number nor a CVV/security code. The system does store the last 4 digits of credit card and debit card transactions to enable search and lookup based upon such criteria; however, whenever payment card, banking information or Personally Identifiable Information is stored, JetPay encrypts such information. Upon request JetPay will provide the County the identification of personnel who will be providing services under the agreement, and any details which may be required by the County for security purposes. As we have done previously with Collier County, personnel will be required to be fingerprinted and approved per the agency fingerprint ordinance. 15. Reporting The Selected Vendor will be required to provide reports to the County which will include, but are not limited to: a. Any instance of lost, stolen, misdirected, not delivered, or breach in security, even if temporary, must immediately be reported to the authorized representative of the Department managing the Agreement. Selected Vendor will be responsible for all costs associated with a breach including, but not limited to, notifications and credit reporting to impacted individuals, legal fees and fines, any other costs associated with a data breach. Any instance of lost, stolen, misdirected, not delivered, or breach in security will be immediately reported to the authorized representative of the Department managing the agreement, and JetPay will be responsible for all costs associated with a breach. There has never been a compromise to any JetPay Payment Services FL system through a security breach. The JetPay primary data center is a hosted facility located in a SSAE-16/ ISO 2000 SRI compliant data center. Physical Security includes video monitoring, combination keycards card and biometric access controls, redundant dual rail power, fire suppression and cooling systems. Secondary data center is located at lights out Amazon Web Services Data centers. Physical security is provided by data END) center hosting staff. Only designated IT personnel have direct access to systems. Lights out secondary data center administrative functions are only accessible to designated IT staff. Physical racks have video and door alarms set to send alerts immediately upon entry to monitoring personnel. In the event of an alert generated by an unexpected event, physical security staff are notified. b. Any instance of a system application or other communication line being unavailable for a customer's use (downtime), must be reported to the authorized representative of the Department managing the Agreement. JetPay is proud of maintaining a continuously available system for customers to make payments, and as such we experienced no unscheduled down-time in 2016 or 2017. JetPay monitors its system in real-time at all times every day. Our quality control and monitoring includes testing system availability as well as transaction processing. We are alerted in real-time through multiple methods including SMS text, voice and email using our tools, physical oversight and network protocol tools. When system problems occur, we will notify our affected clients within 30 minutes of the identification of any type of outage. c. Selected Vendor must provide County with online access to daily and monthly reconciliation reports to allow County personnel to account for and reconcile receipts collected through the Selected Vendor's system. JetPay's reporting suite is accessed through our web -based administration console or Dashboard upon entering our Magic payment processing platform. Real-time reporting capabilities are deeply integrated into the JetPay payment solution. Reports can be generated at any time by the County, and the County can be assured that the reports generated in JetPay's system will be accurate. JetPay's reporting suite has a multitude of reports available via the client specific dashboard. The reports provide clients with a single view of all transactions regardless of the Collection Mode or Payment Method. Web, IVR, and/or POS transactions, for example, are all easily viewable and reconcilable within a single report. JetPay's system has a multitude of reports to filter views based on multiple characteristics of the transactions including Payment Type, Organizational Unit, an/or Collection Mode. Reports can be presented in several different logical views with each report containing logically organized sections. For example, b payent tym etc), threport each section ill be broken into sections representing each payment type (i.e . property tax identified and all information subtotaled. The organized sections include: • Total System • By Collection Mode • By Organizational Unit • By Payment Type • By User For daily and monthly reconciliations, County personnel can select the specific date range of transactions (i.e. all transactions for specific date or payment type summary for specific date) and compare the totals from these reports to what is in the settlement and funding batches for the specified date's transactions. The funding report provides clients with complete details on remittance batches and the respective remittance batch deposits. This report would allow the County to drill down and view the individual transactions contained in each individual remittance, match totals to ensure that it matches the specified date's all transaction or payment type summary totals and match the totals from the County's financial institution (deposits). Additionally, the County can view the All Transactions report, or a Payment Type Summary report grouped by organization unit/department location. The County can choose to settle by organization unit/ department location as well and would be able to reconcile each organization unit deposit to the totals from the grouped by organization unit reports. Additionally, for customer service representatives reconciling only their receipts, JetPay's reporting suite has tiered levels of user access in which the CSR could have user credentials with established permissions to only be able to access specific reports like the My Transactions report, which only shows the CSR the transactions that they processed. Below are screenshots of the Reconciliation reports in JetPay's reporting suite: payment Type Summary 6/2018 1:27:43 AM 2/1/2018 12:00:00 AM - 2/1/201811:69:00 PM All Organization Units I All Payment Types All Collection Modes Credit Card Transactions A7$73 Fee Amount To Remitted Name 33 5,615,89$720.59 $36,336.48' 2018 Real Estate Taxes 19.63 $16.89, $836.52. Commercial Electrical 2 1 $110.50 $2.46 $112.96 Commercial Fire Alarm 1 _ . ., _____.__ $200A0 . $4.25 $204.25 Dumpster -Commercial $0.75 $25.75 Dumpster POD 1 $25 00: _.- . -- 1 $200.00; $4.25 $204.25 Dumpster - Temporary 2. _ .._._ _. $375.00; $8.00 $383.00 Facility Rental 1 $80.00 $1.85 $81.85 Machinery - Temporary 1 . ..... . f. $146.50 $3.18 $149.68 Residential HVAC 43 $37,572.52', $762.22' $38,334.74' Credit Card Total: E -Check Transactions Amount Fee Amount Total Remitted Name $19.00 $65,062.07 2018 Real Estate Taxes 38 $65,ii $85,063.07 $19.00 $65,082.07 E -Check Total- 38 Total: 81 $102,635.59 $781,22 $103,416.81 a Funding Report Selecting the individual batch shows each 2/1612018 1:30:09 AM transaction included in the batch 2/112016 12:00:00 AM • 2/512018 11:59:00 PM 1 All Urganizalion Units I NI Payment Types 1 1.Amount Date of Batch Funding Data Dopasit Typo Organization Unit Payment Type TRH 1 01130/2018 02/0112018 Credit Card QUICK MED CLAIMS All Payment Types ES' _1 02 _ 0 6- a $2,279.20 2 01130!2018 02/011201!1 Credit Card Tax All Payment Types /1_180201 15.fe$32,819.94 d 3 0113012018 02/0112018 Credit Card Rec Pro Permits All Payment Types FT_180201 10151ed $750.00 4 01130f2018 021011201 a i Credit Card Permits, Licenses, and All Payment Types FT 184241 1015.fed $1,466.24 inspections 5 0113112018 ! 0210212018 Credit Card QUICK MED CLAIMS All Payment Types FT_18 20 _ 041041 8,fed $100.00 Tax All Payment Types 1802 _1048.fed $21,715.81 6 01131/2018 02/0212018 Credit Card 01131/2014 02102120la ? Credit Card Rao Pro Permits All Payment Types 1 10 8. ed 5825.00 7 .._ _. 8 0113112018 , 02/0212018 Credit Card Pub Works! Permits All Payment Typos �_ 0 _ 4 ° 0 0113112018 0210212018 Credit Card Permits, Licenses, and All Payment Types : 80 02 1048.fed $576.00 Inspections -- _ ___...... ....__._._._ _ -. Tax All Payment Types 1 575,18392 10 41l3112018 02/0112018 eCheck 11 0 01120 8 0210212018 eCheck Tax All Payment Types 202 1048.fed S66,063.07. $36,5'16.89 12 0210112018 02!06!2018 Credit Card Tax All Payment Types EE -T 180205-..1004 fed 13 02/01/2018 02/0512018 Credit Card Rec Pro Permits Ali Payment TypesFT_180205$375.00 _1004.fed 14 02101/2018 0210572018 Credit Card Public Works/ Permits All Payment Types FT-�Q5—Zfed 5505.OD 15 0210112018 0210512018 Credit Card Permits, Licenses, and All Payment Types ET 184245 1004.fed $1,076.63 Inspections 16 02102!2018 02/0512018 eCheck Tax All Payment Types E_r,..1-LO 9._14_ •fed $132,022.50 17 02/0312018 0210512018 eCheck Tax Ail Payment Types 180205 1004.fed $102,427.18 _.__._. 16 0210412016 02105/2018 eCheck Tax All Payment Types F1_160205_100d fecf $111,202.89 I Total: $584,279.25 - Funding Details Report 2116120181:58:30 AM FT 180205 1004,fed 1!311201812:00:00 AM - 215Y201811:59:00 PM I Tax I All Payment Types TranslRBYersal PRC Name Card Number TRN Amount Fee Amount Total Remitted Date 2/1/201812:39:34 20012130 41 732600 -roc- j FT-180M-1004.fed $262 06 $5.49 5267 55 I 1 AM 2111201812:67:51 &0 4311Wxx PT,_180205_1004,fed 5314. $8.65 $321.39 2 AM -124 -It 8818 371342-xx- FT_180205 1004.fed 53,789.11 575.63 $3,844 74 3 21112018 4:10:10 20012432 AM 1001 530785•xx- FT_18D205_1004.fad _ 5898.48 S18.18 $914.86 4 211@018 6:09:54 20012433 6 - 200124 8795AM_.... 521531-xx- 0892 FT_10D205 1004.fed $i 600.84 . __.__. $32.27 $1,633.11 21112018 7:06:55 20012437 547497•xx FT_180205_1004.fed $200.00 $4.25 $204 25 8 AM 3849 $47497 -rot• FT_180205_1004,fed $200.00 $4.25 $204 25 7 '21112018 7:13:11 200112439 3849 550808•rot- FT_180205_1004.fed $150.00 E3.25 8 21V2018 7:25,23 0012 = AM ...._..- 8724 443040-xx FT 180205_1004,fed E186.74 $3.98 ___ S189 7 9 211120118-1:316,01 20012 41 AM 6731 547182-xx FT_100205 1004.fed E184.40 S3.94 -- --- " i $188.34 10 211120187:37:11 20012442 ? 7063AM 662433•xx FT_180206 1004.fed __.. 51,389,21 528.03 $1,417.24 11 2!1/20188:05:38 ?00-V443 5560 AM 424631-xx _...__ F7 180205_1004.fed $110.50 $2.48 $112.98 12 21112018 0:09:23 20012445 AM 8231 424831-xx- F7_180205 1004.fed $135.13 $2,95 5130.08 13 211f2018 8:17:23 20012"0 0231 _. _ ` - AM FT_1802051004.fed ......... $894,75 S18,15 $912.90 14 ! 21112018 9:02:45 20012450410977-xx- AM 6948 _ ---- ----.. _..- - All Transactions Report 211812018 1:54.46 AM 2J V201812:00:00 AM - 211201811:59:00 PMI Tax 1 All Collectirnl Madea TRANSACTIPNS - GrossTotal Collection Amount- Foe Amount Date, Funded Date Date Time PRG' Name, Gard Made "emitted Effective Entered Type, $262.06' $6.49 $267.55 2/512018 1 2/1/2018 2112018 12:39 AAI 20012430 - . V7'N Web S $6.55. $321.39 215YL010 = Web $314.64 2 21112016 211;2016 12.57 AM 20012431 $3,769.11 $75.63 $3,644.74 21212010 21!2078 21112018 0410 AM '', 29012432 '' tr;{i Web Web $18..18 3914.C1'i 2122018 q 2/1!2016 211!20111 06:09 A.M 20012433 Web$1,6011.64 ..$89640 $3227 $1,633.11 222018 5 211/2018 21!2018 06'16 AM2UUM12434 ,. r S0.50 $1,235.06 2/212018 6 211/2016 211!2018 06:59 AM -, 20012435 Web $1,235.36. Web $185.74 53.96 $18970 2/212018 7 2/1/2018 21112018 07:33 AM 20012441 NR ........$184.40 53.94 $'88.34 212/2018 8 2/112018 211/2018 07:37 A II 20012411.2 ......2x112010.. , Web _.$1,389.21 $28.03 $1,417.24 2/272010 ' g 211!2018 08:05 Ahi.... 20012443 v Web $4,40944 50.50 $4.409.94 217/2018 1U 2110.018 71172016 08:14 AM2UU1'L446 ". $483.95 50.50 $464.35 2!212016 11 2;1/2018 2/1/2016 -. 09:02 AM 2.0012449 1 Web t Web $894.75 $18.15 $912.90 202018 12 21!2018 271!2018 09:02 AM 20072450 t + Web 52,531 14 50.50 $2,531.64 2/2/2010 13 2/1/2018 2/172018 09:03 AM 20012451 C--� -i $7,097.46 $0.50 $1,097.96 2/1/2018 14 2/172016 211/2018 09:55 AM 20012486 Wob ' �' $4,53510 50. 60 54,635.60 21212018 15 2'112018 211!2016 09:59 Ah1 20W2457 ,,..,.; Web i _.. i 1 $4.843.41 '.. 50.50 $4,843.91 212!2016 16 271!2016 2/112016 10:19 AM 20012458 Web E�F_`' $243.01'. -- S0.50 5243.51 2/'1!2018 17 V112018 2)112016 10:25 ANI 2001245 »! Web "� Web 5223.00, 54.71 $227.71 211/2010 18 21112018 7/1/2018 10:31 AM 20012480 t -� $1,102.80 - $22.31 $1,125 11 2/21 2016 ' 19 2!1!2078 21YLU18 10:33 AM 20012461 ' ynq Web l Web 5338.18'. 50.50 $336.e6 2/2/2018 20 2/112018 2111201810:41 AM 20012462 to transactions/totals by organization unit or JetPay's reporting suite would also enable the county group has multiple locations in which payments are accepted, location. For example, if the Utility department the individual location level. reports can be broken out to group transactions at Payment Typo Summary 2/16/2018 2:13:22 AM By Organization Unit 2/15/2018 12:00:00 AM - 2/15/2018 11:59:00 PM I All Organization Units I All Payment Types All Collection Modes 1. Agency 3 - Longwood Credit Card Name Transactions Amount Fee Amount Total Remitted Birth Certificate 1 $21.25 $1.00 $22.25. Business Tax 1 _ $25.00 $1.00' $26.00. Vehicle / Vessel / Driver License 49 $3,721.25 $90.96 $3,812.21. Credit Card Total: 51', $3,767.50 $92.96 $3,860.46, Debit Card Name Transactions Amount Fee Amount '' Total Remitted Hunting I Fishing 2 $68.00 $1.69 $68.00 Property Tax 1 $1,494.15' $1.50 $1,495.65. Vehicle / Vessel / Driver License 43 $5,351.85 $65.82' $5,416.35 Debit Card Total: ` 46 $6,914.00 $69.01; $6,980.00, Agency 3 - Longwood Total: 97' $10,681.50 $161.97' $10,840.46 Agency 5 - Lake Mary Credit Card Name Transactions Amount Fee Amount Total Remitted Business Tax 1 $3.00 $1.00 $4.00 Property Tax 1 $1,240.48' $26.67 $1,267.15 Vehicle / Vessel / Driver License 98 $7,383.36 $175.62 $7,558.98 Credit Card Total: 100 $8,626.84 $203.29, $6,830.13 Debit Card Name Transactions Amount Fee Amount Total Remitted Hunting I Fishing 1 $17.00 $1.50, $18.50 Property Tax 1 $368.52 $1.50' $370.02 Vehicle / Vessel I Driver License 73 $6,533.61 $109.50' $6,643.11 Debit Card Total: 75' $6,919.13 $112.50' $7,031.63 Agency 5 - Lake Mary Total: 175 $15,545.97 $315.79 $15,861.76 Lake Mary Admin. Credit Card Name Transactions Amount Fee Amount Total Remitted CWIS 5 $471.00, $10.14, $481.14'' Credit Card Total, 5' $471,00 $10.14 $481.14 Debit Card d. Selected Vendor must provide a usage report to Department at least on a monthly basis, and more frequently if so requested, indicating the following metrics per transaction made (or attempted to be made) for all payments: o range of dates for the reporting period o dates and time of day when transaction occurred o location where transaction occurred o number of transactions made, by payment type check, ACH or image payment card U.S. currency o identify which transaction resulted in a transaction error o number of errors made o number of reported problems o time of downtime incurred o total amount of payments made JetPay's reporting suite is accessed through our web -based administration console or Dashboard. Real-time reporting capabilities are deeply integrated into the JetPay payment solution. All reports are available in real- time ensuring a timely and accurate dissemination of information. When selecting reports the County has the ability to specify a date range from a drop-down selection. Group By By organizaiion Unit Date From 07J1512 91Q ............ . Fearoary 7018 • � ! � ,.. �..; Date To _-- son mon Tue Wed Tru Fri sat 1 2 3 Start Time A 5 B 7 5 9 10 11 12 13 14 ;.15 10 17 End Time 18 19 20 21 22 23 24 nn organization Unit Collection Mode All Q Run Report JetPay's reporting suite would also enable the County to group transactions/totals by organization unit or location. For example, if the Utility department has multiple locations in which payments are accepted, vidual location level. reports ca;tment as an organzationbe broken out to group tun t, the County ransactions at �could ltack the to cation whBere trans ct ons ocuring cur ntour for a depa reports. Payment Type Summary 2/16/2018 2:13:22 AM By Organization Unit 2/15/2018 12:00:00 AM - 2/15/2018 11:59:00 PM I All Organization Units i All Payment Types All Collection Modes 1, Agency 3 • Longwood Credit Gard Name Transactions Amount Fee Amount Total Remitted 1 $21.25 81.00 $22.25 Birth Certificate 1 $25.00 $1.00 $26.00 Business Tax 49 $3,721.25 $90.96, $3,812.21 Vehicle / Vessel / Driver License Credit Card Total: 51 $3,767.50 $92.96 $3,860.46 Debit Card Transactions Amount Fee Amount Total Name Remitted 2 $68.00 $1.69 $68.00 Hunting / Fishing 1 $1,494.15 $1.50 $1,495.65 Property Tax 43 $5,351.85 $65.82 $5,416.35 Vehicle / Vessel / Driver License Debit Card Total: ' 46 $6,914.00 $69.01 $6,980.00 Agency 3 - Longwood Total: 97 $10,681.50', $161.97. $10,840.46 Agency 5 - Lake Mary Credit Card Transactions Amount Fee Amount Total Name Remitted 1 $3.00 $1.00° $4.00 Business Tax 1 $1,240.48 $26.67 $1,267.15 Property Tax 98 $7,383.36 $175.62 $7,558.98 Vehicle / Vessel / Driver License $8,626.84 $203.29' $6,830.13, Credit Card Total: 100 Debit Card Transactions Amount Fee Amount Total Name Remitted 1 $17.00 $1.50' $18.50 Hunting / Fishing 1 $368.52 $1.50 5370.02 Property Tax 73 $6,533.61' $109.50 $6,643.11 Vehicle / Vessel / Driver License $6,919.13 $112.50 $7,031.63, Debit Card Total: 76 Agency 5 - Lake Mary Total: 175 $15,545.97 $315.79 $15,861.76 Lake Mary Admin. Credit Gard Transactions Amount Fee Amount Total Name Remitted 5= $471.00 $10.14 $481.14, CWIS Credit Card Total, 5 $471,00 $10.14 $481.14' Debit Gard 9 transaction over the specified date range and shows the date and time Our all transactions report shows every down see all of the details on a specific the transaction occurs. This report also provides the ability to drill and transaction. All Transactions Report 21162018 2:19:01 AM By Organization Unit 2115/2018 12:00:00 AM . 2/15/2018 11:59:00 PM I NI Organization Units Ni ce'Jeciion Modes 1. TRAN8ACTIONS - Gross Agency 2 • Casselberry Card < Collection Amount. Fee Amoun! Total. Date Funded Date Date Time PRC Name Type , Mode Remitted Effective Entered POS : $82.20 $1.50. 58330 211512018 1 2/15/2018 211512Q18 06:34 AM :. 20025487 BANK (scanned) �.. POS : S292.35 $150 $293.65 211512018 2 `211512018 2l151201A 08:38 AM 200254A2 F- --K (scanned) POS $36.10 51.00 537.10 2/1512018 3 ` 2115.'2018 411512018 00:39 AM 20025494 ` (scanned) POS $106.75 $1.50. $108.25, 2115!2018 4 2115!2018 2/15/2018 08:41 AM : 20026496 BANK (scanned) POS 510.00. $1.b0 $17.60 2116/2016 6 211512018 '.. 211611018 08:41 AM ':. 20025407 eAnrt (scanned) P05 $54.25 $1,17 S55.42 2115x'2018 6 2!15!2018 211512018 05:41 AM 20025498 (scannad) POS $6A2S. $1.49: 570.74. 2115l201A 7 2115/2018 211512018 08:41 AM 2002.5.99 (scanned) POS 532.25, $1.00 ' 53315 211512016 11 6 2/16/2018 2512018. 08:44 AM 20025509 - : (scanned) POS $96,35 $1.60 S96.85 2116/2018 9 2!1&2018 211512018: 08:47 AM -20026L15 ,. tsnak (scanned) ir,NK: POS $171.35 $1,60 S172.85, 211512018 10:211 612 0 1 0'. 2/162018 08:51 AM 20026619 °: + : (scanned) �'. PUS 5!74,65 $336 5178.81 : 2715/2016 it ` 2!152018 2/152018 08:54 AM 20026522. +! : '. (scanned) , POS $3115 $1 00 $32.25 211572018 12 2!1512018 ':. 27152018 08:56 AM 20025524 (scanned) + POS $10.00 $1,00, $11.00 2/15/2018 13 2/152016 2/152010 08:59 AM : 20025530 (scanned) POS $100.50 St 50 5102.Q0 4/15!2018 14 2115.'2018 2/152018 09:02 AM 20025535 BANK (scanned) POS $59.04 $127 $60.31 ?11512018 16 21152018 2/152018 09:03 AM 20025536 '. (scanned) POS : $55.10 $1.18 $56.28 2115!2018 18 21152018 -. 2/162016 09:06 AM 20025539 •. (scanned) + POS $3125 $1,00. $32.25: 2/1512018 17 21152Q16 2115'2016 09:09 AM 20025546 : v�tsa'a • �. POS S31.25 $1.00'. 53215 , 2115/2018 18 2/15/2018 211,52018 09:09 AM 20025544 _...... (scanned) Od� The Payment Type Summary report when grouped by collection mode & card type shows total transaction counts and amounts by each payment type for each collection mode and payment method (i.e. Personal check, ACH, card type, etc.) 6 Transaction Detail .2!1812016 2:38:46.AM..,........ , .....:. PRC: 20025498 ,.......r: ,. Payment information Collection Mode Amount Pea Amount Total Remitted Date Entered Dale Effective PRC - $54.25 $1.17 : $55.42 -: 2)1512018 8:41 AM 02115!2018 20025498... POS (scanned) Line Items _.... _ _..... _... _. _... ..Amount Payment Type 54.2500 ED Vehicle I Vessel 1 Driver License - - Card Payments _ _... Notes _..... Nam* on Card Total Remitted Remit Status Card Number Expiration Date CT $55.42 Remitted � 531260-xxxx-1689 1012020 State Zip Phone Email Payer Name Address city Transaction Details Value Key PAX Authorization Godo _.... .65.42 PAX Approved Amount 20025498 PAX ECR Reference Number 201802160842160001 PAX Host Reference Number 1 5 -- -- _.. 20180215064111 PAX T ImestamP .54.25 _ .. . PAX Transaction Amount --- 'JJMJIMCBKCJIKNKHNJNOILII - JetPay Token PiwSmYbQcPiQnQhTjRoSISI JetPay Transaction ID _ - 100657460735 PAXTerminalld The Payment Type Summary report when grouped by collection mode & card type shows total transaction counts and amounts by each payment type for each collection mode and payment method (i.e. Personal check, ACH, card type, etc.) 6 Payment Type Summary 2/16/2018 2:44:30 AM 2/15/2018 12:00:00 AM - 2/15/2018 11:59:00 PM I All Organization Units I All Payment Types I All Collection Modes 1. POS (scanned) MasterCard Name Transactions Amount Fee Amount Total Remitted Water and Sewer 4 $399.19 $11.18 5399.19, Payments Water and Sewer 1 $126.80 $2.50 $129.30:. MasterCard Total: 5 $525.99 $13.68 $528.49', Visa Name Transactions Amount Fee Amount Total Remitted Water and Sewer 14 $1,269,77 $35.55 $1,269.77 Payments Water and Sewer 2' $145.17 $5.00 5150.17 Visa Total: 16 $1,414.94 $40.55 $1,419.94' Debit Card Name Transactions Amount Fee Amount Total Remitted Water and Sewer 2 $180.78 55.06, $180.78 Payments Water and Sewer 17 $1,608.66 $42.50 $1,651.16 Debit Card Total: 19 $1,789.44' $47.56', $1,831.94 Personal Name Transactions Amount Fee Amount Total Remitted Water and Sewer 10 $1,092.47 $6.00 $1,092.47 Payments Deposits 3' $293.40 $1.80 $293.40 Payments Water and Sewer 20' $1,811.97 $12.00 $1,811.97 Personal Total: 33 $3,197.84 $19.80 $3,197.84' POS (scanned) Total: 73 $6,928.21 $121.59 $6,978.21 Total: 73 $6,928.21 $121.�I5�9 II 56,978.21.. ' The Non -Approved Transactions report shows all declined transactions over the specified date range. T Non -Approved Transactions Report 7JI612010 2:54:25 AM 2/1P2016 12:00:00 AM - 2/1612018 11:59.00 PM ( AjE Organization Units All Collection Modes (s)Description Total Remitted Dau Date Time PRC Name Card Collection Mods Entered Effective ..Type Payment Type $46.10 y.�., FOS (scanned) 'Declined 1 21112018 2/1/2018 0922 AM 20017931 Vehicle I Vessel I Driver License POS (scanned) .Declined $1,840.85' 2 2/1/2018 '. 211/2018.10:04 AM '. 20018003 Vehicle! Vessel l Driver License - POS (scanned) Declined $1,840.85 3 21112018 211/2018 10:04 AM 20018005 fq ' Vehicle I Vessel I Driver 1.10=60 eANN POS (scanned) Declined $31.25 4 211/2018 2/112018 11:29 AM 20018120 Vehicle / Vessel! Driver License $31.26 6 21112018 21112016. 11.47 AM 20018150 W POS (scanned) Declined Vehicle / Vessel 1 Driver License $31.25 POS(scanned) Declined 6 2/1/2018 2/112018 11:47 AM ',. 20018151 Q. _ - Vehicle / Vessel l Driver License s 5412.06. aANK P05(scanned) Declined 7 2/112018 2/1/2018 12:68 PM 20018248 Vehicle / Vessel i Driver License $54.25 POS (scanned) 'Declined 8 21112018 21112018 01.06 PM 20018262 _ Vehicle I Vessel i Driver License $54.25 9 21112018-. 211 P2018 01.07 PM 20018263 aANK POS (scanned) Declined Vehicle / Vessel / Driver License PO5 (scanned) Declined $72.20 10 21112018. 211/2018 01.13 PM 20018277 Vehicle / Vessel / Driver License $72.20 11 2!112018 2/112018 01:52 PM 20018333 eANK POS (scanned) Declined Vehicle / Vessel I Driver License POS (scanned) Declined $72.20 12 21112018 2/112018 01:52 PM 20018334 a�nK , Vehicle / Vessel 1 Driver License POS (scanned) Declined $376.86 13 2/112018 2/112010 02:13 PM 2001835E eMNK Vehicle / Vessel l Driver License $376.85 14 21112018 ', 21112010 02:14 PM '. 20018360 ar+NK ` POS (scanned) Declined Vehicle / Vessel I Driver License _.... tof15 Each report in JetPay's system shows an overall total with a dollar amount for the total over the specified date range, so if the County were to look at a report such as the Payment Type Summary report or All Transactions report for the specified date and time range the overall totals line item would display the total amount of payments made. e. Selected Vendor must provide a reporting format to compare against the County's revenue collection report, to facilitate an efficient account reconciliation review by the authorized representative of the Department. JetPay's revenue report shows the number of transactions, reversals, dollar volume, fee amounts, and total remitted by card type. It also separates transaction amounts and volumes by credit card and eCheck volume, and provides an overall total. This report can be compared against the County's revenue collection report to facilitate an efficient account reconciliation review. This report can also be broken out or grouped by organization unitflocation. MY JetPay Revenue Report: Revenue Report 2/0/2017 11:21:57 AM 1/112017 12:00:00 AM - 113112017 11:59:59 PM j Ail Organization Units I All Collection Atodes l All Users t Card Type Transactions Reversals Amount Fee Amount Foe Amount (client) Total Remittea 29 0. $BO,d00.70'. (payer) $1,775.20.. $0.00 $90, t75,08 Amex 237 0 $231,04020' $4,68004 S0.00 $2 35,720.24. _..... Visa 114 0 5142,165,11' $2,87218 50.00 $246,057.24 Mastercard 17 0 $17.076.83 $345.79 $100 $47,422.62 Discover 0 5316.043 01 $32 50 50.00 $316,075.51 Business 65 0 $781,133,82 516600 $0.00 y781,301.82' Personal 336 0 $478702.84 $0,873.29 $0.00 $488,378.13 Credit Card Total: 397 $2110.50 $D.00 $1,097,377.33 H -Check Total! 401 0 $1,097,178.83' SD.00 ;1,588,75348 Total: 798 0 $1,575,879.87 $9,873.79 f. Other reports as requested by the County. JetPay can implement customized ad hoc reports if they do not currently exist in our reporting suite upon request after meeting with the County to establish a mutually agreed upon timeline for the generation of said reports. JetPay can build custom reports for the County on a timed basis per the request of the County. 16. Back-up Documentation Selected Vendor must provide a reliable process for maintaining a copy of each completed transaction, in the event of system crash or other business interruption, such that the completed transaction record can be replicated, if necessary. JetPay's disaster recovery plan was last updated on November 17, 2016, and our disaster recovery plan is tested and updated on an annual basis. The JetPay primary data center is a hosted facility located in a SSAE-161ISO 2000 SRI compliant data center. Physical Security includes video monitoring, combination keycards card and biometric access controls, redundant dual rail power, fire suppression and cooling systems. Secondary data center is located at lights out Amazon Web Services Data centers. Physical security is provided by data center hosting staff. Only designated IT personnel have direct access to systems. Lights out secondary data center administrative functions are only accessible to designated IT staff. Physical racks have video and door alarms set to send alerts immediately upon entry to monitoring personnel. In the event of an alert generated by an unexpected event, physical security staff are notified. In order to ensure uninterrupted processing capabilities, JetPay maintains multiple processing sites. In the event of a failure at the primary processing site, JetPay's secondary processing site is made active using established procedures. JetPay's primary data center is located in Alabama and the secondary is in Virginia. The Florida site can act as a tertiary processing site as needed. Sites are located and maintained in hardened, PCI compliant facilities with multiple redundant power, connectivity, and security systems. Each site contains load -balanced server farms. This architecture allows JetPay to ensure processing capabilities in the event of overall site failure or intra -site hardware failure. We monitor our Solution in real-time at all times of every day. Our quality control and monitoring includes testing system availability as well as transaction processing, and we compare historical performance metrics. We are alerted in real-time through multiple methods including SMS text, voice and email using our tools, physical oversight and network protocol tools. When system problems occur we will notify our affected clients within 30 minutes of the identification of an outage of any type. Below is JetPay's Disaster Recovery Plan which outlines the process for maintaining and backing up transaction data in the event of a system crash or other business interruption: JetPay Disaster Recovery Plan Overview JetPay has established a formal policy and supporting procedures concerning Disaster Recovery Event Handling. This policy is to be implemented immediately. It will be evaluated and tested on an annual basis for ensuring its adequacy and relevancy regarding organizational needs and goals. This plan will be tested on an annual basis. Policy JetPay will ensure that the Disaster plan adheres to the following conditions for purposes of complying with the Payment Card Industry Data Security Standards (PCI DSS) initiatives: • The recovery plan includes, at a minimum, roles, responsibilities and communication strategies in the event of a compromise, including, also at a minimum, notification of the payment brands. • The Incident Response plan includes specific incident response, business recovery and continuity procedures and data backup processes. • The Incident Response plan includes legal requirementsfor reporting any compromises to the cardholder data environment. • The Incident Response plan includes coverage and response mechanisms for all critical system components and all other IT resources deemed critical. • The Incident Response plan also includes reference or inclusion of incident response procedures from the payment brands. • The Disaster Plan is to be tested annually. • Designated personnel are available for 24/7 incident response and monitoring coverage for any evidence of unauthorized activity, detection of unauthorized wireless access points, critical Intrusion Detection Systems (IDS) alerts and/or reports of unauthorized critical system or content file changes. • Staff with responsibilities for security breach responses is periodically trained. • Monitoring and responding to alerts from security systems including detection of unauthorized wireless access points constitute an important component of the Incident Response plan. • Processes are in place to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments as needed. Procedure JetPay has developed and implemented a comprehensive Disaster plan, which encompasses the categories and supporting activities listed below. These policy directives will be fully enforced for ensuring the Incident Response plan initiatives are executed in a formal manner and on a consistent basis for all system components within the cardholder data environment and all other IT resources deemed critical. The five (5) main categories of the Incident Response plan include the following (NIST, n.d.): • Preparing for an incident • Detecting an incident • Responding to and containing an incident • Recovery from an incident • Post -incident activities and awareness Preparing for an Incident All employees should be aware of common threats and computer incidents that may potentially compromise the organization's network infrastructure, cause harm to other related systems or pose a significant financial, operational or business threat to the organization as a whole that can lead to having to bring the backup operations to a fully functional status. The Disaster Response plan should be viewed as a set of procedures for preparing for, detecting, responding to, containing, recovery and any other necessary post -incident activities. There are numerous threats and computer incidents that are potentially detrimental to any organization, such as the following. • Data Center Failure • Communications Failures • Malware (computer viruses, worms, trojan horses, most rootkits, spyware and other malicious and unwanted software) • Social engineering attacks • Denial of Service Attacks • Additional network attacks, including hacking and other common attack vectors • Physical and environmental conditions resulting in threats to the organization's system resources Adequately preparing for an incident requires personnel to be aware of common threats to systems and to implement safeguards and control mechanisms that protect system resources. The Response Team is to have clear roles and responsibilities for properly responding to any incident. Preparation is just as important as the response to the incident. Other aspects of preparing for an incident include the necessary steps, processes and procedures to take once an incident has occurred. This also include ten with such as client eSlawuenforcemen g agene esa local/federalstate agencies, he respective arrand parties, necessary, � of wat ctions are toanyother third parties considered to be within our scope. -aa labli� Declaring a Disaster Declaring a disaster recovery event requires a commitment by all employees to be constantly aware of their surroundings for any type threats. Additionally, detection also requires due diligence and consistency by employees. o . , . 'rn Dee r't tion of Incident Rei onse ea _ _ Role and Contact ResponAbility of the Name Title Information Incident Response Team Paul Alla c -- -.. - IT Director Cell Cell IT Lead. 14Iu� ciytc��i Lead Chris Battel _..r� _ . _ _. _ _�e coo +C+�ll T}ntr]ic Curul .,g;1i t}ucatioc�s RolmtivnslOporatatlal Director Ctsordinuti+�r� Customer Cell 1Cnstoincr Response Coordinator Lynn Yelvertoll Service Director--- Cell Software Lead HeathGardner Soft -Ware Declaring a Disaster Declaring a disaster recovery event requires a commitment by all employees to be constantly aware of their surroundings for any type threats. Additionally, detection also requires due diligence and consistency by employees. Ir i.. i,q i 13 a F Name nr systems Components and other IT Resources Response Mechanisms in Place for All System C`on�pc�ocnts and other IT Resources Deviccs Firc,xatl Applianc, (1) Contact the Incident Response Tearn (IRT). (2) IRT will iannwdiatcly enact response mcehanisms commensurate, With the incident to include law enforcement notification. (3) IRT will develop pion for CO ntauiing, an incident along with recovery procedure. irubtic Web Servers (1) Contact the Incident Itesponsc Team (Ilt:i), (2) IRT will immediately enact response fflcchanisW Commensurate with tl5e incident to include law enforcement notification. (3) IRT will develop plan ror containing an incident along with recovery Database Scncrs (1) Contact iha Incicicut Rospo se Teain (IRT). ( } IRT will immediately enact r�csponse nr-chanisms cornmensurat with the incident to include law enforcement notification. (3) IRT will develop plan for containing an incident along with rccovc Responding to and Containing an Incident Any incident deemed to be a threat to the organization requires a rapid response from authorized personnel, such as the Incident Response Team. This rapid response will follow a standard course of action designed to minimize the impact of the incident to the organization's critical network and system infrastructure. Response Action Plan For DR Failover: 1. Declare Failover (management lead) 2. Start customer contact (Customer Service lead) 3. Establish restoration order(management lead) 4. Restore most recent database backups (IT Lead) 5. Initiate DNS record move to lights out data center primary IP. (IT Lead) 6. Start DB initialization based on order established by management lead. (IT Lead/Software Lead) 7. Coordinate with customers to inform them of service availability. (Customer Service lead) Tabid 12.9_c Response Me-chanisms for All Critical System Componenis and All Other IT ®.nnn,•ev_nsa nnimmnd Critical Monitor and maintain DR system, evaluate primary site status and coordinate fallback when appropriate. The following documented response mechanisms serve as the Standard Operating Procedures (SOP) for responding to any incident within the organization: 1. For any incident that has been detected, the Incident Response Team is to be immediately notified. 2. The Incident Response Team is to formally assume control and to identify the threat and its severity to the organization's information systems. 3. In identifying the threat, the Incident Response Team is to specifically identify which resources, both internal and external, are at risk and which harmful processes are currently running on resources that have been identified as at risk. hether the res 4. The Incident Response Team is to determine wources at risk (hardware, tinuitre, etch require physical or logical removal. Resources posing a significant threat to the continuity of the business are to be immediately removed or isolated, either physically or logically. Resources that may require physical or logical removal or isolation may include, but are not limited to, the following: • All IP addresses in use • Firewalls • Routers and switches • Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS) • Any enterprise -wide applications (CRM systems, etc.) • Remote access • Point-to-point secure data transmission methods used for data traversing back and forth on the network • Wireless networking or networks • Authentication servers (RADIUS) • Web servers • File servers • Email servers • DNS servers • Operating systems • Databases • Applications CAS Name (Naming Convention of System Logging and 'Name or FrNuert:y Or Systems Use of tWrajnistrative Audit Truil Reviewer of Review for components the CIghts for the Mechanisms Y oning and Logging and and other 1T Devict', Device In Place Audit Trails Audit Trails Rmurces ealet*s Tug4 IT Only Cuniaal tud ]T' Dailyi��'4CCS 'i:irarkcall i'lTt:\s,°ally '' Database IT & Software. Dcvielopjncnt Ccntzalizcd IT Daily SQLX S.crvimo Team _ 1�' �• Software)Nll4kll4' Ccntrallzcd 1T Daily WWN Semcls Dcvclopmcnt togg.Wli,y{ Team 1T &Software , �.•entralzcd l, -f Daily 1`TPXDcve1otxncnt Ficrrets € ' Tcam Monitor and maintain DR system, evaluate primary site status and coordinate fallback when appropriate. The following documented response mechanisms serve as the Standard Operating Procedures (SOP) for responding to any incident within the organization: 1. For any incident that has been detected, the Incident Response Team is to be immediately notified. 2. The Incident Response Team is to formally assume control and to identify the threat and its severity to the organization's information systems. 3. In identifying the threat, the Incident Response Team is to specifically identify which resources, both internal and external, are at risk and which harmful processes are currently running on resources that have been identified as at risk. hether the res 4. The Incident Response Team is to determine wources at risk (hardware, tinuitre, etch require physical or logical removal. Resources posing a significant threat to the continuity of the business are to be immediately removed or isolated, either physically or logically. Resources that may require physical or logical removal or isolation may include, but are not limited to, the following: • All IP addresses in use • Firewalls • Routers and switches • Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS) • Any enterprise -wide applications (CRM systems, etc.) • Remote access • Point-to-point secure data transmission methods used for data traversing back and forth on the network • Wireless networking or networks • Authentication servers (RADIUS) • Web servers • File servers • Email servers • DNS servers • Operating systems • Databases • Applications CAS 5. If the incident has affected the cardholder data environment in any way, and has impacted the system components within this environment, it must be immediately reported, its severity and other essential information to the major payment brands. Listed in the following table are the links to the major payment brands, which also supply information on how to handle an incident that has resulted from a breach of the cardholder data environment. It is the policy to formally acknowledge and adhere to these guidelines as set forth by the major payment brands. Payment BrandT__ Info ematiOn an Incident Handling and Reporting ittp t,'`aso visa caiii.tuerchant5t`ri-,k maria em nt+`ci p if coinpLnziscd_ tn.ai VIS.& http:r'. k��a^�'>t��ste-Ccard.e�►�s+'us:`►7�e rel��nt�'�cc�r�ty+"f Fad MasterCard�re'�'cr�trcrn,k�ta l 1 1ttps.+J �'ww.a� eriGanex rc s,coiti3+usiconten 'merchant;'. Micricat1 ExPrM ryoud, prcyention.111111l http:i+i .-,,Yw+discovernetwork.comfrmlid ccur ty;databre Di:�vovcr C' rid ach,htmi 1. If the incident has in any way resulted in a criminal matter that may be readily identified, it must immediately be reported it to law enforcement officials, such as the following: Local law enforcement(Dependent upon which data centers may be involved) o Pensacola Police Department 850-435-1900 The United States Secret Service (for credit card fraud) o Birmingham, AL 205-731-1144 o Tallahassee, FL 850-942-9523 The Federal Bureau of Investigation (FBI) o Pensacola, FL 850-432-3476 o Birmingham, AL 205-326-6166 2. Investigating the incident is also a critical process within the Incident Response plan. Proper investigative techniques are to include, but are not limited to, the following: • Understanding how the incident occurred and what led to the compromise • Reviewing all necessary system documentation such as logs, audit trails, rule sets, configuration and hardening standards and all other supporting documentation • Interviewing personnel as needed • Examining any third -party providers and their respective products and services that are utilized within network architecture • If warranted, a third -party resource for assisting in the investigation of the incident may be utilized (this will be done at the management's discretion) Recovery from an Incident Recovery procedures will include but are not limited to the following: • Restoring systems from clean backups (a trusted source only). • Completely rebuilding systems as needed and warranted. • Replacing systems as needed (this includes all system components within the cardholder data environment and any other IT resources deemed critical. • Reconfiguring network security (stronger, more adaptive configuration and hardening rules) for all system components within the cardholder data environment and any other IT resources deemed critical. The recovery procedures will be commensurate with the incident that has occurred. This will be conducted on a case-by-case basis with all aspects of the recovery process fully documented. Response Action Plan For DR Failback: • Declare Failover during a low usage period(Early Sunday morning) (management lead) • Start customer contact (Customer Service lead) • Establish restoration order(management lead) • Restore most recent database backups (IT Lead) • Initiate DNS record move back to primary IP. (IT Lead) • Start DB initialization based on order established by management lead. (IT Lead/Software Lead) • Coordinate with customers to inform them of service availability. (Customer Service lead) • Monitor and maintain production system. Post -Incident Activities and Awareness A formal and documented Incident Response Report (IRR) is to be compiled and given to management within an acceptable timeframe following the incident. The IRR must contain the following elements (NIST, n.d.): • Detailed description of the incident • Response mechanisms undertaken • Reporting activities to all relevant third parties as needed • Recovery activities undertaken for restoring affected systems • A list of Lessons Learned from the incident and which initiative can be taken to mitigate and hopefully eliminate the likelihood of future incidents Below is JetPay's Continuity of Operations Plan including high-level diagrams of our infrastructure: JetPay Payment Services FL Business Continuity Plan Risk Nlitigation Client payment processing o Notify Clients and tell them we are/will be offline. • Help Desk support o Jerry will provide support remotely. o We will designate a backup resource for assistance. Daily processes o Heath will perform all daily processes remotely (access to wwwl-rl-bam). • Birmingham data center o Paul will monitor. • Communication with clients o Even if we manage to cover all service areas remotely to where service is uninterrupted for our clients, we need to let them know our plans. o If we have areas of interrupted service, then we should address those concerns specifically according to the JetPay Processing -Failure Management document. o Need to update the communication messages accordingly as conditions change. o Send an "after action" email to clients for how we managed during the outage — service remained up, we were down but back up after x hours, etc. and reiterate our commitment to serve our clients. • JetPay payroll o Maureen would handle deposit to Regions if outsourced Payroll company is impacted. • Securing JetPay Office o Protecting equipment o Protecting electronic files Make sure files are on network, not hard drive o Protecting hard copy files and documents o Have had internal water sprinklers go off, need to prepare accordingly • Communication with JetPay team o Who is evacuating and where are they going? o Staff updates and staying in touch Send text message AM and PM to Carol o Notification of office evacuation/closure ■ Take devices with you (dongles, laptops, etc.) o Helping staff recover if damage is sustained ■ Family ok? Home ok? o Staff expectation to return to work 17. Convenience Fee Any Convenience Fee charged to the Customer, if applicable, by the Selected Vendor must be agreed upon by the County and will be pursuant to the Agreement between the County and Selected Vendor. The Convenience Fee may be a set fee or a percentage of the payment amount. JetPay's business model is such that we strive to generate l00% of our revenues from transactional fees. By presenting one simple pricing structure, much of the ambiguity typically presented by card processors has been removed, malting it easier for the County to anticipate the true cost which they or their consumers must incur. Additionally, this simple fee structure can be utilized across the County's various departments and their respective various transaction amounts. Any convenience fee charged to the Customer will be agreed upon with the County and fully established and disclosed in the "Cost of Services to the County" section of this proposal. Further, our platform could enable cost reductions and increased customer satisfaction through the use of our e -communication tools which enable the County to engage with its customers using SMS text, email or outbound IVR on any topic including electronic bills, payment reminders, etc. 18. Customer Service Selected Vendor will be required to provide customer service support to customers in relation to payments processed by Selected Vendor. Customer Service is a focal point of JetPay's payment processing solution. JetPay's policy with each new contract is to establish a relationship manager who is the primary point of contact for the client. The relationship manager is available 24/7 to handle any escalated tier 2 issues or customer needs that may arise. JetPay's Help Desk serves as the focal point for customer support. JetPay's Help Desk is United States based software support, and All Tier 1 calls are directed to the Help Desk. JetPay provides a staffed call center which is accessible at all times (24 hours a day, 7 days a week, 365 days a year), with a return call made within twenty (20) minutes to resolve customer service issues. JetPay's Help Desk closes 97% of service tickets within one day. Additionally, the Help Desk will develop familiarity with the Metro Government's account and the specifications used throughout the duration of the account. JetPay has established Customer Support tiers and corresponding response times based upon such tiers. Customer Service is a focal point of JetPay's payment processing solution. Tier I Tier I (or Level 1, abbreviated as T1 or L1) is the initial support level responsible for basic Customer and Client issues. At this level, we gather the Customer/Client information and determine the issue by analyzing the symptoms and figuring out the underlying problem. This level gathers as much information as possible from the end user. The information typically includes: error message, web browser and version being used, screen shots, what other software system is being used with this payment issue, any data used by the end user or any sequence of steps used by the end user, etc. This information needs to be recorded into the issue tracking or issue logging system. Once identification of the underlying problem is established, the specialist can begin sorting through the possible solutions available. Technical support specialists in this group typically handle straightforward and simple. Examples of Tier 1: I. Confirmation of Payment: a. Ask for the last four digits of debit or credit card, or last four digits of checking account b. Ask for the date of payment. 2. Receipt Request: a. Ask for the last four digits of debit or credit card, or last four digits of checking account b. Ask for effective date of payment. c. Confirm or obtain email address. 3. Charge Inquiry -Caller questioning a charge on cardholder statement: a. Ask for the description listed on the customer's credit card statement or bank statement. b. Ask for the last four digits of the debit or credit card, or last four digits of checking account c. Ask for date of payment 4. Void Payment Requests in Magic portal —Same day or post-dated payments: Some clients may choose to issue their own credits and voids. Other clients may choose to defer requests to the Help Desk as needed. Each client is able to determine business rules. a. Client calls: i. Ask for Confirmation/PRC number ii. Verify the customer name, the amount of payment and make sure the date reflects the current date or is post-dated. iii. Issue void from management console iv. Email the credit receipt to participant if requested. b. Customer Requesting Void (subject to Client's business rules): i. Ask for Confirmation number ii. Verify the customer name, the amount of payment and make sure the date reflects the current date or is post-dated. iii. Issue void from management console iv. Confirm and/or obtain email address and email credit receipt to customer. Tier 11 Tier I1 (or Level 2, abbreviated as T2 or L2) is a more in-depth technical support level than Tier 1. It is important to review the information or incident, ticket, etc., to see what has already been accomplished by the Tier I technician. If a problem is new and/or personnel from this group cannot determine a solution, they are responsible for raising the issue to the technical support or software development group. This may require additional information including: the program name that failed, any database related details (table name, view name, package name, etc.) or API names. Examples of Tier II 1. Settlement deposit error 2. PCI matters 3. URL, server, SQL or other replicated errors. 4. Windows, browser, or other operating system errors. 5. Software or setting issues which cannot be resolved by Tier I. 6. Financial errors including fees, invoices, or other types of calculated financial errors. 7. Replicated errors in reporting, report filtering, or report formatting which cannot be resolved by Tier I. 8. Failure of import or export, validation file routines. 9. Any other file exchange or API lookup issue or malfunction. to. User or payment maintenance that is outside the expertise of Tier 1. 11. Any issue which falls outside of the training or expertise level of a normal Tier I function. Tier III Account Manager or Project Mana-.er Escalation Examples of Tier III Escalation: I. System outage or unable to process payments, render payment screens or run reports. 2. Failure of reporting or financial deposits. Any issue which becomes delayed or unresponsive by Tier I or Tier II. 19. Refunds Selected Vendor will not process any refunds, or return payments to customers after settlement, without expressed written authority from the County. JetPay's Magic platform provides each client with access to reports for exception items such as credits/voids and chargebacks as well as the ability for County administrators to process voids or credits without any JetPay staff involvement. JetPay always complies with our client's business rules, and as such will not process any refunds or return payments to customers after settlement without the expressed written authority from the County. Through our Administration console, designated personnel have the ability to view as well as void the full amount of a transaction prior to the payment being submitted for settlement. Full or partial credits are available after the date of the transaction. When processing a void or credit, JetPay's system will automatically determine whether the transaction should be processed as a same-day void or full/partial credit depending on the date of the transaction. This can be seen in JetPay's outlined Customer Service Tiers in the response to #18: 1. Void Payment Requests in Magic portal— Same day or post-dated payments: Some clients may choose to issue their own credits and voids. Other clients may choose to defer requests to the Help Desk as needed. Each client is able to determine business rules. a. Client calls: IN i. Ask for Confirmation/PRC number ii. Verify the customer name, the amount of payment and make sure the date reflects the current date or is post-dated. iii. Issue void from management console iv. Email the credit receipt to participant if requested. b. Customer Requesting Void (subject to Client's business rules): i. Ask for Confrmation number ii. Verify the customer name, the amount of payment and make sure the date reflects the current date or is post-dated. iii. Issue void from management console iv. Conflrm and/or obtain email address and email credit receipt to customer. The process of crediting/voiding a payment can be seen below: Step 1: Credit Payment by PRC - PRC Number 20000008 Step 2: Credit Payment: 20000008 - Credit Payment Fee Amount Avallible for Credit Type Amount To Credit Amount Name Type Amount d Credited Credit $3.55 $169.0~ $0.40 Chargeback The FfiC numbarspwficd iv'is readied is m 471575 5169.04 internal Credit crena emit. +**a* Standard Credit 0944 Totals: 5169.04 $9.55 5169.04 $0.00 Notes Payment History Payment Method Amount Fee Amount Total User Name Effective 471575 ***** 0944 $169.04 $3.55 $172.59 Rick Griffiths 12/3012016 5:50:54 PM 471575 +*+*+ 0944 ($169.04) ($3.55) ($172.59) Rick Griffiths 12/30/2016 5:52:04 PM s> View Credit Receipt 20. Scheduled Recurring Payments The Selected Vendor may provide scheduled payment processing services allowing County customers to provide needed payment information and have a series of scheduled recurring payments automatically submitted to the County for posting to receivables of various debt types. JetPay's system enables customers to setup an on-line account for pre -authorized and recurring payments. JetPay's system tokenizes payment card and banking information when your customer elects to store it for re -use in the future including when setting up on-line accounts and for recurring payments. When a customer creates a user account they are able to create both saved payment methods and set up a recurring payment or autopsy payment plan. JetPay also supports Payment Plans that can be set up solely by the County staff or also by customers online based upon the specific rules of the County department that is accepting the payment. We believe supporting the creation and processing of payment plans could be beneficial to the County. 21. Single User Sign -On channel may provide the option for to create a secure account The Selected Vendor's Internet payment from various County receivable systems. Customers creating such an with the ability to voluntarily link debt account would be able to sign -on to this account as needed to view and pay debt associated with the account. JetPay's Magic platform enables customers to log in and create an account to save different payment methods and accounts with one single sign -on. Payment data and PII is always encrypted while at rest or in -transit, as well as is encrypted end-to-end when dipped or swiped at point-of-sale. We tokenize data when customers elect to establish an account and save their payment card and banking data for use in the future. After creating an account, customers can link different payment accounts/debt from various County receivable systems that they regularly make payments for. They can also create and manage recurring payment plans and autopsy recurring payments for payment types the County chooses to employ this feature. Additionally, customers would have the ability to save various payment methods for reuse in the future. Below are screenshots of the user dashboard that shows customers their payment history, saved payment methods, etc.: Illinois: Healthcare Family Services t =j: ''PAY EtOne-The Payment 6 Login rfzt.; a at:ctunc y.Ynx�.t..11'�:1�4 r.e,lur, jardana Jill "Ik Vl , UUlryn bO:i ' I"I' Yy I mll4c Ictlle):aa to IIIc P„r nurcwu wrl ............ mr..R a �.rymcnt. or Create an Accoint H .SPAY A this sac is urrcmy �n icst mo4c. Register - Illinois: Healthcare Family services 0 �JoM tmld+ . ,p"^, Dashboard Payment t, PAY k Lr:,rrannyu�:ea mMe. X My Magic - Illinois: Healthcare Family Services t PenamiJrimnution o.tnv Jahn 4nkfi Idned Cr. 1 trtwnh>go lime Lone Central Sandard time _...... }tdstf ork GChanSe Passwctd GrV—Payment Piers -, QA toPay Payments J Ptaviusa Payments PAC Total Remitted Eland'. Date Prymunt atomad DescNpUan 700df11A] SMi$65110 70ar]01] tChcrk Che[ektp, ""•'" 1111 —1Saved Payment Method FrOies Payment Wthod Desteipdbn nchrrk jCneAlnR"'•"•till Ta Sty Payment Accounts Payff*,; Atl(WrA AlOOCS ♦•Ac `. Pay.'i.<'[A:cJOnt tiosP'�al Assessrrant Aapunt Number k"I. itm.nrv?. y^:ervt !: Ktatd Profile In, Amount out iti.t.s JU,Sbi .IA! Pay NMP .1 A Saved Addresses Name Street City State zip rode +Add Address john, It, I.e.dr test Iltn,:s I2sai (a SPECIALIZED EXPERTISE OF TEAM MEMBERS: The JetPay project management team has decades of combined experience in electronic payment processing, distributed system implementations, and technical data conversions. The team has extensive experience working in collaboration with our clients in a large variety of project implementations, maintenance, and support. JetPay's policy with each new contract is to establish a dedicated relationship manager who is the primary point of contact for that client. If awarded, Rick Griffiths, Director of Account Management, will continue to act as Relationship Manager for this contract. Mr. Griffiths' overall responsibility includes relationship development for JetPay but will be Collier County's primary contact. Mr. Griffiths will be available 24/7. There is no additional charge for this service. Mr. Griffiths can be contact at: Rick Griffiths, Director of Account Management JetPay Payment Services, FL, LLC. 316 South Baylen Street, Suite 590 Pensacola, Florida 32502 (850) 858-3309 Telephone (850) 444-9331 Fax Rick.grifflths@Jetpa,,y.com In addition to Mr. Griffiths, Joe Lennon (Director of Sales and Business Development) and Shirley Everage (Technical Account Manager) will work hand in hand with the County throughout the implementation. If awarded, JetPay plans to convert the County from our Legacy platform to our Magic platform in an effort to offer the latest and greatest innovations in the payment processing industry to Collier County. JetPay's web -based payment processing platform (MAGIC) was recently developed and offers the latest features and functionality while following best practices in the payment processing industry, and is ideal for accepting online/e-Commerce payments, point-of-sale EMV transactions, mobile app, IVR and virtual terminal payments for mail in/phone in payments. With the Magic platform JetPay is able to offer the County the latest features and functionality in the payments industry and offer a level of configuration and customization that can specifically meet each of the County's departments specific needs. County administrators would have the ability to customize and configure the County's instance of the Magic platform in real-time through the Manage tab of the JetPay Magic Administrative dashboard. Administrators would have the ability to change and configure things such as: changing office users' and client customers' account information & doing password resets, configuring organization units, payment categories, payment types, devices, branding, logos, managing customer payment plans, etc. Mr. Griffiths, Mr. Lennon, and Mrs. Everage have worked together since the launch of the Magic in 2015 to organize the migration of JetPay Payment Services FL's existing client base from our Legacy platform to the Magic platform is as seamless a process as possible. Heath Gardner (Head of Software Development) and Paul Shave (Information Technology and PCI Director) lead all software development and IT efforts in relation to the scope of services of this contract such as any work with integrations, client profiles and databases, etc. Lynn Yelverton (Customer Service Manager) will manage all tier I customer service requests for the County. Chris Battel (Chief Operating Officer) will serve as the Executive Officer to the County on the behalf of JetPay. The key personnel servicing Collier County will include, but are not limited to: Christopher Battel, Chief Operating Officer and Executive Officer Rick Griffiths, Director of Account Management and Project Manager Joe Lennon, Director of Sales and Business Development & Senior Relationship Manager Lynn Yelverton, Customer Service Manager Rick Carroll, Chief Financial Officer Heath Gardner, Software and Development Director Paul Shave, Information Technology and PCI Director Shirley Everage, Technical Account Manager E - Joseph Lennon, Director of Sales and Business Development & Senior Relationship Manager Phone: (850) 858-3319 joe.lennon@jetpay.com Joe Lennon joined JetPay in the first quarter of 2015. Mr. Lennon has spent 30 years delivering customized customer experiences and solutions to prominent national, regional and boutique businesses in the hospitality and health care industries. He has comprehensive leadership experience and knowledge in entrepreneurial, analytical and sales oriented environments. He is responsible for the leadership and implementation of Customer Relations, Sales and the Business Development strategy of JetPay Payment Services, FL, with a focus on customer satisfactions and business growth. Mr. Lennon will serve as a Relationship Manager for this contract and will serve as a point of contact to the County from an account management perspective, along with Rick Griffiths. JOSEPH W. LENNON 56 Highpoint Drive Gulf Breeze, Florida 32561 ^��COLLECTORSOLDTIONS.COM (850)-572-7664 QUALIFICATIONS SUMMARY Top -performing Client Development Executive and multi -unit Operations Leader with consistent track record of surpassing retention targets, financial expectations and quality indicators. Proven ability to recruit, train, and develop top performing teams that met or exceeded clients and companies expectations. Demonstrated success leading complex retention processes resulting in protecting revenues and retaining customers. ■ Competitive Analysis ■ Consultative / Solutio Selling ■ Customer and Client Satisfaction ■ Business Process Improvement Strategic Planning • Project Management • Revenue & Expense Forecasting ■ Staff Recruitment & Training ■ Quality Improvement • Presentation & Negotiation Skills PROFESSIONAL EXPERIENCE CollectorSolutions, Inc, Pensacola Florida 2015 _ Present DIRECTOR, SALES AND BUSINESS DEVELOPMENT Leads both business development as well as customer relations of an electronic payment processing and communications firm headquartered in Pensacola, Florida. As Director of Sales and Business Development, has taken the lead in developing strategies and delivering diverse solutions for clients to collect monies from teir (hwww.collec orsolutionstcom) processes over $4 Billion with a staff of onn 2014 CollectorSolutions, Inc. only 23I 2013 -Present Service Team Of Professionals, Inc. OWNER / FRANCHISEE As a franchisee, purchased exclusive rights to tri -county market from a national restoration company. Responsible for all phases of the business from developing the marketing plan, establishing sales routes, operations and financials. 300% increase in year over year sales Expanded services from emergency remediation response to full service restoration Built a strong network of marketing support through serving on local boards to include Chambers of Commerce, Santa Rosa C.E.R.T. (Civilian Emergency Response Team), President of Optimist, Gulf Breeze Leadership Of Santa Rose Graduate, Class of 28 Selected Business Of The Month - December 2014 Selected "Emerging Leader Of The Year" for 2014 56 highpoint Drive Gulf Breeze Florida 32561 Cell (850)-554-4367 - Email: Joe Lennon n Bellsouih.net 2007 to 2012 Sodexo, Inc. Southern United States, SENIOR CLIENT DEVELOPMENT EXECUTIVE Responsible for leading retention processes to protect $536,223,356 of revenue and $61,866,210 of gross profit while Accomplished lPlatinum Leviing processes es Performance inthin FiscalYears 2008,1tal business in the Southern United States. 2010. and 2012, • 98.2% Client Retention rate in FY 2012 • Successfully led complex and competitive retention processes resulting In Blue Chip and overall client retention goals of 96.63% over 6 years. • Employed an enterprise approach to organizing, motivating, and directing diverse teams to accomplish desired retention outcomes and growth opportunities with existing business. • Developed strategies for long-term contract renewal in assigned Blue Chip accounts. 1999 -2007 Sodexo, Inc. South East United States DISTRICT MANAGER Responsible for 68 Sodexo managers and $39,080,993 in managed volume in 17 Strategic Business Units across 3 states. Strategic business units include a mixture of Food and Environmental Services. Outcomes over the last 6 years include exceeding budget expectations while growing profitability over each previous year. Client satisfaction consistently exceeded goals and previous year scores. Client dissatisfaction was less than 1%. • 100% Client Retention over six fiscal years. • Recognized for Excellent 98% Client Satisfaction. Highest in Health Care Division for fiscal 2002. • Recognized for Outstanding Financial Growth for fiscal 2004. • Recognized for Outstanding Account Growth for fiscal 2006. Realized 20.3 %yearly average profit growth over comparable business for last 8 fiscal years. • • Established pattern of managing troubled contracts and retaining business while increasing profitability and client satisfaction. • Oversaw development and promotion of 7 General Managers. • Recognized for Leadership role In Hurricane and Disaster Relief. 1994-1999 Sodexo Marriott, Philadelphia Pennsylvania GENERAL MANAGER OF SUPPORT SERVICES Responsible for multiple support departments and outsourced services for inner-city teaching hospital as onsite representative of Marriott Health Care (Sodexo Marriott Services). Managed a budget of $21,000,000 and reported to CEO. In this capacity, provided leadership for 3 campuses, thirteen (13) departments of 300 employees in 1,600.000 sq. ft, facility space. Consistently achieved or exceeded ail goals in patient, family and physician satisfaction and cost reduction as listed below. EDUCATION & TRAINING B.S., Management, Focus on Hospitality, Hotel and Restaurant Mercyhurst University, Erie Pennsylvania Professional Development On-going workshops/seminars: Winning Sales Proposals / Shipley Associates, Conceptual Selling / Miller Heiman, Winning Sales Presentations / Mandel Communications, Sales Negotiations / Bay Group International, Relationship Edge / Delta Point. Inc., Trusted Advisor/ Global Partners, influence Edge / el Consulting, Killer Presentations and Master Presenter / Associations Chambers of Commerce, Navarre and Gulf Breeze Optimist International, Knights of Columbus, Civilian Emergency Response Team 56 highpoint Drive Gull Breeze Florida 32561 Cell (850)-554.4367 - Email: Joe L@Mon0Be1I&ogth.net COd v Christopher Battel, Chief Operating Officer Phone: (850) 858-3321 chri s.battel@j etpay.com Chris Battel joined JetPay in September of 2013 after a 25 year career in investment banking. Mr. Battel is a Chartered Financial Analyst, with 25 years of investment banking experience at prominent national, regional and boutique investment banks serving clients in technology, business services, financial services and health care industries. He has comprehensive leadership experience and knowledge in entrepreneurial, analytical and sales oriented environments. He is responsible for directing the leadership, strategy and operations of JetPay Payment Services, FL, with a focus on business growth and performance. Prior to joining JetPay, Mr. Battel held executive leadership positions at corporations andi llinstitutions, and coordinated more than 100 transaction processes involving mergers, acquisitions, public offerings, , private placements of debt and equity securities. Mr. Battel received his Bachelor of Science in Finance from the University of Virginia, Masters of Business Administration from Georgia State University, and holds the globally recognized Chartered Financial Analyst credential for finance and investment professionals. (0) 850-858-3321 CHRISTOPHER A B AoTTEL, CFA (C) 850-607-3659 GULF BREEZE, FLORIDA 32561 ('hricB(a2Collectot`Sohttions.cotn PROFILE * Investment banker with 25 years of prominoatt national, regional and boutique investment banks advising corporate to clients in teclillology, business services, linatoial services and health care industries • Led service businesses and employees in entrepreneurial, analytical and sales oriented environments • Rat 1(X)+ transaction processes involving mergers, acquisitions, sates, leveraged buyouts, reeapitulizations, public oil'erings and private placements of debt and equity securities * Txpert on securities insurance and repurchases, business and securities valuation, due diligence, representation" & warratticw, minority and Controlling ownership trsuisactioas r • Chartered Financial Analystgloballyrecognizul credential'; for finance and investment professionals • Co -Founder of heahh care data and analytical company for hospital and emergency medicine patients EXPERIENCE CHIEF OPERATIONS OFFICER 2013_Pi,arertt Gdleclor.SOlalions, 1111VI, pensacwla, Florida Leads (lie day to day operations of both bmincss dcvcl0l)l i as well as a, Fw7uc development COO, has rat en the lea payment processing and conununications firm hcadquadere! in Pensacola, Florida. As COO, has taken dtc lead in developing and delivering diverse solutions for clients to collect monies - their c cora) processes over slly (credit card, debit card, c -check). In 2014 Colleetorsolutions, Inc, on with a staff of only 23. PRESIDENT AND MANAGING DIRECTOR 1994-1007 and 1008-1013 Lvgcrry Seem sties Cvip. Pensacola, F7aiqda and Atlanta, Gcwrgia CcMfiunder and head of inde7rendcnl invesbmmt bank providing institutional capital raising services and merger & acquisition financial advisory services to entrepreneurial companies that are in the middle market (valuations up to $250 million). Legacy Sectuities (1Ytv�v�aS9k1 4(t spta is a pronoment boutique investment bank with an excellent transaction execution reputation in the South across a variety of industries including technology, healthcare consumer services, business and financial services. CO-FOUNDER AND CHIEF EXECUTIVE OFFICER 1011-1013 Nletis Health LLC, Ga1j'Brraze, Flarlda Co-founder and CTO of Mctis Health (www m_6stihr•com) which empowers patients with all of their personal nodical information (gather and continuously update diagnoses, procedures, Prescriptions, lob results) and engages patients in managing their health. Metis engages patients and hospitals and emergency medicine to be more involved in managing their health which results in tower costs and better health outcomes. MANAGING DIRECTOR 1007-2008 Headwater Ala LLC, Atlanta, Georgia Iia the Allanta office and the Business services industry practice for Headwaters MD, www.hcaJwntcrsmb.earn a national investnamt bank. Ce CHRiSTOP14ER F. BATTEL, C.FA VICE PRESIDENT, INVESTMENT BANKING 1990-1994 Morgan Keegan & Company, Inc.; Atlanta, Georgia Co -led hotel REIT practiceleadbanker for Equity Inns mid Winston Ilotel, relationships, Investment banker responsible for business development and transacting public and private equity and debt otlerings, mergers & acquisitions, financial advisory engagements and merchant banking investments. FINANCIAL ANALYST, INVESTMENT BANKING 19xx-1990 Prudential-Bache Capital Funding; Atlanta, Georgie Financial Analyst responsible for peribnning financial analyses in public and private equity and debt offerings, mergers & acquisitions, leveraged buyouts and recapitalizations. ASSISTANT SECRETARY 1986-1988 Inning Tnist Congrany; New York New York Bank officer responsible for financial analysis of potential merguts & acquisitions for uoPorate de velopruent department of this prominent international commercial bank. Completed credit and arrpontte finance training program finishing first among 25 graduate and undergraduate peers. —STAFF CONSULTANT 1985-1986 Peterson & Co.; San F}Yinciseo, Calornia Provided litigation support and financial analyses used as expert court testimony of financial damages in construction claims, enterprise valuations and bankruptcy lilingv. EDUCATION CHARTERED FINANCIAL ANALYST GEORGIA STATE UNIVERSITY Atlanta, (.icorgin — Masters of Business Administration, 1990 UNIVERSITY OF VIRGINIA Charlottesville, Virginia — Bachelor of Science in Finance (Graduate with Distinction), 1985 ASSOCIATIONS Center for Innovation and Entrepreneurship, Policy Board Member and Instructor Atlanta Society of Financial Analysts Chartered Financial Analyst Institute Legacy Capital Partners, Manager (a private investment partnership) Rotary, Five .Flags of.Nensacoln 0 V� Rick Griffiths, Director of Account Management and Project Manager Phone: (850) 858-3309 Rick.griffiths@jetpay.com Rick Griffiths joined JetPay in January 2014 and services as Director of Account Management. Prior to joining JetPay Mr. Griffiths served as a Corporate Account Manager for WebMD, and was a founding partner of Health Data Services. Mr. Griffiths has over 16 years of experience in account management. In addition to his role as the Director of Account Management, Mr. Griffiths has served as a key project manager for JetPay, and will continue to serve as the relationship manager to Collier County. He was instrumental in the migration of JetPay Payment Services, FL clients to our recently developed Magic platform, and has worked on large and complex clients' on - boarding such as the State of Illinois ePay program and their various participants throughout the state including state agencies, counties, cities, universities, etc. Rick Griffiths 2494 Portland St Sarasota, FL. 34231 X3..9-1.?.3..�1L4u11. ng Career Profile Over 20 years hands-on experience developing and managing full life cycle applications in a highly complex environment, full life cycle product and project management with experience with multidimensional/relational OLAP (MOLAP, ROLAP), relational and dimensional modeling for decision support environments, understanding various development phases and issues related to data warehouse implementations, fundamental concepts and architectural principles of data warehousing, business driven requirements design process, website design and configuration. Deep knowledge and experience in every area of data analytics, data architecture, data management, data governance and Business Intelligence software and procedures. Seasoned professional, with outstanding project planning, execution, monitoring and resource balancing skills with ability to support multiple simultaneous projects in a matrix organizational structure. Excel at communicating with stakeholders to provide accurate reporting and information regarding the ongoing projects and initiatives. Unique ability to translate corporate needs and business objectives into scalable, long-term technology solutions. Excellent track record of leveraging operational excellence and broad business expertise to translate company vision into revenue growth and operational successes. Experience Metis Health Data - 2010 to Present CO -Founder / Chief Operating Officer Metis provides custom PHI data release solutions for any entity that holds a properly authorized HIPAA release. • Designed multiple systems, transforming manual paper processes to electronic processes; designed and implemented initial integrated data warehouse, combining Healthcare claim data with Pharmacy claim data; designed electronic enrollment system, transforming process from manual paper process to electronic process. • Developed product and project lifecycle programs for integrated system delivery. Established policies and procedures establishing data governance initiatives, data quality, data modeling, standards, practices and principles and data architecture. Established data product life cycle requirements and developed new product functionality while balancing budget restraints and client requirements. Responsible for design, development, deployment, maintenance, enhancement, business socialization of Data Management, architecture, all aspects of enterprise business intelligence & data warehouse, enterprise data integration strategy. CORE Health Data Services - 2009 to 2010 Founder / Chief Executive Officer CORE provides PHI data solutions to (PMS) vendors, electronic medical records (EMR) vendors and hospital information systems (HIS) vendors that require PHI data for multiple programs. C9Q • Developed CORE Exchange Services and companion analytical software allowing exchange of actionable PHI data between data requestors and data suppliers. • Developed data usage and governance policies according to HIPAA, HITECH, Red Flag, State and local laws. • Managed data architects, programmers and database administrators; created MBOs and performance metrics for technical staff. • Managed and tracked the progress of all aspects of target accounts, including long term data strategy, data usage restrictions, account management and revenue opportunities. Resolved project delivery problems by analyzing issues, discerning the most appropriate courses of action, providing tactical direction and, when necessary, reallocating resources. Provided operations analysis and consulted to government clients on business process improvement. WebMD / ENVOY — 1993 to 2009 Director Corporate Accounts, WebMD 2002-2009 Responsible for Strategic Account Development, by maintaining partnerships and relationships with assigned corporate accounts key decision makers. • Developed data exchange partnership programs with Payers, MCOs and ACOS. Managed corporate accounts that produced over $26 million in annual revenue. • Demonstrated strong critical analysis, strategic development, budget management and problem solving skills. Created budgets and forecasting models and associated management plans to achieve goals. o Extensive experience developing business partner strategies and directing complex business functions. Developed marketing plans for assigned accounts and channel partners. Demonstrated ability to interact at senior executive levels, and build and expand on new relationships. Acquisition/ Integration Team, WebMD 2000-2002 • Lead product system integration analyst for integration team. • Performed due -diligence on possible acquisition companies and created detailed system and product summaries on potential companies. • Review technical and acquisition alternatives and assist in conducting benefit -cost analysis. • Prepare specifications, statements of work, and technical material for incorporation in the delivery document. Verify that user -written statements of work and functional specifications are technically feasible and not unduly restrictive. Account Manager, ENVOY 1993-2000 Project managed Y2K migration and mitigation plans for assigned accounts. • Responsible for designing and programming first electronic billing system. Developed first electronic enrollment program for ENVOY. Created data models and ETL polices for sales and account management support. Managed business intelligence, data quality, data analysis and data conversion processes across multiple divisions. Harrington, Righter & Parsons LLC. (HRP/COX) — 1992 to 1993 Media Buyer , and print media for all accounts within an assigned Negotiated and purchased television, radio group of markets. Estimated, updated and adjusted all broadcast ratings per demographic, per quarter. Negotiated rates, special placement and added value by medium for all markets. Executes all media plans in the assigned group of markets within established budgets; buys media space and air time. • Meets with media representatives and accesses media database to research available options for media placement. Maintained all media buys and is responsible for the post -buy results of all buys. Monitored buys in progress by spot checking placement and negotiating credit or billing adjustments when necessary. Education 1992 - B.A. Mass Communications, University of South Florida Technical / Practical Summary Project Management: Agile and Six Sigma processes. Databases: Oracle, Sybase, SQL Server, IBM UDB/DB2 and MS Access. Data Modeling: Erwin, Power Designer, Embarcadero ER/Studio, MicroStrategy. Database Reporting and Analytics: Oracle Business Intelligence Enterprise Edition, (OBIEE), Oracle BI Applications, Business Objects, Web Intelligence, Cognos and Micro Strategy. Extraction, Transformation and Load: Informatica, SQL Server Information Services, Data Integrator. Other Software: IBM Web Sphere, Oracle Web Logic, SAP Net Weaver, Microsoft Office Tools, Microsoft Project, Microsoft Visual Studio, Lotus Notes, Adobe PDF tools. Operating Systems: Windows 95/98/2000/NT/XP/Vista, Windows NT Server, UNIX, and IBM AIX. Languages: Visual Basic, C, COBOL, Progress, HTML, XML, ]avaScript. Protocols: TCP/IP, WAP, ATM, Frame Relay. Training: Siebel CRM, Siebel Analytics/OBIEE, MS Dynamics, ePiphany CRM, Project Management, SAP Overview, Cognos, Business Objects, Data Integrator, Micro Strategy, Informatica, Erwin, Hyperion HFM, Hyperion Planning C90 Lynn Yelverton, Director of Customer Service Phone; (850) 858-3303 lynn.yelverton@jetpay.com Lynn Yelverton joined JetPay in June 2011 and is Director of Customer Service, Mrs. Yelverton manages JetPay Payment Set -vices, FL's Customer Service efforts and the JetPay Help Desk. Mrs. Yelverton is partially responsible for client training in conjunction with the client's relationship manager, and the JetPay help desk is responsible for all Tier 1 set -vice calls. has 12 ip roles in the customer Yelverton ee • 1yea s. M s. Yelverton earned her bachelorars of experience in customer service, t's l 1 degreenOfficeh rvi eindustry for vSystems and MBA from Troy University. CCA( Lynn Yelverton 2407 Portobella Place Cantonment, Florida 32533 i iome Phone: 850.937.8771 WORK EXPERIENCE: 2011 -Present CollectorSolutions, Inc. w Director of Customer Service • Provide excellent customer service to our clients and their customers. • Provide appropriate training, direction and motivation to team members to enable success. + Collaborate with the Director of Operations to define Customer Service policy and procedures. + Ensure that client/customer support activity is logged into Connectwise. • Conduct client quarterly follow up calls. • Provide support to Sales. • Provide support to Merchant Services. 2007-2011 Medical Center CIinic M office Administrator • Provide business function support for an office of 20 business managers and 75 physicians. • Manage customer interface and problem resolutions with professionalism and decisiveness, • Communicate with and manage communications for administrative Staff and multiple departments, • Serve as the "face" of our organization for our customers and guests in both personal and electronic interface. • Perform finance functions such as Physician audits and invoice routing, recording, and processing. • Perform administrative functions such as writing, reports, preparing correspondence, and managing work order systems in a highly confidential environment. 1999-2007 Progressive Management of America, Inc, — Property Manager • Conduct regular onsite management reviews. • Ensure compliance to property personnel policies and procedures. • Supervise and motivate on-site staff, • implement rental increases and enforce collection procedures. • Ensure property compliance with Fair Housing laws and Occupancy Guidelines. • Monitor resident selection criteria. • Submit accurate "Weekly RentallLeasine' information to Corporate Office. • Prepare marketing plans and resident profiles as requested. • Provide on-site management to other apaarnent communities when necessary. • Develop and maintain quality hiring and evaluation procedures consistent with Owner requirements. • Ensure the collection of rents are accurately recorded and reported. 1998-1999 Progressive Management of America, lnc.-- Leasing Agent • Responsible for leasing packets, processing applications, certifications and (re) certifications according to federal and Owner regulations. • Maintain resident files. • Show the model and available ready vacancies. • Greet new residents and assist with tite move -in process. • Assist in preparing market surveys. • Other duties outlined by the Property Manager. tggg Touch 1 Communications. -Segmentation Analyst Analyze customer and prospect base to identify significant information as it pertains to marketing efforts. • Identify specialty list resources and make usage reconunendations to project and channel managers. EDUCATION: 1994; MHA Business Administration, Troy University 1943: BS Office Systems,'Iroy University 1990: AS Office Management Technology, Pensacola Junior College E0 . Rick Carroll, Chief Financial Officer Phone: (850) 858-3315 rick.carrol l @j etpay.com Rick Carroll, a Florida licensed CPA, joined JetPay in June 2012 and currently serves as Chief Financial Officer. He is responsible for development and implementation of the corporate strategic plan with emphasis on increasing market share, data management, and cost control. Prior to joining JetPay, Mr. Carroll had his own practice for over 10 years. Before that, Mr. Carroll held financial positions in the Banking and Healthcare industries. Mr. Carroll earned his Bachelor's Degree in Accounting from the University of West Florida. X90 R.ICI Rl) A. C.'ARROIaI� 0212) NOR`1'H.It)Tfl AVENUE-, PICNf:3rfAC:OLA, FL 322501 WORK EXPERIENCF. CollectorSolutions, Inc. June 2012 — present CollectorSoutions, Inc, is a third party payment processing company, an e-business, CollectorSolutions processes payments for a variety of industries, but focuses on tax collectors, other state agencies, and utility compaluies. In 2011, CollectorSolutions processed over 3 million transactions with a dollar amount in excess of2.5 billion dollars. Chief Financial Officer • 'Develop and implement strategic plan with emphasis on increasing market share, data management, and cost control. • preparation of all federal, state and local tax returns. • Partner with other upper management on the development of annual budget. • Coordinate with external CPA firm on the completion of annual financial audit and SSAE 16 reporting. • Manage finance department. Richard A. Carroll, Certified Public Accountant, LLC, Pensacola, Florida January 2002 — May 2012 In January 2002 established a certified public accounting firm serving a variety of clients including individuals, sole proprietors, LLCs, S -Corporations, C -Corporations, and Non -Profits. • Tax preparation for individual and business clients. • Complete payroll services covering a variety of industries, such as construction, restaurants, and non -profits. • Bookkeeping and compilation services. • cost allocation, break-even analysis, and preparation of various Consulting projects, including budgeting, forms and applications. • Educate business owners and train client staff on all accounting and tax issues. • Manage internal staff. Capital One Financial Corporation, Richmond, Virginia Capital One is a publicly traded Fortune Five Hundred company with over $200 billion in revenue. Capital Out is comprised of over 50 companies and has a presence in several countries including the United States, Canada, United Kingdom, France, South Africa, China, and India. Accounting Specialist — Corporate Accounting January 2001— January 2002 • Worked as an accounting specialist for the international pillar of the corporate accounting office. The international pillar was responsible for consolidating the results of all corporate divisions, international and domestic, and presenting the results to upper management. • Personally responsible for summarizing the results of Canada and China divisions of the corporation. Worked closely with members of each of these divisions throughout the mouth as well as during month end on all major financial accounting issues. • Served as main point of contact for all international corporate accounting issues for all foreign divisions. • Consolidated Balance Sheet and income Statements for all corporate divisions. • Calculated effects of cuff MY translations on financial results. • Calculated and recorded results of derivative transactions. • improved existing Excel spreadsheets through the use of macros and pivot tables. As a result, improved accuracy and time efficiency during month end processes. • Training liaison during conversion to ptsopleSoft accounting software. office 850.437.0870 378 West Chole Slr••t email rick'rcarroucpa.can Pensawle, FL32802 • Involved in interview process for all new hires within corporate accounting. Baptist Healthcare Corporation, Pensacola, Florida Baptist Healthcare is a regional 1,100 bed integrated delivery system cuntprised of five community hospitals, a continuing care retirement center, the state's largest mental health facility, home health services, long term care facilities and a physician practice company. Reimbursement Analyst December 1998 — Jantuuy 2001 Promoted to Reimbursement Analyst in December 1998. Reimbursement department is responsible for all incoming revenue paid by Medicare, Medicaid, and other contractual payers. • Analyzed monthly revenue in order to calculate contractual allowances for live health care facilities and report results to senior management. • Gathered and analyzed appropriate data and determined allowable expenses based on governmental guidelines for annual cost reports. • Prepared annual Medicare and Medicaid cost reports for four facilities and submitted to appropriate agencies (Health Care Financing Administtntion and Agency for Health Care Administration). • During annual audits, provided analysis and reports to government agencies. • Researched and investigated proposed audit adjustments and provided documentation to support the organization's position in disputed issues. • Interpreted and communicated current state and federal regulations to senior management and other staff members. • Directly responsible or key participant in developing revenue budgets for eight facilities with revenues in excess of $600 million. Chief Accountant December 1995 — December 1998 Monthly Close: • Analyzed all expense accounts comparing actual to budgeted amounts, explaining and/or correcting where necessary. • Recorded adjusting and accrual entries, including detailed analysis of accounts receivable and bad debt reserves. • Performed employee benefit analysis and allocated expenses to all facilities for over 4,000 emp oyees. • Prepared monthly report for Board of Directors, which included narrative, financial statements and graphical depiction of supporting information. • nderstanding the financial results of their departments. Assisted department managers with u Audit: • Coordinated with external audit firm, Ernst R Young, daring entire audit cycle. • Performed detailed account analysis to explain variances which exceeded supe. • Prepared various schedules and worksheets, such as bad debt analysis and long term debt roll -forward, as well as prepared graphs and footnotes for audited financial statements. Compiled information for the corporate tax return. Budget: Assisted department managers in developing S 190 million expense budget for over 350 departments. • Solely responsible for budgeting 10 overhead departments, including items such as benefits, depreciation, and interest expense. The Oyster Bar, Pensacola, Florida Controller July 1994 - December 1995 Collection Services, Inc., Pensacola, FI, 32501 Staff Accountant October 1991 — December 1994 Citizens & Builders Federal Savings, Pensacola, FL 32501 Staff Accountant May 1990 — October 1991 EI DUCATION, Cerlifted Public Accountant, Florida, 1995 Bachelor's Degree in Accounting, University of West Florida, Pensacola, Florida 1989 ADDTTTONAT, INFORMATION Computer Experience: Excel, QuickBooks, Peachtree, ATX tax, Word, Harvard Graphics, Internet, and industry specific accounting software programs. References: Available upon request 0 Heath Gardner, Software Development Director Phone: (850) 858-3314 heath.gardner@j etpay.com Mr. Gardner joined JetPay in May 2012 as the lead Software Developer for JetPay's secure web based payment application. His primary responsibilities include software maintenance and development of new enhancements for the JetPay eCollections Portal User Interface and software configuration management. Prior to joining JetPay, Mr. Gardner worked for over 15 years in software engineering and project management roles providing him with broad experience and expertise in the software development lifecycle. Mr. Gardner earned a Master of Science in Management from Troy State University in addition to earning his Bachelor of Science in Computer Science from the University of West Florida. 0 HEATH GARDNER 6637 Indian Street • Navarre, FL 32566 • Phone: 850-384-9522 •ath,&p.gaLOpgu�omail cpm Director of Software Development Technology professional with experience managing enterprise Information systems. Expert in gathering, analyzing and defining business and functional requirements; designing/re-engineering processes, workflows, and technology solutions. Proven ability to lead implementations and deliver next -generation technical solutions improving workplace productivity. Expertise Highlights • Software Architect • Database Design and SQL Queries • Project Management • Web Services • Agile Scrum Methodologies • ASP.net, VB.net and C#,net Development Professional Experience COLLECTORSOLUTIONS INCORPORATED (CSI) — PENSACOLA, FL 2012 to Present Director of Software Development Director of Software Development for CSI's secure web based payment application. CSI is an ePayment company specializing in the processing, management and reconciliation of eCheck and Credit Card transactions utilizing the power flexibility, and scope of the Internet. Key ResponslbiJfties; • Chief Software Architect for legacy and new software development projects • Oversee software developers and software development processes • Lead software team In agile scrum methodologies • Implement software development security best practices following OWASP Top Ten guidelines • Manage and oversee complete rewrite of payment platform by an outsourced software development team • Implemented the use of Atlassian product suite of lira, Stash, Bamboo, Confluence and Hipchat • Interact with payment acquirers/processors, vendor partners and clients on technical matters • Assist sales team with requests for proposals and demos to potential new clients TYBRIN CORPORATION — EGLIN AFB, FL 2000 to 2012 Software Enaineer - Level 5 Lead developer for Center Scheduling Enterprise (CSE) for Eglin, AFB. CSE is a resource scheduling and deconfliction web based application used at Eglin AFB, Edwards AFB, Nellis AFB, and other Air Force Primary Training Ranges (PTRs). Also a developer on an implementation of CSE for Space Command at Schriever AFB. Key ResponsJb!/rtiess; • Use software fifecycle principles for requirements, design, implementation, integration, testing, deployment, and maintenance of CSE. • Develop database tables, relationships and stored procedures using SQL Server 2008 Enterprise Tools. • Develop business logic layers and data access layers with VB.net in Visual Studio 2010. • Develop master pages, web pages, web controls, and web services using ASP.net, JavaScript, and Ajax in Visual Studio 2010. • Develop reports using Crystal Reports 11 and Microsoft SQL Server Reporting Services. Heath Gardner Resume Page 1 0 • Develop mapping display capabilities with Scalable Vector Graphics (SVG) and geospatlal de -confliction with Geomedia Objects. • Utilize Team Foundation Server (TFS) for software configuration control management practices to ensure integrity of software builds for CSE. • Analyze and resolve technical problems that arise in a CSE production environment. • Provide end-user training of CSE application to customers as a CSE Instructor for Eglin s Test Engineer (TE) Boot Camp. • Instruct, train and review the work of lower level personnel. Prepare technical presentation and proposals to management in support of information technology programs and projects. • Enforce the Capability Maturity Model (CMM), Capability Maturity Model Integration (CMMI), and ISO 9001 standards for preparation of documentation including user manuals and design and requirements documentation. • Attended VS Live and Dev Connection conferences representing the organization to keep abreast of current and emerging technologies. 1999 to 2000 IMAGE API, INC., TALLAHASSE, FL Prolect Manager Project manager for Image API's professional services group. Experience in project management, process reengineering, systems design and implementation, database design, and program management. Key Responsibalties: • Designed and implemented a wide variety of solutions providing clients with measurable cost, performance, and management benefits. ent • Translated business needs into end-user requirems and provided end-user training of application to customers. • Applied industry knowledge of project planning and overall software development life methods. • Performed application design, development, testing, implementation, training, and user manual development. LIFEWAY CHRISTIAN RESOURCES — NASHVILLE, TN 1998 to 1999 Associate System Enaineer Served as an associate system engineer for LifeWay's information Technology Department. LifeWay Christian Resources is one of the largest leading resource suppliers for Christian churches and bookstores in the United States. Key Responsibilitles: • Microsoft Access and Access Basic development. • Developed and implemented automated software build procedures. • Automated journal entries to interface with the companies accounting system. • Performed database repairs, bug fixes, and Y2K compliance. • Analyzed and resolved technical problems involving database management concepts, methods, and principles. NETPDTC (NAVAL EDUCATION AND TECHNOLOGY PROFESSIONAL DEVELOPMENT 1996 to 1998 AND TECHNOLOGY CENTER) — PENSACOLA, FL Coirnputer.SpeCialll Served as a Computer Specialist CO-OP for 2 alternating semesters and 2 part-time semesters. Page 2 Heath Gardner Resume 0 Key Responsibi/iues: • Developed and established methods for computation, analysis, display and storage of information. • Developed database applications using Oracle Designer 2000 CASE Tool. • Developed windows application using Visual Basic 5.0 accessing an Oracle database. US NAVAL RESERVES — PENSACOLA, FL 1991 to 1997 Hospital Corpsman Hospital Corpsman (HM) perform duties as assistants in the prevention and treatment of disease and injury and assist health care professionals in providing medical care to Navy people and their families. Key Responsibilities; • Performed general military and hospital corpsman duties. • Assistant Leading Petty Officer Clinical Division NH Unit 108. • Performed maintenance on D133 personnel application. Education TROY STATE UNIVERSITY — FORT WALTON BEACH, FL Masters of Science in Management, 2004 Emphasis in leadership and organizational effectiveness UNIVERSITY OF WEST FLORIDA — PENSACOLA, FL Bachelor of Science in Computer Science 1 Computer Information Systems, 1997 Technology Summary Training: Microsoft Ignite, OWASP Application Security Training, Enterprise Development, Dev Intersection, Dev Connections, Training, ISO brie Basics Mang, � bodedrin Training Introduction ybdn OSSP V2.4 Cartography App organizations set of standard processes training Awards: Tybrin Corporation's first President's Award for Excellence, Team Eglin Award, SES Outstanding Team Award Applications: Visual Studio, Team Foundation Server, GIT, Jira, Stash, Bamboo, Confluence, Hipchat, Microsoft SQL Enterprise Manager, Microsoft SQL Query Analyzer, Crystal Reports, Microsoft SQL Server Reporting Services, Microsoft Visio, Microsoft Project, Microsoft Office Systems: Windows Server 2003, Winnows Servows XP, er 2008, Windows ws Server Windows 7, Windows 8, Languages: SQL, C#.net, VB.net, ASP.net, JavaScript, VBScript, AJAX, Visual Basic for Applications (VBA), Pascal, COBOL, C, C++ References Available upon request Page 3 Heath Gardner Resume Paul Shave, Information Technology Director Phone: (850) 858-3310 paul.shave@j etpay.com Mr. Shave joined JetPay in May 2010. He is responsible for Network Integration, Security, and Service Delivery for the organization. He has worked in the Enterprise Network and Telecommunications field for over 20 years. During this time he has worked with a wide variety of technologies and implemented mission critical solutions and designs for many organizations worldwide. Prior to JetPay he was a Senior Network engineer for a regional technology integration firm performing network design and consulting in the areas of operational guidance, wide area/local area networking, VOIP, and network security. Previously, Mr. Shave served as a Network Administrator with the United States Air Force, specializing as troubleshooting and implementation for logistics systems in the European and Southwest Asia theaters. Obj Paul Shave pauis@collectorsolutions.com Summary of Technical Skills Dedicated Information Technology Professional with extensive real world experience. Adept with network security operations, policy development, and project management in fast paced environments. Proven track record of achievements and the development of innovative solutions to end user needs. IPS/IDS Vulnerability Management/Assessment Host Based Security Systems Patch Management/Deployment Systems Training Development Wireless Intrusion Detection Methods Classified Material Management Project Management Host Based Security Systems Policy Creation & Compliance Management Experience 2090 - Present Information Technology Director, CoitectorSolutions, Inc. Responsible for all aspects of IT management for an online payment processing ecosystem hosted in a high availability environment. Responsibilities Annual budget planningimanagement Policy Development/implementation -Payment Card Industry Data Security Standard (PCI) -IT Security Policy End user training Microsoft Windows Server Microsoft SQL Server 2000/2005/2008 Server Virtualization Backup/Disaster Recovery Planning Mobile Device Management Systems Wireless IP Phone Management Data Center Planning Vendor Management Storage Area Networking Remote Management Technologies Customer Relationship management systems Network Security Management -Firewall/Intrusion Detection Management Technologies 2000 —2010 Senior Network Engineer, WAVEnet technologies, inc. Responsible for a team of 20 network engineers supporting a wide range of customers from small business up to Fortune 500 organizations and technologies in an engineering, sales, and management roles. Shirley Everage, Technical Account Manager (850) 858-3300 Shirley.mattinez@jetpay.com Shirley Everage joined JetPay in January 2013 as a Customer Service Representative. In 2015 Mrs. Everage transitioned into a technical account management role with JetPay. Mrs. Everage has been instrumental in the migration of JetPay Payment Services, FL's client base from our Legacy platform to our new Magic platform. Prior to joining JetPay, Mrs. Everage sewed as a Sales Associate at Collective Solutions. Mrs. Everage earned her Bachelor's Degree in Marketing from Texas State University. SHIRLEY J EVERAGE CELL: 512.927.7097 • E-MAIL SHIRLEYMARTINEZCS@GMAIL.COM Jos OBJECTIVE: Seeking a job where I can utilize my experience and my knowledge to add value to an organization. I -I; -Y -'Q IyIPIGA - • 15+ years in customer service and customer support • Verbal and written communication • Fluent in Spanish and English • Excellent skills in Microsoft Office Suite WQII FP�II1�1C— JetPay Payment Services FL (January 2013 — Present) Sales /Account Manager (January 2015 — Present) • Identity new business opportunities • Planned marketing campaigns to develop long-term relationships with potential clients • Assisted in the development of the pricing structure for new clients as well as other contract terms and conditions. • Account Management Customer Service Representative (January 2013 — 2015) • Expressing clearly and concisely over the phone, via email and in person • Maintaining a high level of organization throughout the day • Performing a variety of tasks daily - using various computer programs and functions Collective Solutions June 2011— June 2012 Sales Associate • Assist in the development of a strong pipeline of new clients and projects in accounts through direct or indirect client contact and prospecting • and presented Reviewed market research, interpreted data, findings to marketing management. • Assist in solicitation and follow-up of customers' needs I;IDA- . AT -I - Texas State University, San Marcos, TX, June 2010, Bachelor's Degree in Marketing, **Reference available upon request** LOCAL VENDOR PREFERENCE: Detail by Entity Name Florida Department of Stale i111l�'; Department of State / Di•rision of Cor oratiors / Search Records / Detail 8 Document Number / Detail by Entity Name Foreign Limited Liability Company JETPAY PAYMENT SERVICES, FL, LLC Filing Information Document Number M16000004288 FEI/EIN Number 81-2280449 Date Filed 05/27/2016 State DE Status ACTIVE Last Event LC NAME CHANGE Event Date Filed 10/21/2016 Event Effective Date NONE Principal Address 7450 Tilghman Street Allentown, PA 18106 Changed: 03/27/2018 Mailinq Address 3939 West Drive Center Valley, PA 18034 Changed: 03/27/2017 Registered Agent Name & Address C T CORPORATION SYSTEM 1200 SOUTH PINE ISLAND ROAD PLANTATION, FL 33324 Authorized Person(s) Detail Name & Address Title MBR DAVIDSON, PETER 7450 Tilghman Street Allentown, PA 18106 Title MBR KRZEMIEN, GREGORY M Page 1 of 2 DIV1510r/ OF CORPORATIONS http://search.sunbiz.org/Inquiry/CorporationSearch/SearChResultDetaiI?inquirytype=Entity... 5/16/2018 Detail by Entity Name 7450 Tilghman Street Allentown, PA 18106 Annual Reports Report Year Filed Date 2017 03/27/2017 2018 03/27/2018 Page 2 of 2 Document images 03/27/2018 -- ANNUAL REPORT View image in PDFformat 03/27/2017 -- ANNUAL REPORT View image in PDF format 10/21/2016 -- LC Name Change View image in PDF formal 10/21/2017 -- I C Name Changs View image in PDF formal _DB/02f20t8 --Merger View image in PDF format 05127/2016 -- Fcrei n Limited View image in PDF format FlOd, Lei --rt ur St Ptc, o�ViY4/10(«'!pC!:I k:nri5 C http://search.sunbiz.org/Inquiry/Coi-porationSearch/Seai-chResultDetail?inquirytype=Entity... 5/16/2018 AdnmustmVve Senn ms Depaftvnl Prc�tulenfes�t vV(vl & 0i"s xr Form 2: Vendor Check List IMPORTANT: THIS SHEET MUST BE SIGNED. Please read carefully, sign in the spaces indicated and return with your Proposal. Vendor should check off each of the following items as the necessary action is completed: The Solicitation Submittal has been signed. All applicable forms have been signed and included, along with licenses to complete the requirements of the project. Any addenda have been signed and included. ALL SU&MITTALS MUST HAVE THE SOLICITATION NUNr113ER AND TITLE, Name of Finn: _ .1 C,� Gtr 6Lo il�tL,�L!„_ � '► 'l"L� C +� /63 X lGtc ��J=r`iT 7G�I% Address: City, State, lip: ___� _•la=��. /—=—�?' �r� Telephone: Email: Representative Signature: Representative Name: Z�1 J `C' CAO Goer county AdminmA mtrm Serves Department rwcuwwnt ser ticrb Atmos'*+ Form 3; Conflict of Interest Afliduvit The Vendor certifies that, to the best of its knowledge and belief, the past and current work on any Collier County project affiliated with this solicitation does not pose an organizational conflict as described by one of the three categories below: Wased ground rules --The firm has not set the "ground rules" for affiliated past or current Collier County project identified above (e.g., writing it procurement's statement of work, specifications, or perfornhtg systents engineering and technical direction for the procurement) which appears to skew the competition in favor or lily firm. Impaired objectivity —The firm has not performed work on an affiliated past or current Collier County project identified above to evaluate proposals! past performance ofitselfor a competitor, which calls into question the contractor's ability to render impartial advice to the government. Unequal access to information --The fine has not had access to nonpublic information as part of its performance ora Collier County project identified above which may have provided the contractor (or an affiliate) with an unfair competitive advantage in current or fixture solicitations and contracts. In addition to this signed affidavit, the contractor I vendor must provide the following: 1. All documents produced as a result of the work compicied in the past or currently being worked on for the above mentioned project. and, 2. Indicate if the information produced was obtained as it matter of ublic record (in the "sunshine") or through non-public (not in the `'sunshine") conversation (s), meeting(s), document(s) and/or other means. Failure to disclose all material or having an organizational conflict in one or more of the du•cc categories above be identified, may result in the disqualification for future solicitations affiliated with the above referenced project(s). By the signature below, the firm (employees, officers and/or agents) certifies, and hereby discloses, that, to the best of their knowledge and belief, all relevant facts concerning past, present, or Currently planned interest or activity (financial, contractual, organisational, or otherwise) which relates to the project identified above has been fully disclosed and does not pose an organizational conflict. n Finn: Signature and Date Print Name: Title of Signatory: S . 1-G- , 11, X90 Colev County AdnvnmtmtN,e Serves Deparbnent PtcvUmfIWt ' SVNICO E)"m al Form 4: Vendor Declaration Statement BOARD OF COUNTY COMMISSIONERS Collier County Government Complex Naples, Florida 34112 Dear Commissioners: The undersigned, as Vendor declares that this response is made without connection or arrangement with any other person and this proposal is in every respect fair and made in good faith, without colhision or frattd. The Vendor agrees, if this solicitation submittal is accepted, to execute a Collier County document for the purpose of establishing a formal contractual relationship between the tint and Collier County, for the performance of all requirements to which the solicitation pertains. The Vendor states that the submitted is based upon the documents listed by the above referenced Solicitation. Further, the vendor agrees that if awurded a contract for these goods and/or services, the vendor will not be eligible to compete, submit it proposal, be awarded, or perform as a sub -vendor for any future associated %with work that is a result of this awarded contract, l� Wl' 'ESS WHEREOF, WE have reunt subscribed our names on this clay of... � , �0/f itt the County of ( � � F in the State of flovi � � ~ Firm's Legal Name: J el- m l 4A� ti Address: City, State, Zip Code: Florida Certificate of _ i ky f� 0 0 60 (f Authority Docutttcnt Number / A -7q Federal Tax identification Number *CCR 'f or CAGE Code *Only if Grant Funded g Telephone: v 3 Signature by: %-44 0 5 1 VLLr- (Typed and written)IL /,, / Title: ( r �1 i �/ ALmAti Send payments to: (required if different from above) Contact name: Title: Address: City, State, ZIP Telephone: Email: Office servicing Collier County to place orders (required if different from above) Contact name: Title: Address: City, State, ZIP Telephone: Email: /J Additional Contact Information Ilnformation ` nafne used 'as payee LLG 3 U Asad, 33/� -ibeff Levoo &J R -5 Z 50 a-- y J-0e - (I J41 1 dam 082 t �Lrr oit"ty Adrtti"SUat" serw-es Depatywt Procuaement Sjr�xo D'o!'r f) Form S: Immigration Affidavit Certification This Affidavit is required and should be signed, notarized by an authorized principal of tite firm and submitted with formal solicitation submittals. Further, Vendors are required to enroll in the E -Verify program, and provide acceptable evidence of their enrollment, at the time of cite submission of the Vendor's proposal. Acceptable evidence consists of a copy of the properly completed F.. -Verify Company Profile page or a copy of the fully executed E -Verify Memorandum of Understanding for the company. Failure to include this Affidavit and acceptable evidence of enrollment in tate C -Verify program may deem the Vendor's proposal as non-responsive. Collier County will not intentionally awardCounty contracts to any Vendor who knowingly employs unauthorized alien workers, constituting a violation or the cmploytttent provision contained in 8 U.S.C. Section 1324 a(e) Section 274A(c) of the 11n11ligratiort and Nationality Act ('INA"). Collier County may consider the employment by any Vendor of unauthorized aliens a violation of Section 274A (e) of the INA. Stich Violation by the recipient of the Employment Provisions contained in Section 274A (c) of the INA shall be grounds for unilateral termination of the contract by Collier County. Vendor attests that they are fully compliant with all applicable immigration laws (specifically to the 1986 Immigration Act and subsequent Amendment(s)) and agrees to comply with the provisions of the Memorandum of Understanding with E -Verify and to provide proof of enrollment in The Employment Eligibility Verification System (E -Verify), operated by the Department of Homeland Security in partnership with tithe Social Security Administration at the time of submission ofthe Vendors proposal. Company Natnc�1S 7 Imo's Print Name Signature State of t" County of Omar Aguila Commisslouff FF163033 Expires: SEP 24, 2018 EONDEDTHRU IST FLORIDA NOTARY, LLC Title l �t� t .4, f9 616,r' r j`p_4 t% � �► ��+� Date "rhe sigttee of thcsc Aff idavit guarantees, as evidenced by the sworn affidavit required herein. the truth and accuracy of this affidavit to interrogatories hereinafter made. (0-41), ntiugA7!iato '� �EQEBi�l�ual�alrrtmu�-,�� = t;i i i�.:: •' ':� y BIOS 1Mr 4az zs,�m .a•. � URHTUBGHnn ::ifs ,• i71 .ygATO%AUlR011 TZ! 4rnnlal"'� V'e Y Company ID Number: 1154679 THE E -VERIFY MEMORANDUM OF UNDERSTANDING FOR EMPLOYERS ARTICLE I PURPOSE AND AUTHORITY The parties to this agreement are the Department of Homeland Security (DHS) and the JetPay Payment Services, FL, LLC (Employer). The purpose of this agreement is to set forth terms and conditions which the Employer will follow while participating in E -Verify. E -Verify is a program that electronically confirms an employee's eligibility to work in the United States after completion of Form 1-9, Employment Eligibility Verification (Form 1-9). This Memorandum of Understanding (MOU) explains certain features of the E -Verify program and describes specific responsibilities of the Employer, the Social Security Administration (SSA), and DHS. Authority for the E -Verify program is found in Title IV, Subtitle A, of the Illegal Immigration Reform and Immigrant Responsibility Act of 1996 (IIRIRA), Pub. L. 104-208, 110 Stat. 3009, as amended (8 U.S.C. § 1324a note). The Federal Acquisition Regulation (FAR) Subpart 22.18, "Employment Eligibility Verification" and Executive Order 12989, as amended, provide authority for Federal contractors and subcontractors (Federal contractor) to use E -Verify to verify the employment eligibility of certain employees working on Federal contracts. ARTICLE II RESPONSIBILITIES A. RESPONSIBILITIES OF THE EMPLOYER 1. The Employer agrees to display the following notices supplied by DHS in a prominent place that is clearly visible to prospective employees and all employees who are to be verified through the system: a. Notice of E -Verify Participation b. Notice of Right to Work 2, The Employer agrees to provide to the SSA and DHS the names, titles, addresses, and telephone numbers of the Employer representatives to be contacted about E -Verify. The Employer also agrees to keep such information current by providing updated information to SSA and DHS whenever the representatives' contact information changes. 3. The Employer agrees to grant E -Verify access only to current employees who need E -Verify access. Employers must promptly terminate an employee's E -Verify access if the employer is separated from the company or no longer needs access to E -Verify. Page 1 of 17 E -Verify MOU for Employers I Revision Date 06/01/13 04. V F.-Verify,__ Company ID Number: 1154679 4. The Employer agrees to become familiar with and comply with the most recent version of the E -Verify User Manual. 5. The Employer agrees that any Employer Representative who will create E -Verify cases will complete the E -Verify Tutorial before that individual creates any cases. a. The Employer agrees that all Employer representatives will take the refresher tutorials when prompted by E -Verify in order to continue using E -Verify. Failure to complete a refresher tutoria will prevent the Employer Representative from continued use of E -Verify. 6. The Employer agrees to comply with current Form 1-9 procedures, with two exceptions: a. If an employee presents a "List B" identity document, the Employer agrees to only accept "List B" documents that contain a photo. (List B documents identified in 8 C.F.R. § 274a.2(b)(1)(B)) can be presented during the Form 1-9 process to establish identity.) If an employee objects to the photo requirement for religious reasons, the Employer should contact E -Verify at 888-464-4218. b. If an employee presents a DHS Form 1-551 (Permanent Resident Card), Form 1-766 (Employment Authorization Document), or U.S. Passport or Passport Card to complete Form 1-9, the Employer agrees to make a photocopy of the document and to retain the photocopy with the employee's Form 1-9. The Employer will use the photocopy to verify the photo and to assist DHS with its review of photo mismatches that employees contest. DHS may in the future designate other documents that activate the photo screening tool, Note: Subject only to the exceptions noted previously in this paragraph, employees still retain the right to present any List A, or List B and List C, document(s) to complete the Form 1-9. 7. The Employer agrees to record the case verification number on the employee's Form 1-9 or to print the screen containing the case verification number and attach it to the employee's Form 1-9. 8. The Employer agrees that, although it participates in E -Verify, the Employer has a responsibility to complete, retain, and make available for inspection Forms 1-9 that relate to its employees, or from other requirements of applicable regulations or laws, including the obligation to comply with the antidiscrimination requirements of section 274B of the INA with respect to Form 1-9 procedures. a. The following modified requirements are the only exceptions to an Employer's obligation to not employ unauthorized workers and comply with the anti -discrimination provision of the INA: (1) List B identity documents must have photos, as described in paragraph 6 above; (2) When an Employer confirms the identity and employment eligibility of newly hired employee using E -Verify procedures, the Employer establishes a rebuttable presumption that it has not violated section 274A(a)(1)(A) of the Immigration and Nationality Act (INA) with respect to the hiring of that employee; (3) If the Employer receives a final nonconfirmation for an employee, but continues to employ that person, the Employer must notify DHS and the Employer is subject to a civil money penalty between $550 and $1,100 for each failure to notify DHS of continued employment following a final nonconfirmation; (4) If the Employer continues to employ an employee after receiving a final nonconfirmation, then the Employer is subject to a rebuttable presumption that it has knowingly Page 2 of 17 E -Verify MOU for Employers I Revision Date 06/01/13 V� Y ^V 'Itw v� Company ID Number: 1154679 employed an unauthorized alien in violation of section 274A(a)(1)(A); and (5) no E -Verify participant is civilly or criminally liable under any law for any action taken in good faith based on information provided through the E -Verify. b. DHS reserves the right to conduct Form 1-9 compliance inspections, as well as any other enforcement or compliance activity authorized by law, including site visits, to ensure proper use of E -Verify. 9. The Employer is strictly prohibited from creating an E -Verify case before the employee has been hired, meaning that a firm offer of employment was extended and accepted and Form 1-9 was completed. The Employer agrees to create an E -Verify case for new employees within three Employer business days after each employee has been hired (after both Sections 1 and 2 of Form 1-9 have been completed), and to complete as many steps of the E -Verify process as are necessary according to the E -Verify User Manual. If E -Verify is temporarily unavailable, the three-day time period will be extended until it is again operational in order to accommodate the Employer's attempting, in good faith, to make inquiries during the period of unavailability. 10. The Employer agrees not to use E -Verify for pre-employment screening of job applicants, in support of any unlawful employment practice, or for any other use that this MOU or the E -Verify User Manual does not authorize. 11. The Employer must use E -Verify for all new employees. The Employer will not verify selectively and will not verify employees hired before the effective date of this MOU. Employers who are Federal contractors may qualify for exceptions to this requirement as described in Article 11.13 of this MOU. 12. The Employer agrees to follow appropriate procedures (see Article III below) regarding tentative nonconfirmations. The Employer must promptly notify employees in private of the finding and provide them with the notice and letter containing information specific to the employee's E -Verify case. The Employer agrees to provide both the English and the translated notice and letter for employees with limited English proficiency to employees. The Employer agrees to provide written referral instructions to employees and instruct affected employees to bring the English copy of the letter to the SSA. The Employer must allow employees to contest the finding, and not take adverse action against employees if they choose to contest the finding, while their case is still pending. Further, when employees contest a tentative nonconfirmation based upon a photo mismatch, the Employer must take additional steps (see Article III.B. below) to contact DHS with information necessary to resolve the challenge. 13. The Employer agrees not to take any adverse action against an employee based upon the employee's perceived employment eligibility status while SSA or DHS is processing the verification request unless the Employer obtains knowledge (as defined in 8 C.F.R. § 274a.1(1)) that the employee is not work authorized. The Employer understands that an initial inability of the SSA or DHS automated verification system to verify work authorization, a tentative nonconfirmation, a case in continuance (indicating the need for additional time for the government to resolve a case), or the finding of a photo mismatch, does not establish, and should not be interpreted as, evidence that the employee is not work authorized. In any of such cases, the employee must be provided a full and fair opportunity to contest the finding, and if he or she does so, the employee may not be terminated or suffer any adverse employment consequences based upon the employee's perceived employment eligibility status Page 3 of 17 E -Verify mou for Employers I Revision Date 06/01/13 0 Ve y Company ID Number: 1154679 (including denying, reducing, or extending work hours, delaying or preventing training, requiring an employee to work in poorer conditions, withholding pay, refusing to assign the employee to a Federal contract or other assignment, or otherwise assuming that he or she is unauthorized to work) until and unless secondary verification by SSA or DHS has been completed and a final nonconfirmation has been issued. If the employee does not choose to contest a tentative nonconfirmation or a photo mismatch or if a secondary verification is completed and a final nonconfirmation is issued, then the Employer can find the employee is not work authorized and terminate the employee's employment. Employers or employees with questions about a final nonconfirmation may call E -Verify at 1-888-464- 4218 (customer service) or 1-888-897-7781 (worker hotline). 14. The Employer agrees to comply with Title VII of the Civil Rights Act of 1964 and section 274B of the INA as applicable by not discriminating unlawfully against any individual in hiring, firing, employment eligibility verification, or recruitment or referral practices because of his or her national origin or citizenship status, or by committing discriminatory documentary practices. The Employer understands that such illegal practices can include selective verification or use of E -Verify except as provided in part D below, or discharging or refusing to hire employees because they appear or sound "foreign" or have received tentative nonconfirmations. The Employer further understands that any violation of the immigration -related unfair employment practices provisions in section 274B of the INA could subject the Employer to civil penalties, back pay awards, and other sanctions, and violations of Title VII could subject the Employer to back pay awards, compensatory and punitive damages. Violations of either section 274B of the INA or Title VII may also lead to the termination of its participation in E -Verify. If the Employer has any questions relating to the anti -discrimination provision, it should contact OSC at 1-800-255-8155 or 1-800-237-2515 (TDD). 15. The Employer agrees that it will use the information it receives from E -Verify only to confirm the employment eligibility of employees as authorized by this MOU. The Employer agrees that it will safeguard this information, and means of access to it (such as PINS and passwords), to ensure that it is not used for any other purpose and as necessary to protect its confidentiality, including ensuring that it is not disseminated to any person other than employees of the Employer who are authorized to perform the Employer's responsibilities under this MOU, except for such dissemination as may be authorized in advanoe by SSA or DHS for legitimate purposes. 16. The Employer agrees to notify DHS immediately in the event of a breach of personal information. Breaches are defined as loss of control or unauthorized access to E -Verify personal data. All suspected or confirmed breaches should be reported by calling 1-888-464-4218 or via email at E-Verify(aD_dhs.gov. Please use "Privacy Incident— Password" in the subject line of your email when sending a breach report to E -Verify. 17. The Employer acknowledges that the information it receives from SSA is governed by the Privacy Act (5 U.S.C. § 552a(i)(1) and (3)) and the Social Security Act (42 U.S.C. 1306(a)). Any person who obtains this information under false pretenses or uses it for any purpose other than as provided for in this MOU may be subject to criminal penalties. 18. The Employer agrees to cooperate with DHS and SSA in their compliance monitoring and evaluation of E -Verify, which includes permitting DHS, SSA, their contractors and other agents, upon Page 4 of 17 E -Verify MOu for Employers I Revision Date 06/01/13 O G�` E-VeHf., Company ID Number: 1154679 reasonable notice, to review Forms 1-9 and other employment records and to interview it and its employees regarding the Employer's use of E -Verify, and to respond in a prompt and accurate manner to DHS requests for information relating to their participation in E -Verify. 19. The Employer shall not make any false or unauthorized claims or references about its participation in E -Verify on its website, in advertising materials, or other media. The Employer shall not describe its services as federally -approved, federally -certified, or federally -recognized, or use language with a similar intent on its website or other materials provided to the public. Entering into this MOU does not mean that E -Verify endorses or authorizes your E -Verify services and any claim to that effect is false. 20. The Employer shall not state in its website or other public documents that any language used therein has been provided or approved by DHS, USCIS or the Verification Division, without first obtaining the prior written consent of DHS. 21. The Employer agrees that E -Verify trademarks and logos may be used only under license by DHS/USCIS (see M-795 (Web)) and, other than pursuant to the specific terms of such license, may not be used in any manner that might imply that the Employer's services, products, websites, or publications are sponsored by, endorsed by, licensed by, or affiliated with DHS, USCIS, or E -Verify. 22. The Employer understands that if it uses E -Verify procedures for any purpose other than as authorized by this MOU, the Employer may be subject to appropriate legal action and termination of its participation in E -Verify according to this MOU. B. RESPONSIBILITIES OF FEDERAL CONTRACTORS 1. If the Employer is a Federal contractor with the FAR E -Verify clause subject to the employment verification terms in Subpart 22.18 of the FAR, it will become familiar with and comply with the most current version of the E -Verify User Manual for Federal Contractors as well as the E -Verify Supplemental Guide for Federal Contractors. 2. In addition to the responsibilities of every employer outlined in this MOU, the Employer understands that if it is a Federal contractor subject to the employment verification terms in Subpart 22.18 of the FAR it must verify the employment eligibility of any "employee assigned to the contract" (as defined in FAR 22.1801). Once an employee has been verified through E -Verify by the Employer, the Employer may not create a second case for the employee through E -Verify. a. An Employer that is not enrolled in E -Verify as a Federal contractor at the time of a contract award must enroll as a Federal contractor in the E -Verify program within 30 calendar days of contract award and, within 90 days of enrollment, begin to verify employment eligibility of new hires using E -Verify. The Employer must verify those employees who are working in the United States, whether or not they are assigned to the contract. Once the Employer begins verifying new hires, such verification of new hires must be initiated within three business days after the hire date. Once enrolled in E Verify as a Federal contractor, the Employer must begin verification of employees assigned to the contract within 90 calendar days after the date of enrollment or within 30 days of an employee's assignment to the contract, whichever date is later. Page 5 of 17 E -Verify MOU for Employers I Revision Date 06/01/13 ;wtr r F. -Verify Company ID Number: 1154679 b. Employers enrolled in E -Verify as a Federal contractor for 90 days or more at the time of a contract award must use E -Verify to begin verification of employment eligibility for new hires of the Employer who are working in the United States, whether or not assigned to the contract, within three business days after the date of hire. If the Employer is enrolled in E -Verify as a Federal contractor for 90 calendar days or less at the time of contract award, the Employer must, within 90 days of enrollment, begin to use E -Verify to initiate verification of new hires of the contractor who are working in the United States, whether or not assigned to the contract. Such verification of new hires must be initiated within three business days after the date of hire. An Employer enrolled as a Federal contractor in E -Verify must begin verification of each employee assigned to the contract within 90 calendar days after date of contract award or within 30 days after assignment to the contract, whichever is later. c. Federal contractors that are institutions of higher education (as defined at 20 U.S.C. 1001(a)), state or local governments, governments of Federally recognized Indian tribes, or sureties performing under a takeover agreement entered into with a Federal agency under a performance bond may choose to only verify new and existing employees assigned to the Federal contract. Such Federal contractors may, however, elect to verify all new hires, and/or all existing employees hired after November 6, 1986. Employers in this category must begin verification of employees assigned to the contract within 90 calendar days after the date of enrollment or within 30 days of an employee's assignment to the contract, whichever date is later. d. Upon enrollment, Employers who are Federal contractors may elect to verify employment eligibility of all existing employees working in the United States who were hired after November 6, 1986, instead of verifying only those employees assigned to a covered Federal contract. After enrollment, Employers must elect to verify existing staff following DHS procedures and begin E -Verify verification of all existing employees within 180 days after the election. e. The Employer may use a previously completed Form 1-9 as the basis for creating an E -Verify case for an employee assigned to a contract as long as: i. That Form 1-9 is complete (including the SSN) and complies with Article II.A.6, ii. The employee's work authorization has not expired, and iii. The Employer has reviewed the Form I-9 information either in person or in communications with the employee to ensure that the employee's Section 1, Form 1-9 attestation has not changed (including, but not limited to, a lawful permanent resident alien having become a naturalized U.S. citizen). f. The Employer shall complete anew Form 1-9 consistent with Article II.A.6 or update the previous Form 1-9 to provide the necessary information if: i. The Employer cannot determine that Form 1-9 complies with Article II.A.6, ii. The employee's basis for work authorization as attested in Section 1 has expired or changed, or iii. The Form 1-9 contains no SSN or is otherwise incomplete. Note: If Section 1 of Form 1-9 is otherwise valid and up-to-date and the form otherwise complies with Page 6 of 17 E -Verify MOU for Employers I Revision Date 06/01/13 0 F. -Verify - Company ID Number: 1154679 Article II.C.5, but reflects documentation (such as a U.S. passport or Form 1-551) that expired after completing Form 1-9, the Employer shall not require the production of additional documentation, or use the photo screening tool described in Article II.A.5, subject to any additional or superseding instructions that may be provided on this subject in the E -Verify User Manual. g. The Employer agrees not to require a second verification using E -Verify of any assigned employee who has previously been verified as a newly hired employee under this MOU or to authorize verification of any existing employee by any Employer that is not a Federal contractor based on this Article. 3. The Employer understands that if it is a Federal contractor, its compliance with this MOU is a performance requirement under the terms of the Federal contract or subcontract, and the Employer consents to the release of information relating to compliance with its verification responsibilities under this MOU to contracting officers or other officials authorized to review the Employer's compliance with Federal contracting requirements. C. RESPONSIBILITIES OF SSA 1. SSA agrees to allow DHS to compare data provided by the Employer against SSA's database. SSA sends DHS confirmation that the data sent either matches or does not match the information in SSA's database. 2. SSA agrees to safeguard the information the Employer provides through E -Verify procedures. SSA also agrees to limit access to such information, as is appropriate by law, to individuals responsible for the verification of Social Security numbers or responsible for evaluation of E -Verify or such other persons or entities who may be authorized by SSA as governed by the Privacy Act (5 U.S.C. § 552a), the Social Security Act (42 U.S.C. 1306(a)), and SSA regulations (20 CFR Part 401). 3. SSA agrees to provide case results from its database within three Federal Government work days of the initial inquiry. E -Verify provides the information to the Employer. 4. SSA agrees to update SSA records as necessary if the employee who contests the SSA tentative nonconfirmation visits an SSA field office and provides the required evidence. If the employee visits an SSA field office within the eight Federal Government work days from the date of referral to SSA, SSA agrees to update SSA records, if appropriate, within the eight-day period unless SSA determines that more than eight days may be necessary. In such cases, SSA will provide additional instructions to the employee. If the employee does not visit SSA in the time allowed, E -Verify may provide a final nonconfirmation to the employer. Note: If an Employer experiences technical problems, or has a policy question, the employer should contact E -Verify at 1-888-464-4218. D. RESPONSIBILITIES OF DHS 1. DHS agrees to provide the Employer with selected data from DHS databases to enable the Employer to conduct, to the extent authorized by this MOU: a. Automated verification checks on alien employees by electronic means, and Page 7 of 17 E -Verify MOU for Employers I Revision Date 06/01/13 CAO F.-Verify______,, I's y�r�ll�lllr` Company ID Number: 1154679 b. Photo verification checks (when available) on employees. 2. DHS agrees to assist the Employer with operational problems associated with the Employer's participation in E -Verify. DHS agrees to provide the Employer names, titles, addresses, and telephone numbers of DHS representatives to be contacted during the E -Verify process. 3. DHS agrees to provide to the Employer with access to E -Verify training materials as well as an E -Verify User Manual that contain instructions on E -Verify policies, procedures, and requirements for both SSA and DHS, including restrictions on the use of E -Verify. 4. DHS agrees to train Employers on all important changes made to E -Verify through the use of mandatory refresher tutorials and updates to the E -Verify User Manual. Even without changes to E -Verify, DHS reserves the right to require employers to take mandatory refresher tutorials. 5. DHS agrees to provide to the Employer a notice, which indicates the Employer's participation in E -Verify. DHS also agrees to provide to the Employer anti -discrimination notices issued by the Office of Special Counsel for Immigration -Related Unfair Employment Practices (OSC), Civil Rights Division, U.S. Department of Justice. 6. DHS agrees to issue each of the Employer's E -Verify users a unique user identification number and password that permits them to log in to E -Verify. 7. DHS agrees to safeguard the information the Employer provides, and to limit access to such information to individuals responsible for the verification process, for evaluation of E -Verify, or to such other persons or entities as may be authorized by applicable law. Information will be used only to verify the accuracy of Social Security numbers and employment eligibility, to enforce the INA and Federal criminal laws, and to administer Federal contracting requirements. 8. DHS agrees to provide a means of automated verification that provides (in conjunction with SSA verification procedures) confirmation or tentative nonconfirmation of employees' employment eligibility within three Federal Government worts days of the initial inquiry. 9. DHS agrees to provide a means of secondary verification (including updating DHS records) for employees who contest DHS tentative nonconfirmations and photo mismatch tentative nonconfirmations. This provides final confirmation or nonconfirmation of the employees' employment eligibility within 10 Federal Government work days of the date of referral to DHS, unless DHS determines that more than 10 days may be necessary. In such cases, DHS will provide additional verification instructions. ARTICLE III REFERRAL OF INDIVIDUALS TO SSA AND DHS A. REFERRAL TO SSA 1. If the Employer receives a tentative nonconfirmation issued by SSA, the Employer must print the notice as directed by E -Verify. The Employer must promptly notify employees in private of the finding and provide them with the notice and letter containing information specific to the employee's E -Verify Page 8 of 17 E -Verify mou for Employers I Revision Date 06/01/13 Company ID Number: 1154679 case. The Employer also agrees to provide both the English and the translated notice and letter for employees with limited English proficiency to employees. The Employer agrees to provide written referral instructions to employees and instruct affected employees to bring the English copy of the letter to the SSA. The Employer must allow employees to contest the finding, and not take adverse action against employees if they choose to contest the finding, while their case is still pending. 2. The Employer agrees to obtain the employee's response about whether he or she will contest the tentative nonconfirmation as soon as possible after the Employer receives the tentative nonconfirmation. Only the employee may determine whether he or she will contest the tentative nonconfirmation. 3. After a tentative nonconfirmation, the Employer will refer employees to SSA field offices only as directed by E -Verify. The Employer must record the case verification number, review the employee information submitted to E -Verify to identify any errors, and find out whether the employee contests the tentative nonconfirmation. The Employer will transmit the Social Security number, or any other corrected employee information that SSA requests, to SSA for verification again if this review indicates a need to do so. 4. The Employer will instruct the employee to visit an SSA office within eight Federal Government work days. SSA will electronically transmit the result of the referral to the Employer within 10 Federal Government work days of the referral unless it determines that more than 10 days is necessary. 5. While waiting for case results, the Employer agrees to check the E -Verify system regularly for case updates. 6. The Employer agrees not to ask the employee to obtain a printout from the Social Security Administration number database (the Numident) or other written verification of the SSN from the SSA. B. REFERRAL TO DHS 1. If the Employer receives a tentative nonconfirmation issued by DHS, the Employer must promptly notify employees in private of the finding and provide them with the notice and letter containing information specific to the employee's E -Verify case. The Employer also agrees to provide both the English and the translated notice and letter for employees with limited English proficiency to employees. The Employer must allow employees to contest the finding, and not take adverse action against employees if they choose to contest the finding, while their case is still pending. 2. The Employer agrees to obtain the employee's response about whether he or she will contest the tentative nonconfirmation as soon as possible after the Employer receives the tentative nonconfirmation. Only the employee may determine whether he or she will contest the tentative nonconfirmation. 3. The Employer agrees to refer individuals to DHS only when the employee chooses to contest a tentative nonconfirmation. 4. If the employee contests a tentative nonconfirmation issued by DHS, the Employer will instruct the Page 9 of 17 E -Verify MOU for Employers I Revision Date 06/01/13 To !� r=-Vere 19 yoff Company ID Number: 1154679 employee to contact DHS through its toll-free hotline (as found on the referral letter) within eight Federal Government workdays. 5. If the Employer finds a photo mismatch, the Employer must provide the photo mismatch tentative nonconfirmation notice and follow the instructions outlined in paragraph 1 of this section for tentative nonconfirmations, generally. 6. The Employer agrees that if an employee contests a tentative nonconfirmation based upon a photo mismatch, the Employer will send a copy of the employee's Form 1-551, Form 1-766, U.S. Passport, or passport card to DHS for review by: a. Scanning and uploading the document, or b. Sending a photocopy of the document by express mail (furnished and paid for by the employer). 7. The Employer understands that if it cannot determine whether there is a photo match/mismatch, the Employer must forward the employee's documentation to DHS as described in the preceding paragraph. The Employer agrees to resolve the case as specified by the DHS representative who will determine the photo match or mismatch. 8. DHS will electronically transmit the result of the referral to the Employer within 10 Federal Government work days of the referral unless it determines that more than 10 days is necessary. 9. While waiting for case results, the Employer agrees to check the E -Verify system regularly for case updates. ARTICLE IV SERVICE PROVISIONS A. NO SERVICE FEES 1. SSA and DHS will not charge the Employer for verification services performed under this MOU. The Employer is responsible for providing equipment needed to make inquiries. To access E -Verify, an Employer will need a personal computer with Internet access. ARTICLE V MODIFICATION AND TERMINATION A. MODIFICATION 1. This MOU is effective upon the signature of all parties and shall continue in effect for as long as the SSA and DHS operates the E -Verify program unless modified in writing by the mutual consent of all parties. 2. Any and all E -Verify system enhancements by DHS or SSA, including but not limited to E -Verify checking against additional data sources and instituting new verification policies or procedures, will be covered under this MOU and will not cause the need for a supplemental MOU that outlines these changes. Page 10 of 17 E -Verify MOU for Employers I Revision Date 06/01/13 Company ID Number: 1154679 B. TERMINATION 1. The Employer may terminate this MOU and its participation in E -Verify at any time upon 30 days prior written notice to the other parties. 2. Notwithstanding Article V, part A of this MOU, DHS may terminate this MOU, and thereby the Employer's participation in E -Verify, with or without notice at any time if deemed necessary because of the requirements of law or policy, or upon a determination by SSA or DHS that there has been a breach of system integrity or security by the Employer, or a failure on the part of the Employer to comply with established E -Verify procedures and/or legal requirements. The Employer understands that if it is a Federal contractor, termination of this MOU by any party for any reason may negatively affect the performance of its contractual responsibilities. Similarly, the Employer understands that if it is in a state where E -Verify is mandatory, termination of this by any party MOU may negatively affect the Employer's business. 3. An Employer that is a Federal contractor may terminate this MOU when the Federal contract that requires its participation in E -Verify is terminated or completed. In such cases, the Federal contractor must provide written notice to DHS. If an Employer that is a Federal contractor fails to provide such notice, then that Employer will remain an E -Verify participant, will remain bound by the terms of this MOU that apply to non -Federal contractor participants, and will be required to use the E -Verify procedures to verify the employment eligibility of all newly hired employees. 4. The Employer agrees that E -Verify is not liable for any losses, financial or otherwise, if the Employer is terminated from E -Verify. ARTICLE VI PARTIES A. Some or all SSA and DHS responsibilities under this MOU may be performed by contractor(s), and SSA and DHS may adjust verification responsibilities between each other as necessary. By separate agreement with DHS, SSA has agreed to perform its responsibilities as described in this MOU. B. Nothing in this MOU is intended, or should be construed, to create any right or benefit, substantive or procedural, enforceable at law by any third party against the United States, its agencies, officers, or employees, or against the Employer, its agents, officers, or employees. C. The Employer may not assign, directly or indirectly, whether by operation of law, change of control or merger, all or any part of its rights or obligations under this MOU without the prior written consent of DHS, which consent shall not be unreasonably withheld or delayed. Any attempt to sublicense, assign, or transfer any of the rights, duties, or obligations herein is void. D. Each party shall be solely responsible for defending any claim or action against it arising out of or related to E -Verify or this MOU, whether civil or criminal, and for any liability wherefrom, including (but not limited to) any dispute between the Employer and any other person or entity regarding the applicability of Section 403(d) of IIRIRA to any action taken or allegedly taken by the Employer. E. The Employer understands that its participation in E -Verify is not confidential information and may be disclosed as authorized or required by law and DHS or SSA policy, including but not limited to, Page 11 of 17 E -Verify MOU for Employers I Revision Date 06/01/13 �`..•. `i ��trcr.,c� Company ID Number: 1154679 Congressional oversight, E -Verify publicity and media inquiries, determinations of compliance with Federal contractual requirements, and responses to inquiries under the Freedom of Information Act (FOIA). F. The individuals whose signatures appear below represent that they are authorized to enter into this MOU on behalf of the Employer and DHS respectively. The Employer understands that any inaccurate statement, representation, data or other information provided to DHS may subject the Employer, its subcontractors, its employees, or its representatives to: (1) prosecution for false statements pursuant to 18 U.S.C. 1001 and/or; (2) immediate termination of its MOU and/or; (3) possible debarment or suspension. G. The foregoing constitutes the full agreement on this subject between DHS and the Employer. To be accepted as an E -Verify participant, you should only sign the Employer's Section of the signature page. If you have any questions, contact E -Verify at 1-888-464-4218. Page 12 of 17 E -Verify MOU for Employers I Revision Date 06/01/13 colq� r= -Verify Company ID Number: 1154679 Approved by: Employer JetPay Payment Services, FL, LLC Name (Please Type or Print) Title Christopher F Battel Signature Date Electronically Signed 12/29/2016 Department of Homeland Security — Verification Division Name (Please Type or Print) Title USCIS Verification Division Signature Date Electronically Signed 12/29/2016 Page 13 of 17 E -Verify MOU for Employers I Revision Date 06/01/13 = F. -Ve r fy..: �d�« Company ID Number: 1154679 Information Required for the E -Verify Program Information relating to your Company: Company Name JetPay Payment Services, FL, LLC Company Facility Address 316 South Baylen Street Suite 590 Pensacola, FL 32502 Company Alternate Address County or Parish ESCAMBIA Employer Identification Number 812280449 North American Industry Classification Systems Code 522 Parent Company Number of Employees 20 to 99 Number of Sites Verified for 3 Page 14 of 17 E -Verify MOU for Employers I Revision Date 06/01/13 U F. -Verify - Company ID Number: 1154679 Are you verifying for more than 1 site? If yes, please provide the number of sites verified for in each State: FLORIDA 1 site(s) ILLINOIS 1 site(s) MISSOURI 1 site(s) Page 15 of 17 E -Verify MOU for Employers i Revision Date 06/01/13 F.-Verif Y 1.}../v . �•icn Company ID Number: 1154679 Information relating to the Program Administrator(s) for your Company on policy questions or operational problems: Name Carol A Talamo Phone Number (850) 858 - 3312 Fax Number (850) 444 - 9331 Email Address carol.talamo@jetpay.com Name Rick A Carroll Phone Number (850) 858 - 3315 Fax Number (850) 444 - 9331 Email Address rick.carroll@jetpay.com Page 16 of 17 E -Verify MOU for Employers i Revision Date 06/01/13 CF t E-Verifv ::,..... A.9�.. Company ID Number: 1154679 Page intentionally left blank Page 17 of 17 E -Verify MOU for Employers I Revision Date 06/01/13 050 Coder c4m4nty Mn---4rWn Se, � ws Depntrul rcurirv�:a:ie!':trs au%ta^ Form 6: Vendor Substitute W -9 Request Cor Taxpayer Identification Number and Certification In accordance with tile Internal Revenue Service regulations, Collier County is required to collect tile following information for tax reporting purposes from individuals and companies who do business with the County (including social security numbers if used by the individual or company for tax reporting purposes). Florida Statute 119.071(5) requires that the county notify you in writing of the reason for Collecting this information, which will be used for no other purpose than herein stater!. Please complete all information that applies to your business and return with your quote or proposal. I. General Information (provide all information) Taxpayer Name -77-2 (us shown nil hlcrnlle Iux rellu•!l) Business Name 01 di%jer nt f •uln ua' n ver nun - Address 7 %Ci ~rl�� ' 1� FI '7 � 170 city State PA T Zip Telephone &Lo- -,3-?1 Email P;al<, cerr0 Order Information (Must be filled out) Remit l Payment Information (Must be filled out) Address 64 )` N Address *S A1- S / s + &#I % tit 3 �+2.- % t5n Cit State �' Li City At erten 7, SV'Z-- }' p } State Lip [mail6� — Email 12 iCCdt r�r� 1 (' 2. Company Status (check only ones) Individual/ Sale Proprietor Corporation _Partnership _Tax Exempt (Federal income tax-exempt entity Limited Liability Company under Internal Revenue Service guidelines IRC 501 (c) 3) Enter the tax classification .. , r y(I 1 Lizift : i ".= Piirtnershinj 3. Taxpayer Identification Number (Jar tcrr TiEx�rtingr�Trr�Ince.c nnitJ) Federal Tax Identification Number (TIN)(Vendors who do not have a TIN, will be required to provide a social security number prior to an award). 4. Sign and Date Form: Certification: Ulx/C'!' / Certify thea tE e h2 rinalion shown oil this !Orin is cO1.rev it) im, knowludge. Signat re i _t✓'f— JJ hate —✓_4✓ --------- '1'itl� /,f� l �� 1�hUl1e ili>CI' N l CCA -0 Ferro W'9 Request for Taxpayer (five Form to the yew.December 2014) Identification Number and Certification requester. not Dnf the Traaskrry internal Rovontto Service I. send to the IRS. i Name (as shown on your Incomo tax return). Name Is required on this ¢no; do not leave this Una, blank. JetPay Corporation C4 2 Business name/dtarogardod entity name. If different from abovo JetPay Payment Services, FL, LLC 3 Chock appropriate box for federal tax ctasslOca0cm chock only one of the following seven boxes: 4 Exemptions (codes y only to Indvals; ❑ 210 Corporation aembor LLC etch ❑ S Corporation ❑ Partnership ❑ Trustlostato certain entities, not see inatruottons on pogo 3): sing ❑ Umftod U&Uty company. Enter the tax claselfloatIon (C-0 corporation, SwS corporation, Popartnkuehlp) ► Exempt payee code Of any) o Note. For a eingla-member LLC that 1s disregarded, do not chock LLC; chock the appropriate box In the line above for Exemption from FATCA reporting the tax classification of the afnglo-mombor owner. code Of any) au ❑ Other (see lnstructions)► ;Was •waar.wma,tawewab.v»ush 8 Address (number, stroot, and apt. or suite no.) Requostoee name and address (optlonaQ 3939 West Drive m 0 City, state, and ZIP code Center Valley, PA 18034 7 Uet account numbor(S) ham (optional) MiTil Taxpayer Identification Number IN Enter your TIN in the appropriate box, The TIN provided must match the name given on line 1 to avoid I social security number ^� —01 number (SSN). However, for a backup withholding, For Individuals, this Is generally your a Par I Instructions resident oiler, sole proprietor, or disregarded entity, see the Part I Instructlone on page 3, For other entitles, It Is your employer Identification number (EIN), If you do not have a number, see Now to get a TIN on page 3. or Employer Idontiaoallon number Note, It the account Is In more than one name, sea the instructions for One t and the chart on page 4 for I -7T4] guidelines on whose number to enter. 9 0 —1016131212T Under penalties of perjury, I cerUty that: 1. The number shown on this form Is my correct taxpayer identification number (or I am waiting for a number to be Issued to me); and 2. 1 am not subject to backup withholding because: (a) I am exempt from backup withholding, or (b) I have not been notified by the Internal Revenue Service (IRS) that I am subject to backup withholding as a result of a failure to report all interest or dividends, or (c) the IRS has notified me that I am no longer subject to backup withholding; and 3. 1 am a U.S. citizen or other U.S, person (defined below); and 4. The FATCA code(s) entered on this form Of any) Indicating that I am exempt from FATCA reporting Is correct. Certification lnsftWona, You must cross out item 2 above if you have boon notified by the IRS that you are curent(y subject to backup withholding because you have falled to report all Interest an dividends on your tax return. For real estate transactions, Item 2 does not apply. For mortgage Interest paid, acquisition or abandonment of soured property, cancellation of debt, contributions to an Individual retirement arrangement (IRA), and generally, payments other than interest ltd d dands, you are not required to sign the certification, but you must provide your correct TIN. See the Instructions on Dane 3. f le — Here Lsnpourson► Date7/2-0//7 General instructions /i—�� Section roforances aro to the Internal Revenue Code unloss otherwise noted. Future developments. Information about developments offocting Form W-9 (such as (oglslaUon enacted alter we role= h) io at www.Irs.gov1Av9. Purpose of Form An individual or ontity (Fort W-9 requester) who is required to filo an Information return with the IRS must obtain your corroot taxpayer IdanUOoadon number (TIN) which may be your social security numbor (SSN), individual taxpayer Identification number ((TiM, adoption taxpayerfdonll0catlon number (ATii ), or employer Idon0fication number (EIN)to roport on an Information return the amount paid to you, or other amount reportable on an information return. Examples of Information returns Include, but are not ilmitod to, the following: • Form 1099 -INT pnterest named or paid) • Form 1099 -DN (dividends, Including those from stocks or mutual (undo) • Form 1099-MISO (various typos of income, prize*, awards, or gross proeoods) • Form 1099-B (stock or mutual fund Sales and certain other transaction by brokers) • Form 10995 (proceeds from real estate transacUono) • Form 1099-K (msrchant card and third party network transactions) • Form 1098 (tome mortgage Interest), 1098-E (student loan intorosQ,1098-T (tuition) • Form 1099-C (canceled debt) • Form 1098-A (acquisition or abandonment of aecured property) Use Form W-0 only if you are a U.S. person pncluding a resident allon), to provide your correct TIN, it you do not return Form We to the requester with a 77M, you m/ght be subject to bockup wlthtWding. Soo What is backup withholding? on page 2. By signing the flilod-out form, you: 1. Certify that the TIN you aro giving 19 correct (or you aro walUng for o number to be Issued), 2. Certify that you aro not subject to backup withholding, or 3. Claim exemption from backup withholding If you are a U.S. exempt payee. 11 apptieable, you are also certifying that as a U.S. person, your allocable share of any poMerehlp Income from a U.S. trade or business Is not subject to the withholding tax on foreign partners, share of eNoctivo(y connected Incomo, and 4. Certify that FATCA codo(s) entered on this form Of any) Indicating that you aro exempt from the FATCA reporting, Is correct, Sea What Is FATCA reporting? on page 2 for fuller Information, Cot No. 10231X Form W-9 (Rev. 12.2014) at INSURANCE AND BONDING RE 11tRCMENTS Insurance`/ Bond Type Required Limits I. ® Worker's Compensation Statutory Limits of Florida Statutes, Chapter 440 and all Federal Government Statutory Limits and Requirements Evidence of Workers' Compensation coverage or a Certificate of Exemption issued by the State of Florida is required. Entities that are formed as Sole Proprietorships shall not be required to provide a proof of exemption. An application for exemption can be obtained online at itt. tps;!/rt�.f7dfs;com/baccxe n i 2. X Employer's Liability $_100,000 single limit per occurrence 3. X Commercial General Bodily Injury and Property Damage Liability (Occurrence Form) patterned after the $1.000,00(1—single limit per occurrence, $2,000,000 aggregate for Bodily Injury current ISO form Liability and Property Damage Liability. This shall include Premises rued Operations; Independent Contractors; Products and Completed Operations and Contractual Liability. 4, X Indemnification To the maximum extent permitted by Florida law, the ContractorNendor shall defend, indemnify and hold harmless Collier County, its officers and employees from any and all liabilities, damages, losses and costs, including, but not limited to, reasonable attorneys' fees and paralegals' fees, to the extent caused by the negligence, recklessness, or intentionally wrongful conduct of the Contractor/ Vendor or anyone employed or utilized by the Contractor/Vendor in the performance of this Agreement. 5. ❑ Automobile Liability $ Each Occurrence; Bodily Injury & Property Damage. Owned/Non-owned/Hired; Automobile Included b. ❑ Other insurance as ❑ Watercrafi$ Per Occurrence noted; ❑ United States Longshoreman's and Harborworker's Act coverage shall be maintained where applicable to the completion of the work, 5 Per Occurrence ❑ Maritime Coverage (Jones Act) shall be maintained where applicable to the completion of the work. Per Occurrence ❑ Aircraft Liability coverage shall be carried in limits of not less than $5,000,000 each occurrence if applicable to the completion of the Services under this Agreement. S Per Occurrence ❑ Pollution $ Per Occurrence ❑ Professional liability $ Per claim & in the aggregate ❑ Project Professional Liability S.._"_..v.__._._____... Per Occurrence Hm ❑ Valuable Papers Insurance S Per Occurrence X Cyber Liability 55,000,000 Per Occurrence X Technology Errors & Omissions $5,000,000 Per Occurrence 7. ❑ Bid bond Shall be submitted with proposal response in the form of certified funds, cashiers' check or an irrevocable letter of credit, a cash bond posted with the County Clerk, or proposal bond in a sum equal to 5% of the cost proposal. All checks shall be made payable to the Collier County Board of County Commissioners on a bank or trust company located in the State of Florida and insured by the Federal Deposit Insurance Corporation. 8. ❑ Performance and For projects in excess of $200,000, bonds shall be submitted with the executed Payment Bonds contract by Proposers receiving award, and written for 100% of the Contract award amount, the cost borne by the Proposer receiving an award. The Performance and Payment Bonds shall be underwritten by a surety authorized to do business in the State of Florida and otherwise acceptable to Owner; provided, however, the surety shall be rated as "A-" or better as to general policy holders rating and Class V or higher rating as to financial size category and the amount required shall not exceed 5% of the reported policy holders' surplus, all as reported in the most current Best Key Rating Guide, published by A.M. Best Company, Inc. of 75 Fulton Street, New York, New York 10038. 9. ® Vendor shall ensure that all subcontractors comply with the same insurance requirements that he is required to meet. The same Vendor shall provide County with certificates of insurance meeting the required insurance provisions. 10. ® Collier County must be named as "ADDITIONAL INSURED" on the Insurance Certificate for Commercial General Liability where required. This insurance shall be primary and non-contributory with respect to any other insurance maintained by, or available for the benefit of, the Additional Insured and the Vendor's policy shall be endorsed accordingly. 1 I. ® The Certificate Holder shall be named as Collier County Board of County Commissioners, OR, Board of County Commissioners in Collier County, OR Collier County Government, OR Collier County. The Certificates of Insurance must state the Contract Number, or Project Number, or specific Project description, or must read: For any and all work performed on behalf of Collier County. 12. ® Thirty (30) Days Cancellation Notice required. Vendor's Insurance Statement We understand the insurance requirements of these specifications and that the evidence of insurability may be required within five(5) da f the award of this solicitation. Name of Firm J_�X W,Ce5 fi-1t- Date S / 7 70 a Vendor Signature &' Print Name Insurance Agency Agent Name 168-T(— Q,QIAJ6 Telephone Number p 22 /7 73%d