Statement of Work
USPTO falls into the PCI-DSS classification as a level 3 merchant, in that it accepts between 20,000 & 1,000,000 Visa credit card fee payments annually from the public, therefore the USPTO is required to meet Visa’s Plastic Card Industry- Data Security Standards (PCI-DSS), requirements to have an Approved Scan Vendor (ASV) perform recurring (at least quarterly) automated external scans of any server that collects/transmits/stores credit card data to ensure the security and integrity of the servers/systems involved. The USPTO currently has 4 such servers that fall into the criteria for requiring automated scans- (2) EFS-Web (Patent application online filing system servers), PRPS (Patent Appeal online processing system server), and RAM (fee collection system server). The Merchant should provide monthly PCI-DSS external scanning for the above four (4) servers and provide a written report for each scanning. In addition, the Merchant should work with the USPTO Security staff as well as other OCIO Personnel in order to execute the scanning of the servers. The Merchant should also work with the OCFO/OFMS personnel in order to execute the scanning of EFS-Web (Patent application online filing system servers), PRPS (Patent Appeal online processing system server), and RAM (fee collection system server).
Deliverables for All Life Cycle Support Work:
USPTO will require a report after each external scan is performed to show the compliance of the servers scanned, along with any vulnerabilities found. The Merchant should be available to discuss the outcome of the scanning with USPTO personnel.