Meeting_Body
FINANCE, BUDGET AND AUDIT COMMITTEE
JUNE 14, 2023
Subject
SUBJECT: UPGRADE TAP VENDING MACHINES TO MAINTAIN EMV/PCI COMPLIANCE
Action
ACTION: APPROVE CONTRACT MODIFICATION
RECOMMENDATION
Title
AUTHORIZE the Chief Executive Officer to execute Modification No. 173 to Contract No. OP02461010 with Cubic Transportation Systems, Inc. (“Cubic”), so that the TAP Vending Machines can accept payment from credit and debit cards with chips to remain payment card industry (PCI) compliant. This includes upgrades of computer hardware, the Oracle Database, and a Cubic Payment Application (CPA) in the amount of $12,364,519, increasing the total contract value from $389,251,345 to $401,615,864.
Issue
ISSUE
TAP Vending Machines, or TVMs, are installed at rail stations and major bus stops. The TVMs provide on-site access to the customers to purchase fare products and access TAP card information. The operating systems and hardware are reaching the end of life and require an update to receive system patching and support services to maintain network security and remain PCI compliant. The upgrades will also make the hardware ready for open payment technology that uses debit and credit cards for payment.
This contract modification includes two major changes for credit and debit card cybersecurity and compliance. They are:
a) Implement payment card industry (PCI) software modifications to comply with banking requirements for accepting credit and debit card fare payment.
b) Implement software, computer hardware, and EMV (Europay, Mastercard, and Visa) chip reading capability to transfer the liability for fraudulent credit card usage from Metro back to the card issuers.
Background
BACKGROUND
The original Contract No. OP02461010 was awarded by the Board on February 28, 2002. The Universal Fare System was last upgraded in 2016. While the system continues to be maintained by the Cubic Support Services Maintenance Agreement, an upgrade of the software and hardware is needed to help ensure the continued reliability and security of the system.
TAP has grown significantly over the years. TAP is now accepted by 26 transit agencies including, but not limited to, Culver CityBus, Foothill Transit, Long Beach Transit, Santa Monica Big Blue Bus, Torrance Transit, and Angels Flight. TAP can be purchased at almost 1,900 locations throughout Los Angeles County, including Los Angeles County Libraries, online at taptogo.net, rail stations, and major bus hubs.
Discussion
DISCUSSION
To meet the controls for the new Payment Card Industry Secure Software Framework (PCI-SSF) certification and in support of the annual PCI certification assessment of the TAP system at the end of the calendar year 2023, several subsystems require updating. The update includes the purchase, installation, and modification of the Cubic Payment Application (CPA), Oracle Database software, Windows Operating System software, and hardware for the TAP Vending Machines (TVMs).
The second major change is for EMV, which is a technology and payment method designed to limit fraud by using embedded computer chips on credit and debit cards instead of a magnetic stripe card that is currently used on the TVMs. Businesses that do not use systems that accept EMV (chip) cards may become liable for certain fraudulent card transactions.
TAP’s fare collection system requires a version upgrade of the system software to ensure continued reliability and compliance with the latest credit/debit processing standards and patron security. The upgrade involves enhancement in the credit card processing component. It also includes the upgrade of computers and card readers in 577 TVMs.
The update reflects the best approach for extending the life of the existing system, to remain PCI compliant and become EMV compliant, while laying the groundwork for the next generation of payment card technologies. This modification is slated to take up to 16 months to complete after the Notice-To-Proceed is issued.
Financial_Impact
FINANCIAL IMPACT
The project is an approved capital project and is funded in the budget. The fiscal year 2024 funding in the amount of $2,000,000 is included in Cost Center 5440 Revenue Collection in Project 207167.
As this is a multi-year contract, the Senior Executive Officer of TAP Operations and the Executive Officer of TAP/Revenue Collection are responsible for budgeting all future year budget requirements.
Impact to Budget
The funding for these services is from Proposition C 40% and fare revenues. These funds are eligible for bus and rail operating and capital expenses.
Equity_Platform
EQUITY PLATFORM
The system upgrade will provide a benefit for TAP users paying with debit/credit cards by ensuring confidence that their card payment is secure and in compliance with EMV and PCI regulations. In addition, the system improvements will provide faster and more secure sales transactions, which is expected to better serve Metro customers, who often rely on transit as a sole mobility option.
Implementation_of_Strategic_Plan_Goals
IMPLEMENTATION OF STRATEGIC PLAN GOALS
The upgrade of the software and hardware for Universal Fare Collection system will support:
• Strategic Plan Goal #2: Deliver outstanding trip experiences for all users of the transportation system.
• Strategic Plan Goal #5: Provide responsive, accountable, and trustworthy governance with the LA Metro organization.
Alternatives_Considered
ALTERNATIVES CONSIDERED
The Board may choose not to approve the modification of the contract to include the TVM system upgrade project. This could result in fines of up to $100,000/month for each brand (DiscoverCard, MasterCard, Visa, and American Express) or $4.92M over 16 months, higher transaction fees, termination of Metro’s card payment merchant agreement, repetitive violation fines, legal costs, settlements, and judgments due to incidents of compromised data, and the inability to maintain system support, patch and upgrade the TVM and its operating systems. This is not recommended as the TVM and software system upgrade is required to maintain EMV and PCI compliance, which are necessary to avoid additional expenses and to maintain a cost-effective debit and credit card merchant agreement. In addition, the TVMs in their current state cannot accommodate new fare payment technology (open payment and account-based systems).
Next_Steps
NEXT STEPS
Upon approval by the Board, staff will execute Modification No. 173 to Contract No. OP02461010 with Cubic Transportation Systems, Inc. for the TVM upgrade for EMV and PCI compliance.
Attachments
ATTACHMENTS
Attachment A - Procurement Summary
Attachment B - Contract Modification/Change Order Log
Attachment C - DEOD Summary
Prepared_by
Prepared by: Tisha Bruce, Executive Officer, Finance (213) 922-7621
Debra Avila, Deputy Chief Vendor/Contract Management Officer, (213) 418-3051
Reviewed_By
Reviewed by: Nalini Ahuja, Chief Financial Officer, (213) 922-3088
