POL00324854
Fujitsu Services Ref: PA/TEM/007
COMMERCIAL IN-CONFIDENCE Version: 7.0
Date: 07/08/03
Fujitsu Services Ltd CCN NO: 1202
CHANGE CONTROL NOTE
(CCN)
CCN TITLE: Handling PCI Sensitive Authentication Data and Cardholder Data
CHANGE ADMINISTRATION USE ONLY
CR NO: CR00957 (& CR01034v3 for budgetary purposes only)
CP NO: 4305 (& 4306 for budgetary purposes only)
RELEASE: HNG-X & Horizon Target Release as at T5 (Data Centre Ready for HNG-X) plus three months
EXPIRY DATE: 30th June 2007
CCN RAISED BY: Bill Reynolds, Hilary Forrest, Dave Johns, Jim Sweeting, John Burton
RAISED DATE: 20th June 2007
SUBMISSION DATE: 20th June 2007
EMERGENCY CHANGE PROCEDURE INVOKED: YES/NO
EMERGENCY IMPLEMENTATION DATE: N/A
FUJITSU SERVICES APPROVAL | DATE | POST OFFICE LTD APPROVAL | DATE
SUMMARY OF CHANGE:
Fujitsu Services Limited ("Fujitsu Services") provides, amongst other things, Services and
Applications to Post Office Limited ("Post Office") under an Agreement between them
dated 28 July 1999 (as amended, in particular by CCN 1200) ("Agreement").
Post Office has submitted Change Requests CR00957 and CR01034v3 in response to the
Payment Card Industry (PCI) Data Security Standard. This CCN (the “PCI CCN”) has
been raised in response to those Change Requests (although CR01034v3 is only included in
this PCI CCN for budgetary purposes, the work being covered by CT577a). This PCI CCN
describes amendments to the Agreement necessary to reflect the changes to be made to
Horizon counters, the HNG-X System and to the Operational Services to handle Sensitive
Authentication Data and Cardholder Data. The intention is to introduce these changes
during the Horizon Release occurring at T5 plus three months and as part of Project
HNG-X. For the avoidance of doubt, this PCI CCN does not include work to deliver two
factor authentication for the TESQA application.
This PCI CCN incorporates and consists of this CCN number 1202 and the following
Attachments:
1. Changes to the Agreement (Attachment 1);
2. Changes to CCDs (Attachment 2);
3. Agreed Requirements (Attachment 3) (the “PCI Requirements”); and
4. Illustrative Diagram for Schedule BS, Annex 1, Part 1 (Attachment 4).
OVERALL IMPACT ASSESSMENT: HIGH/MEDIUM/LOW
REASON FOR CHANGE:
To amend the Agreement for the introduction of new and/or modified Applications and
Operational Services as described in this PCI CCN.
DETAILS OF CHANGE:
1. Post Office and Fujitsu Services agree that:
(a) the Agreement and certain CCDs will be amended as set out in this PCI CCN;
and
(b) the PCI Requirements will be included into the Post Office version of the
DOORS tool as agreed Requirements. They will be changeable via the Change
Control Procedure.
2. Each amendment to a CCD or CRD introduced by the Parties in connection with an
amendment to the Agreement described in Attachment 1 will, or will be deemed to,
take effect on the same date on which that amendment to the Agreement takes
effect.
3. Where, in accordance with Sections 1 and 2 above, an amended or new provision of
the Agreement, a CCD or CRD has become effective, but the availability in a Branch
of the function or service described by that new or amended provision is dependent
on the relevant component being activated in that Branch by Post Office, Fujitsu
Services’ obligations in respect of the functionality of the relevant Operational
Services and/or Applications available in or to that Branch prior to such activation
will be those which existed prior to the new or amended provision becoming
effective.
4. As at the date on which this CCN is approved the CCDs and CRDs referenced in
“AMENDED CCDs and/or CRDs Part B” of this CCN have not yet been updated or
approved. Fujitsu Services undertakes to use reasonable endeavours to update
and/or approve these in accordance with the agreed timetable contained in the
HNG-X Programme Plan.
PROPOSED REVISION TO WORDING OF THE AGREEMENT:
As set out in Attachments 1 and 4 to this PCI CCN.
COMMERCIAL TERMS or CHARGES APPLICABLE IN RESPECT OF THIS CCN (if
any):
The provisions of Schedule D1 (Charges), Schedule D7 (Migration Charges) and D8
(HNG-X and Associated Change Development Charges) will be amended as set out in
Attachment 1.
None of the charges due from and payable by Post Office under any Work Orders are varied
in any way by this PCI CCN, and all such charges will remain payable in accordance with
such Work Orders.
LIST OF AGREEMENT SCHEDULES AFFECTED:
Schedule 1 - Interpretation
Schedule A4 - Legislation, Policies and Standards
Schedule B4.4 - Existing Service Levels
Schedule BS - Transition and Migration
Schedule D1 - Charges
Schedule D7 - Migration Charges
Schedule D8 - HNG-X and Associated Change Development Charges
NEW CCDs and/or CRDs: N/A
Reference | Title | Approved Version & Date
AMENDED CCDs and/or CRDs:
The list of CCDs below is divided into two Parts.
Part A lists amended CCDs that have been approved by the Parties, the new versions of
which are introduced by this PCI CCN.
Part B contains the CCDs that, following approval of this PCI CCN, will be updated in
accordance with the provisions of Attachment 2. New versions will be introduced in
accordance with the relevant Change Control Procedure.
Reference | Title | Previous Version & Date | Approved Version & Date
Part A
ARC/SEC/ARC/0001 | Security Constraints | V1.0, 18/08/06 | V2.0, 07/06/07
Part B
EF/IFS/002 | Horizon - Streamline Application Interface Specification | V7.0, 23/09/05 | TBC
EA/IFS/006 | Horizon to POL MIS Application Interface Specification | V5.0, 09/05/06 | TBC
EF/IFS/001 | Horizon - Streamline Technical Interface Specification | V2.0, 12/05/03 | TBC
PA/PER/033 | Horizon Capacity Management and Business Volumes | V5.0, 10/02/06 | TBC
VM/SDM/SD/0017 | Security Management Service: Service Description | V1.0, 24/08/06 | TBC
SVM/SDM/SD/0003 | Data Centre Operations Service: Service Description | V1.0, 31/08/06 | TBC
RS/POL/002 (or its successor) | Horizon Security Policy (or its successor) | V12.0, 05/04/07 | TBC
Policies and Standards:
Schedule A4 will be amended as set out in Attachment 1.
Service Levels (including any Service Level relief required):
There are no new Service Levels. Schedule B4.4 will be amended as described in
Attachment 1.
The Data Centre Operations Service: Service Description (SVM/SDM/SD/0003) will be
amended as described in Attachment 2.
P.O. Ltd Responsibilities:
Post Office shall be responsible for:
(a) provision of a PCI external assessment of the proposed design early in the
development cycle and raising Change Requests for any further changes that
it becomes apparent are required as a result of that assessment;
(b) provision of support from Streamline during HNG-X testing;
(c) providing confirmation that the existing HNG-X Streamline accreditation
testing will include all necessary Streamline accreditation testing for PCI
changes;
(d) confirming that Version 20 of the Streamline document entitled “For the
delivery of transaction data via DIRECT COMMUNICATION” dated
December 2005 constitutes the full documentation from Streamline of the
revised Payment and EMIS file specifications and providing a formal copy of
this document to Fujitsu RMGA Document Management;
(e) providing confirmation from Streamline that the batch interface to Streamline
will continue as at present based on MPPE / RC4;
(f) providing confirmation that LINK and CAPO networks are PCI compliant;
(g) providing confirmation that no changes are required to the LINK interface
specification;
(h) implementing the roll out of the updates to the Client workstations for
TESQA users;
(i) providing confirmation of the list of authorised TESQA users prior to the
Data Centre move and distributing their new Authentication tokens;
(j) confirming that Streamline will make changes to their systems that enable
Fujitsu Services to introduce the change to the new payment file format at
the point of the move to the new Data Centres.
Other:
The Horizon changes will be released as a counter upgrade package independently of the
HNG-X Branch migration package. In accordance with normal practice, the Horizon
changes will be piloted prior to roll out to the Branches. Once enabled, Horizon counters
will protect Cardholder Data and Sensitive Authentication Data as described within this PCI
CCN.
Fujitsu Services will provide reasonable assistance for the PCI external assessment referred
to above in PO Responsibilities bullet point (a).