Awarded to Lucid Support Services Ltd

Start date: Wednesday 11 July 2018
Value: £22,000
Company size: SME
Department for Work and Pensions

PCI -Qualified Security Assessor

3 Incomplete applications

3 SME, 0 large

3 Completed applications

3 SME, 0 large

Important dates

Wednesday 16 May 2018
Deadline for asking questions
Friday 18 May 2018 at 11:59pm GMT
Closing date for applications
Wednesday 23 May 2018 at 11:59pm GMT


Specialist role
Performance analyst
Summary of the work
A Qualified Security Assessor (QSA) to perform an assessment at 2 Data Centres sites, located in the North East England for PCI-DSS compliance standards. The QSA will also be required to undertake further assessments at 2 Contact Centre locations, 1 in North East England and 1 North West England.
Latest start date
Monday 11 June 2018
Expected contract length
It is expected that this piece of work and contract length will be for 4 weeks.
North East England
Organisation the work is for
Department for Work and Pensions
Maximum day rate

About the work

Early market engagement
An internal evaluation has been conducted and the findings have highlighted that an independent third party assessment is required from a suitably Qualified Security Assessor with in date certification to provide a high level assessment of the current payment process of DWP Contact and Data centres.
Who the specialist will work with
The specialist will work with the Principal Architect for New Generation Contact Centres and other principal subject matter experts within the scope of this requirement.
What the specialist will work on
A currently Qualified Security Assessor working for Qualified Security Assessor Company (QSAC) to perform a high level assessment of the current payment processes at two Contact Centres against Version 3.2 of the PCI-DSS standards, whilst considering environment e.g. the agents handling calls.

Perform assessment of process, procedures by interviewing as required to determine the currently suitability, both DWP staff and 3rd Party suppliers.

Produce a report highlighting areas of non-compliance against standards and concerns where DWP may be non-compliant against new PCI-DSS requirements.

Provide information and comment to the DWP architect highlighting possible solutions that DWP may choose to employ.

Work setup

Address where the work will take place
In Manchester and surrounding areas.

In Newcastle and surrounding areas.

Full address details will be provided upon the successful application.
Working arrangements
Visits to sites to conduct audit of Data and Call Centres as a requirement of the role ensuring that all information and evidence is captured. This analysis will result in final presentation and read out to DWP at a Leeds based location.

All travel to DWP sites, accommodation etc. will be arranged by DWP and any expenses incurred to the individual will be refunded in accordance with standard DWP expenses policy.
Security clearance
Baseline Personnel Security Standard (BPSS) vetted

Additional information

Additional terms and conditions

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • A Qualified Security Assessor
  • QSA in date Certification
  • Previous experience working within Payment Card Industry Data Security (PCI-DSS) as a QSA
  • Current employment at a Qualified Security Assessor Company
  • The QSAC/QSA must ahere to the PCI-DSS qualification requirements as laid out by the PCI standards Council
  • Evidence of working with other organizations and outcomes.
Nice-to-have skills and experience
Experience of successfully dealing with Card Not Present (CNP) especially in voice Contact Centres.

How suppliers will be evaluated

How many specialists to evaluate
Cultural fit criteria
  • Have experience of positive engagement with staff
  • Have experience of successfully interviewing staff at all grades
  • Experience of analysis of complex processes,both internal and external
  • Have experience of producing detailed and factual reports
  • Experience of providing recommendations/solutions to highlighted problems
  • Be transparent and collaborative when making decisons
Assessment methods
  • Work history
  • Reference
  • Interview
Evaluation weighting

Technical competence


Cultural fit




Questions asked by suppliers

1. What is the IR35 status and is there a current incumbent?
DWP work with suppliers who are fully compliant with IR35. There is no current incumbent working within this role. Thank you.
2. The job-specification requires a QSA to perform a GAP analysis for the DWP. QSA’s are only able to portray themselves qualified QSA’s if they belong to an QSA organisation as listed on the PCI DSS standards security website. The selected QSA is likely biased towards their own company’s interpretation towards PCI DSS and unlikely to give a clean bill of health to another QSA organisation’s work. Therefore wouldn’t the GAP analysis be better conducted by an independent PCI DSS government-EXPERIENCED-expert in order to provide an objective assessment of the DWP environment? please be clear is this Inside or Outside IR35?
DWP have an obligation to ensure to offer the role openly and fairly in a transparent manner via the Digital MarketPlace and select the supplier based on this. Once a QSA is selected it would be expected that the successful applicant would conduct their assessment fair and transparent manner in accordance with PCI DSS standards.

Regarding IR35 DWP cannot advise a business or supplier on whether they are Inside or Outside IR35 regulations, however we would need to ensure that the selected supplier is fully compliant with the terms of this legislation prior to commencing work for or with DWP.