Payment Card Industry Data Security Standards Audit Readiness.

Quick Summary

The Department of the Air Force (DAF) Air Force Services Center (AFSVC) is seeking a Payment Card Industry Data Security Standard (PCI DSS) compliance expert and a business expert for Audit Readiness. This is a Nonappropriated Fund (NAF) Request for Quote (RFQ) to ensure PCI DSS compliance across DAF NAFI cardholder data environments. Quotes are due by 2:00 PM CST, Thursday, January 29, 2026.

Scope of Work

The contractor will provide expert insight to support AFSVC in achieving and maintaining PCI DSS compliance (v4.0.1 or later). Key tasks include:

• Reviewing data and gap assessments to refine PCI DSS scope.
• Identifying outstanding requirements and developing an expedited compliance path.
• Conducting a formal audit by the end of FY26 (September 30, 2026).
• Guiding the maturation of end-to-end business systems and processes related to merchant processing for 104 worldwide NAFI locations and 2,200+ business activities.
• Deliverables include Project Plans, Strategic Compliance Roadmaps, Risk Assessments, Incident Response & Contingency Planning support, Documentation & Reporting, Security Control Implementation & Remediation, Vulnerability Management, Merchant Services Optimization, Audit Preparation & Execution, Audit Findings & Remediation Plans, PCI DSS Discovery Reports, and Reports on Compliance (ROC) Development.
• The contractor's role is advisory and assessment; technical remediation will be handled under a separate contract.

Contract Details

• Contract Type: Request for Quote (RFQ) F41999-26-Q-0007, anticipated Firm Fixed Price (FFP).
• Funding: Nonappropriated Funds (NAF); Federal Acquisition Regulation (FAR) rules do not apply.
• Set-Aside: None (no requirement for set-asides).
• Period of Performance: One base year plus four one-year option periods, totaling a potential five years. The base year is 12 months after award.
• Place of Performance: Primarily 3515 South General McMullen Bldg. 1, San Antonio, TX 78236-9854, with majority remote work authorized.
• Contractor Qualifications: Must be a Certified Qualified Security Assessor (QSA) with current PCI DSS v4.0.1 certification, experience in DoD/Federal entities, and at least five years of experience establishing enterprise PCI DSS systems for geographically separated organizations. Subcontractor QSA is acceptable.

Submission & Evaluation

• Quotes Due: 2:00 PM CST, Thursday, January 29, 2026.
• Submission Method: Secured email to fay.cameron@us.af.mil and valerie.baltimore@us.af.mil, with a separate email for the password.
• Required Documents: Contractor's Statement of Work (CSOW)/Technical Solution, Supplies/Services/Prices, Deliveries or Performances, NAF Standard Clauses acceptance, Contract Documentation, Contractor Past Performance Information (PPI) (minimum 3 references from last 5 years), Subcontractor/Teaming Partner Consent Letters and PPI (if applicable), and Representations and Certifications.
• Quote Validity: At least 180 calendar days.
• Evaluation: Lowest Price Technically Acceptable (LPTA) based on:
  1. CSOW/Technical Solution (Acceptable/Unacceptable)
  2. Past Performance (Acceptable/Unacceptable)
  3. Cost/Price (realism, balance, reasonableness)
• Oral presentations or interviews may be required.

Key Dates & Contacts

• Questions Due (Past): 4:00 PM CST, Monday, January 12, 2026.
• Consolidated Q&A Posted (Past): 4:00 PM CST, Wednesday, January 14, 2026.
• Primary Contact: Fay Cameron (fay.cameron@us.af.mil, 3804571684)
• Secondary Contact: Valerie Baltimore (valerie.baltimore@us.af.mil, 3804569205)