** Please note the RFP is only available to download from Merx **
** Please go to www.merx.com to download and submit the RFP **

Deliverables

Simon Fraser University (SFU) is seeking a qualified Proponent to supply, implement, integrate, and support a comprehensive Campus Card and Mobile Credential System. The solution must provide secure identification, access control, stored-value payments, and mobile services that support daily campus operations. The solution will serve all students, faculty, and staff across the University. This section outlines the Scope of Work and Deliverables that describe the full functional, technical, operational, and service requirements expected from the successful Proponent.

For additional information regarding the current environment, please refer to Appendix F – Current State Overview.

Scope of Work

This project aims to modernize SFU’s campus credentialing ecosystem and establish a unified, secure, and scalable identity platform that supports both current and future functional needs across all SFU campuses. The Proponent’s solution must meet SFU’s operational, technical, and privacy requirements while providing seamless user experience for students, employees, and guests.

SFU is a multi‑campus institution serving approximately 35,000 students and 7,000 faculty and staff, as well as additional affiliates, contractors, alumni, and guests; the proposed solution must be capable of supporting this population and scaling appropriately over the term of the Agreement.

SFU plans to implement similar functionality (plus photo upload capabilities) to what is currently in place as part of the initial rollout, targeting Spring 2027. Other functionality will be rolled out in phases with full project completion targeted for Fall 2027.
It is expected that the core functionality that enables future modules will be rolled out as part of the initial phase.

Note: If functionality requested for Fall 2027 is included as part of the core functionality in a bundled package at the same cost, it does not necessarily need to be disabled at launch and should be highlighted to be specifically addressed during the interview phase. We may explore the feasibility and expected costs of disabling it at that time.

2.1.1 System Overview

The solution must support:

Spring 2027
- Physical card issuance and management
- Integration with SFU systems and campus operations
- Online user account management
- Administration tools for SFU staff
- Real-time or near real-time data synchronization

Fall 2027
- Mobile credentials on iOS and Android
- NFC or equivalent mobile access technologies
- Stored value accounts (printing, dining, vending, retail, recreation, and other services)

The system must be able to serve all SFU campuses, users, and operational units connected to identification, access, and payment services.

2.1.2 Identification & Credentialing

The Proponent must provide a system that:

Spring 2027
- Supports personalized physical cards
- Displays a human‑readable card number in addition to a scannable, machine‑readable identifier on physical cards, to support systems requiring manual identifier entry (e.g., EZProxy authentication). The same identifier requirements apply to physical and mobile credentials.

Fall 2027
- Supports digital/mobile credentials
- Allows issuing, reissuing, suspending, revoking, and restoring credentials
- Automatically deactivates older credentials when new ones are issued
- Supports multiple user affiliations (student, staff, contractor, alumni, temporary visitor)
- Support issuance of temporary or limited‑purpose credentials (physical or digital) for guests, visitors, and affiliates, with configurable duration, access rights, and optional fees.
- Provides secure authentication for identity-based transactions and campus access

2.1.3 Stored Value & Payment Services

The system must:

Fall 2027
- Support declining balance accounts for campus services
- Provide balance visibility, transaction history, and secure online reloads
- Support on-campus POS integration
- Support optional off-campus merchant programs
- Maintain PCI-compliant handling of all financial transactions
- Ensure SFU systems do not store credit card information
- Support offline transaction processing at on-campus POS locations in the event of temporary network or system outages, with secure deferred posting once connectivity is restored
- Support hybrid meal plans that combine All You Care To Eat (AYCTE) access with declining balance components within a single credential
- Support the purchase of meal value packs through the mobile app, with immediate availability of funds

2.1.4 Door Access & Physical Security Integration

The system must provide:

Fall 2027
- Integrate with SFU’s existing access control infrastructure
- Synchronize entitlements based on user status
- Support mobile access (NFC or equivalent) where compatible
- Provide audit logs and reporting needed for security compliance

Door access systems must continue to function during temporary network outages

2.1.5 Mobile Credential & Mobile App Services

The Proponent must provide:

Fall 2027
- An SFU-branded mobile credential app
- Ability to use mobile phones for payments and future door access
- Optional mobile ordering integration for SFU retail and food service providers
- Push notifications and configurable user messaging (preferred)
- Mobile credentials must display the card number in a human‑readable format and support presentation of a scannable, machine‑readable identifier, to accommodate systems that require manual entry or automated capture of the identifier (e.g., EZProxy authentication).

2.1.6 Online Account Management

The solution must include:

Spring 2027
- Administrative tools for card office operations
- Web-based management consoles for authorized SFU staff

Fall 2027
- User portal for balances, reloads, transaction history
- Automated workflows for student/employee onboarding and offboarding
- All web portals, mobile apps, and administrative consoles must comply with WCAG 2.1 AA.
- Provide a secure guest deposit flow to allow non‑SSO payers (e.g., parents) to add funds to a user’s SVA.

2.1.7 Integration Requirements

Required integrations include, but are not limited to:

Spring 2027
- SFU Identity Management (SSO, MFA, LDAP/AD)
- SFU ERP / student information systems (Peoplesoft)
- HR systems for employee data
- Residence and housing systems (StarRez)
- Athletics and Recreation (Fusion)
- Library Services (Alma)
- Printing systems (e.g., PaperCut)
- POS systems (food service, bookstore, parking, vending, recreation)

Fall 2027
- Event access (Ticketing to replace Eventbrite)
- Door access and security systems (Lenel and Honeywell)

All integrations must support API, SSO, secure data exchange, and real-time or near real-time synchronization.

2.1.8 Hosting, Security & Privacy – All for Spring 2027

Mandatory Security & Privacy Requirements

The Proponent must, at minimum:
- Demonstrate compliance with BC Freedom of Information and Protection of Privacy Act (FIPPA) and applicable privacy legislation
- Store and process all SFU Personal Information in Canada (on premise, on cloud or hybrid), unless a PIA has been conducted.
- Provide a current SOC 2 Type II, ISO 27001 certification, or equivalent independent security assessment
- Maintain documented incident response, vulnerability management, and patching processes
- Notify SFU promptly of any security incident or breach involving SFU data or systems
- Maintain third-party risk management practices, and an updated list of all subcontractors with access to SFU data
- Comply with Secure payment processing (PCI DSS)
- Commit to ongoing security support and advance notice of product end of life
- Comply with SFU security, privacy, and data governance policies
- Have data encryption in transit and at rest
- Demonstrate adoption of information security controls aligned with an industry‑recognized information security governance framework (e.g., ISO/IEC 27001/27002, NIST Cybersecurity Framework, or an equivalent framework).

2.1.9 Reporting & Analytics – All for Spring 2027

The solution must provide:
- Financial and transactional reports
- Reconciliation reports for SVA accounts
- Card activity reports
- Audit logs (access, issuance, security)
- Exportable formats for finance, audit, and campus operations

2.1.10 Performance & Reliability – All for Spring 2027

The solution must:
- Maintain 99.9% uptime availability
- Support high availability and redundancy for critical services
- Follow secure disaster recovery and business continuity practices
- Scale to support SFU’s population (students, staff, affiliates, guests)

2.2 Phased Implementation and Timelines

The successful Proponent must deliver the following components, services, and outputs in accordance with the phased implementation timelines described below.
2.2.1 System Delivery, Installation & Configuration

Spring 2027
- Full deployment of all software and hardware components to enable functionality covered in section 1
- Configuration of credentialing, integrations, user portals, and security controls
- Setup of administrative and reporting modules

Fall 2027
- Configuration of SVA
- Delivery of mobile credential functionality

2.2.2 Implementation Services

- A complete project plan including milestones, timelines, dependencies, and resource requirements
- Technical architecture design and documentation
- Data mapping and migration assistance
- System integration with all SFU-required platforms
- Full testing (unit, integration, user acceptance, performance, failover)
- Production cutover and go-live support
- Post-implementation stabilization period (minimum 30 days)

2.2.3 Card Production & Credential Tools

- Carding software and hardware compatible with SFU environments
- Support for SFU card branding and multiple card design templates
- Ability to source photos via camera, upload, or online submission
- Tools for encoding and issuing credentials
- Automatic deactivation of replaced credentials

SFU prefers solutions that can leverage existing card production, access control, and POS hardware where feasible. Proponents are requested to identify any existing equipment that can be reused, along with any limitations or new hardware requirements.

2.2.4 Non-Production Environments

- Provide at least one (1) non-production environment for testing, training, and upgrades
- Mirror production data structures and integrations as closely as possible

2.2.5 Training & Knowledge Transfer

- Initial training for administrators, card office staff, and IT staff as specified by SFU. (Train the Trainer).
- Ongoing training for new features, upgrades, and onboarding
- Written and video documentation for staff and end users
- Technical documentation for integrations, architecture, and configuration

2.2.6 Support, Maintenance & SLA

- A defined Service Level Agreement (SLA) including:
  - Response time commitments
  - Resolution time commitments
  - Escalation procedures
  - Support hours (minimum 8am–5pm Pacific)
  - Options for extended or 24/7 support for critical issues
- Ongoing maintenance, bug fixes, and patches
- Regular feature updates and enhancements
- A dedicated Account Manager
- CVs for all individuals that will be working on implementation of the product and their role in the implementation.

2.2.7 Security, Privacy & Compliance Deliverables

- Privacy Impact Summary
- Data flow diagrams
- System architecture diagrams
- Encryption and access control documentation
- Confirmation of FIPPA compliance
- PCI compliance attestation (if applicable)

2.2.8 Roadmap & Product Lifecycle

- A software development roadmap outlining potential future enhancements.
- Notifications of major releases, changes, and end-of-life components
- Commitment to ongoing product improvements over the contract term

2.2.9 Reporting & Analytics Tools

- Dashboards for operational visibility
- Financial transaction reporting for reconciliation
- Export tools for SFU Finance and departmental audits
- Access logs and activity reports

2.2.10 Project Close-Out

- Final deliverables package including configuration documents, training materials, project reports, and acceptance sign-off
- Knowledge transfer to SFU IT and card office teams
- Final issue resolution prior to project closure

Pricing