Confidential

Request for Quotation

ATM Controller System

05 - Sep. - 2024

© 2024 All rights reserved.

This document contains proprietary information of Whale Cloud and is not to be disclosed or used without the prior written

permission of Whale Cloud.

1 / 6
 Confidential

1. Purpose

The purpose of this Request for Quotation(RFQ) is to solicit quotations from potential vendors for the
procurement of an ATM Controller Solution, hereinafter referred to as ATMC in this document.

2. Project Background

The ATM Controller is a component of the Bank Acquiring system. The purpose of the ATM controller is
to ensure interaction between the ATM network and the processing centre. This interaction includes
sending control commands to ATMs, receiving messages from ATMs, transmitting response codes, etc.

Due to the frequent outages of the bank's existing ATMC system, which have impacted ATM services, the
bank needs to procure a new ATMC system to replace the existing one.

3. PROJECT SCOPE AND REQUIREMENTS

This RFQ does not necessarily represent the final statement of requirements. Requirements might be
subject to change, and Whale Cloud reserves the right to make changes.

3.1. Project precondition

 Having rich bank cases of ATMC server

 Having worked with mainstream ATM Terminal vendors, for example Diebold Nixdorf/NCR/GRG
 PCI certificates, EMVCo Letter of Approval - Contact Terminal Level 1&2

3.2. ATMC Server Solution Introduction

The core capability of the system is to support to interconnect with ATM terminals from different vendors
and to forward payment requests to the Acquiring system for subsequent settlement processing.

Below is a simplified overview figure of ATMC, a system running on the internal bank, responsible for
processing ATM transactions and communicating with the international Acquiring System.
 Confidential
3.3. Functional Requirement

3.3.1. Language

The language for this project and related documents will be English. The language for documentation and
training in this project will be English as well.

The language for back-end/APIs part will be English only.

The language for back-office part will be English, Russian and Kazakh.

3.3.2. Supporting Protocol

The ATMC system should support NDC/DDC international specifications.

3.3.3. Function List

No. Function Remark

Terminal Support connection with ATM terminals from different vendors without
1
Management modifying the ATM terminal.
Provide ATM parameters, including ATM States, Business Screens, Financial
Configuration
2 Institution Tables, Terminal Parameters, Encryption Keys, Configuration ID,
Download
etc., and support downloading parameters to ATM terminals.
Receive deposit, withdrawal, inquiry, transfer, QR payment, top-up, and other
Transaction
3 transactions initiated from ATM terminals, and support interaction with the
Processing
bank's backend system to complete transaction processing.

Generate and issue NDC/DDC commands, including sign-in, ATM transaction,

Command
4 parameter configuration, etc., and receive and parse the responses from ATM
Execution
terminals.

Scenario Flow
5 Design and provide ATM transaction processing pages.
Management

Key Provide functions such as terminal master key generation, installation, and
6
Management transaction security verification.

3.3.4. Transaction List

No. Transaction Remark On-Us/Off-Us

Balance Inquiry.
1 BALANCE The process for clients to request information on card On-Us \ Off-Us
account balances and bonus account balances.

Request for a mini-statement of the last ten transactions on

2 MINISTATEMENT On-Us
the card account
 Confidential

SALARY Request for extended payroll statement with selection of

3 On-Us
STATEMENT period (month/year)

The process of withdrawing cash from a client's card

account with a choice of denomination of banknotes issued.
CASH Withdrawal options:
4 On-Us \ Off-Us
WITHDRAWAL 1. Withdrawal from the card.
2. Withdrawal via NFC-module.
3. Withdrawal by card token.
The process of withdrawing cash from a card account
CASH without a card.
5 WITHDRAWAL Withdrawal options: On-Us
CARDLESS 1. Withdrawal by code.
2. Withdrawal via QR scanning.
The process of depositing cash into a card account.
Replenishment options:
NOTE
6 1. Cash deposit via card reader On-Us
ACCEPTANCE
2. Cash deposit via NFC module reading
3. Cash deposit by card token.
The process of depositing cash into a card without a card
{personal(colvir) account.
7 CASH PAYMENT 1. Cash deposit via QR scanning On-Us
2. Cash deposit by entering the card/account number.
3. Cash deposit by entering the customer ID.
The process of exchanging one cash currency for another
CURRENCY with a preliminary display of the exchange rate, with
8 On-Us
EXCHANGE verification of the client and with subsequent deposit of the
change into the card account.
The process of paying third-party providers using a card
account.
9 RETAIL On-Us \ Off-Us
Payments of mobile communications, utility bills, providers,
etc.
TRANSFERS
The process of transferring funds from one card account to
10 PERSON to On-Us \ Off-Us
another card account.
PERSON

11 PIN CHANGE Process of changing or setting a new PIN code on the card. On-Us \ Off-Us

The process of unlocking or resetting the offline password

12 PIN UNBLOCK On-Us \ Off-Us
entry error limit counter.

The process of obtaining information about the 20-digit card

13 IBAN On-Us
account number.

The process of obtaining information about the codeword

14 CODEWORD On-Us
set on the card.

The process of registration in the homebank application by

APP
15 entering the cell phone number and verifying the one-time On-Us
REGISTRATION
password entered at the ATM.

The process of setting up a bank client's trusted number by

SET VERIFIED
16 entering the cell phone number and verifying the one-time On-Us
NUMBER
password entered at the ATM.

Subscription processing\ unsubscription to SMS alerts for all

17 SMS BANKING On-Us
client cards.
 Confidential
FORGOTEN Process of returning the client's card left in ATM with SMS
18 On-Us
CARD notification and PIN code verification.

The process of closing/opening the ATM financial cycle and

printing the following information:
1. cash-in\cashout cycle number
19 END OF DAY 2. number of captured cards per cycle
3. cash balances in cassettes
4. number of dispensed, accepted, rejected, forgotten bills
in each cassette.

3.4. Technical Requirement

1. The entire ATMC must be deployed locally.

2. It is necessary to support Rehat Linux 8. x or later, Oracle 19c or later.
3. It is necessary to support mainstream microservice architecture and distributed deployment technology,
adopt a modular and low coupling product design concept, and have the ability to run 7 * 24 hours and
design high availability balancing.
4. Adopting agile methodologies and possessing, provide complete CICD tool management and delivery
capabilities.
5. Equipped with automatic elastic expansion capability, like deployment using containerization
technology (Docker, OpenShift, etc.)
6. Application upgrade strategy requires support for grayscale publishing, blue-green publishing, rolling
publishing, and A/B Test; Equipped with seamless upgrade capabilities at the database level to ensure
high application availability, such as incremental data changes, database model changes or switching.
7. Possess complete security capabilities, such as network security control, system security, data security,
and application security.
8. System deployment requires the ability to have 2 regions across three centers, with dual active in a
single region to avoid single point failures and single machine room failures.
9. Capable of providing System continuity and immediate response capability.
10. The overall system service availability requires at least 99.99%.

3.5. Performance Requirement

The daily average volume of the current system is 350,000 transactions, and the design indicator is
around 1,000,000 active transactions per day.

The capacity of the system needs to be able to meet the expected transaction volume, which is maximum
500 TPS.

3.6. Project Timeline

The project should complete within 6 (six) months.

 Confidential
3.7. Maintenance Requirement

After the project delivery is completed, at least 6 months of free babysitting time is required to ensure
the stable operation of the project, such as operation training, on-site operation and maintenance,
knowledge transfer, system monitoring, vulnerability repair, etc.

After the completion of babysitting, the formal operation and maintenance period begins, including on-site
and remote support work, such as customer training, system support, bug fixes, vulnerability fixes, health
checks, system resource monitoring, configuration changes, version upgrade releases, emergency
support, etc.

3.7.1. SLA and KPI for Services

The following SLA is applicable to Production environment and DR system.

Fault Handling SLA Terms
Severity P1 Severity P2 Severity P3 Severity P4
Severity Level
Critical Major Moderate Minor
5*8 5*8
7*24 7*24
Service availability Email or Email or
Call the hotline Call the hotline
*eDO/API Call *eDO/API Call

≤ 30 minutes ≤ 30 minutes ≤60 minutes ≤60 minutes

Response Time
(Calendar Day) (Calendar Day) (Business Day) (Business Day)

Provision of Root Cause

Every Working
Analysis and Error Every 2 hours Every 4 hours -
Day
Correction Status Updates
Service Language English & Russian
On-Time Delivery 95%

3.8. Certification Requirement

The system needs to complete relevant certification, including all card schemes certification testing
and PCI certification.

4. Proposal Format

4.1. Technical Proposal

Please provide a complete technical proposal, software and hardware list, delivery execution plan, etc.
The following information must be included into submitted proposal:
 Executive Summary
 Proposed Solutions and Deployment Architecture Approach
 Proposed ATM Terminal Migration Solution
 Delivery Plan
 RACI (Responsibility, Accountability, Consult, and Inform) Matrix
 Bill of Quotation(BOQ) and software licensing scheme/model
 Non-Disclosure Statement
 Appendix: About the Vendor
 Confidential
4.1.1. Executive Summary

This section will present a high-level synopsis of the Vendor’s responses to the RFQ.
The Executive Summary should be a brief overview of the engagement and should identify the main
features and benefits of the proposed solution and deployment approach.

4.1.2. Proposed Solutions and Deployment Architecture Approach

This section should include but is not limited to:

 Details of proposed solution technical specifications, functions, features, capabilities and
 limitations. The vendor should provide the screenshots of the back-end management portal and the
payment gateway demo.
 High level architecture
 Any suggested alternatives or enhancements recommended for this proposal.
 Licensing model.
 Details of Solution deployment procedures that minimize the operation disruption.
 A list of relevant software and hardware configurations, including a list of dependent open-source
software, hardware server specifications, several sets of environments, etc., which are provided by
bidder and which require the owner to provide.

4.1.3. Proposed ATM Terminal Migration Solution

The solution provided needs to describe how to migrate the bank's thousands of existing ATM terminals
and directly connect them to the new ATMC system.

4.1.4. Delivery Plan

Vendors must provide the corresponding delivery plan and steps.

4.1.5. RACI (Responsibility, Accountability, Consult, and Inform)

Matrix

Vendor must clearly state who is accountable and responsible for each step in the projects, as well as
who should be informed and consult.

4.1.6. Bill of Quotation(BOQ)

Vendor must provide details BOQ including service offering as stated in this RFQ.

4.1.7. Non-Disclosure Statement

The Vendor and team members involved in this project shall agree to not disclose information given, or
found before, during, and after project to any party other than assigned XX staff(s).
 Confidential
4.1.8. Appendix: About the Vendor

This section of the response Vendor should provide the following details about the Bidder
and the partners selected for the delivery of the proposed assignment
 Organization overview
 Management Structure
 Year of establishment (minimum 5 years)
 Key Customers, especially in Banking industry
 Current market position of the product proposed
 Geographical spread of operations and services
 About local presence in Kazakhstan
 Quality Certifications for the service proposed
 Number of engineers in Kazakhstan
 Experience in the execution of similar assignments (min 3 years), The vendor should provide the
scanned copy of the key pages of the contracts.

4.2. Commercial Proposal

Vendors shall provide the below information in their Commercial Proposals, but not limited to:
 Detail product and service cost, including the necessary component for this proposal (ATM
server, certification support, etc.), and the optional part(APP for ATM terminal, the certification
for Card scheme, payment gateway, etc.)
 Support service cost including annual maintenance

5. Schedule of Events, and Proposal

Below are schedule of events.

No Event Date
1 Issue RFI
2 Issue RFQ
Bidder Submission of Technical and Commercial
3
Proposal
4 Proposal presentation
5 Technical Evaluation (Select Finalist/Short-list Bidders)
6 Commercial Evaluation and Negotiation
7 Award RFP to Successful Bidder