files.iaa.gov.il web viewa.the relevant screens' sequence flow will lead the user through ......


Upload: dinhthien

Post on 25-Mar-2018



E-Commerce Car Park – Table of Compliance for System Requirements

This document specifies the main technical and functional requirements for the E-Commerce Platform designed for the IAA car park Pre-booking and ancillary services.

For each line the Bidders shall specify one of the following: Full Compliance / Partial Compliance / Non-Compliance / Not Applicable and shall provide details and explanations regarding their response. Additional detailed information per compliance and the technical data that is required can be attached in an external document with proper reference per item.

Par. | Subject | Description of the requirement | Mandatory requirement | Compliance | Technical Data required from respondent | Data to be filled out by respondent

1 Commercial Aspects

1. A payment interactive platform for car park booking and its respective management systems.

NO

2. Cloud based system, complying with requirements and recommendations for human-centered design principles and activities (ISO 9241-210:2010).

NO Specify cloud architecture

3. The system will support customer accounts (member) login with the member's credentials, and non-members as guests, both with a secured environment for payment transactions. The offerings will be identical, while members will enjoy additional membership benefits.

YES State machine flow of both offerings

4. Members will be able to view past bookings and payment history, and change/edit/modify existing bookings they have made

YES

a. Member will have context oriented access permission per system definition

YES

b. Non-member will have access permission only to his last transaction.

YES

5. Payment method for all will follow the known standard PCI for credit cards, and electronic payment systems (like PayPal).

YES Full description of the target implementation


6. The system will be fully branded to the IAA, with seamless experience while transitioning from the IAA web site (home page or any other page) to the car park booking subsystem.

NO

7. The system will be extensible for add-ons per IAA request with Supplier responsible for any required installations training etc., at no additional charge.

NO

8. The system should offer a variety of products and services. In order to simplify this, the requirements in this document will use the word product for both.

NO

9. The system shall allow the customer to make multiple transactions (the purchase of a single or multiple products) within one global business transaction.

YES Describe flow

10. Product handling will include linkage to the booking engine promotion's repository list for automatic enabled promotions.

NO

11. The booking engine will allow print of coupons and/or tickets (with QR).

YES Screen capture/sketch

12. The system will allow edit/delete/change during transaction within a pre-defined time window from the start of the transaction, and will follow the Israeli law, upon completion of transaction.

YES Screen capture/sketch

13. Changes made to advanced transactions may be modified up to 10 minutes prior to the event time.

NO

14. Refund procedure will be handled directly between the customer and the service provider.

NO State machine flow

15. The flowchart (see Technical document)

Confirm compliance

16. The following will take place upon customer login:

YES

a. The relevant screens' sequence flow will lead the user through the actions.

YES

b. The system will issue a single receipt statement per occurrence.

YES

c. The system will conclude the transaction by issuing the respective vouchers to the customer.

YES


17. The system will interact with the respective business, per transaction, from start to end, concluding with sending an invoice e-mail to the customer.

YES Description of multi-business flow

18. All financial data will be directly transferred to the Parking Management System (PMS), including the accounting and bank clearance transactions, and invoices will present the ID of the parking operator.

YES

19. Additional commercial requirements should comply with the following:

YES

a. During a transaction operation, the customer’s identifiable data record will be pushed into a database that will allow future usage of the saved data. This must comply with all Israeli legal requirements and regulations in regards to security, privacy, Credit Card information in accordance with PCI STD, user information etc. The user will be required to agree to a EULA describing this. Registered users will be required to agree once and upon changes, while non-registered users will be required to agree on every transaction.

YES Database description & interface with external systems

b. The stored data, including the transactions, will be the property of the IAA. The database itself will be owned by the IAA and will be operated under full responsibility of the Supplier, including all legal aspects and in accordance with the requirements guidance stated by the IAA (see "IT Aspects"). The Supplier can decide whether to locate the database on premise (his) or in the cloud; in either case, the Supplier will have to comply fully with specific security and regulation directives as will be dictated by the IAA. Financial transactions will be directed to the bank account of the individual supplier based on the product involved within the transaction (i.e. operator of the PMS for booking parking) (not including credit card information used to make payment). The Supplier shall acquaint itself and shall be responsible for compliance with all local laws and regulations applicable to this kind of transaction. The Supplier shall obtain all licenses necessary for its operation.

YES Database location & security guideline

c. The Supplier will be the sole entity responsible for the success or the failure of the operation, the transaction and the clearance with the clearance institutes involved in the transaction. This will include, but not be limited to, changes or cancelation of parts or the complete transaction, failure to receive the service, failure at clearance stage of the transaction etc., to the complete satisfaction of the customers.

YES Specify clearance institution & describe flow of transaction.

d. Financial transaction data will be maintained by the Supplier for at least 7 years, operational transaction data will be maintained by the Supplier for at least 7 years, both in a fully protected and secured environment.

YES

e. The system must be fully redundant in its ability to process banking transactions, by maintaining a fully redundant link to the banking network.

YES Technical description

f. Data records will be encrypted using a strong, well-known and market-accepted encryption scheme. The IAA must approve this scheme in advance.

YES Technical description

g. The Supplier will provide a description of the method and encryption scheme for storing credit card information. The Supplier will have to comply with PCI STD and any directives of the IAA.

YES Provide a description of the method

h. The data in the system, owned by the IAA, will have set access rules to allow access only by authorized IAA users.

YES

i. The basic access permissions will be the following:

1. Super Administration - with full permissions of Read & Write access;
2. Operator - with full Read Only access (viewer);
3. Technician - with Limited Read Only access to pre-defined scope of the system;
4. End-user - with access to user pre-defined area;

YES

j. The system should allow the access rules to be extended in the future to support approved vendors (e.g. airline tickets office, Travel Agent platform, etc.).

YES Technical description

2 Functional Aspects

The system should comply with the currently deployed IAA system, the Scheidt & Bachmann Parking Management System.

(1) Operational Aspects

1. The system must have an attractive design, with the currently deployed look and feel of the IAA website, using the same three languages (English, Hebrew and fully integrated into the Airport’s Parking Management Systems (PMS). Any flow between the system and the IAA site will be smooth & seamless, with the same conceptual flow as the IAA system.

YES Screen Capture/sketch

2. The system must have easy & intuitive UX navigation across.

Screen Capture/sketch

3. The system must have an exceptionally fast response time.

Specify response in msec

4. The system will be optimized for desktop, tablet and mobiles, making the browsing experience smooth and seamless, efficient and attractive.

YES

5. The system should have high speed processing of all transactions:

YES Description of hardware dependency & impact on response time

a. Remote devices will have a maximal delay of (1) second between the user's last input and the system's response to that action (if one is required)

YES Benchmark

b. 10000 concurrent users and 1000 users within an hour will be able to request a product within a 2-second interval between requests

YES Benchmark

c. 95% of all transactions will have no more than (0.5) second delay between the user's last input and the system's response to that action (If one is required)

YES Benchmark

d. The remaining 5% of transactions will have up to (1) second delay between the user's last input and the system's response to that action (If one is required)

YES Benchmark

6. The system will consist of 4 access permission profiles: Administrator, Operators, User and Customer’s

YES Descriptive table of access permission vs activities

7. The system will require a username and password for login to the management system, and to members' accounts. The system will have a 2-factor authentication scheme.

YES

8. The system must implement a hard password scheme requiring passwords with at least 7 characters, with a combination of capital letters, small letters, numbers or special characters (three of four)

NO Description

9. The system will force a password change at least once every 180 days (6 months)

NO

10. (M) The system will be locked after 3 login failures. Management users will get their user released by the system administrator, while customers will be self-released using a built-in mechanism.

YES

11. The system will interface with the current active and future IAA parking systems.

NO

Interface | Provider

Parking Management System | Scheidt & Bachmann

Web Site | IAA

Mobile Application URL | IAA

Various Franchisees (Airlines, Travel Agencies, Coffee, restaurants, Duty Free shops, etc.) | TBD

12. The system must be able to integrate with the following systems:

YES

Management System Interaction

13. The management system will have local & remote Web interactive interface

NO

14. The web management interface will include a comprehensive range of operational actions, including pre-defined graphical reports and dashboards to track real-time management, sales, and finance (for example):

YES Layout & descriptive info

a. Handling customers online based on defined criteria profile;

YES

b. Handling the capacity and occupancy online (average occupancy, peak, uptime);

YES

c. View the currently pre-booked capacity;

YES

d. View projected pre-booking capacity;

YES

e. View sales (orders) based on defined criteria;

i. Sales trends by product (top performance);
ii. Sales trends by hour[s] or date[s];
iii. Sales trends by customer profile;
iv. Revenue;
v. Average transaction value;
vi. Revenue per passenger;
vii. Historical and current peaks and averages;
viii. Transactions reports by month;
ix. Daily list of all financial transactions per suppliers including the specific customer name per transaction
x. Daily list of all financial transactions per customers, divided according to respective suppliers

YES

f. View customer profile based on past usage and purchasing;

YES

g. Customer value on past system used;

YES

h. Forecast future sales based on criteria to maximize revenue

YES


15. The system will send alerts to the PMS such as the following:

YES

a. Crossing threshold on predefined capacity of parking space

YES

b. Multiple reservations for the same car at the same time/date

YES

16. The system will send an indication to the PMS identifying customers with active transactions at the entrance and exit from the parking lots.

NO

17. The system will maintain audit trails of all user actions

YES

18. The audit trail will allow an operator with specific rights to search for records based on dates, times, event type, users and keywords

NO

19. The system will have a built-in mechanism for Localization, starting with the English LTR, and Hebrew RTL.

NO

20. The system will support recognition of various technologies including but not limited to: ANPR, credit card, bar-code, QR code and PIN access.

YES Describe technology

21. The system will support changeable hourly pricing tariffs.

NO Describe logistic

22. The system will provide dynamic pricing being configured interactively or via a file upload capability (CSV or XML)

YES

23. The system will allow full control and flexibility on the availability & pricing of the Add-on through configurable business rules variable by product, car park and location at any desirable time. (LOOK AT TABLE)

YES Describe mechanism

Customer end Interaction

24. The system will support memberships and guest customers.

NO

25. The system will provide members with a user account to manage online purchases, anytime, anywhere, from any device by login via a Self-Manage entry called “My Account/My space”.

YES

26. Members will log in with:

YES

a. Full name/Company name & registration ID, email address, credit card number and password

YES

b. Some form of secondary authentication mechanism such as DUO or Symantec's "VIP Access" system

YES Describe mechanism

27. Casual customers will be supported via multiple customer identification methods like: e-mail, license plate number, credit card details, QR/bar code, booking reference etc. Registration will require an email to be sent to the customer's entered email address, and the customer will then be required to click a link to authorize the registration process

YES Describe specification

28. The system must implement a hardened password scheme with at least 7 characters, combining capital letters, small letters, numbers or special characters (three of four)

YES

29. The system will be locked after three login failures

YES

30. The system will retrieve or renew the password for a customer based on the member's credentials (i.e. an email address as well as a secured question, or via an SMS code sent to the customer’s cell phone).

NO Describe mechanism

31. 2-factor authentication for password retrieval or release should be utilized (sending a code to the cell phone, sending a code via email etc.)

NO

32. Simple, fast & minimal booking procedure for any transaction collecting the following details:

a. Full Name,
b. Mobile number,
c. Departure and arrival dates and times,
d. Car plate number,
e. E-mail.

YES Screen flow


33. Customers will have a link to the booking engine for printing of the applicable promotion's coupon or ticket

NO

34. Members can view their list of bookings, payment history and future bookings

YES

35. The system will display real time parking availability for pre-booking.

NO

36. The system will recommend the most suitable parking products based on value and convenience

NO

37. The system will allow the Customer to check for parking space availability

YES

38. The system will offer the customer an upgrade service such as parking outdoor vs. indoor

NO

39. The system will enforce prepay in advance when a booking is made

YES

40. The system will provide booking confirmations via email and/or SMS, dependent on the customer's request

YES

41. The system will support passing the booking information to the PMS in order to automate entry and exit to and from the parking area

YES

42. The system will have the ability to provide credit/refund to the customer in case of cancelation or a transaction that has not been executed.

NO

3. IT Aspects

1. The system will be an off-the-shelf core system customized to meet the functionality and commercial requirements of the IAA.

NO Provide description

2. The system is expected to be fully functional under all operational and environmental conditions, with High Availability and 99.99% uptime target

YES

3. The system will be fully redundant with no single point of failure at all layers of internal architecture

YES Describe internal architecture

a. Geographical Redundancy is expected for hardware components, database, servers, and external interfaces; the system will be implemented using two complete physical units configured in full redundancy (Active\Passive).

YES

b. Redundancy is expected for network connectivity.

YES

4. Maintenance and service activities (installations and configurations) will not cause interruptions to the normal operation or any downtime. The service will have a high level of tolerance to partial failure.

NO Describe service

5. The system redundancy, resiliency and reliability should be described in detail with proof of actual measurements.

YES Provide descriptions

a. “Switch over procedure” at failure will be handled automatically, but should allow for manual handling by an operator as well.

YES

b. There must be no service loss during the above occurrence.

YES

c. All End Point Devices and interfaces will continue to operate automatically and seamlessly when a switch over occurs

YES

d. The system will have an internal self-restart mechanism, returning the system to the last healthy state of operation, with internal self-testing mechanisms to confirm full health status

YES

6. The system will include a test environment (staging) that is based on a separate set of HW elements.

NO

7. The system will be designed with high standards and state of the art equipment, fully certified and in compliance with well-known acceptable standards (e.g. servers, workstations, displays, peripherals, database, communication protocols, networking devices, etc.).

YES Describe system components

8. All communication protocols will be based on standard protocols; preferred interface among components (SOAP/XML or REST/JSON) and files transferred using SFTP

YES Specify protocols

9. The Testing environment (staging) will allow for the following:

a. Installation of new versions,
b. Replacement of any “EOL” component with its respective certified component that complies with all criteria,
c. Connectivity to external interfaces to verify new versions and compatibility aspects,
d. Support training sessions.

NO

10. The system will be cloud based and will be acquired as a service. The cloud server farm should preferably be located in Ireland. (The technology infrastructure will be defined by the bidder at the time of architecture planning, specifying all expected components, and considering and complying with all security guidelines and regulations followed by the IAA). [The IAA reserves the right to perform black box penetration tests at any given time to verify the system's level of protection]. In any event the storage facilities must be approved in advance by the IAA, and the IAA will maintain the right to request a change of venue if the storage facilities sit in countries that are not considered "friendly" by the IAA

YES Provide descriptions

11. The system will have the ability to define what geographical area the data is stored in

NO

12.a. The cloud solutions will leverage the latest hardware, virtualization and software solutions, with any data center's infrastructure

YES Provide details

13. The following browsers and device operating systems should be supported:

YES

a. Internet Explorer, Chrome, Firefox, Safari, Microsoft Edge

YES

b. Mobile O/S support iOS, and Android, three recent versions in all platforms

YES

14. The system will be designed with the capacity for growth without the need for any financial investment and/or replacement of essential components

NO Specify capacity & method of growth

15. The system storage will store all applications, configurations, audit logs, database and system events

YES

16. The system is expected to grow at a pace of 30%-40% per year. Upon a persistent alert (more than 5 times per day at intervals of 60 min) of capacity usage of any component, the respective component will undergo an upgrade or similar process to continue and maintain operational status below the threshold level

YES Describe capacity handling

17. Backup data: Data will be maintained for 7 years

YES

18. Licenses, Upgrade

YES Describe upgrade

a. The system will send an alarm within 4 hours of the occurrence of any hacking or suspected event of hacking

YES

b. Upgrades policy: The Bidder will ensure periodic upgrades for Patches, Minor and Major Software Releases, Add-On Enhancement and installation - all continuous usage of the system and at no additional cost. The above will be provided and pre-coordinated from time to time with the IAA in writing.

YES

c. Additional upgrades for smooth compatibility with upgraded interfaced add-on systems will be committed and coordinated at no additional cost to the IAA as well

YES

d. The supplier will ensure continuous maintenance and support of the hardware and software components to comply with state of the art offering and smooth migration in case of end of life “EOL” of any component within the system Hardware or Software

YES

e. The license will be provided in the form of a Site License as needed in accordance with the number of seats and the user volume per seat

YES

19. Service (SLA) - see Technical Document

YES Provide comments