Is Your e-file Tax Return Secure?

Wednesday, March 23, 2011

Ken Stasiak


The IRS is hoping that new security requirements will address common shortcomings associated with online providers (Cloud Providers) filing your tax return on your behalf.

The IRS issued six new security and privacy requirements to supplement GLBA and other security regulations. The ruling went into effect on January 1, 2010, with a one-year grace period.

That means as of now, all Cloud Providers that store, process, or transmit individual income tax returns must demonstrate, at a minimum, compliance with the following:

1. Extended Validation SSL Certificate

2. External Vulnerability Scan

3. Information Privacy and Safeguard Policies

4. Protection Against Bulk Filing of Fraudulent Income Tax Returns

5. Public Domain Name Registration

6. Reporting of Security Incidents

Who is affected?

Providers that collect, process, and store income tax returns need to comply with these requirements. The IRS uses the term “collect”; however, based on their requirements, I believe they should have stayed consistent with the Payment Card Industry’s (PCI) language, which is “store, process, or transmit.”

Common Cloud Providers include TurboTax, H&R Block, and TaxACT; however, if you are using a regional or local CPA firm, they too need to be compliant with the new requirements if they are filing your return electronically.

If you read the IRS mandate, it references the Payment Card Industry Data Security Standard (PCI DSS) and compliance with applicable requirements. If you have read the PCI standard, there are over 220 controls; which ones are applicable to your environment?

"Online Providers of individual income tax returns whose systems are hosted shall ensure that their host complies with all applicable requirements of the PCI DSS."

However, most of us use software on our own PC to submit our tax returns. I wonder if the IRS will mandate secure coding practices around these products? Because the IRS is using PCI requirements, will they require TurboTax and others to conform to Payment Application-DSS standards?

Breaking down the IRS’s six new security and privacy requirements

As a Cloud Provider you must own and operate your website, have your own registered IP address with ICANN, and use a secure and validated SSL certificate; this would cover requirements 1 and 5:

1. Extended Validation SSL Certificate

5. Public Domain Name Registration

Along with functioning as a legitimate online provider, you must demonstrate the ability to protect your clients’ data. Probably the most shocking requirement is weekly Approved Scanning Vendor (ASV) scans as well as compliance with applicable PCI DSS requirements.

The PCI DSS requirements can also be found at PCI Security. Along with these requirements, you must take corrective actions to reduce vulnerabilities.

Section 12.0 of the PCI DSS requires policies and procedures to safeguard information; the IRS requires a license or accreditation seal from a consumer protection and privacy organization.

The IRS references TRUSTe and BBBOnLine as two sources. This relates to requirements 2 through 4:

2. External Vulnerability Scan

3. Information Privacy and Safeguard Policies

4. Protection Against Bulk Filing of Fraudulent Income Tax Returns


As with most regulations, Incident Response is a key requirement. In the event a breach does occur, the ability to respond to and address it in a timely manner is critical.

The IRS mandate is no different, requesting notification of a breach no later than the next business day after confirmation of an “incident.”

In addition to these requirements, if a Cloud Provider’s Web site is the proximate cause of an incident, the provider shall cease collecting taxpayer information via their Web site immediately upon detection of the incident and until the underlying causes of the incident are successfully resolved.

This involves requirement 6:

6. Reporting of Security Incidents

So what do I do?

Don’t wait; tax season is approaching fast! You will need to demonstrate compliance with these requirements effective January 1, 2011, and continue to be compliant with them throughout the year.

Because the IRS is aligning with PCI standards, I would recommend contacting a Qualified Security Assessor (QSA) to assist in meeting the security requirements. Because most QSAs are ASVs, you can get your scans performed by the same vendor.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.