IRS e-file Security and Privacy Standards FAQs


Are these standards mainly for On-Line (as defined by IRS) providers?

The requirement to report security incidents applies to all Authorized IRS e-file Providers. The other five apply only to e-file Providers that actively participate in Online Filing of individual income tax returns.

The Extended Validation SSL certificate (EVSSL) would offer little additional security relative to the standard SSL certificate of equal encryption "strength." In addition, EVSSL could limit the number of browsers e-file providers could support.

We do not require EVSSL because of its encryption "strength" or because of the highly visible and informative way EVSSL-compatible browsers display EVSSL certificates. We require EVSSL because EVSSL is the only type of SSL certificate whose issuance is subject to a uniform and strict set of standards for authentication of the certificate applicant's identity.

In the text of the requirement, you reference "… in accordance with PCIDSS." Can you please describe where the weekly requirement is listed? When I reviewed 11.2 of the PCIDSS, it identified a quarterly requirement for scanning.

PCIDSS 11.2 requires that the scans be performed "at least quarterly." "At least quarterly" does not necessarily mean "quarterly." Daily, weekly, and monthly all meet the definition of "at least quarterly."

Defining "system components" as "any network component, server, or application that is included in or connected to the taxpayer data environment" and extending that to say "the taxpayer data environment is that part of the network that possesses taxpayer data or sensitive authentication data" isn't clear to us.

Our definitions of "system components" and "taxpayer data environment" are word-for-word out of PCI Data Security Standards except that we replaced "cardholder" with "taxpayer."

Our monitoring tools are likely to detect the type of attack that CAPTCHA could prevent. Rather than implement CAPTCHA, why can't we improve the tools we have? 

The requirement is for an effective challenge-response protocol to protect websites against malicious bots. CAPTCHA is mentioned only as an example.

Clarity is needed on the application of CAPTCHA. Would it be acceptable to only implement this technology on account creation? Or would the IRS require this technology to be used every time a taxpayer saves their data and e-files their return?

The requirement is for an effective challenge-response protocol to protect websites against malicious bots. CAPTCHA is mentioned only as an example. The selected protocol must be implemented in such a way as to detect and prevent attempts at automated bulk submission of fraudulent tax returns.

Because there are many types of security incidents, many types of responses are required. For example, would taking a website offline be an appropriate response to a loss of taxpayer information in printed form? 

There is no requirement for the website to be taken offline. If the website is the proximate cause of the incident, however, the Provider shall cease collecting taxpayer information via the compromised website until the underlying causes of the incident are successfully resolved. Clearly, the website cannot be the proximate cause of loss of taxpayer information in printed form.