New IRS e-file Security and Privacy Standards

The IRS has developed six (6) new security and privacy standards to better protect taxpayer information collected, processed and stored by Authorized IRS e-file Providers (Providers) participating in Online Filing of individual income tax returns.

These new standards are based on industry best practices and are intended to supplement the Gramm-Leach-Bliley Act and the implementing rules and regulations promulgated by the Federal Trade Commission.

The IRS strongly encourages Providers participating in Online Filing of individual income tax returns to implement these six (6) new measures for the 2009 filing season.

  1. Extended Validation SSL Certificate
    This standard applies to Authorized IRS e-file Providers participating in Online Filing of individual income tax returns that collect taxpayer information via the Internet. These Providers shall possess a valid and current Extended Validation Secure Sockets Layer (SSL) certificate using SSL 3.0 / TLS 1.0 or later, and a minimum of 1024-bit RSA / 128-bit AES.

  2. External Vulnerability Scan
    This standard applies to Authorized IRS e-file Providers participating in Online Filing of individual income tax returns that collect, transmit, process, or store taxpayer information. These Providers shall contract with an independent third-party vendor to run weekly external network vulnerability scans of all their “system components” in accordance with the applicable requirements of the Payment Card Industry Data Security Standard (PCI DSS). All scans shall be performed by a scanning vendor certified by the Payment Card Industry Security Standards Council and listed on its current list of Approved Scanning Vendors (ASV). In addition, Providers whose systems are hosted shall ensure that their host complies with all applicable requirements of the PCI DSS.

    For the purposes of this standard, “system components” is defined as any network component, server, or application that is included in or connected to the taxpayer data environment. The taxpayer data environment is that part of the network that possesses taxpayer data or sensitive authentication data.

    If scan reports reveal vulnerabilities, action shall be taken to address the vulnerabilities in line with the scan report’s recommendations. Retain weekly scan reports for at least one year. The ASV and the host (if present) shall be located in the United States.

  3. Information Privacy and Safeguard Policies
    This standard applies to Authorized IRS e-file Providers participating in Online Filing of individual income tax returns that own or operate a Web site through which taxpayer information is collected, transmitted, processed or stored. These Providers shall have a written information privacy and safeguard policy consistent with the applicable government and industry guidelines and including the following statement: “we maintain physical, electronic and procedural safeguards that comply with applicable law and federal standards.”

    In addition, Providers’ compliance with these policies shall be certified by a privacy seal vendor acceptable to the IRS.

  4. Web site Challenge-Response Test
    This standard applies to Authorized IRS e-file Providers participating in Online Filing of individual income tax returns that own or operate a Web site through which taxpayer information is collected, transmitted, processed or stored. These Providers shall implement an effective challenge-response protocol (e.g., CAPTCHA) to protect their Web site against malicious bots. Taxpayer information shall not be collected, transmitted, processed or stored unless the user successfully completes this challenge-response test.

  5. Public Domain Name Registration
    This standard applies to Authorized IRS e-file Providers participating in Online Filing of individual income tax returns that own or operate a Web site through which taxpayer information is collected, transmitted, processed or stored. These Providers shall have their Web site’s domain name registered with a domain name registrar that is located in the United States and accredited by the Internet Corporation for Assigned Names and Numbers (ICANN). The domain name shall be locked and not be private.

  6. Reporting of Security Incidents
    This standard applies to Authorized IRS e-file Providers participating in Online Filing of individual income tax returns that collect, transmit, process, or store taxpayer information. These Providers shall report security incidents to the IRS as soon as possible but not later than the next business day after confirmation of the incident. For the purposes of this standard, an event that can result in an unauthorized disclosure, misuse, modification, or destruction of taxpayer information shall be considered a reportable security incident. See instructions for submitting incident reports.

    In addition, if the Provider’s Web site is the proximate cause of the incident, the Provider shall cease collecting taxpayer information via their Web site immediately upon detection of the incident and until the underlying causes of the incident are successfully resolved.

Important Notice:

In July 2007, the IRS issued an e-file rule requiring all Authorized IRS e-file Providers to submit to the IRS the Uniform Resource Locator (URL) of Web sites they own or operate through which taxpayer information is collected, transmitted, processed or stored. This requirement remains mandatory for all Authorized IRS e-file Providers. See instructions for submitting the URL information.

For additional information, see the Frequently Asked Questions (FAQs).
Page Last Reviewed or Updated: December 12, 2008