IRS E-file Security & Privacy Compliance Services

To comply with the E-file Security, Privacy and Business Standards Mandate, all providers must meet standard number six, and all online providers must meet all six standards. 

These standards break down as follows:

1. Online providers must have a current, valid Extended Validation SSL Certificate.
2. Online providers must undergo weekly third-party network vulnerability scans per the Payment Card Industry Data Security Standards (PCI DSS) and retain records of those scans for no less than one year. And if the online provider operates using hosted systems, the host must be PCI DSS compliant.
3. Online providers who collect, transmit or process taxpayer data via a website must have and follow a written data privacy and safeguard policy. The policy must also include the following statement: “We maintain physical, electronic and procedural safeguards that comply with applicable law and federal standards.”
4. Online providers who operate via a website must protect their website against the bulk filing of fraudulent returns.
5. Online providers operating through a website must register their domain name with a U.S.-based registrar accredited by the Internet Corporation for Assigned Names and Numbers (ICANN) and keep the domain unlocked and public.
6. All providers must report security incidents no later than the business day following confirmation of the incident. If the provider's website caused the incident, the provider must stop using the website to collect taxpayer information until all issues are rectified.

Besides complying with these standards, providers to whom the Gramm-Leach-Bliley Act applies must follow the Financial Privacy and Safeguard Rules, which requires the development and implementation of an information security program suitable to the size of the institution.