WISP


IRS Publication 1345 - Six Supplement Standards


What Are the IRS Six Supplement Standards?

IRS Publication 1345 outlines the Six Supplement Standards that every tax professional must follow to ensure a secure and compliant electronic filing process. These standards provide detailed requirements for handling taxpayer information, maintaining system integrity, and safeguarding data throughout the e-filing lifecycle. As an Electronic Return Originator (ERO) or tax preparer, understanding these guidelines is essential for protecting sensitive client data and avoiding compliance issues with the IRS.

The Six Supplement Standards cover key areas such as data transmission security, requiring encryption protocols to protect information during submission, and multi-factor authentication (MFA) to prevent unauthorized access. They also emphasize the importance of system monitoring, proper record-keeping, and incident response procedures to manage potential breaches effectively. By adhering to these standards and implementing best practices, tax professionals can streamline their operations and instill confidence in their clients. For more insights and tools to meet these requirements, explore resources available at MyPTIN.com.

Attributes of IRS - Six Supplement Standards for your business using WISP

IRS Publication 1345: Updated Standards for Secure Online Tax Filing (Rev. 10-2024)

The latest version of IRS Publication 1345 emphasizes security, compliance, and customer service objectives for Online Providers and Authorized IRS e-file Providers. These standards ensure that taxpayer data is handled securely and responsibly, addressing critical areas such as secure data transmission, vulnerability scanning, privacy safeguards, and incident reporting. Here’s an overview of the key requirements:

1. Extended Validation SSL Certificate

Online Providers of individual income tax returns must have a valid Extended Validation Secure Socket Layer (SSL) certificate using TLS 1.2 or later with a minimum of 2048-bit RSA/128-bit AES encryption. This ensures encrypted and secure connections for all taxpayer transactions.
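A check for the three numeric minimums in standard 1, as an added example that is not taken from Publication 1345 or from this site: it parses the text printed by `openssl s_client` and lists any minimum that is not met. The sample outputs are constructed, the function name is hypothetical, and the check assumes an RSA certificate; it does not verify Extended Validation status.

```python
import re

MIN_TLS = (1, 2)       # "TLS 1.2 or later"
MIN_RSA_BITS = 2048    # "2048-bit RSA" (assumes the certificate key is RSA)
MIN_AES_BITS = 128     # "128-bit AES"

# Constructed samples shaped like `openssl s_client` output (not captured from a real server).
SAMPLE_OK = """Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
"""
SAMPLE_WEAK = """Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : DES-CBC3-SHA
"""

def check_standard_1(s_client_output):
    """Return a list of findings; an empty list means all three minimums are met."""
    findings = []
    # Negotiated protocol from the SSL-Session block ("TLSv1" means TLS 1.0).
    proto = re.search(r"^\s*Protocol\s*:\s*TLSv(\d)(?:\.(\d))?\s*$", s_client_output, re.M)
    if not proto:
        findings.append("protocol: no TLS version reported")
    else:
        version = (int(proto.group(1)), int(proto.group(2) or 0))
        if version < MIN_TLS:
            findings.append("protocol: TLS %d.%d is below TLS 1.2" % version)
    # Size of the public key in the server certificate.
    key = re.search(r"^Server public key is (\d+) bit", s_client_output, re.M)
    if not key:
        findings.append("key: no server public key size reported")
    elif int(key.group(1)) < MIN_RSA_BITS:
        findings.append("key: %s-bit key is below 2048 bits" % key.group(1))
    # AES key length is read from the cipher suite name (AES128, AES_256, ...).
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", s_client_output, re.M)
    aes = re.search(r"AES[_-]?(\d{3})", cipher.group(1)) if cipher else None
    if not cipher:
        findings.append("cipher: no cipher reported")
    elif not aes or int(aes.group(1)) < MIN_AES_BITS:
        findings.append("cipher: %s is not AES with a 128-bit or larger key" % cipher.group(1))
    return findings
```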

2. Weekly External Vulnerability Scans

Online Providers must contract with a Payment Card Industry Security Standards Council (PCI SSC)-certified vendor to conduct weekly vulnerability scans. These scans assess "system components," including networks, servers, and applications connected to the taxpayer data environment. Providers are required to:

  • Address vulnerabilities identified in scan reports promptly.
  • Retain reports for at least one year.
  • Ensure hosting vendors also meet PCI DSS requirements.

All scanning vendors and hosts must be based in the United States.

3. Information Privacy and Safeguard Policies

Authorized IRS e-file Providers collecting taxpayer data must establish a written privacy and safeguard policy aligned with government and industry standards. The policy must include the statement:
"We maintain physical, electronic, and procedural safeguards that comply with applicable law and federal standards."
Compliance with this policy must be validated by an IRS-approved privacy seal vendor.

4. Protection Against Bulk Filing of Fraudulent Returns

To combat fraud, Online Providers must deploy effective technologies that prevent the bulk filing of fraudulent tax returns. Taxpayer information must only be collected, processed, or stored through compliant and secure systems.

5. Public Domain Name Registration

Online Providers must register their website domain names through a U.S.-based, ICANN-accredited registrar. Domains must be locked and not use private registrations to ensure accountability and transparency.

6. Reporting of Security Incidents

Authorized IRS e-file Providers must report any security incidents, such as breaches or unauthorized data access, to the IRS immediately and no later than the next business day. Providers must:

Ensuring Compliance and Security in Tax Filing

Publication 1345 provides a robust framework for securing taxpayer data in the digital age. By adhering to these standards, Providers not only protect sensitive information but also build trust with clients and maintain compliance with federal regulations. To access the full guide and stay updated on IRS requirements, visit IRS Publication 1345.

These IRS "6" Mandated Standards are ATTACHMENT #15 to the MyPTIN WISP document for only $29!

The six IRS-mandated security, privacy, and business standards with the requested columns:

| IRS "6" Mandated Standards | Yes | No | N/A | Firm | Data Security Coordinator | Date |
| --- | --- | --- | --- | --- | --- | --- |
| 1. Extended Validation SSL Certificate | | | | | | |
| 2. External Vulnerability Scan (PCI DSS Compliance) | | | | | | |
| 3. Information Privacy and Safeguard Policies | | | | | | |
| 4. Protection Against Bulk Filing of Fraudulent Income Tax Returns | | | | | | |
| 5. Public Domain Name Registration | | | | | | |
| 6. Reporting of Security Incidents | | | | | | |


Each row corresponds to one of the six standards, allowing for a Yes, No, or N/A response. Fill in the Firm, Data Security Coordinator, and Date columns as needed for tracking and compliance verification.

 


