SSTP IMPLEMENTATION FROM A CSP PERSPECTIVE (transcript of slides, FTA Technology Conference, August 2005)
FTA TECHNOLOGY CONFERENCE AUGUST 2005
SSTP IMPLEMENTATION FROM A CSP PERSPECTIVE
Presented by: Charles Collins, VP, Taxware
Moe Turcotte, Sr. Manager, Taxware
Effective Dates
• Interstate agreement: 10-01-2005
• Amnesty: 10-01-2005 to 9-30-2006
• Contracts for Certified Service Providers: 10-01-2005
• Initial operation of Governing Board: 10-01-2005
Governing Board Chart

Full Members (compliant July 1, 2005)
  State   Date            %
  IN      July 1, 2005    2.22
  IA      July 1, 2005    1.07
  KS      July 1, 2005     .98
  KY      July 1, 2005    1.47
  MI      July 1, 2005    3.62
  MN      July 1, 2005    1.79
  NE      July 1, 2005     .62
  NC      July 1, 2005    2.93
  OK      July 1, 2005    1.26
  SD      July 1, 2005     .28
  WV      July 1, 2005     .66
  States compliant July 1, 2005: 16.90 %

Associate Members (until date noted)
  State   Date                        %
  NJ      October 1, 2005             3.06
  ND      October 1, 2005              .23
  NV      October 1, 2005 (expected)   .73
  UT      July 1, 2006                 .81
  TN      July 1, 2007                2.07
  OH      January 1, 2008             4.14
  AR                                   .97
  WY                                   .18
  Members and Associates: 29.09 %

October 1, 2005: 14 member states (20.92 %); 19 total states (29.09 %)
Required Functions
• Determine requirements
• Develop/revise system
• Deploy system/hardware
• Get solution certified
• Market service
• Integrate with sellers
• Maintain system
Determining the Requirements
• Request for Proposal dated November 1, 2004
• Streamlined Sales and Use Tax Agreement adopted November 12, 2002, as amended
• Certification Issue Paper
• Tax laws, rules and procedures by states not included in SSUTA
• Schemas released by states
• Databases released by states
• Tax laws, rules and procedures by non-streamlined states (seller requirement)
Multiple requirements with many stakeholders
SSUTA Requirements
• SSUTA CAS
• Integrate CAS with seller’s system
• Remit tax collected
• File returns
• Protect privacy of tax information
• Enter into contract with member states and comply with provisions
Request for Proposal Requirements
• Uniform Sourcing
• Exemption Processing
• Uniform Rounding
• Rates and Boundary Changes
• Tax Collection Procedures
• Liability Relief
• Tax Remittance Procedures
• Tax Reporting Procedures
• Record Retention Procedures
• Audit Requirement
• Taxpayer Privacy
• Issue Resolution Procedures (Not Addressed)
Proposed Technology Model 1: Certified Service Provider (CSP)
• Third party providing tax calculation service
• Service includes software for calculation, filing of returns and remitting tax
• CSP software applications must apply SSTP certification standards
  • Calculation accuracy standards
  • Technology standards (e.g., ISO 17799, SAS70)
• CSPs are government contractors compensated by states
• Businesses use CSP at no cost, including integrations
Liabilities and Responsibilities In The CSP World
Certified Service Provider
• Integrations
• Applied data and tax calculations: rates, exemptions, special rules, sourcing rules, certificate maintenance
• Tax liability and statistical reporting
• Funds transfers
• System performance
Merchant
• Fraud or malfeasance
• Accounts payable transactions (purchases)
Government
• Anything missed in the certification process
Consumer
• Claimed entity- or use-based exemptions
Technical Requirements
Capacity
• CSP and Merchants – Can the CSP handle the volume?
• CSP and States – Can the States handle the volume?
Redundancy / Business Continuity / Disaster Recovery
• CSP – Service all Merchants 24 * 7 * 365
• States – Service Clients (CSPs) ? * ? * ?
Security
• Merchants’ Transmissions
• State Transmissions (HTTP, Web Services, FTP)
Privacy
• Non-Public Personally Identifiable Information (NPI)
Implementation of a Hosted Solution
Defense Strategy
• Systems and facilities should be secured by multiple layers of security to ensure adequate protection of resources.
• Ensures that access to critical resources must pass through multiple layers of security before access is granted.
Focus: Risk Assessment
Best Practices: Industry Recognized Assurance, Governance & Compliance
• Developed Application Security
• Deployment Assurance & Security Certification
• Application Security
• Physical Security
• Network Security
• Incident Response
Implementation of a Hosted Solution (cont)
[Diagram: Information Security & Risk. Labels: Information, Asset Value, Threats, Vulnerabilities; Risk Assessment; Unacceptable Risk; Enhance Controls (People & Process Controls, Technology Controls); Acceptable Risk: Operate, Maintain, Monitor, Train.]
Implementation of a Hosted Solution (cont)
Security in Systems Deployment: Minimum Competencies (only a few listed)
• Ensure information security controls and processes are followed in the systems development model.
• Do not mix test and production environments or data. Depersonalize test data used in testing. Validate.
• Institute strict controls upon the access to development program source and libraries. Validate.
• Infrastructure support and operational staff should not have access to source code. Validate.
• Ensure formal change control procedures are followed for all development tasks. Validate.
• Source code should never physically or logically migrate outside of the protected internal company network. Validate.
• Risk assess to develop the most cost effective and efficient information security controls within developed software. Validate.
Implementation of a Hosted Solution (cont)
Application Security: Minimum Competency
• All application servers must be hardened by eliminating unnecessary services, regularly applying security updates, and ensuring U.S. DoD C2 level requirements are met.
• Operating systems and hosted applications must adhere to strict ISO 17799 based security policies that set requirements for accounting, authorization, and authentication.
• System logs and alerts must be continually monitored.
Implementation of a Hosted Solution (cont)
Physical Security: Minimum Competency
Ensure facilities are considered trusted facilities supporting a U.S. Department of Defense trusted computing base rated at DoD C2 level or above.
General
• Security presence at all points of entry
• Digital access cards required
• CCTV surveillance of all entry points and data centers 24x7
• All employees/contractors must pass a background verification and supply fingerprints and handwriting analysis before being granted access to facilities and systems
• Visitors should be escorted at all times
Data Center
• Mantrap entrance for data centers
• Temporary-use digital access cards required for data center access
Tasks for States and CSPs
Stabilizing the requirements
• Finalize requirements
• Account for differences among states
• Deal with new states
• Maintain compliance
• Establish a process for making changes
Marketing the Program
• States
• CSP
Implement Service
• Integration
• Calculation
• Filing and remitting
Pending Issues
Policy Issues
• Digital equivalent definitions
• Use tax issues
• Audit processes
• Compensation issues
• Exemption Administration Issues
• Operation of Governing Board
Questions, Answers & Issues
Please feel free to ask Mr. Collins as many questions as you please.
Thank you