
SSTP IMPLEMENTATION FROM A CSP PROSPECTIVE FTA … · 1 FTA TECHNOLOGY CONFERENCE AUGUST 2005...

Date post: 23-Apr-2020

1

FTA TECHNOLOGY CONFERENCE AUGUST 2005

Presented by: Charles Collins, VP Taxware

Moe Turcotte, Sr Manager. Taxware

SSTP IMPLEMENTATION FROM A CSP PROSPECTIVE

2

Effective Dates

Interstate agreement: 10-01-2005

Amnesty: 10-01-2005 to 9-30-2006

Contracts for Certified Service Providers (10-01-2005)

Initial operation of Governing Board: 10-01-2005


3 Governing Board Chart

Full Members

IN  July 1, 2005  2.22
IA  July 1, 2005  1.07
KS  July 1, 2005  .98
KY  July 1, 2005  1.47
MI  July 1, 2005  3.62
MN  July 1, 2005  1.79
NE  July 1, 2005  .62
NC  July 1, 2005  2.93
OK  July 1, 2005  1.26
SD  July 1, 2005  .28
WV  July 1, 2005  .66

4 Governing Board Chart

States Compliant July 1, 2005: 16.90 %

(Associate Members Until Date Noted)
NJ  October 1, 2005  3.06
ND  October 1, 2005  .23
NV  October 1, 2005 (Expected)  .73
UT  July 1, 2006  .81
TN  July 1, 2007  2.07
OH  January 1, 2008  4.14
AR  .97
WY  .18

Members and Associates: 29.09 %

October 1, 2005:
• 14 member states and 20.92%
• 19 total states and 29.09%


5 Required Functions

• Determine requirements
• Develop/revise system
• Deploy system/hardware
• Get solution certified
• Market service
• Integrate with sellers
• Maintain system

6 Determining the Requirements

• Request for Proposal dated November 1, 2004
• Streamlined Sales and Use Tax Agreement adopted November 12, 2002 as amended
• Certification Issue Paper
• Tax laws, rules and procedures by states not included in SSUTA
• Schemas released by states
• Databases released by states
• Tax laws, rules and procedures by non streamlined states (seller requirement)

Multiple requirements with many stakeholders


7 SSUTA Requirements

SSUTA
• CAS
• Integrate CAS with seller’s system
• Remit tax collected
• File returns
• Protect privacy of tax information
• Enter into contract with member states and comply with provisions

8 Request for Proposal Requirements

• Uniform Sourcing
• Exemption Processing
• Uniform Rounding
• Rates and Boundary Changes
• Tax Collection Procedures
• Liability Relief
• Tax Remittance Procedures
• Tax Reporting Procedures
• Record Retention Procedures
• Audit Requirement
• Taxpayer Privacy
• Issue Resolution Procedures (Not Addressed)


9 Proposed Technology Model 1:

Certified Service Provider (CSP)
• Third party providing tax calculation service
• Service includes software for calculation, filing of returns and remitting tax
• CSP software applications must apply SSTP certification standards
  • Calculation accuracy standards
  • Technology standards (e.g., ISO 17799, SAS70)
• CSPs are government contractors compensated by states
• Businesses use CSP at no cost, including integrations

10 Liabilities and Responsibilities In The CSP World

Certified Service Provider
• Integrations
• Applied data and tax calculations
  • Rates
  • Exemptions
  • Special rules
  • Sourcing rules
  • Certificate maintenance
• Tax liability and statistical reporting
• Funds transfers
• System performance

Merchant
• Fraud or malfeasance
• Accounts payable transactions (purchases)

Government
• Anything missed in the certification process

Consumer
• Claimed entity- or use-based exemptions


11 Technical Requirements

Capacity
• CSP and Merchants – Can the CSP handle the volume?
• CSP and States – Can the States handle the volume?

Redundancy / Business Continuity / Disaster Recovery
• CSP – Service all Merchants 24 * 7 * 365
• States – Service Clients (CSPs) ? * ? * ?

Security
• Merchants’ Transmissions
• State Transmissions (HTTP, Web Services, FTP)

Privacy
• Non-Public Personally Identifiable Information (NPI)

12 Implementation of a Hosted Solution

Defense Strategy

• Systems and facilities should be secured by multiple layers of security to ensure adequate protection of resources.

• Ensures that access to critical resources must pass through multiple layers of security before access is granted.

Focus: Risk Assessment
Best Practices: Industry Recognized
• Assurance, Governance, & Compliance
• Developed Application Security
• Deployment Assurance & Security Certification
• Application Security
• Physical Security
• Network Security
• Incident Response


13 Implementation of a Hosted Solution (cont)

[Figure: Information Security & Risk. Diagram labels: Information, Asset Value, Threats, Vulnerabilities, Risk Assessment, People & Process Controls, Technology Controls, Unacceptable Risk, Enhance Controls, Acceptable Risk (Operate, Maintain, Monitor, Train)]

14 Implementation of a Hosted Solution (cont)

Security in Systems Deployment
Minimum Competencies (Only a few listed)

• Ensure information security controls and processes are followed in the systems development model.
• Do not mix test and production environments or data.
• Depersonalize test data used in testing. Validate.
• Institute strict controls upon the access to development program source and libraries. Validate.
• Infrastructure support and operational staff should not have access to source code. Validate.
• Ensure formal change control procedures are followed for all development tasks. Validate.
• Source code should never physically or logically migrate outside of the protected internal company network. Validate.
• Risk assess to develop the most cost effective and efficient information security controls within developed software. Validate.


15 Implementation of a Hosted Solution (cont)

Application Security
Minimum Competency

• All application servers must be hardened by eliminating unnecessary services, regularly applying security updates, and ensuring U.S. DoD C2 level requirements are met.

• Operating systems and hosted applications must adhere to strict ISO 17799 based security policies that set requirements for accounting, authorization, and authentication.

• System logs and alerts must be continually monitored.

16 Implementation of a Hosted Solution (cont)

Physical Security
Minimum Competency

Ensure facilities are considered trusted facilities supporting a U.S. Department of Defense trusted computing base rated at DoD C2 level or above.

General
• Security Presence at all Points of Entry
• Digital Access Cards Required
• CCTV Surveillance of all Entry Points and Data Centers 24x7
• All Employees/Contractors Must Pass a Background Verification, Supply Fingerprints and Handwriting Analysis Before Granted Access to Facilities and Systems
• Visitors should be escorted at all times

Data Center
• Mantrap Entrance for Data Centers
• Temporary Use, Digital Access Cards Required for Data Center Access


17 Tasks for States and CSPs

Stabilizing the requirements
• Finalize requirements
• Account for differences among states
• Deal with new states
• Maintain compliance
• Establish a process for making changes

Marketing the Program
• States
• CSP

Implement Service
• Integration
• Calculation
• Filing and remitting

18 Pending Issues

Policy Issues

Digital equivalent definitions

Use tax issues

Audit processes

Compensation issues

Exemption Administration Issues

Operation of Governing Board


19 Questions, Answers & Issues

Please feel free to ask Mr. Collins as many questions as you please.

Thank you
