
Summing It Up

Keeping you ahead of the curve with timely news & updates.


PCI DSS 3.2 Req 6.4.6 - Views on Updating PCI DSS Compliance Programs Upon Significant Changes to a Cardholder Data Environment

If you are classified as a merchant or service provider, any time you make a significant change to your cardholder data environment (CDE) you are required to ensure that all relevant PCI DSS requirements have been applied to that change. In practice this adds a step to your change process: identify which PCI DSS requirements apply to the change, apply them, and document how you did so. Examples include updating network diagrams and cardholder data-flow diagrams, confirming new or changed systems are built to your configuration standards and carry the required controls (patching, logging, file-integrity monitoring, anti-virus), and scanning them for vulnerabilities before they go live.

Click to see a short video on PCI DSS 3.2’s Section 6.4.6 requirements

PCI DSS 3.2 Req. 6.4.6

 

Freed Maxick 6.4.6 Guidance   

PCI DSS is a continuous obligation rather than an annual event, so every change to the environment should be approached with compliance considerations in mind. Any significant change to the CDE (Cardholder Data Environment) may require additional documentation (updated diagrams, system inventories and data-flow descriptions) and a review of the affected system configurations against your standards before the change is considered complete.

 

PCI DSS Resources 

For additional insights and guidance on 6.4.6 compliance and other PCI DSS requirements, read our blog post and get a downloadable overview of all recent updates and revisions.

Freed Maxick services for PCI DSS Compliance can be found here. If you wish for a more detailed discussion of your organization’s situations and needs, contact us or call me at 716.847.2651


PCI DSS 3.2 Req 8.3.1 - Views on Multi-Factor Authentication

If you're classified as a service provider or merchant, you're required to implement multi-factor authentication for all non-console administrative access into your cardholder data environment. There are multiple ways this can be accomplished, and you should consult with your QSA about the most appropriate way for your company to implement it.

Click to see a short video on PCI DSS 3.2’s Section 8.3.1 requirements

PCI DSS 3.2: Req. 8.3.1

 

Freed Maxick 8.3.1 Guidance   

Multi-factor authentication confirms a user’s claimed identity using at least two independent factors: knowledge (something only the user knows, such as a password), possession (something only the user has, such as a hardware token or a one-time-code generator on a phone) and inherence (something the user is, such as a fingerprint). PCI DSS requires at least two different factor types, so a second password is not a second factor. Because compromising a single factor is no longer enough, MFA makes it considerably more difficult for attackers or unauthorized users to reach system resources.

 

PCI DSS Resources 

To receive more insights and guidance on 8.3.1 compliance and other PCI DSS requirements, read our blog post and get a downloadable overview of all recent updates and revisions.

Freed Maxick services for PCI DSS Compliance can be found here. If you wish for a more detailed discussion of your organization’s situations and needs, contact us or call me at 716.847.2651


PCI DSS 3.2 Req 10.8 and 10.8.1 - The Process for Detecting, Reporting, and Responding to Failures in Security Mechanisms

If you're classified as a service provider, you need to implement policies, procedures and response mechanisms for detecting and addressing failures of critical security control systems, including firewalls, intrusion detection and prevention systems (IDS/IPS), file-integrity monitoring (FIM), anti-virus, physical and logical access controls, audit logging mechanisms and segmentation controls.

Click to see a short video on PCI DSS 3.2’s Section 10.8 and 10.8.1 requirements

PCI DSS Req. 10.8 and 10.8.1

 

Freed Maxick 10.8 / 10.8.1 Guidance   

Policies and procedures should be reviewed and updated whenever processes change and should accurately reflect the organization’s current PCI environment. Detection mechanisms should be configured to alert trained and qualified personnel promptly in the event of a critical security control failure.

Critical security control failures should be responded to as soon as possible. Any lag in response or remediation can lead to unauthorized control of system resources, data leakage, or the installation of malicious software. Documentation should be prepared that supports the response from both an employee and a system perspective, and 10.8.1 expects the response itself to be documented: when the failure started and ended, its root cause and the remediation applied, any security issues that arose while the control was down, the risk assessment that followed, the controls put in place to prevent recurrence, and the resumption of monitoring.
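As an added illustration written for this page (not part of the original post or a Freed Maxick tool) of what “configured to alert” can look like, the script below runs over constructed heartbeat lines from a hypothetical set of controls and raises an alert when a control reports an error, goes silent longer than its expected interval, or never reports at all. It then opens an incident record carrying the response steps 10.8.1 expects to see documented. Control names, hosts, timestamps and the log format are invented for the demo.

```python
import shlex
from datetime import datetime, timedelta

# Constructed heartbeat/status lines (not real logs). Each security control
# checks in on a schedule; everything after the control name is key=value pairs.
SAMPLE_LOG = """\
2018-03-01T09:55:00Z firewall host=fw-1 status=ok
2018-03-01T10:00:00Z fim-agent host=pos-db-01 status=ok
2018-03-01T10:00:05Z av host=pos-db-01 status=ok
2018-03-01T10:00:10Z ids host=sensor-1 status=ok
2018-03-01T10:05:00Z fim-agent host=pos-db-01 status=ok
2018-03-01T10:05:05Z av host=pos-db-01 status=error msg="definitions 14 days old"
2018-03-01T10:05:10Z ids host=sensor-1 status=ok
"""

# Controls that must be reporting (hypothetical inventory for the demo).
EXPECTED_CONTROLS = {
    ("av", "pos-db-01"), ("fim-agent", "pos-db-01"), ("ids", "sensor-1"),
    ("firewall", "fw-1"), ("logging", "siem-1"),
}
NOW = datetime(2018, 3, 1, 10, 12, 0)  # evaluation time for the demo

# Response steps PCI DSS 3.2 requirement 10.8.1 expects to be performed and documented.
RESPONSE_STEPS = (
    "restore security functions",
    "document failure duration (start and end)",
    "identify and document root cause and remediation",
    "identify and address security issues that arose during the failure",
    "perform risk assessment for further action",
    "implement controls to prevent recurrence",
    "resume monitoring of security controls",
)


def parse_line(line: str):
    """Split '<ts> <control> k=v k=v ...' (quoted values allowed) into parts."""
    ts, control, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in shlex.split(rest))
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), control, fields


def _alert(control, host, now, last_ok, reason):
    return {"control": control, "host": host, "detected_at": now,
            "last_ok": last_ok, "reason": reason}


def detect_failures(log_text: str, now: datetime,
                    max_silence: timedelta = timedelta(minutes=10),
                    expected=EXPECTED_CONTROLS):
    """Return one alert per expected control that is erroring, silent, or missing."""
    latest = {}   # (control, host) -> (timestamp, status, message) of newest line
    last_ok = {}  # (control, host) -> timestamp of newest status=ok line
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, control, f = parse_line(line)
        key = (control, f["host"])
        status = f.get("status", "unknown")
        if key not in latest or ts > latest[key][0]:
            latest[key] = (ts, status, f.get("msg", ""))
        if status == "ok" and (key not in last_ok or ts > last_ok[key]):
            last_ok[key] = ts

    alerts = []
    for control, host in sorted(expected):
        key = (control, host)
        if key not in latest:
            alerts.append(_alert(control, host, now, None, "never reported"))
            continue
        ts, status, msg = latest[key]
        age = now - ts
        if status != "ok":
            reason = f"{status}: {msg}".rstrip(": ")
            alerts.append(_alert(control, host, now, last_ok.get(key), reason))
        elif age > max_silence:
            minutes = int(age.total_seconds() // 60)
            alerts.append(_alert(control, host, now, ts, f"no heartbeat for {minutes} min"))
    return alerts


def open_incident(alert: dict) -> dict:
    """Turn an alert into the record 10.8.1 asks for; every step starts as pending."""
    return {
        "control": alert["control"], "host": alert["host"], "reason": alert["reason"],
        "detected_at": alert["detected_at"],
        "failure_start": alert["last_ok"],  # last known-good check-in, None if never seen
        "failure_end": None,                # filled in when the control is restored
        "response_steps": {step: "pending" for step in RESPONSE_STEPS},
    }


if __name__ == "__main__":
    for a in detect_failures(SAMPLE_LOG, NOW):
        print(f"{a['control']}@{a['host']}: {a['reason']}")
```

The silence threshold is the important tuning knob: it should be a small multiple of the control’s real check-in interval, so that a stopped FIM agent or a firewall that has dropped off the management network is noticed in minutes rather than at the next quarterly review.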

 

PCI DSS Resources 

To receive more insights and guidance on 10.8 and 10.8.1 compliance and other PCI DSS requirements, read our blog post and get a downloadable overview of all recent updates and revisions.

Freed Maxick services for PCI DSS Compliance can be found here. If you wish for a more detailed discussion of your organization’s situations and needs, contact us or call me at 716.847.2651.

 


PCI DSS 3.2 Req 11.3.4.1 - Views on Semi-annual Penetration Testing

If you are a service provider that uses network segmentation to reduce the scope of your PCI DSS assessment, the penetration test that validates your segmentation controls, formerly an annual requirement, must now be performed at least every six months and after any change to the segmentation controls or methods. (The annual application and network penetration test under 11.3 still applies.) Make sure to reach out to your QSA to confirm that you are meeting this timing requirement.

Click to see a short video on PCI DSS 3.2’s Section 11.3.4.1 requirements

PCI DSS 3.2 Req. 11.3.4.1

 

Freed Maxick 11.3.4.1 Guidance   

Organizations should schedule penetration tests in advance to meet the timing requirement. An experienced and qualified penetration tester with organizational independence (not necessarily a QSA or ASV) should perform the assessment to validate that segmentation is operational and effective: that out-of-scope systems cannot reach the cardholder data environment, and that the documented CDE boundary matches what is actually reachable.
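The tester’s core deliverable for 11.3.4.1 is evidence that nothing in an out-of-scope segment can reach the CDE. The script below is an added example written for this page (not a Freed Maxick tool) that parses the grepable output of an nmap scan run from an out-of-scope vantage point and reports segmentation failures. The scan output, CDE host list and addresses are constructed for the demo.

```python
import re

# Constructed nmap grepable (-oG) output (not a real scan), as produced when the
# tester scans the CDE address range from an out-of-scope segment.
SAMPLE_SCAN = """\
# Nmap 7.70 scan initiated as: nmap -Pn -p 22,443,1433,3389 -oG - 10.10.20.0/28
Host: 10.10.20.5 ()\tStatus: Up
Host: 10.10.20.5 ()\tPorts: 22/filtered/tcp//ssh///, 443/filtered/tcp//https///, 1433/filtered/tcp//ms-sql-s///, 3389/filtered/tcp//ms-wbt-server///
Host: 10.10.20.6 ()\tStatus: Up
Host: 10.10.20.6 ()\tPorts: 22/closed/tcp//ssh///, 443/open/tcp//https///, 1433/open/tcp//ms-sql-s///, 3389/closed/tcp//ms-wbt-server///
Host: 10.10.20.7 ()\tStatus: Up
Host: 10.10.20.7 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (3)
# Nmap done -- 16 IP addresses (3 hosts up) scanned
"""

# Hosts documented as in the CDE (hypothetical inventory for the demo).
CDE_HOSTS = {"10.10.20.5", "10.10.20.6"}

# 'Ports:' lines look like: Host: <ip> (<name>)\tPorts: <entry>, <entry>[\tIgnored State: ...]
HOST_PORTS_RE = re.compile(
    r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)\s+Ports: (?P<ports>.*?)(?:\s+Ignored State:.*)?$"
)


def parse_grepable(text: str) -> dict:
    """Parse nmap -oG 'Ports:' lines into {ip: [(port, state, proto, service), ...]}."""
    results = {}
    for line in text.splitlines():
        m = HOST_PORTS_RE.match(line)
        if not m:
            continue  # comment lines and 'Status:' lines carry no port data
        for entry in m.group("ports").split(", "):
            parts = entry.split("/")  # port/state/proto/owner/service/rpc/version/
            results.setdefault(m.group("ip"), []).append(
                (int(parts[0]), parts[1], parts[2], parts[4])
            )
    return results


def check_segmentation(scan_text: str, cde_hosts=CDE_HOSTS,
                       documented_exceptions=frozenset()) -> dict:
    """Classify what the out-of-scope vantage point could reach.

    - violations: open ports on CDE hosts that are not documented, approved exceptions
      (an exception is a (ip, port) pair, e.g. a reviewed jump-host rule)
    - cde_closed_responses: CDE ports that answered 'closed' (a RST came back, so the
      segmentation control is not blocking traffic to the host even if the port is shut)
    - reachable_non_cde: open ports on hosts in the scanned range that are not in the CDE
      inventory, flagged so the scope inventory can be re-checked
    """
    violations, closed_responses, non_cde = [], [], []
    for ip, ports in sorted(parse_grepable(scan_text).items()):
        for port, state, proto, service in ports:
            if ip in cde_hosts:
                if state == "open" and (ip, port) not in documented_exceptions:
                    violations.append((ip, port, service))
                elif state == "closed":
                    closed_responses.append((ip, port))
            elif state == "open":
                non_cde.append((ip, port, service))
    return {"violations": violations, "cde_closed_responses": closed_responses,
            "reachable_non_cde": non_cde}


if __name__ == "__main__":
    for kind, items in check_segmentation(SAMPLE_SCAN).items():
        print(kind, items)
```

The distinction between filtered and closed matters when reading the results: only filtered ports show the segmentation control dropping traffic. A closed response proves the packet reached the CDE host, which is worth recording even though no service was listening, and the test should be repeated from every out-of-scope segment, not just the corporate LAN.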

 

PCI DSS Resources 

For more guidance on 11.3.4.1 compliance and other PCI DSS requirements, read our blog post that includes a downloadable overview of all recent updates and revisions.

Freed Maxick services for PCI DSS Compliance can be found here, but for a more detailed discussion of your organization’s situations and needs, contact us or call me at 716.847.2651.


Why You Might Want to Wait on an R&D Tax Credit Study… Even if You Pass the 4-part Test

Before spending, consider these 2 additional R&D tax credit tests from the experts at Freed Maxick

We’ve written a lot about how the Research and Development (R&D) Tax Credit delivers tax savings for businesses with qualifying activities. 

It’s important to know that claiming the Credit involves preparing a detailed study, documentation, and interactions with the IRS. Most firms engage a professional to help them claim the credit and consider the fees they pay as an investment. 

In our work helping businesses identify costs and calculate the credit, we’ve noticed that even though some businesses may have expenses that meet the 4-part test, they may still not benefit from the credit because of circumstances that limit its applicability. 

That’s why our R&D Tax Credit Team does a Situation Assessment prior to an engagement. That includes performing two initial additional “tests” complementing the 4-part test that can identify factors limiting your company’s ability to claim the credit. 

If the company does not pass these tests, we may recommend deferring the work needed to claim the credit until a later date. The tests are:

Additional Test 1: Do You Own the Risks and Rewards of the R&D Activity? 

If a business is hired to conduct qualified research activities by another business, the claim for the credit will generally flow to the business that bears the risk of failure and owns the rights to success. Businesses may be hired to develop a product or process by another company. These contracts often call for the researching business to receive a fixed fee for the work regardless of result and it transfers the rights to the results to the hiring business. 

Even though research costs might qualify for the credit, the company that hired the research business would be the one to claim it. 

The determining factor in a situation like this will be the contract between the two companies. If your company performs research on a contract basis for other businesses, it’s important to consider the value of the R&D tax credit when negotiating a contract. 

Your business might still end up in a better position if you are paid regardless of result, but understanding the value of the tax credit foregone can lead to more equitable pricing for both parties. 

Additional Test 2: Do You Owe Taxes? 

In addition to the ownership of risks and rewards, businesses sometimes find that they qualify for a credit but can’t claim it in the current year because they aren’t making money, and therefore have no tax liability.  For individuals, alternative minimum tax (AMT) limitations could prevent one from claiming credit, but recent tax changes significantly increased the AMT exemptions and therefore reduced the likelihood that AMT would limit credit on an individual taxpayer level. 

The R&D Tax Credit is not a refundable credit—it can reduce the balance of taxes that you owe, but if you don’t owe taxes it will not generate a refund. The PATH Act, passed in 2015, allows certain start-up businesses to apply the credit against payroll taxes owed, but if you don’t qualify for that break your business will have to carry the credit forward until a year in which it owes taxes. 

So, it may not make sense to invest in having an expert conduct an R&D study and prepare the documentation for claiming the credit.  However, at the time when you have taxable income, claiming the credit may be a prudent strategy … assuming the tax benefit you’ll receive is greater than the cost of the study that needs to be performed!  Regardless of when you do the study, you will want to maintain good internal documentation.  If you do multiple years of R&D credit claims together it is important to have good R&D tax credit documentation so you aren’t “recreating” records and reduce audit risk. 

Connect with a Freed Maxick R&D Tax Credit Expert

The important thing to remember is that a claim for the R&D Tax Credit requires careful planning. If you’re looking to hire research on a contract basis or to perform research for hire, your agreements should reflect an understanding of the value of the credit and who will have the right to claim it. 

If your business performs R&D activities but isn’t yet profitable enough to claim the credit now, you need to understand how soon you will get the value of those expenditures back on your tax return. 

These can be complicated issues, and it’s our recommendation that before pulling the trigger on a R&D Tax Credit Study, you look at applicability issues in detail. 

We can help. 

In a 30-minute phone call we can identify whether you’re eligible for the credit and if it makes sense to proceed with a claim. 

To discuss your situation contact us by clicking the button or call us at 716.847.2651.


 


PCI DSS 3.2 Req 12.4.1 - Views on Establishing Responsibility for the Protection of Cardholder Data

If you're classified as a service provider, you are required to formally establish the overall responsibility for PCI compliance and the protection of cardholder data. Your PCI DSS Charter should be approved by executive management at least annually and anytime that there are major changes to your organization.

Click to see a short video on PCI DSS 3.2’s Section 12.4.1 requirements.

 

 

 

Freed Maxick 12.4.1 Guidance   

Establishing authority and responsibility for a PCI program within an organization is an essential step in maintaining compliance. Aligning strategy with explicit requirements allows for an increased level of cybersecurity and protection of sensitive customer data. Executive management’s role in PCI compliance promotes a more holistic approach to data security.

 

PCI DSS Resources 

For more guidance on 12.4.1 compliance and other PCI DSS requirements, read our blog post that includes a downloadable overview of all recent updates and revisions.

An overview of Freed Maxick services for PCI DSS Compliance can be found here, and for a more detailed discussion of your organization’s situations and needs, contact us here or call me at 716.847.2651.


PCI DSS 3.2 Req 12.11 and 12.11.1 - Views on Performing Quarterly Reviews and Maintaining Documentation of Quarterly Review Process

If you're classified as a service provider, you are required to implement a process for quarterly internal reviews confirming that personnel are following critical security policies and operational procedures (such as daily log reviews, firewall rule-set reviews, applying configuration standards to new systems, responding to security alerts, and change management). You also need to perform those reviews and retain documentation of them, including the results and the sign-off of the personnel responsible for the compliance program.

Click to see a short video on PCI DSS 3.2’s Section 12.11 and 12.11.1 requirements. 

 

 

Freed Maxick 12.11 and 12.11.1 Guidance   

Quarterly reviews of PCI procedures help to promote accountability within the organization. It is essential to document the results of all quarterly reviews and train employees to be familiar with specific PCI requirements. Retaining appropriate documentation and evidence of quarterly reviews helps to support the completion of required PCI DSS procedures.

 

Our PCI DSS Resources 

For more guidance on this issue and other PCI DSS requirements, read our blog post on new requirements for 2018, and see an overview of Freed Maxick PCI DSS Compliance services here. 

For a more detailed discussion of your organization’s situations and needs, contact us here or call me at 716.847.2651.

 


Tax Reform and the R&D Tax Credit for Corporations

The Tax Cuts and Jobs Act of 2017 didn’t change the R&D Tax Credit, but the repeal of the corporate Alternative Minimum Tax (AMT) expanded the potential benefit to all corporations that were in AMT.

The Tax Cuts and Jobs Act (TCJA) enacted at the end of 2017 did not make specific changes to the Research and Development (R&D) tax credit, but one significant change to the corporate tax system could benefit businesses that claim the R&D credit on their returns. 

TCJA repealed the corporate alternative minimum tax (AMT) for taxable years beginning after December 31, 2017.  As a result, the new law could make all corporate tax credits and carry forward, including the R&D credit, more valuable in the next few years.  

Corporate AMT and R&D Tax Credits 

Before TCJA, a corporation that was subject to the AMT in one year could take an offsetting AMT credit in subsequent years only to the extent that its regular tax liability exceeded its tentative minimum tax. Some corporations were perennially subject to AMT tax and the AMT credits increased over time and were unusable. 

Refund of AMT Credit Carryforwards. Under the new law, any AMT credit carry forwards that weren’t used before the AMT was repealed can now be used to offset the corporation’s regular tax liability. The credit carried forward can be refunded in an amount equal to 50 percent of the excess of the credit for the tax year over the amount of the credit allowable for the year against regular tax liability. (That increases to 100 percent for tax years beginning in 2021.) 

Corporations that have AMT credit carryforwards may now get an additional benefit from the R&D tax credit. To the extent the R&D credit reduces the regular tax liability, it could also accelerate the amount of AMT credit carryforwards that could be refunded during the “50 percent” years.

Application for All Corporations 

In a previous blog, we discussed provisions of a 2015 law change that allowed only certain “eligible small businesses” (ESBs) to apply the R&D tax credit against their AMT due.

Under current law, it appears that this benefit would apply to all corporations, regardless of whether they previously qualified as ESBs for purposes of deducting the R&D tax credit from their AMT liabilities. 

In effect, the elimination of the AMT under the TCJA has expanded the benefit to all corporations. The availability of the R&D credit to ESB would still apply to individual partners or S corporation shareholders who are subject to the AMT on their personal returns. 

Connect with a Freed Maxick R&D Tax Credit Expert

Calculating and claiming the R&D Tax Credit for a corporation is a complicated process, and it’s made even more challenging if your business is carrying forward AMT credits from prior years. 

If you have any questions or concerns about how the AMT and the R&D credit affect your personal or business taxes, connect with us by clicking on the button or call the Freed Maxick Tax Team at 716.847.2651 to discuss your situation.


PCI DSS 3.2 Req 3.5.1 - Views on Documented Cryptographic Architecture

If you're classified as a service provider, you're required to maintain a documented description of your cryptographic architecture, including all algorithms, protocols and keys used to protect cardholder data, with the strength and expiry date of each key, a description of what each key is used for, and an inventory of any HSMs or other secure cryptographic devices used for key management.

Click to see a short video on PCI DSS 3.2’s Section 3.5.1 requirement.

 

Freed Maxick 3.5.1 Guidance   

Relative to documented cryptographic architecture, our recommendation is that organizations subject to PCI DSS should take proactive steps to maintain an up-to-date inventory of the cryptographic tools used to protect cardholder data: each algorithm and protocol in use, each key with its purpose, effective strength and expiry date, and the HSMs or other devices that hold keys. Review the inventory whenever keys are rotated or systems change, not only ahead of the annual assessment.
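One way to keep that inventory useful between assessments, offered here as an added example for this page and not a Freed Maxick or PCI SSC artifact, is to hold it as structured data and review it automatically against the minimum effective strength that PCI DSS’s definition of strong cryptography points to (112 bits, per NIST SP 800-57 Part 1) and against key expiry. The inventory entries, key names and dates below are constructed and hypothetical.

```python
from datetime import date, timedelta

# Minimum effective security strength the PCI DSS glossary's "strong cryptography"
# definition references (NIST SP 800-57 Part 1: at least 112 bits).
MIN_STRENGTH_BITS = 112
REVIEW_DATE = date(2018, 3, 1)  # date of this hypothetical review

# Constructed inventory entries (hypothetical keys, not from any real environment).
INVENTORY = [
    {"name": "pan-db-dek", "algorithm": "AES", "key_bits": 256,
     "usage": "encrypts PAN column in pos-db-01", "expires": date(2019, 6, 30),
     "location": "pos-db-01 keystore"},
    {"name": "pan-kek", "algorithm": "RSA", "key_bits": 2048,
     "usage": "wraps pan-db-dek", "expires": date(2018, 12, 31), "location": "HSM-1 slot 3"},
    {"name": "legacy-tls-cert", "algorithm": "RSA", "key_bits": 1024,
     "usage": "TLS server key, legacy POS gateway", "expires": date(2018, 3, 15),
     "location": "gw-01"},
    {"name": "hsm-master", "algorithm": "3DES", "key_bits": 112,
     "usage": "", "expires": date(2020, 1, 1), "location": "HSM-1"},
    {"name": "batch-sftp", "algorithm": "RSA", "key_bits": 2048,
     "usage": "SFTP host key for settlement batches", "expires": date(2017, 12, 31),
     "location": "sftp-01"},
]


def security_strength(algorithm: str, key_bits: int) -> int:
    """Comparable security strength in bits, per NIST SP 800-57 Part 1 Rev. 4, Table 2."""
    alg = algorithm.upper()
    if alg == "AES":
        return key_bits
    if alg in ("3DES", "TDEA", "TDES"):
        return 112 if key_bits >= 168 else 80  # three-key vs two-key TDEA
    if alg in ("RSA", "DSA", "DH"):
        for bits, strength in ((15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80)):
            if key_bits >= bits:
                return strength
        return 0
    if alg in ("EC", "ECC", "ECDSA", "ECDH"):
        for bits, strength in ((512, 256), (384, 192), (256, 128), (224, 112), (160, 80)):
            if key_bits >= bits:
                return strength
        return 0
    raise ValueError(f"unknown algorithm {algorithm!r}: add it to the review rules")


def review_inventory(inventory, review_date: date, warn_within=timedelta(days=90)):
    """Return (key name, finding kind, detail) tuples, sorted by key name.

    Finding kinds: missing-usage (3.5.1 asks for a usage description per key),
    weak (below MIN_STRENGTH_BITS), expired, expiring (within warn_within).
    """
    findings = []
    for entry in sorted(inventory, key=lambda e: e["name"]):
        name = entry["name"]
        if not entry.get("usage"):
            findings.append((name, "missing-usage", "no description of what the key is used for"))
        strength = security_strength(entry["algorithm"], entry["key_bits"])
        if strength < MIN_STRENGTH_BITS:
            findings.append((name, "weak",
                             f"{entry['algorithm']}-{entry['key_bits']} gives {strength}-bit "
                             f"security, below {MIN_STRENGTH_BITS}"))
        if entry["expires"] < review_date:
            findings.append((name, "expired", f"expired {entry['expires'].isoformat()}"))
        elif entry["expires"] - review_date <= warn_within:
            findings.append((name, "expiring", f"expires {entry['expires'].isoformat()}"))
    return findings


if __name__ == "__main__":
    for name, kind, detail in review_inventory(INVENTORY, REVIEW_DATE):
        print(f"{name}: {kind}: {detail}")
```

The `location` field is what ties the listing to the HSM and secure cryptographic device inventory 3.5.1 also asks for; the strength table deliberately raises an error on an algorithm it does not know rather than silently passing it, so that a new primitive entering the environment forces a review decision.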

 

PCI DSS Resources 

For more guidance on this issue and other PCI DSS requirements, read our blog post on new requirements for 2018 that includes a downloadable overview of all recent updates and revisions.

 

An overview of Freed Maxick services for PCI DSS Compliance can be found here. For a more detailed discussion of your organization’s situations and needs, contact us here or call me at 716.847.2651.


 


Freed Maxick Healthcare Business Analytics Management Tool

In Healthcare there are significant amounts of siloed data. At Freed Maxick, we've created a tool that allows you to bring all that data together under one roof.

Our tool shows you visualizations and dashboards that allow you to manage the way you operate your organization. Having all that data at your fingertips visually, will allow you to identify opportunities to reduce cost, and identify inefficiencies in your processes.

To watch our latest video on this tool and how it can help your organization, please click here.
