Is this email legitimate? QuickBooks Payroll ACH ID Changes go live on the 22nd!

Trusted QuickBooks Advisors – here’s another thing for you to help your clients with

Intuit recently sent an e-mail to QuickBooks Online Payroll (QBOP) and QuickBooks Full Service Payroll (QBFSP) customers about an ACH ID change.  It kind of looks like a phishing thing, but it is really a legitimate email from Intuit, and it is important to pay attention if your company uses the impacted services and a banking feature called “debit filtering”.  There isn’t much time to act, either, because the changes go live in 3 days (February 22, 2016).

Impacted services are QuickBooks Online Payroll and QuickBooks Full Service Payroll, so it is pretty important to address.  Nobody wants their business payroll processes interrupted, and this could easily do just that.

Intuit has added some new ACH ID numbers for use with direct deposit and other processes which work with the bank, so customers using a fraud-prevention method known as “debit filtering” will need to contact their banks to add the new IDs or their bank transactions will fail.

Debit filtering allows customers to tell their banks which ACH IDs are allowed to perform transactions with the bank account, like removing or depositing funds.  It is an extra level of fraud security that protects the bank account from unauthorized access, but it is also something that can work against the business if it is not managed.  In this case, contacting the bank to add the new IDs is critical to keeping things processing and flowing smoothly.  It is also important that the old IDs not be removed yet, as they may be tied to historic transactions that must be tracked and reported on for tax and other purposes.
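The filtering behavior described above, sketched as an added example (not code from Intuit, any bank, or the original post). It assumes the bank matches on the Company Identification field of each NACHA batch header; the IDs, company name and file contents are constructed placeholders.

```python
"""Debit-filter screening of NACHA batch headers (added illustration)."""
from dataclasses import dataclass

RECORD_LEN = 94  # every NACHA record is a fixed 94 characters


@dataclass(frozen=True)
class BatchHeader:
    service_class: str  # 200 mixed, 220 credits only, 225 debits only
    company_name: str
    company_id: str     # the originator's "ACH ID" that the filter matches
    sec_code: str


def parse_batch_header(record: str) -> BatchHeader:
    """Slice the fixed-width fields out of a type-5 (batch header) record."""
    if len(record) != RECORD_LEN or record[0] != "5":
        raise ValueError("not a 94-character NACHA batch header")
    return BatchHeader(
        service_class=record[1:4],
        company_name=record[4:20].strip(),
        company_id=record[40:50].strip(),
        sec_code=record[50:53],
    )


def screen_file(lines, allowed_ids):
    """Return (company_id, decision) for each batch in an ACH file."""
    decisions = []
    for line in lines:
        if not line.startswith("5"):
            continue  # file header, entry detail and control records
        header = parse_batch_header(line)
        verdict = "POST" if header.company_id in allowed_ids else "REJECT"
        decisions.append((header.company_id, verdict))
    return decisions


def ids_to_add(announced_ids, allowed_ids):
    """IDs the account holder still has to give the bank."""
    return sorted(set(announced_ids) - set(allowed_ids))


def make_header(company_id, name="EXAMPLE PAYROLL", service_class="225"):
    """Build a constructed batch header for the demo below."""
    return (
        "5" + service_class + name.ljust(16)[:16] + " " * 20
        + company_id.ljust(10)[:10] + "CCD" + "PAYROLL".ljust(10)
        + "160222" + "160222" + "   " + "1" + "00000000" + "0000001"
    )


# Constructed placeholder IDs, not real originator IDs.
OLD_ID, NEW_ID = "1111111111", "2222222222"
SAMPLE_FILE = [
    "1" + " " * 93,      # file header (contents irrelevant here)
    make_header(OLD_ID),
    "6" + "0" * 93,      # entry detail (contents irrelevant here)
    make_header(NEW_ID),
    "6" + "0" * 93,
]


def demo():
    """Screen the same file before and after the new ID is approved."""
    before = screen_file(SAMPLE_FILE, {OLD_ID})
    after = screen_file(SAMPLE_FILE, {OLD_ID, NEW_ID})  # old ID is kept
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("filter with old ID only:", before)
    print("filter with both IDs:   ", after)
    print("ask the bank to add:    ", ids_to_add([OLD_ID, NEW_ID], {OLD_ID}))
```

With only the old ID on the approved list, the batch carrying the new ID is rejected; adding the new ID while keeping the old one lets both post.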

“Is this really from Intuit? It seems like Intuit would have a better way to make such changes than to ask millions of subscribers to contact their bank”

Source: Is this email legitimate? ACH ID Changes – QuickBooks Learn & Support

QuickBooks users don’t have much time to reach their banks and supply the new IDs, so pull the email out of the SPAM folder and call the bank right away. Intuit won’t be sending notices to the banks, and they have no authority to add different IDs to your approved list, anyway… which is a good thing.  If just anyone could add an approved ACH ID on your account, then just anyone could get to your funds.  Better to make the phone call yourself.

Make Sense?

J

No REST for QuickBooks Desktop Integration Developers

Intuit, the maker of QuickBooks small business accounting software (among other things), is discontinuing service for the REST API and the Sync Manager on March 1, 2016 [1].  Developers with applications which integrate with the desktop editions of QuickBooks using this method must change their approach right away or risk having their integrations simply stop functioning.  It’s not that Intuit will DO something on March 1st.  Rather, they’ll stop doing something – like handling Sync Manager integrations.

There are a lot of different types of businesses in the world, and each of them produces and consumes a lot of information.   From sales to human resources; from operations to finance – every business generates and manages information to support the various processes which make up the business activities.  Computer systems and software represent the tools businesses use to develop and manage information, and often become foundations for structuring the information which flows through the organization. Just as there may be different people in the business, each with their own responsibilities and job functions, there are likely software applications which are similarly oriented to support different processes within the business.  Integrating or connecting different applications and processes within the business helps the organization be more efficient with information usage, generally increasing the quality of access and reporting throughout the business while at the same time reducing or eliminating redundant data entry and the potential for errors.  Software integrations are a big thing to many businesses, which is why the discontinuation of Intuit’s Sync Manager for QuickBooks Desktop editions is a big deal.

Intuit’s Sync Manager was the big thing just a few short years ago.  Providing developers with a seamless method for accessing QuickBooks company data and passing it to/from web-based and other applications was a boon to the online application model and paved the way for many disk-based integrated solutions to migrate to SaaS offerings instead.  Developers who saw success operating in Intuit’s QuickBooks marketplace as recognized add-ons were encouraged to use Sync Manager so that they would be able to seamlessly market to, subscribe and onboard new users who purchased QuickBooks products. Whether or not the developer participated in Intuit’s application marketplace, the Sync Manager and the REST API provided them with some very important capabilities and supported new methods now recognized as “standards” for development of web-based solutions and services.

The World Wide Web has succeeded in large part because its software architecture has been designed to meet the needs of an Internet-scale distributed hypermedia system. The modern Web architecture emphasizes scalability of component interactions, generality of interfaces, independent deployment of components, and intermediary components to reduce interaction latency, enforce security, and encapsulate legacy systems. http://dl.acm.org/citation.cfm?doid=337180.337228

In order to integrate a solution with QuickBooks desktop products, there are two essential problems to solve.  First, there must be access to the QuickBooks data.  Few products are able to directly access the data in a QuickBooks data file; generally, the QuickBooks program itself is used to ‘broker’ access to the company file. So, developers need a way to work inside of QuickBooks to use it to access the data their applications need.  Second, the data must be transported (via the Internet) to allow for data to come from QuickBooks into another app, or to allow data from the other app to come to QuickBooks.  The REST API and the Sync Manager addressed both of those problems and provided developers with the mechanisms required to facilitate the data integration as well as transport the data.

REST (representational state transfer) is “the software architectural style of the World Wide Web [2]” and represents a standard for creating scalable, distributed system interactions.  Using this method, developers were able to make their online solutions access, read and write data in QuickBooks desktop products because Intuit had first sync’d the data to its servers, so developers needed only to reach the Intuit servers to reach the data.  The Sync Manager provided the transport, carrying the data to/from the desktop installation where the Sync Manager service was running.  And, because the Sync Manager was basically built-in to QuickBooks, there was no additional software to install and maintain on the computer because it was all part of the QuickBooks installation.

Intuit did a fantastic job of getting developers to move to the API integration method, positioning all those lovely 3rd party solutions for linkage via an Intuit.com account and, now, to QuickBooks Online.  Intuit is clearly favoring the QuickBooks Online edition and the API integration method available with that platform, and is telling developers that they must convert their customers to QBO in order to retain the easy connective ability they had with the desktop editions via Sync Manager.

Now that Intuit has announced the discontinuation of the REST API and the Sync Manager, what options do QuickBooks integration developers have, and how can customers using 3rd party integrations keep using them?  Options do remain, and they aren’t all that bad.  In fact, the options which remain continue to be the methods of choice for certain developers. These developers recognized early on that Intuit’s somewhat “lightweight” methods couldn’t handle the complexity or full functionality of their integrations, facilitated their solutions using the SDK, and never looked back (and still don’t).  For this community of developers – many of whom likely never considered trying to market their solutions in the Intuit app marketplace – the elimination of the REST API and Sync Manager doesn’t really matter.  They didn’t bother with them in the first place, just as they aren’t bothering with QBO.  Those solutions don’t fit their customers, anyway.

The QuickBooks desktop SDK (Software Development Kit) has been around for years, and using the SDK developers have been able to craft tight integrations between their solutions and the QuickBooks desktop products.  From payment plug-ins to fully integrated sales, customer relationship, inventory and manufacturing solutions – a broad range of integrated applications built with the SDK have been successfully deployed to QuickBooks customers all over the world.   Many applications which integrate with QuickBooks desktop solutions are desktop products themselves and are designed to work within the same desktop and network environment as QuickBooks, so there is no need to worry about “transport” of the data over the Internet.

For other solutions, such as online applications and services, there may be a need to exchange data via the Web. The QuickBooks Web Connector has also been a very popular solution for developers of applications that integrate data with QuickBooks.  The Web Connector is just what its name implies: it is a way to connect QuickBooks to the web and vice versa. With the Web Connector application and a web connector configuration file, developers could provide a method of exchanging data between QuickBooks desktop and another solution fairly simply.  While the Web Connector is quite useful in providing a means to transport integrated data to/from the QuickBooks desktop to an external system (like an online application), it only allows access to whatever data Intuit decides.  For this reason, many developers use both an SDK application and the Web Connector so their applications can access all data required and also have a web service available to transport it.

There are numerous implications relating to the sunset of the QuickBooks REST API and Sync Manager, and among them is the impact in hosted environments.  For customers who benefit (or might benefit) from hosted QuickBooks delivery models, what does the end-of-life of the Sync Manager mean?  Since the Sync Manager was basically built into QuickBooks desktop editions, it meant that there wasn’t any extra software to install or manage when a company wanted to adopt a Sync Manager-based 3rd party integrated solution. In a hosting environment, this means that the customer could easily add integrated applications to work with their hosted QuickBooks and the service provider might never even know it was being done.  There would be no additional software to install on the host servers, so many providers would simply be unaware that their customers were using these other solutions.

As developers return to SDK and Web Connector implementations in order to integrate with QuickBooks desktop, customers will ask their hosting providers to install the QWC (QuickBooks Web Connector) and/or integration software in their service.  In shared service delivery models, this may be virtually impossible to do without potential compromise to existing customers using those servers or other applications resident on the systems.  Hosting customers will not always understand that a “simple plug-in” actually represents installable software that must be secured, maintained, managed, and kept from improperly interacting with other software in the environment.  Some providers may not even be willing to work with the new integration software, while others may allow it but will not take adequate precautions to ensure proper and secure function.

Intuit has said to many constituent groups that its focus on desktop editions of QuickBooks will continue, and new certifications and benefits for desktop ProAdvisors (and continued development of interoperability with other solutions, like the Revel POS integration for QuickBooks desktop) give support to those statements.  Yet developers who support integrations with QuickBooks desktop are once again adjusting to the not infrequent changes Intuit makes to developer programs and philosophies.  The push to QBO and connected apps may be the focus for QuickBooks marketing dollars, but there are still quite a number of (very busy!) developers supplying solutions to businesses who don’t shop inside their QuickBooks software.

Make Sense?

J

[1] https://developer.intuit.com/blog/2014/09/08/timeline-to-discontinue-the-quickbooks-desktop-rest-api

[2] https://en.wikipedia.org/wiki/Representational_state_transfer

Report Right or It’ll Cost You (double)

Reporting requirements for business just keep growing, and so do the penalties for doing it wrong.  New this year and just in time for the annual reporting season (makes it sound almost fun, huh?) are new forms to file and an increase in penalties for not making an effort to get the information correct and into the hands of the proper recipient. Failure to file by the due date can cost businesses $250 per item, up to $3,000,000 in penalties ($1,000,000 for small businesses).  Add to that the warning about intentionally not filing or having an “intentional disregard of the requirements to furnish a correct payee statement”, which carries a penalty of at least $500 per payee statement and has no maximum penalty. Clearly, the cost of making sure the information is correct and filed in a timely manner is far less than the cost of not getting it done – or done right.

Growing problems around wage and revenue reporting have caused the IRS to pursue a variety of measures over the years to try to improve information reporting.  The Affordable Care Act has also had quite an impact on wage and benefit reporting, increasing reporting requirements substantially.  From the introduction of health plan reporting on W2s to the new mandatory forms 1095-C and 1094-C (for applicable large employers), businesses of all sizes are feeling the pressure.

February 2016 marks the date when employers and healthcare providers are required to file those shiny new IRS information returns regarding employer-provided healthcare coverage, providing a copy of the return to each employee much like a W2. The information would then enable the IRS to enforce rules established under the Affordable Care Act by revealing whether an individual might be eligible for a premium tax credit, or if an employer may be subject to non-compliance penalties. Penalties for failing to comply essentially double in 2016.  And the IRS suggests that a “good faith effort” standard will be applied to information reporting, offering no relief for employers that fail to make the effort to file timely and correctly.

It wasn’t very long ago that 1099 filing requirements expanded substantially, forcing businesses to get far more detailed in their production of information to the IRS and to payment recipients.  While this filing requirement impacted businesses both large and small, most lived through it (with the help of their trusted accounting professional!) and were able to comply.  That effort informed the IRS on a wide variety of business payments and expenses not previously tracked, in particular payments made for services and non-employee compensation.

The increasing scrutiny of wage and earning information may also help in efforts to curtail tax refund fraud.  Identity thieves use stolen (or borrowed) social security numbers to file false tax returns early in the year. Unfortunately, with the IRS motto of “pay first, prove later” the cross checking won’t likely be done until after the refund check has been sent. Once the task is performed, however, the taxpayer could end up getting a letter from the IRS stating that more than one tax return was filed using the social security number, they owe for a tax year for which they did not file a return, or the IRS indicates that wages were reported from an employer the taxpayer doesn’t know.

The IRS expects tax refund fraud to top $21 billion by 2016, which is an increase of 223% from 2013 numbers. Tax refund fraud costs every taxpayer.  No wonder the IRS is getting tougher with the penalties for not filing information returns accurately or on time.

Make Sense?

J

Following is the text from the IRS, which outlines the “Increase in Penalties for Failure to File Correct Information Returns and to Provide Correct Payee Statements” — 31-JUL-2015

L. 114-27, section 806, increased penalties for failure to file correct information returns and provide correct payee statements for information returns required to be filed after December 31, 2015.

Penalties are discussed in Section O in the General Instructions for Certain Information Returns. The penalties in the bulleted list under “Failure To File Correct Information Returns by the Due Date (Section 6721)” are revised as follows.

  • $50 per information return if you correctly file within 30 days (by March 30 if the due date is February 28); maximum penalty $500,000 per year ($175,000 for small businesses).
  • $100 per information return if you correctly file more than 30 days after the due date but by August 1; maximum penalty $1,500,000 per year ($500,000 for small businesses).
  • $250 per information return if you file after August 1 or you do not file required information returns; maximum penalty $3,000,000 per year ($1,000,000 for small businesses).

Payment Card Roll Call: “Not Present” fraud likely to increase as EMV takes hold

No retailer wants to become the next Target (pun intended).  Payment card fraud costs businesses and consumers billions of dollars every year.  What’s even more frightening, many of the breaches in the news are the result of innocent participants inadvertently granting access to the bad guys.  The Target breach in 2013 exposed the data of 110 million payment cards.  Hackers got into the network using perfectly good credentials of the HVAC company.  Sometimes password security just isn’t enough, which might bring into question the security of all those SaaS subscriptions and online shopping sites folks use these days.

EMV chip technology, the standard around the world which has just recently become a standard in the United States, has done a lot to stem the tide of credit card fraud in other countries.  As it was implemented in various countries, guess where it pushed the fraudsters?  Where the anti-fraud technology wasn’t, of course! The United States was among the laggards in requiring EMV chip technology for payment cards, opening the door for bad guys and turning the US into a veritable haven for credit card fraud, “accounting for nearly 50% of global fraud losses, according to the Nilson Report[1]”.

EMV chip (or chip and pin) technology will go a long way to prevent credit card fraud for businesses accepting payment cards… in-person and counterfeit card fraud, anyway. Online retail, on the other hand, not so much.  A chip on the card doesn’t really help when the transaction is completed with the card not present (CNP).  Some industry analysts suggest that CNP fraud losses will exceed $6 billion within the next few years, making e-commerce and online payment security a high stakes game for even the smallest of retailers.  As it gets more difficult to hack the payment system when the card is presented, bad guys will fall back in even greater numbers to the card-not-present model to find their victims.

Online retailers and service providers must take additional steps to secure their systems and protect customers and business partners, and face the challenge with the understanding that effort must be ongoing as new threats emerge. Tokenization is a prime method of layering the system with security, making the merchant system somewhat less of a worthy target by not storing the card data in the system.  Even if the system becomes compromised, the bad guys wouldn’t find customer payment card information.  There are numerous other steps a business can take to secure the CNP sales, including applying behavioral analytics which might identify rogue activities, or using 3D Secure to authenticate a cardholder’s identity at the time of purchase.   The point is that CNP fraud is likely to spike as EMV technology takes a firm hold in the US.

Card fraud is already escalating rapidly for ecommerce retailers and other card not present channels – it didn’t take EMV to start on that roll but it will surely give it a push.  Paperless payment systems, SaaS subscription services and online application service usage are increasing dramatically and there’s no chip to get in the way of these transactions.  Sellers of any and every service utilizing online payments need to now pay particular attention to system and information security.  The risk has always been there, and EMV chips and other shifts in pay card technology simply give it a push.

Make Sense?

J

 

[1] Chipping away at Credit Card Fraud with EMV; Information Week Tech Digest powered by Dark Reading, Nov 2015; NilsonReport http://www.nilsonreport.com/publication_newsletter_archive_issue.php?issue=1071

Mobile Device Security is a Moving Target

As businesses mobilize their workforces and processes, the volume and variety of sensitive data passing through and sitting on mobile devices increases dramatically.  Even though the business owner or IT manager may recognize the importance of mobile data and device security, doing something useful about it is altogether another issue.  New considerations enter into the picture frequently, turning mobile security into a moving target. Protecting the business – the organization, its employees and its customers – requires adopting mobile security strategies that cover a broad range of issues.

First of all, is there any means of monitoring the activities of the connected or mobile devices?  Knowing which devices are interacting with your information would seem to be an essential part of business information security, yet smartphones and tablet devices often fall under the proverbial radar of IT or business management.  Actually, business management is likely among the base of users with the very mobile devices in question.

Are there ways to limit what information is accessible via these mobile devices, and is that data encrypted?  Consider also that data is sometimes at rest (like when it is just sitting on a hard drive) and sometimes in transit (like being uploaded/downloaded/transmitted over the wire).  In either state, the data should be encrypted in order to be more secure.

Is there a standard set of apps or services that users can enable, or is it pretty much personal choice?  Too often a user will innocently install a malicious app on their device, exposing the business to a variety of potential threats.  Creating strict policies around app selection and use is a really good idea, and finding a way to actually enforce them is even better.

The big issue is separation of work and personal apps and content.  Especially in small businesses where personal devices are the norm (well, not just in small business… Hey Hillary!) it is quite a challenge to create any useful separation between personal and business use.  The mobile device is often adopted as a personal choice of the user – who elects to invest their personal mobile device in their work – so exacting any real level of control in how the device is used is tough.  The security of the information is only as good as the security of the device, meaning that it is usually up to the device owner to decide if a password or pin is required.  Unfortunately, and for the sake of convenience, there is often little or no real security on the device, meaning there is no real security around the information on the device in the event that it becomes lost, stolen or compromised.

There are a lot of things that the business can do in order to improve the security of their business data in a mobile device environment.  Here are a few of the basics:

  1. Have defined procedures for what happens when a device is lost or stolen; make sure they’re followed
  2. Have a way to do a remote wipe of the device
  3. Make sure all devices lock after a period of inactivity, and that they have password or pin protection
  4. Have a mobile device use policy, and make sure all employees understand why it matters and agree to it.

Make Sense?

J

Why Offering Anytime, Anywhere Work Works

An Anytime, Anywhere Work Survey was completed by ConvergenceCoaching, LLC this spring, and they’ve published the results.  In the survey, they asked firms to provide feedback on the results of flexible work programs, asking for both the good and the bad aspects of having an anytime/anywhere working model.  It isn’t much of a surprise that the positive outweighed the negative, given the popularity of cloud computing and mobile working models.

The benefits of providing flexibility in where and when people work are something that many businesses are just realizing.  It took a while for the idea to catch on (and for the technology to catch up) but enterprise and small business alike are now taking advantage of flexible work programs to improve employee morale and the business bottom line. Keeping employees happy and engaged is critical to running and growing a successful business, and providing a level of flexibility in work programs can deliver a big boost to worker satisfaction.

Supporting a flexible work environment and mobile employees takes some additional attention to detail, especially when it comes to communication. If workers aren’t certain of their responsibilities and boundaries, then expectations may not be fully met.  Training and communication become key elements in the business, making sure that employees understand what to do and how to get it done before they are allowed to operate remotely and with less on-site support.

There may also be some workers who feel that disconnecting is not an option when they are allowed some flexibility in hours and place of work.  Often electing to err on the side of caution, these users may put in more hours than usual simply to make sure that their work and contribution is recognized.  It is the “out of sight, out of mind” scenario they play over and over again, fearing that they will be forgotten or their usefulness minimized simply because they are not present in the office.  On the other hand, many workers describe being more effective in their jobs because they’re able to focus better and find themselves to be more creative or efficient when working away from the office. The company must provide clear lines of communication and work validation which support offsite employees and allow workers to embrace the freedom an anytime/anywhere approach offers if they want positive and productive results.

The survey demonstrated that businesses offering flexibility in work programs saw improvement of employee work/life balance and better overall morale than those offering no such flexibility.  Building and improving trust among teams was another cited benefit, as was the positive impact to the job of finding and retaining staff.  I think the best attribute of the Anytime/Anywhere working model listed from the survey was “It is worth it!”. Maybe it’s just because I agree.

Make Sense?

J

Source: Why Offer Anytime, Anywhere Work? | ConvergenceCoaching, LLC