The Security Standard for Add-on Marketplaces (SSAM) applies to DSPs with cloud based applications that feature an API powered third party ecosystem. This means DSPs may have to revise their processes and controls to reflect these standards.
NOTE: These standards do not apply to DSPs who do not host an API powered third party ecosystem.
How does this impact add-on developers?
If you have developed an app that integrates via API with a DSP ecosystem (eg. Xero, Intuit or MYOB etc.), then you will be required to complete a security questionnaire by that DSP as part of the certification process.
The security requirements specified in the SSAM were modelled closely on Intuit's QBO App Store guidelines. If your app is currently certified by Intuit, then you will probably already meet the SSAM requirements.
If your app does not adequately comply with the SSAM security requirements, then a DSP is required to send you a written notice and give you up to 30 days to advise the treatment plan and up to a further 60 days to complete the required work.
If your app is unable to meet the minimum DSP security standards within a 90 day period, then the DSP is expected to limit or restrict your access to their API and withdraw your listing from their marketplace.
What do add-on developers need to do?
Here is a checklist of action items for add-on developers:
- Double check that you do not qualify as a Digital Service Provider;
- Review the SSAM scope and security requirements;
- Self assess your software against the security requirements and complete the questionnaire supplied by the DSPs once a year;
- Report any breaches or account takeovers to the DSPs within 30 days of detection;
- Ask ABSIA or the developer evangelist team from your DSP if you have any questions.
What role are DSPs playing?
DSPs play a role in the regulation of third party apps as a part of this standard.
DSPs will be asked to provide a list of third party apps with more than 1,000 cloud based API connections or access, via API, to the practice client list of a registered BAS or tax agent. They may also be required to report any security breaches or account compromises to the ATO.
The role of the ATO
To support a strengthened environment, the ATO will update the Security Questionnaire to understand high level details of app stores that
are provided by DSPs. The ATO will also provide a clarification in the data breach requirements, to ensure that any information incident
within a third party app must be reported to the ATO.
When do the standards come into effect?
The SSAM is expected to apply from:
- 1 July 2020 for connections in place as at 31 December 2019
- 1 January 2020 for all other connections