Requirements for products and services

There are minimum requirements Digital Service Providers (DSPs) must meet to access our APIs and digital services. These requirements depend on whether your product or service is controlled by you or by the client, and on whether it is considered a commercial or non-commercial product or service.


Products controlled by DSPs

Services include cloud and Software as a Service (SaaS), gateways and sending service providers.

Requirements for Categories A, B and C

Category A applies to:
  • Commercial product or service controlled by DSP, and either
  • Low to high risk APIs with greater than 10,000 unique client records, or
  • Sending Service Providers

Category B applies to:
  • Commercial product or service controlled by DSP, and
  • Medium to high risk APIs with less than 10,000 unique client records

Category C applies to:
  • Commercial product or service controlled by DSP, and either
  • Low risk APIs with less than 10,000 unique client records, or
  • No risk APIs regardless of unique client records

Each requirement below applies to all three categories unless a category is named.

Audit logging
Mandatory: Audit logging functionality must be implemented in software products to enable traceability of user access and actions. Audit logs must be kept for a minimum of 12 months.

Authentication
Mandatory: Multi-Factor Authentication (MFA) must be implemented by all staff and end users who have access to Taxation, Accounting, Payroll, Business Registry or Superannuation related information for themselves or other entities or individuals, including Tax Agents and Employers, as per Australian Government - Guidelines for system hardening.
  • Shared logins are not permitted and must be blocked by the DSP.
  • Remember me functionality must be limited to less than 24 hours.
  • MFA should not include social media logins. If social media applications are included in the proposed business model, DSPs should discuss this with the DPO.

Certification
Category A. Mandatory: Independent certification against either:
  • iRAP (ISM) or
  • ISO/IEC 27001

Category B. Mandatory: Independent certification or self-assessment against one of the following:
  • ISM
  • ISO/IEC 27001
  • ISO/IEC 27002
  • ISO/IEC 27017
  • NIST
(DPO may request evidence of some self-assessed controls)

Category C. Mandatory: Independent certification or self-assessment against one of the following:
  • ISM
  • ISO/IEC 27001
  • ISO/IEC 27002
  • ISO/IEC 27017
  • SOC2
  • OWASP ASVS 3.0 or later
  • NIST

Data hosting
Mandatory: Data hosting must be onshore by default. Offshore hosting arrangements, including redundant systems, are managed by exception only.

Encryption Key Management
Mandatory: Encryption key management and public key infrastructure (PKI) policy must include asymmetric or public key algorithms, hashing algorithms and symmetric algorithms as per Australian Government - Guidelines for using cryptography.

Encryption at Rest
Mandatory: DSPs must apply encryption at the disk, container, application or database level. Encryption at rest should follow Australian Government - Guidelines for using cryptography.

Encryption in Transit
Mandatory: Encryption in transit must use an endorsed, approved cryptographic protocol, for example TLS 1.2 or TLS 1.3, as per Australian Government - Guidelines for using cryptography.

Entity validation
Mandatory: DSPs must implement entity validation to ensure consumers or users of a commercial software product are legitimate businesses and have a genuine need to access our APIs.

Personnel security
Mandatory: Personnel security procedures must be in place for hiring, managing and terminating employees, including contractors.

Security monitoring
Mandatory: Security monitoring practices must be implemented at the network/infrastructure, application and transaction layers to enable DSPs to scan for environmental threats and act.

Supply chain
Mandatory: DSPs must provide us with an overview of their supply chain.

Third party add-ons
Mandatory: If DSPs integrate with third party add-ons via an API, they must take reasonable care to ensure appropriate security controls are in place for any add-on partners. We recommend using the security standards for add-on marketplaces or an equivalent set of controls.

Products controlled by a client

Services include desktop and server-based software, including cloud applications where the application is primarily under the control of the client.

Requirements for Category D

Category D applies to:
  • Commercial product or service controlled by client, and
  • Low, medium or high-risk APIs regardless of unique client records

OR

  • In-house developer controlled by a client, and
  • Low risk APIs only with greater than 10,000 unique client records

Note: We recognise DSPs may have some level of control over the requirement; the mandatory element applies where a DSP has control to implement a solution. Some controls may not be applicable.

Audit logging
Mandatory: Audit logging functionality must be implemented in software products to enable traceability of user access and actions. Audit logs must be kept for a minimum of 12 months.

Authentication
Mandatory: At a minimum, all solutions must have user-based access, including unique client logins with authentication and authorisation controls implemented, such as unique username and password.
  • Shared logins are not permitted and must be blocked by the DSP.
  • Remember me functionality must be limited to less than 24 hours.

To strengthen your authentication, we recommend implementing multi-factor authentication (MFA) as best practice. This can be applied as per Australian Government - Guidelines for system hardening.
  • MFA should not include social media logins. If social media applications are included in the proposed business model, DSPs should discuss this with the DPO.

Certification
Mandatory: Self-assessment against one of the following:
  • ISM
  • ISO/IEC 27001
  • ISO/IEC 27002
  • ISO/IEC 27017
  • SOC2
  • OWASP ASVS 3.0 or later
  • NIST

Data hosting
Mandatory*: If the product provides any element of data hosting, it must be onshore by default. Offshore hosting arrangements, including redundant systems, are managed by exception only.

Encryption Key Management
Mandatory*: If the product manages encryption keys, the encryption key management and public key infrastructure (PKI) policy must include asymmetric or public key algorithms, hashing algorithms and symmetric algorithms as per Australian Government - Guidelines for using cryptography.

Encryption at Rest
Mandatory*: DSPs should apply encryption at the disk, container, application or database level. Encryption at rest should follow Australian Government - Guidelines for using cryptography.

Encryption in Transit
Mandatory: Encryption in transit must use an endorsed, approved cryptographic protocol, for example TLS 1.2 or TLS 1.3, as per Australian Government - Guidelines for using cryptography.

Entity validation
Mandatory: DSPs must implement entity validation to ensure consumers or users of a commercial software product are legitimate businesses and have a genuine need to access our APIs.

Personnel security
Mandatory: Personnel security procedures must be in place for hiring, managing and terminating employees, including contractors.

Security monitoring
Mandatory*: If the product can relay data to the DSP, security monitoring must be implemented to enable DSPs to scan for environmental threats and take action.

Supply chain
Mandatory: DSPs must provide us with an overview of their supply chain and third-party add-ons.

Third party add-ons
Mandatory*: If DSPs integrate with third party add-ons via an API, they must take reasonable care to ensure appropriate security controls are in place for any add-on partners. We recommend using the security standards for add-on marketplaces or an equivalent set of controls.

Commercial products or in-house developers

Services include desktop and server-based software, where the application is under the control of the client.

Requirements for Category E

Category E applies to:
  • Commercial product or service controlled by the DSP or the client, and
  • No risk APIs regardless of unique client records

OR

  • In-house developer controlled by the client, and
  • Low risk APIs only with less than 10,000 unique client records, or
  • No risk APIs regardless of unique client records

Note: ATO recognises DSPs (including in-house developers) may have some level of control over the requirement; the mandatory element applies where a DSP has control to implement a solution. Some controls may not be applicable.

Authentication
Mandatory: At a minimum, all solutions must have user-based access, including unique client logins with authentication and authorisation controls implemented, for example, unique username and password.
  • Shared logins are not permitted and must be blocked by the DSP.
  • Remember me functionality must be limited to less than 24 hours.

To strengthen your authentication, we recommend implementing multi-factor authentication (MFA) as best practice. This can be applied as per Australian Government - Guidelines for system hardening.
  • MFA should not include social media logins. If social media applications are included in the proposed business model, DSPs should discuss this with the DPO.

Data hosting
Mandatory*: If the product provides any element of data hosting, it must be onshore by default. Offshore hosting arrangements, including redundant systems, are managed by exception only.

Encryption Key Management
Mandatory*: If the product manages encryption keys, the encryption key management and public key infrastructure (PKI) policy must include asymmetric or public key algorithms, hashing algorithms and symmetric algorithms as per Australian Government - Guidelines for using cryptography.

Encryption at Rest
Mandatory*: DSPs should apply encryption at the disk, container, application or database level. Encryption at rest should follow Australian Government - Guidelines for using cryptography.

Encryption in Transit
Mandatory: Encryption in transit must use an endorsed, approved cryptographic protocol, for example TLS 1.2 or TLS 1.3, as per Australian Government - Guidelines for using cryptography.

 

Optional consideration for DSPs in Category E to strengthen security

To improve the security of your ecosystem, product(s) or service(s), please consider implementing the below security controls:

  • Audit Logging
  • Certification
  • Multi-Factor Authentication
  • Personnel Security
  • Security Monitoring Practices
