There are minimum requirements Digital Service Providers (DSPs) must meet to access our APIs and digital services. These requirements depend on whether your product or service is controlled by you (the DSP) or by the client, and on whether it is considered a commercial or non-commercial product or service.
Products controlled by DSPs
Services include cloud and Software as a Service (SaaS) products, gateways and sending service providers.
Requirements | Category A | Category B | Category C
---|---|---|---
Audit logging | Mandatory: Audit logging functionality must be implemented in software products to enable traceability of user access and actions. Audit logs must be kept for a minimum of 12 months. | Same as Category A | Same as Category A
Authentication | Mandatory: Multi-factor authentication (MFA) must be implemented by all staff and end users who have access to taxation, accounting, payroll, business registry or superannuation related information for themselves or other entities or individuals, including tax agents and employers, as per Australian Government - Guidelines for system hardening. | Same as Category A | Same as Category A
Certification | Mandatory: Independent certification against either: | Mandatory: Independent certification or self-assessment against one of the following: (DPO may request evidence of some self-assessed controls) | Mandatory: Independent certification or self-assessment against one of the following:
Data hosting | Mandatory: Data hosting must be onshore by default. Offshore hosting arrangements, including redundant systems, are managed by exception only. | Same as Category A | Same as Category A
Encryption key management | Mandatory: The encryption key management and public key infrastructure (PKI) policy must include asymmetric or public key algorithms, hashing algorithms and symmetric algorithms as per Australian Government - Guidelines for using cryptography. | Same as Category A | Same as Category A
Encryption at rest | Mandatory: DSPs must apply encryption at the disk, container, application or database level. Encryption at rest should follow Australian Government - Guidelines for using cryptography. | Same as Category A | Same as Category A
Encryption in transit | Mandatory: Encryption in transit must use an endorsed, approved cryptographic protocol, for example TLS 1.2 or TLS 1.3, as per Australian Government - Guidelines for using cryptography. | Same as Category A | Same as Category A
Entity validation | Mandatory: DSPs must implement entity validation to ensure consumers or users of a commercial software product are legitimate businesses and have a genuine need to access our APIs. | Same as Category A | Same as Category A
Personnel security | Mandatory: Personnel security procedures must be in place for hiring, managing and terminating employees, including contractors. | Same as Category A | Same as Category A
Security monitoring | Mandatory: Security monitoring practices must be implemented at the network/infrastructure, application and transaction layers to enable DSPs to scan for environmental threats and act on them. | Same as Category A | Same as Category A
Supply chain | Mandatory: DSPs must provide us with an overview of their supply chain. | Same as Category A | Same as Category A
Third-party add-ons | Mandatory: If DSPs integrate with third-party add-ons via an API, they must take reasonable care to ensure appropriate security controls are in place for any add-on partners. We recommend using the security standards for add-on marketplaces or an equivalent set of controls. | Same as Category A | Same as Category A
Products controlled by a client
Services include desktop and server-based software, including cloud applications where the application is primarily under the control of the client.
Note: We recognise DSPs may have some level of control over a requirement; the mandatory element (marked * below) applies where a DSP has control to implement a solution. Some controls may not be applicable.

Requirements | Category D
---|---
Audit logging | Mandatory: Audit logging functionality must be implemented in software products to enable traceability of user access and actions. Audit logs must be kept for a minimum of 12 months.
Authentication | Mandatory: At a minimum, all solutions must have user-based access, including unique client logins with authentication and authorisation controls implemented, such as a unique username and password. To strengthen your authentication, we recommend implementing multi-factor authentication (MFA) as best practice. This can be applied as per Australian Government - Guidelines for system hardening.
Certification | Mandatory: Self-assessment against one of the following:
Data hosting | Mandatory*: If the product provides any element of data hosting, it must be onshore by default. Offshore hosting arrangements, including redundant systems, are managed by exception only.
Encryption key management | Mandatory*: If the product manages encryption keys, its encryption key management and public key infrastructure (PKI) policy must include asymmetric or public key algorithms, hashing algorithms and symmetric algorithms as per Australian Government - Guidelines for using cryptography.
Encryption at rest | Mandatory*: DSPs should apply encryption at the disk, container, application or database level. Encryption at rest should follow Australian Government - Guidelines for using cryptography.
Encryption in transit | Mandatory: Encryption in transit must use an endorsed, approved cryptographic protocol, for example TLS 1.2 or TLS 1.3, as per Australian Government - Guidelines for using cryptography.
Entity validation | Mandatory: DSPs must implement entity validation to ensure consumers or users of a commercial software product are legitimate businesses and have a genuine need to access our APIs.
Personnel security | Mandatory: Personnel security procedures must be in place for hiring, managing and terminating employees, including contractors.
Security monitoring | Mandatory*: If the product can relay data to the DSP, security monitoring must be implemented to enable DSPs to scan for environmental threats and take action.
Supply chain | Mandatory: DSPs must provide us with an overview of their supply chain and third-party add-ons.
Third-party add-ons | Mandatory*: If DSPs integrate with third-party add-ons via an API, they must take reasonable care to ensure appropriate security controls are in place for any add-on partners. We recommend using the security standards for add-on marketplaces or an equivalent set of controls.
Commercial products or in-house developers
Services include desktop and server-based software, where the application is under the control of the client.
Note: The ATO recognises DSPs (including in-house developers) may have some level of control over a requirement; the mandatory element (marked * below) applies where a DSP has control to implement a solution. Some controls may not be applicable.

Requirements | Category E
---|---
Authentication | Mandatory: At a minimum, all solutions must have user-based access, including unique client logins with authentication and authorisation controls implemented, for example a unique username and password. To strengthen your authentication, we recommend implementing multi-factor authentication (MFA) as best practice. This can be applied as per Australian Government - Guidelines for system hardening.
Data hosting | Mandatory*: If the product provides any element of data hosting, it must be onshore by default. Offshore hosting arrangements, including redundant systems, are managed by exception only.
Encryption key management | Mandatory*: If the product manages encryption keys, its encryption key management and public key infrastructure (PKI) policy must include asymmetric or public key algorithms, hashing algorithms and symmetric algorithms as per Australian Government - Guidelines for using cryptography.
Encryption at rest | Mandatory*: DSPs should apply encryption at the disk, container, application or database level. Encryption at rest should follow Australian Government - Guidelines for using cryptography.
Encryption in transit | Mandatory: Encryption in transit must use an endorsed, approved cryptographic protocol, for example TLS 1.2 or TLS 1.3, as per Australian Government - Guidelines for using cryptography.
Optional considerations for DSPs in Category E to strengthen security
To improve the security of your ecosystem, product(s) or service(s), please consider implementing the following security controls: