In a world of open data, we, as software developers, need to take the right precautions to protect any sensitive information we collect on behalf of our customers.
In Australia, the Australian Taxation Office (ATO) has taken a proactive stance, engaging with key industry participants through the Australian Business Software Industry Association (ABSIA) to develop a common framework to safeguard Australians’ tax and accounting data. Other industries have long had similar frameworks, such as PCI DSS for credit card data or the EU’s GDPR for personal data.
In August 2019, ABSIA released a new security standard: the Security Standards for Add-on Marketplaces, or SSAM. This standard applies to all developers who consume accounting APIs, such as the QuickBooks accounting APIs.
If you are reading this article, chances are that you have an app on the QuickBooks App Store, or that you’re building one, and want to find out what this standard means to you. We talked to David Martin, technical compliance manager at Intuit, to learn more about SSAM and to get the lowdown.
My app does not collect any tax data, either directly from the ATO or from the QuickBooks APIs. Does SSAM apply to me?
Yes, SSAM still applies. The ATO defines two levels within its security standards: one for Digital Service Providers (DSPs) and another for Marketplace Add-Ons. A DSP is an organisation such as Intuit that has a direct technical relationship with the ATO systems, for example in order to submit tax lodgements from QuickBooks. A Marketplace Add-On is anyone who consumes APIs from the DSP (i.e. QuickBooks). As a developer who consumes QuickBooks APIs, SSAM applies to you.
I already have an app that is listed on the QuickBooks marketplace. What should I do to be compliant with SSAM?
Nothing! SSAM was developed in consultation with Intuit and, to a large degree, is based on Intuit’s existing requirements for third-party developers. In addition, Intuit checks all apps annually to ensure they continue to meet the required security standards. Just keep an eye out for an email from Intuit about your annual review.
I am building a new QuickBooks app. What should I do?
If you meet the Intuit requirements laid out on the Intuit Developer website, you will meet all the SSAM requirements. Just review the outlined security requirements and follow the app security review process that kicks in when you publish your app or reach 500 QuickBooks connections, whichever comes first. As part of the security review, Intuit will perform a vulnerability test on your app and provide you with a summary report of any vulnerabilities found, along with information on how to remediate them. You should then expect a notification from Intuit to perform your annual review some time after that.
We are a small company and do not have security experts in the team. Can I build an app that satisfies SSAM requirements?
Fear not! SSAM has been designed with every developer in mind, providing good security while still allowing smaller companies that may not have deep security expertise to implement it. The standards are straightforward and designed for developers using cloud hosting environments, such as Azure or AWS, which let you enable some of these security requirements during setup (encryption, SSL version). As a QuickBooks developer, refer to our security requirements for more details.
Will there be any impact on my users?
No. The SSAM only applies to you as a developer and has no impact on your end user experience.
I also integrate with other accounting platforms. Do I need to update these integrations?
The aim of SSAM is to standardise the requirements for app developers across all accounting platforms. You will need to follow the same SSAM standards in Australia, whether you integrate only with Intuit’s offerings or also those from other vendors. Do check with your accounting provider for details about the process you need to follow.
My app is listed in other countries via the QuickBooks marketplace. Are there similar standards in other countries that I should be aware of?
We have indeed noticed increased diligence from governments around the world in regulating API usage and developer marketplaces, such as the GDPR in Europe and the CCPA in the United States. Intuit keeps a close pulse on market regulations and will keep you informed should you need to implement any changes in your app listing. As you build your product, simply be aware that the location of your customer is going to determine which regulations you need to adhere to. When onboarding new customers, always track where your customers are from. It will make your life much easier should you need to implement changes in the future to adhere to a specific country’s regulations.
If you have more questions about security or SSAM, feel free to check out the resources below or ask a question in the comments and we’ll get back to you!
For more information: