Use this checklist to reduce the chaos and risk of your partner API activation process
Systems integration in the automotive retail industry is wide and deep – dozens of car manufacturers (OEMs) integrate with hundreds of Dealer Management System (DMS) providers and other auto tech companies, DMS providers integrate with thousands of auto tech providers and related providers of other data services. All of these parties are exchanging customer, vehicle and other data to ultimately deliver a consumer experience that drives sales and customer retention at the point of sale.
With increased scrutiny on data privacy, tightly managing partner authentication, authorization and activation is more important than ever. Let’s start with defining what we’re talking about.
Authentication – when two systems connect, authentication is the initial step to make sure that the requesting system is who it says it is. As an analogy, when you travel by air, a trained TSA agent will verify your face, mask down, matches the identity on a publicly legitimized form of identification such as a passport or driver’s license before allowing you access to your airplane.
Simply stated, authentication proves an identity.
Authorization – once the initial connection or access is granted to the authenticated party, authorization is about specifying which assets the requesting party has permission to access. In auto retail, a CRM application may connect with a DMS, but only be authorized to access certain types of customer information stored in the DMS, and be restricted from other types of data.
Simply stated, authorization grants the right to access specific assets.
Activation – Activation is the actual workflow whereby partner systems are both authenticated and authorized, and practically granted the credentials or keys necessary to exchange authorized data across systems on behalf of any particular dealership.
There are several methods for authentication, and lots of great information online comparing the merits of each. Over the past decades, history has proven that new methods of web services and RESTful authentication continue to make gains in security, with OAuth 2.0 being the current front runner.
Yet despite the ever improving technology to make authentication more secure, risk will continuously lie in the underlying workflow or process your organization uses to track requests, authorize parties, and ultimately activate partners. With a growing number of integration points, an increased need for real-time data, and increasing scrutiny on data privacy, an organized, fail proof process is critical. If you are currently using email, paper forms, or (shh, we won’t tell anyone) sticky notes to manage activation requests, you’ve got risk.
Here is a checklist of considerations to ensure a secure process.
- Access requests – does your process have means to ensure the requesting party meets all of the requirements necessary to connect? This can include:
- Attainment of an integration certificate from the API publisher
- Authorization on behalf of the end customer (usually a dealer)
- Compliance with the publishing party’s security requirements (ex. SOC2 compliance)
- Where one provider replaces another, does your process validate the respective start and end dates for each and manage activation, de-activation and conflict resolution accordingly?
- As various actions and approvals are required across a handful of parties, does your process have built-in communications to follow up and ensure each party understands and has taken action on its part?
- To comply with increasing data privacy legislation, is your system able to audit on-demand where, in the ecosystem, an individual’s data exists at any given time?
Need a way to automate and manage your activation process?