Technical security device

from Wikipedia, the free encyclopedia

A technical security device (TSE) is a security module in electronic cash registers that records all cash register transactions completely and unalterably. The term comes from the German Kassensicherungsverordnung (KassenSichV), which from January 1, 2020 requires the complete, unchanged and tamper-proof storage of business transactions and some other processes.

Together with the general obligation to issue receipts, which is also provided for in the KassenSichV, the TSE is intended to curb tax evasion in Germany.

Technical security devices must be certified by a test center that has been accredited by the Federal Office for Information Security (BSI).

Duties and deadlines

In principle, the KassenSichV assumes that operators of electronic cash registers have integrated a certified technical security device (TSE) from January 1, 2020 and will continue to use it. Since no certified TSE was available on the market until the beginning of November 2019, the Federal Ministry of Finance issued a non-objection regulation on November 6, 2019. Under it, cash register operators generally have an extended deadline until September 30, 2020; during this period no objection is raised if they do not comply with the conditions of the KassenSichV and are therefore de facto not GoBD-compliant. In July 2020, almost all federal states issued further non-objection regulations until March 31, 2021.

Cash register operators are obliged to arrange the conversion of their cash registers themselves as soon as possible. They bear the expected acquisition costs of around € 250 for a certified technical security device themselves.

For cash registers that are demonstrably non-convertible due to their design and that were purchased between November 25, 2010 and the end of 2019, a transition period until December 31, 2022 applies.

Fraud prevention

Installing the TSE also brings a reporting obligation for cash registers. Every cash register must be reported to the responsible tax office within four weeks of using the TSE. However, with the non-objection regulation of November 6, 2019, the obligation to report is suspended until digital transmission is possible.

Since a technical security device can only secure what was actually entered in the cash register, the obligation to issue receipts was also necessary in order to curb tax fraud. In the past there were a number of fraud scenarios that are now to be prevented by the TSE, by the receipt requirement, or by both together. Thanks to the obligation to issue receipts, the tax office will in future be able to check within minutes, as part of a cash register inspection, whether a company is working in compliance with the KassenSichV. Failure to comply may result in fines. The inspection process is legally secured by Section 146b AO.

Certification

The production of a TSE is not restricted to any particular technology. Anyone can submit one to the appointed test centers and have it certified. According to the Federal Office for Information Security, the implementation is technology-neutral. In addition to hardware solutions in which the storage takes place on a physical medium on site (e.g. on SD cards or USB sticks), cloud solutions are also planned.

The Federal Office for Information Security (BSI) has so far authorized seven test centers that are supposed to test and certify the technical security devices submitted if they meet the requirements of the KassenSichV:

  • TÜV Informationstechnik GmbH
  • SRC Security Research & Consulting GmbH
  • Fraunhofer IOF
  • CTC advanced GmbH
  • Data protection cert Ltd.
  • IABG Industrieanlagen-Betriebsgesellschaft mbH
  • MTG AG
  • secunet Security Networks AG

In December 2019, several TSEs in USB stick and SD card format as well as TSE cloud solutions were in the certification process. On December 20, 2019, EPSON and Swissbit received the first certificates for certified TSEs. The first functioning TSEs were the USB and SD solutions from Swissbit, which had already been successfully tested in the DFKA field test by the project management of Gastro-MIS (member of the taxonomy working group). The certificates of these TSEs usually run for 5 years plus 6 months' tolerance for logistics and integration into the cash register. The TSEs from Diebold Nixdorf, which offer a 7-year certificate period, are an exception. The USB stick or SD card must be replaced at the end of its useful life. EPSON (can be integrated into the receipt printer) and Diebold Nixdorf (7-year TSE) also offer TSE modules. Another provider of such a TSE module is D-TRUST, a company of Bundesdruckerei GmbH, and its technology partner cryptovision, who offer a certified TSE in the form of an adaptable microSD card. All TSEs certified so far can be connected via network or locally.

In general, a distinction is made between hardware TSE (HW-TSE) and so-called cloud TSE. HW-TSE combine the functional groups CSP (Crypto Service Provider) and SMAERS (Security Module Application for Electronic Record Keeping Systems) in one hardware module. Cloud TSE typically separate CSP and SMAERS physically: the SMAERS component is, or can be, integrated as a software library in the POS software, and the CSP is operated in a data center. The simplicity of rolling out a cloud TSE is offset by the need for a security assessment of the cash register software, which is not necessary with HW-TSE. A LAN-TSE is a hybrid between cloud and local TSE, where one or more HW-TSE are located at a central point in the store and can be addressed by the cash registers via the local network without hardware intervention. The SMAERS component is therefore of particular importance. While HW-TSE have been certified since December 2019, cloud TSE are still in certification. The current SMAERS protection profile is available in V 1.0. The certified HW-TSE use the previously certified SMAERS protection profile V 0.7.5, which is not a defect, but is based on the previous certification. These HW-TSE are approved by the BSI for 8 years.

Technical functionality

In future, every checkout process will be saved on the TSE and electronically signed by it. A chaining principle is used: each transaction receives an electronic signature, a signature counter and a time stamp. This means that each signature can only be produced exactly once. It is therefore impossible to change the chain of transactions afterwards without this being detectable. The tax office can consequently check the technical security device with test software for manipulation, gaps and changes. A journal of all transactions is saved, which must be exportable for the tax office at any time. The file with the exported data is in TAR format.
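
The check described above, sketched as an added example that is not part of the original article and is not any TSE vendor's code: an auditor walks the journal and flags counter gaps, altered records and time reversals. The record layout, the demo key and the use of HMAC-SHA256 in place of the device's electronic signature are assumptions made so the sketch runs with the Python standard library only.

```python
import hashlib
import hmac

# Constructed demo key: stands in for the signing key held inside the TSE.
DEMO_KEY = b"constructed-demo-key"

def sign(counter, timestamp, payload):
    """Stand-in signature (assumption): HMAC-SHA256 over counter, time, payload."""
    msg = f"{counter}|{timestamp}|".encode() + payload
    return hmac.new(DEMO_KEY, msg, hashlib.sha256).hexdigest()

def make_journal(payloads, start_time=1577836800):
    """Build a constructed journal: one signed record per transaction."""
    journal = []
    for i, payload in enumerate(payloads, start=1):
        ts = start_time + 60 * i
        journal.append({"counter": i, "time": ts, "payload": payload,
                        "signature": sign(i, ts, payload)})
    return journal

def audit(journal):
    """Return the findings an audit would raise: gaps, changes, time reversals."""
    findings = []
    prev_counter, prev_time = 0, None
    for rec in journal:
        c, t = rec["counter"], rec["time"]
        if c != prev_counter + 1:
            # The counter is part of the signed message, so a removed record
            # cannot be hidden by renumbering its successors.
            findings.append(("gap", prev_counter + 1, c))
        if not hmac.compare_digest(sign(c, t, rec["payload"]), rec["signature"]):
            findings.append(("changed", c))
        if prev_time is not None and t < prev_time:
            findings.append(("time-reversal", c))
        prev_counter, prev_time = c, t
    return findings

def demo():
    journal = make_journal([b"sale 4.50 EUR", b"sale 12.00 EUR",
                            b"sale 3.20 EUR", b"sale 7.80 EUR"])
    clean = audit(journal)
    deleted = audit(journal[:1] + journal[2:])   # record 2 missing from export
    edited = [dict(r) for r in journal]
    edited[2]["payload"] = b"sale 0.20 EUR"      # amount altered after signing
    return clean, deleted, audit(edited)

if __name__ == "__main__":
    print(demo())
```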
