Cash Register Security Regulation
Status quo and remaining tasks
In Germany, the so-called Kassensicherungsverordnung (KassenSichV or Cash Register Security Regulation) enters into force on January 1, 2020, and will affect more than three million point of sale (PoS) systems. At that time, cash registers in Germany must be equipped with a certified technical security device (TSE).
A TSE serves to protect against retroactive manipulation of digital basic records and to prevent subsequent tax evasion and tax fraud.
Because the certification requirements apply to the TSE, the record-keeping system only needs to be adapted to the TSE. Certification of the record-keeping system itself is not required.
Although the KassenSichV stipulates that existing cash registers and PoS systems must be upgraded or retrofitted by December 31, 2019, there is currently no solution available on the market that has already been certified by the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI). Due to delays and to changes in the BSI's technical requirements and protection profiles, a fully certified and legally compliant TSE solution is not expected this year. As a result, the BSI will give TSE manufacturers provisional approval to allow for on-time delivery of record-keeping systems with security devices. Well-informed sources predict the announcement of a transitional period by the end of September 2019. During this period, no penalties apply if a corresponding security solution is not yet in place. Nevertheless, as of January 1, 2020, taxpayers must still be able to demonstrate an attempt to implement the KassenSichV. In other words, they must have commissioned their PoS manufacturer to install a TSE solution by this time.
Generally, retailers and merchants can implement the KassenSichV by choosing between a cloud-based and a hardware solution. At this point, both are only subject to provisional approval of the TSE and the Secure Module Application (SMA) by the BSI. Full certification is presently not an option as the specifications for the Crypto Service Provider (CSP) are still under revision. The provisional BSI approval is granted for one year and can be extended for an additional year. During this period, adaptation and CSP certification must be completed. TSE and SMA must likewise be recertified.
When using a hardware solution, all hardware components run the risk of needing replacement within this two-year period. Once a TSE is fully certified (expected between 2020 and 2021), the certification is valid for five years. The TSE must be recertified after the expiration date. If adaptations are required in the interim, existing TSE hardware must be replaced after five years. It is therefore likely that TSE hardware will result in higher costs for field service management.
A cloud-based TSE is not affected by this since the implementation and certification only pertain to fiskaly cloud components, and not the components at the ultimate taxpayer location. In the worst-case scenario, a software update is required if interface changes are necessary.
Interface descriptions for connecting cloud-based systems are available online. TSE manufacturer fiskaly makes a detailed interface description and a test system available on the kassensichv.io website. To facilitate integration, fiskaly provides open-source software development kits (SDKs) for various platforms and languages at github.com/fiskaly. The SDKs enable easy integration of the certified SMA component directly into input devices. Compensation mechanisms for network failures or similar disruptions are also included.