Maintenance work FinanzOnline

The Austrian Federal Ministry of Finance draws attention to planned maintenance work on the FinanzOnline portal. The service will not be available on Wednesday March 2nd 2022 from 15:30 until 18:00. Even afterwards, until 19:30, there may still be disruptions to operations.

As usual, the RetailForce system forwards any cash register messages (registrations, deregistrations, message of failed signature creation devices) to FinanzOnline as soon as the portal is available again without restrictions. We recommend that planned cash register registrations are carried out at a later date, if possible.

Current release – Fiscal Client 1.2.8.

The latest release of the Fiscal Client (version 1.2.8) is available in the downloads section of the RetailForce website. Major innovations mainly concern the German country version (FiskalDE) under Linux.

FiskalDE – swissbit Hardware TSE

As its main features, the new version 1.2.8 supports the swissbit hardware TSE under Linux, via the Docker container, and under Android (beta).

IntelliSense

For the nuget implementation, the IntelliSense class documentation has been added to the nuget packages, making development easier.

RetailForce Cloud Portal

The Global Search Box of the RetailForce Cloud Portal has been improved so that global search terms can now be used for search results from organisations, companies, shops as well as terminals.

Furthermore, larger files can now also be transmitted to the RetailForce Cloud. For large files, the upload continues (restart).

The complete release notes can be found in markdown in the folder of version 1.2.8 in the downloads directory: https://www.retailforce.cloud/downloads/Version%201.2.8/ReleaseNotes1.2.8.md

Maintenance work FinanzOnline

Attention is drawn to a new maintenance window at the Austrian Federal Computing Centre. The FinanzOnline service will not be available on Wednesday, 02 Feb. 2022, between 15:30 and 19:00. In addition, operations may also be disrupted from 19:00 to approx. 19:30 on the same day. The Austrian Federal Ministry of Finance asks for your understanding.

As usual, the RetailForce system forwards any cash register messages (registrations, deregistrations, message of failed signature creation devices) to FinanzOnline as soon as the portal is available again without restrictions. We recommend that planned cash register registrations are carried out at a later date, if possible.

New Release – Fiscal Client 1.2.7.

The current version of the Fiscal Client – v. 1.2.7. – is available for download: https://www.retailforce.cloud/downloads/Version%201.2.7/. The version contains an important update for Austria (FiscalAT).

FiscalAT

Due to an error, the automatic annual receipt is not created correctly. This bug has been fixed in the current version. We recommend that all customers upgrade to the latest version so that the annual receipt can be checked correctly via FinanzOnline.

Furthermore, the reduced tax rates for all food and beverages in the catering sector, as well as services in the cultural sector, which were reduced to 5% in the course of the Corona measures, were set back to the original values of 10% and 13%.

Docker Hub

As of this version, the Docker container of the Fiscal Client can be downloaded directly from the Docker Hub. Below is the link to download: https://hub.docker.com/r/retailforce/trusted-fiscal-service.

Digital receipt

Another innovation concerns our “digital receipt” service. The delivery page for digital receipts can be adapted to the company’s own corporate design. We will be happy to support you in this. Please contact us via the contact form, or send us an e-mail.

As usual, you will find all changes of version 1.2.7. in the Release-Notes.

Maintenance work FinanzOnline

Once again, the Austrian Ministry of Finance informs us about a FinanzOnline maintenance window: Extensive maintenance work (network, server, databases) will be carried out at the Federal Computing Centre on 22 January, 2022, between 09:00 and 19:00 CET. FinanzOnline is not available during this period. Furthermore, the operation of FinanzOnline may be disrupted outside this time, from 00:00 on Saturday 22 January 2022 to 23:00 on Sunday 23 January 2022.

As usual, the RetailForce system forwards any cash register messages (registrations, deregistrations, message of failed signature creation devices) to FinanzOnline as soon as the portal is available again without restrictions. We recommend that planned cash register registrations are carried out at a later date, if possible.

New year and new release

The coming turn of the year brings with it a change in the VAT regime in Austria. As part of the measures adopted by the federal government in the course of Corona, the VAT rates of 10% and 13% were temporarily reduced to a reduced rate of 5%. The measure applied to gastronomy, the hotel industry, the cultural sector as well as the publication sector. This temporary regulation expires at the end of the year. As of 01 January 2022, the old VAT rates pursuant to § 10 of the Value Added Tax Act (UStG 1994).

Cash register systems and other electronic recording systems must be converted accordingly in good time. The VAT department of the Federal Ministry of Finance (BMF) has issued a statement on the offsetting of services extending over the turn of the year.

Quote: “For reasons of administrative economy, turnover in the hotel and catering sector that is exported during the night from 31 December 2021 to 1 January 2022 may be treated uniformly in accordance with the legal situation up to 31 December 2021 or in accordance with the legal situation from 1 January 2022.”

This means that hotels and restaurants that entertain guests in the night from 31.12.2021 until midnight and provide services that are not invoiced until after the turn of the year can choose whether to apply the reduced tax rate or the old one.

The new “old” VAT rates can be validated from version 1.2.7, which will be made available by us this week.

Version 1.2.6

Since this week, a new version of the Fiscal Client is available for download. As announced, the Fiscal Client is now available as a Docker Container on the Docker Hub: https://hub.docker.com/u/retailforce. Instructions for commissioning the container can be found on our support portal at: https://support.retailforce.cloud/hc/en-gb/articles/4413162938641-Linux-TrustedFiscalService-as-Docker-Container.

Significant new functions and improvements

  • Austria: the RestoreByCloud function now automatically checks whether the cash register is already registered in FinanzOnline. If this is not the case, the cash registration will be carried out.
  • Austria: to avoid rounding differences, VAT totals can be transmitted for the entire document (Document model version 1.0.3.)
  • General: the last saved document can be retrieved by the Fiscal Client

Furthermore, the error handling has been improved.

As always, you will find all changes, additions and improvements in the current Release-Notes.

Security vulnerability “Log4Shell”

Currently, a critical vulnerability in log4j, the logging library for Java applications, is increasingly being used for cyber attacks. Logging a specific string makes remote code execution possible. The vulnerability is known as “Log4Shell”. All RetailForce systems (RetailForce Cloud, Fiscal Client, …) are free of this vulnerability, as no Java-based services are used.

According to our information, the Fiscal Cloud Connectors (FCC) of Cloud TSEs of the providers swissbit and Deutsche Fiskal are affected by “Log4Shell”. According to swissbit / Deutsche Fiskal, external tools of the AZURE environment of the TSE web services as well as the central cloud applications were assessed according to the current state of the art and classified as non-critical. Physical TSEs (“hardware TSE”) are also not affected by the vulnerability.

Recommendation on the part of the Cloud TSE providers:

Check of the Fiscal Cloud Connector (FCC).
To immediately fix the vulnerability, we strongly recommend all customers to set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true on the account running the FCC application. The FCC service must then be restarted afterwards.
For all customers who cannot perform this procedure, we will provide an update of the FCC as soon as possible as version 3.2.4, which will perform the adjustment of the environment variables during the update process.

Statement DF on BSI CVE-2021-44228

Further information can be found in the BSI publication (“Critical vulnerability in log4j published”): https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2021/2021-549032-10F2.pdf?__blob=publicationFile&v=3

Complete statement / customer information of Deutsche Fiskal (DF):

Dear users of the Fiskal Cloud,
On behalf of DF Deutsche Fiskal GmbH, we would like to provide you with an update on the current security situation with regard to the security notice published by the BSI on 11.12.2021 (BSI: CVE-2021-44228).
DF Deutsche Fiskal GmbH also uses JAVA based services and therefore cannot exclude that its systems might be affected.
Within the scope of a task force the following measures have been defined and partly already implemented. Details on this as of 13.12.2021 are given below:

Check all external JAVA-based services/tools:
According to current knowledge, the security measures recommended by the BSI and the manufacturers have been implemented for the external tools in the AZURE environment.
(STAT 12/13/21: Done).

Check of Bundesdruckerei’s central TSE web service:
D-Trust GmbH, as a subsidiary of Bundesdruckerei and operator of the TSE web service, has confirmed in a preliminary information that the aforementioned “log4j logger” is not used in the central TSE web service environment.
(STAT 12/13/21: Done).

Check of all internal central Fiscal Cloud applications:
According to initial findings, the prerequisite for exploiting the vulnerability is that the Log4j 2 parameter “formatMsgNoLookups” must be set as a value of “false” and a Java Runtime 8 Update 191 or 11.0.1 or older is in use for the exploit to work. For newer versions, the exploited functionality is disabled by default by the Java Runtime.
However, since there are ways to bypass the JDK protection, all Fiscal Cloud services have been additionally reconfigured to prevent the exploit from working in order to increase security. Furthermore, in FCC version 4.0.0. the new library (from version 2.15) will be used to increase the protection again.
(STAT 12/13/21: Done).

Check of the Fiscal Cloud Connector (FCC).
To immediately fix the vulnerability, we strongly recommend all customers to set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true on the account running the FCC application. The FCC service must then be restarted afterwards.
For all customers who cannot perform this procedure, we will provide an update of the FCC as soon as possible as version 3.2.4, which will perform the adjustment of the environment variables during the update process.

We are continuing the analyses and as soon as new findings are available, we will inform you immediately.

With kind regards
Your DF Support Team

Important Fiscal Cloud customer information / statement DF on BSI CVE-2021-44228

We recommend that all users of the Fiscal Cloud Connector take the steps recommended by DF to close the vulnerability.
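
One way to check on Linux that the workaround recommended above has actually reached the running FCC process, as an added example that is not RetailForce or Deutsche Fiskal code: the script reads the environment the process was started with, because a variable set after start-up has no effect until the service is restarted. The process pattern passed on the command line is an assumption you supply; the page does not name the FCC process.

```bash
#!/usr/bin/env bash
# Added example (not vendor code): confirm the workaround is present in the
# environment of the *running* Java process, not only in a profile or unit file.

VAR=LOG4J_FORMAT_MSG_NO_LOOKUPS

# lookups_disabled ENVIRON_FILE
#   ENVIRON_FILE holds NUL-separated KEY=VALUE pairs (format of /proc/<pid>/environ).
#   0 = variable set to "true", 1 = missing or any other value, 2 = unreadable.
lookups_disabled() {
    [ -r "$1" ] || return 2
    local value
    value=$(tr '\0' '\n' < "$1" | sed -n "s/^${VAR}=//p" | head -n 1)
    [ "$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')" = "true" ]
}

# audit_processes PATTERN
#   PATTERN is matched against full command lines (pgrep -f). It is a
#   placeholder for whatever identifies your FCC installation.
#   Prints one line per process; returns 1 if any match is unprotected
#   or if nothing matches at all.
audit_processes() {
    local pid rc found=0 status=0
    for pid in $(pgrep -f -- "$1"); do
        [ "$pid" = "$$" ] && continue          # skip this script itself
        [ -d "/proc/$pid" ] || continue        # process already gone
        found=1; rc=0
        lookups_disabled "/proc/$pid/environ" || rc=$?
        case $rc in
            0) echo "pid $pid: $VAR=true" ;;
            2) echo "pid $pid: environment unreadable (run as the same user or root)"; status=1 ;;
            *) echo "pid $pid: $VAR not set to true; set it and restart the service"; status=1 ;;
        esac
    done
    [ "$found" -eq 1 ] || { echo "no process matches '$1'"; return 1; }
    return $status
}

# Run the audit only when a pattern is given on the command line.
if [ "$#" -gt 0 ]; then audit_processes "$1"; fi
```

The variable is only honoured by Log4j 2.10 and later, and the Apache Log4j project later described this setting as an incomplete mitigation, so moving to an FCC release that ships the updated library remains the lasting fix.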

Current release – Fiscal Client v. 1.2.5.

As of today, the new version 1.2.5. of our Fiscal Client is available for download at https://retailforce.cloud/downloads/. In this version we have extended and improved the integration possibilities of the Fiscal Client for different operating systems. You can also access the preview version of the licence accounting in the RetailForce portal.

Docker Container

The RetailForce Fiscal Service is now available as a Docker container for the country implementations Germany and Austria. If you are interested in the implementation via Docker, please contact us by e-mail (office at retailforce dot cloud) or via our Solution Center (RetailForce Software GmbH).

For Germany, the following technical security devices (TSE) are supported under Linux:

  • swissbit Cloud TSE
  • fiskaly Cloud TSE (v. 2.0)

From the upcoming version 1.2.6. the Docker Container will be available on Docker Hub.

Fiscal Service as nuget package

As a further integration variant, we are now providing the Fiscal Service as a nuget package. You can find the packages in the nuget-store at: https://www.nuget.org/profiles/RetailForceDevelopment.

Fiskaly 2.0

The integration of the Fiskaly Cloud TSE into the Fiscal Service has been completed and can also be used as of v. 1.2.5. If you use the automatic configuration of the Fiscal Clients (ConfigClient byCloud), the fiskaly Cloud TSEs are automatically provisioned via the RetailForce Cloud and stored in the Fiscal Client.

Preview for v 1.2.6.

In the next release, we plan to include the following features and functions, among others:

  • Support swissbit hardware TSE under Linux (Docker Container)
  • Deploy Docker Containers on Docker Hub

All detailed information about the new version can be found in the Release notes.

RKSV certificates expire

After five years, some certificates of the signature and seal creation units used within the framework of the Cash Register Security Ordinance (RKSV) in Austria are now expiring. The signature or seal creation unit is part of the technical security device with which every cash register must be equipped since 1 April 2017. The three Austrian trust service vendors (TSV) that issue RKSV signature creation devices (a-trust, Globaltrust and PrimeSign) have each given their RKSV products different certificate validities. While PrimeSign and a-trust certificates are issued for a period of 5 years, Globaltrust offers its RKSV signature smart cards with a validity period of 3, 5 or 10 years.

Continued use of expired certificates

Expired certificates may continue to be used regularly in normal cashiering operations according to § 15 para. 3, provided that the signature algorithm in the certificate is considered secure. Currently, there is no information that the algorithm would be considered unsafe.

Commissioning of new cash registers

However, if a cash register is to be put into operation for the first time, a new signature or seal creation unit with an unexpired certificate must be used. Otherwise, the registration will be rejected by FinanzOnline.

HSM / Remote Signing

In addition to the signature smart cards, the a-trust signature service of the 1st generation is also affected by the certificate expiry. The online certificates were issued with a validity of 5 years at the time of introduction and are no longer renewed. a-trust discontinues its old signature service (a.sign RK Online). As an alternative, a-trust offers the signature service (2nd generation) a.sign RK HSM. RemoteSigning certificates from PrimeSign are not affected. The provider always automatically extends the validity of the HSM certificates by one year.

What to do?

If the certificates of your signature or seal creation units expire in the coming year, we will be happy to advise you on an exchange. Contact us via our contact form, or via email at office at retailforce dot cloud.