Transitional regulation cv cryptovision TSE

As is known, the certification of version 1 of the TSE of the company cv cryptovision GmbH (product: D-TRUST TSE Module) expired on 7 January 2023. An initial transitional arrangement was created for TSEs acquired before 7 July 2022. These may continue to be used until 31 July 2023 (even without a valid certificate).

The highest German tax authority now states in its letter of 16 March that:

The replacement of the no longer certified technical security device […] shall be carried out immediately at the latest from the certification of the TSE version 2 of the company cv cryptovision GmbH and the legal requirements shall be fulfilled immediately. Insofar as the transitional arrangement has been used and the competent tax office has been notified in writing or electronically, no adverse consequences, solely from the lack of certification of the TSE, will be drawn for the period until 31 July 2024.

This also includes TSEs acquired after 7 July 2022. If a company has already submitted a notification to the competent tax office to make use of the transitional arrangement on the basis of the BMF letter dated 13 October 2022, it is no longer necessary to submit a further notification to make use of the extension. However, it is recommended to record this accordingly in the procedural documentation.

The complete letter can be found on the website of the BMF.

Expiry of the TSE certificate “Bundesdruckerei D-TRUST”

In its letter dated 8 July 2022, the German Federal Ministry of Finance informs about the expiry of the certificate of the technical security device “Bundesdruckerei D-TRUST TSE, Version 1.0” of cv cryptovision GmbH.

The current certificate “BSI-K-TR-0491-2021”, for the above-mentioned TSE, is only valid for a limited period until 07.01.2023. According to the BSI, the requirements for connection certification according to the technical guidelines “BSI TR-03153-2 Regulation 2” have not yet been met at present.

More information is available on the BSI website:

DSFinV-K new version valid from 1 July 2022

Last week, the German Federal Ministry of Finance announced the publication of a new version of the so-called “Digital Interface of the Tax Administration for Cash Register Systems (DSFinV-K)”. The specifications were published on the website of the Federal Central Tax Office. The current version, 2.3, must be used from 1st of July 2022.

RetailForce integrates the changes resulting from the new version into the Fiscal Middleware.

Changes

The majority of the changes are textual additions and clarifications, but a few more significant changes have also been made.

One of these significant changes to the DSFinV-K concerns the cash register number (KASSE_SERIENNR). Quote:

“For technical reasons, neither slashes (“/”) nor underscores (“_”) may be used in the cash register serial number.” [translated from the original German text]

DSFinV-K, annex E Nr. 3, p. 69.

In the RetailForce system, the cash register number is used for initialising the Fiscal Client and is entered in the “Terminal number” field in the Cloud Portal when a new terminal (= cash register) is created. We recommend not using slashes (“/”) or underscores (“_”) when assigning “Store number” (creation of a new store) and “Terminal number” (only numbers and letters – without separators).

Compared to the previous version, the payment method “rechargeable value card” (not to be confused with credit cards!) has been described in much more detail. The explanation is based on the EU Directive 2015/2366 on payment services in the internal market. Important: These value cards are mere means of payment and are considered as such if they can be exchanged back for the amount originally paid (or the amount not yet used) at any time and without preconditions. They are therefore not equivalent to single-purpose vouchers.

Furthermore, a small but decisive textual adjustment was made to the receipt reference. The short description of the reference date (DSFinV-K field: REF_DATUM) was changed from: (v2.2) “Timestamp of the transaction being referenced” to: (v2.3) “Timestamp of the cash closure being referenced”.

In view of the changes to the KassenSichV, which were passed by the Federal Council last summer (see our article from July 2021), the section “Definition of the QR code for machine-verifiable cash receipts” was also revised. An edge length of at least 3 cm is prescribed for the display of the QR code. Further information on the QR code can also be found in our Solution Centre.

From today’s perspective, all changes resulting from the new version of the DSFinV-K can be implemented by RetailForce without adapting the integration. Should there be any changes to this assessment, we will inform you in good time. The changes will be made available via a new version of the Fiscal Client, which is expected to be published by us at the beginning of the second half of May.

Security breach “Log4Shell”

Currently, a critical vulnerability in log4j, the logging library for JAVA applications, is increasingly being used for cyber attacks. Logging a specific string makes remote code execution possible. The vulnerability is known as “Log4Shell”. All RetailForce systems (RetailForce Cloud, Fiskal Client, …) are free of this vulnerability, as no JAVA-based services are being used.

According to our information, the Fiscal Cloud Connectors (FCC) of Cloud TSEs of the providers swissbit and Deutsche Fiskal are affected by “Log4Shell”. According to swissbit / Deutsche Fiskal, external tools of the AZURE environment of the TSE web services as well as the central cloud applications were assessed according to the current state of the art and classified as non-critical. Physical TSEs (“hardware TSE”) are also not affected by the vulnerability.

Recommendation on the part of the Cloud TSE providers:

Check of the Fiscal Cloud Connector (FCC).
To immediately fix the vulnerability, we strongly recommend all customers to set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true on the account running the FCC application. The FCC service must then be restarted afterwards.
For all customers who cannot perform this procedure, we will provide an update of the FCC as soon as possible as version 3.2.4, which will perform the adjustment of the environment variables during the update process.

Statement DF on BSI CVE-2021-44228

Further information can be found in the BSI publication (“Critical vulnerability in log4j published”): https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2021/2021-549032-10F2.pdf?__blob=publicationFile&v=3

Complete statement / customer information of Deutsche Fiskal (DF):

Dear users of the Fiskal Cloud,
On behalf of DF Deutsche Fiskal GmbH, we would like to provide you with an update on the current security situation with regard to the security notice published by the BSI on 11.12.2021 (BSI: CVE-2021-44228).
DF Deutsche Fiskal GmbH also uses JAVA based services and therefore cannot exclude that its systems might be affected.
Within the scope of a task force the following measures have been defined and partly already implemented. Details on this as of 13.12.2021 are given below:

Check all external JAVA-based services/tools:
According to current knowledge, the security measures recommended by the BSI and the manufacturers have been implemented for the external tools in the AZURE environment.
(STAT 12/13/21: Done).

Check of Bundesdruckerei’s central TSE web service:
D-Trust GmbH, as a subsidiary of Bundesdruckerei and operator of the TSE web service, has confirmed in a preliminary information that the aforementioned “log4j logger” is not used in the central TSE web service environment.
(STAT 12/13/21: Done).

Check of all internal central Fiscal Cloud applications:
According to initial findings, the prerequisite for exploiting the vulnerability is that the Log4j 2 parameter “formatMsgNoLookups” must be set as a value of “false” and a Java Runtime 8 Update 191 or 11.0.1 or older is in use for the exploit to work. For newer versions, the exploited functionality is disabled by default by the Java Runtime.
However, since there are ways to bypass the JDK protection, all Fiscal Cloud services have been additionally reconfigured to prevent the exploit from working in order to increase security. Furthermore, in FCC version 4.0.0. the new library (from version 2.15) will be used to increase the protection again.
(STAT 12/13/21: Done).

Check of the Fiscal Cloud Connector (FCC).
To immediately fix the vulnerability, we strongly recommend all customers to set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true on the account running the FCC application. The FCC service must then be restarted afterwards.
For all customers who cannot perform this procedure, we will provide an update of the FCC as soon as possible as version 3.2.4, which will perform the adjustment of the environment variables during the update process.

We are continuing the analyses and as soon as new findings are available, we will inform you immediately.

With kind regards
Your DF Support Team

Important Fiscal Cloud customer information / statement DF on BSI CVE-2021-44228

We recommend that all users of the Fiscal Cloud Connector take the steps recommended by DF to close the vulnerability.
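
One way to verify the workaround recommended above on a Linux host, as an added example that is not code from RetailForce, DF or swissbit: it checks that the variable is present in the environment of the already running process and classifies any log4j-core jars found by file name. The function names, status strings and the use of /proc are assumptions of this example, and the 2.10 floor is documented Log4j behaviour that the advisory does not mention.

```shell
#!/bin/sh
# Added example, not vendor code: checks the workaround from the advisory above.
VAR=LOG4J_FORMAT_MSG_NO_LOOKUPS

# env_mitigation FILE
# FILE is a NUL-separated environment dump of the running Java process
# (Linux: /proc/<pid>/environ). A variable set after the service started is
# not in it, which is why the advisory requires a restart.
# Prints: mitigated | not-set | wrong-value
env_mitigation() (
  entry=$(tr '\000' '\n' < "$1" | grep "^$VAR=" | tail -n 1)
  if [ -z "$entry" ]; then
    echo not-set
  elif [ "$entry" = "$VAR=true" ]; then  # exact value given in the advisory
    echo mitigated
  else
    echo wrong-value
  fi
)

# jar_status NAME
# Classifies a log4j-core jar by the version in its file name. 2.15 is the
# library version the DF statement names; the 2.10 floor is documented Log4j
# behaviour (older releases ignore the variable). Shaded or renamed jars are
# not recognised and yield "unknown".
# Prints: updated | needs-workaround | workaround-ineffective | unknown
jar_status() (
  minor=$(basename "$1" | sed -n 's/^log4j-core-2\.\([0-9][0-9]*\).*\.jar$/\1/p')
  if [ -z "$minor" ]; then
    echo unknown
  elif [ "$minor" -ge 15 ]; then
    echo updated
  elif [ "$minor" -ge 10 ]; then
    echo needs-workaround
  else
    echo workaround-ineffective
  fi
)

# Constructed sample: environment dump of a process started with the variable set.
sample_environ() { printf 'PATH=/usr/bin\000%s=true\000LANG=C\000' "$VAR"; }

# Usage: sh check.sh <pid> <install-dir>  (both supplied by the operator)
if [ "$#" -eq 2 ]; then
  echo "environment: $(env_mitigation "/proc/$1/environ")"
  find "$2" -name 'log4j-core-*.jar' | while read -r jar; do
    echo "$jar: $(jar_status "$jar")"
  done
fi
```

A result of "not-set" for a process whose account does have the variable configured means the service has not been restarted since the change.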

Firmware Update Swissbit Hardware TSE

A firmware upgrade is available for the Swissbit hardware TSE. We recommend that all customers who use a Swissbit hardware TSE in Germany to comply with the KassenSichV and received it before 01 July 2021 upgrade to the current firmware. According to swissbit, the new firmware (version 1.1.0.) increases product reliability and should be installed to prevent hardware defects that may occur in rare cases.

The functionality of the TSE is not affected by the firmware update; downward compatibility is confirmed by swissbit. The testing of the new software version by the BSI has already been successfully completed.

In case of hardware defects, TSEs will only be replaced if they already contain the new firmware. In principle, Swissbit only delivered TSEs with the new firmware version after 01 July 2021. Due to scheduling overlaps in hardware shipping, it cannot be ruled out that TSEs with older firmware still arrived at customers shortly after 01 July.

We therefore recommend checking the firmware version of swissbit hardware TSEs in use.

We have created a solution article for you in the RetailForce Support Portal, which describes how to check the firmware version of the TSE and perform the firmware update. You can find the article at: https://support.retailforce.cloud/hc/de/articles/4411327044497-Firmware-Update-swissbit-Hardware-TSE-1-1-0-

The new firmware version can be found in the download section of the RetailForce website at: https://www.retailforce.cloud/downloads/Swissbit/TseFirmwareUpdate/

German Bundesrat decides on amendments to KassenSichV

In its 1006th plenary session on 25.06.2021, the German Bundesrat approved an amendment to the Cash Register Anti Tampering Ordinance (KassenSichV). These changes are reflected in the “Ordinance Amending the Cash Register Anti Tampering Ordinance”.

Exception for car park ticketing machines and e-charging stations

In its letter of 3 May of this year, the Federal Ministry of Finance had already exempted cash registers for car park management and charging points for electric or hybrid vehicles from the KassenSichV in a transitional regulation. This exemption was now decided in the course of the plenary session.

Pay stations and parking ticket machines for parking space management as well as charging points for electric or hybrid vehicles therefore do not (or no longer) have to fulfil the requirements of the KassenSichV.

The BMF justifies this step with the fact that these systems are functionally and technically comparable to ticket vending machines and ticket printers, which were excluded from the scope of the KassenSichV from the beginning.

Furthermore, parking and charging services are interconnected services, as charging usually takes place over several hours and thus (quote:) „the parking service becomes an inseparable and integral part of the charging process“ [translated from the original German quote], according to the justification why billing systems for charging services are also exempted from the KassenSichV.

Compliance for taximeters

Another change will affect so-called EU taximeters and odometers in the future. These are obliged to comply with the KassenSichV from 01.01.2024 and thus be equipped with a technical security device (TSE) like cash register systems. This serves to ensure uniform and efficient tax enforcement – according to the BMF’s justification.

The proposal contained in the recommendations to the Federal Council to extend the KassenSichV to gambling machines is not reflected in the ordinance.

Receipt verification – signature as QR code

The requirements for the cash receipt have also been expanded (§ 6 – KassenSichV). In order to make the verification of receipts more efficient and to be able to carry out cash register inspections more quickly, cash register receipts must contain two additional minimum details:

  • the check value according to § 2 sentence 2 number 7 KassenSichV, as well as
  • the consecutive counter set by the security module (= „signature counter“)

This allows receipts to be verified off the premises of the company. In the future, however, the information according to § 6 KassenSichV can be displayed as a QR-Code on the receipt as an alternative to issuing it in legible form.

The amendment to § 6 sentence 2 KassenSichV specifically:
„The information on a receipt pursuant to sentence 1 must be legible to anyone without machine assistance or readable on a QR code.“ [Translated from the German original Version].

The structure and the technical specifications for the QR code must in any case comply with the digital interface of the tax authorities (DSFinV-K).

According to the Federal Ministry of Finance, this measure will shorten the length of printed documents, which, according to estimates by the Federal Ministry, means a saving of 108,000 km of paper annually, with an equivalent value of EUR 2.1 million.

Further changes as of 1st of Jan. 2024

Furthermore, additional amendments were adopted, which – such as the change for EU taximeters and odometers – will come into force on 1st Jan. 2024.

  • In the future, the transaction shall contain both the serial number of the electronic recording system and the serial number of the security module: § 2 sentence 2 item 8: “the serial number of the electronic recording system and the serial number of the security module” (“or” replaced by “and”).
  • This is also reflected in the information on the receipt: § 6 sentence 2 number 6: “the serial number of the electronic recording system as well as the serial number of the security module” (“or” replaced by “as well as”), and (new addition) § 6 sentence 2 number 7: “the verification value within the meaning of § 2 sentence 2 number 7 and the consecutive signature counter determined by the security module”.

Digital Receipts powered by RetailForce

You can achieve even greater savings than the changes to the KassenSichV passed by the Bundesrat (Federal Council) if you dispense with paper receipts altogether! We will be happy to advise you on digital receipt issuing via the RetailForce system.

Resources

Link to protocol of 1006th plenary session of the Bundesrat: https://www.bundesrat.de/SharedDocs/termine/DE/plenum/2021/2021-06-25.html?nn=4352766