Fiscalization and the technical security device (TSE)

The German legislator has laid down the framework conditions in the Digital Primary Accounting Record Anti-Tampering Act, in the German Fiscal Code and the Cash Register Anti-Tampering Ordinance (KassenSichV, Kassensicherungsverordnung). The technical specifications for the development and certification of the technical security device (TSE) have been defined by the Federal Office for Information Security (BSI). The Fiscal Code Application Decree in turn specifies specifically how the TSE is to be used and also describes the data interface with the tax authorities.

The ‘Principles for the Proper Management and Storage of Books, Records and Documents in Electronic Form as well as Data Access’ (GoBD) need no explanation. As an administrative regulation of the Federal Ministry of Finance, it defines the principles according to which traders should organize their bookkeeping. One of the main principles being that entrepreneurs must ensure that the original content of a book entry always remains traceable.

The GoBD also lists various hardware and software options to ensure that this can be maintained. But these options remain vague and do not provide a binding concept. This is precisely where the Cash Register Anti-Tampering Ordinance steps in, providing details and explaining first and foremost which concrete technical measures traders should take to make their systems tamper-proof. It not only prescribes the introduction of a technical security device (TSE), but also defines its three components. 

Since 1 January 2020, all electronic POS systems must be equipped with a technical security device (TSE).

No, if these devices basically only compile shopping baskets and if the sales process always takes place via dedicated downstream recording systems, such as cash registers, no connection to a TSE is required. However, if these devices have a cash register function, they must be connected to a TSE.

This depends on the place of payment. Orders with online payment in the webshop and collection in the store are not affected. Orders or even reservations with collection and payment in the store must be signed like normal purchases.

The German Federal Office for Information Security (BSI) announced on 8 July 2022 that the BSI-K-TR-0491-2021 certificate will expire on 7 January 2023. This means that the “D-Trust TSE Version 1.0” technical security unit distributed by D-Trust no longer fulfills the provisions for operating a TSE since 8 January 2023.

Affected users of this TSE module 1.0 can continue to use it without restriction and without adverse consequences until 31 July 2024. According to a letter dated 16 March 2023, the Federal Ministry of Finance (BMF) requires that taxable cash register operators contact their competent tax office directly.

Basically, all cash register solutions can be used with the TSE module. Bundesdruckerei provides the programming interface in Java and C. Cash register programs that are not compatible with these two programming languages can be integrated by the cash register manufacturers themselves. Solution support regarding other development languages, such as Visual Basic (VB6, VBA, VB.net), C#, C++ or even Delphi, is available on request. If you have specific questions, please feel free to contact our experts by e‑mail at support-tse@d-trust.net.

Our solution provides the export interface according to TR- 03153 5.1/TR03151 4.5.1. The interface for DSFinV-K export contains additional cash register-specific information and can therefore only be implemented by the cash register software.

The TSE module is delivered as a final product in microSD format. Using an adapter, the TSE module can also be used for USB and SD card connections.

If each cash register or accounting device has a dedicated TSE module, this ensures that each business transaction is recorded according to specifications.

If several individual electronic recording systems are connected to a cash register system, it is possible for the required digital records to be protected with a single TSE module shared by all electronic recording systems in the network.

To request the current documentation and software for our TSE module, please send an e-mail to: support-tse@d-trust.net.

The data logged by the TSE are basic digital records. This data must be protected against loss. ‘Best practice’ requires that regular backups of the TSE log data be made at the end of the day together with the necessary backup of the cash register data. For heavily used recording systems or when large amounts are recorded, intraday backups may also be necessary. After exporting the data to a secure archiving system, the TSE can delete the log data.

TSE log data is kept in TAR format. This is an easy-to-read, non-compressed and non-encrypted archive format that is generated when the TSE data is exported.

The data logged by the TSE are basic digital records. The required retention period is at least ten years and may be extended due to audits, etc.

The TSE log data can be stored in a digital archive, for instance, and must be presented when an audit takes place. Provided that the TSE log data is stored in a secure long-term archive, the TSE does not have to be stored after its period of use has expired.

The Fiskal Cloud is made up of the following basic components:

• a central web service to which the cash registers and recording systems must be connected and
• a local SMAERS (Security Module Application for Electronic Record-keeping Systems) component, which is a mandatory BSI requirement. The local component must be used directly on the cash register or the back office of the business premises and manages secure communication with the web service in the cloud.

The local security component implements the BSI requirements and ensures legally compliant operation even if the online connection fails. The TSE therefore operates in compliance with the law even if the cash register has offline functionality, thus enabling the operator to continue using the cash function.

Generally speaking, all cash register solutions with online capability can be connected.

Yes, Fiskal Cloud is an online fiscalization solution. In the event that the online connection fails, it is ensured that the cash registers can continue to operate.

If no permanent online connection to the system is possible, an offline and a hybrid variant are available to ensure use in compliance with legal requirements.

The central task of cash register providers is to connect the technical security device (TSE) to their systems in accordance with the uniform digital interface (EDS). The basis for the uniform digital interface is the ‘Secure Element API’ [BSI TR-03151]. The following three stand-alone EDS areas must be implemented:

• Integration interface: this enables integration of the TSE into the electronic recording system.
• Export interface: this is used to export the saved, secured log messages. Integrity as well as the timely recording can be checked with this data.
• Digital interface of the tax authorities for cash register systems (DSFinV-K): for the purpose of carrying out external tax audits or cash register inspections, the individual data recorded must be exported in this additional third EDS interface format.

It is also mandatory for providers to implement TSE management, i.e., processes that ensure, for instance, TSE initialization, reading of the TSE serial number for registration with the financial authorities, possible replacement of the protection device after five years and certificate renewal.

The provider of the TSE must ensure its overall certification by the Federal Office for Information Security (BSI). After five years, the TSE manufacturer must have the TSE recertified. These certificates are currently valid for five years.

The cash register operator has no obligations with regard to certification. The only task which the cash register operator has – if this has not already taken place – is to contact their cash register provider and obtain a cash register system with a TSE.

No, only the technical security device (TSE) must be certified. Certification of the recording system (for instance, the cash register system) is not required.