Gesetz zum Schutz vor Manipulationen an digitalen Grundaufzeichnungen [Act to prevent tampering with digital primary accounting records]

Technical security mechanism for electronic record-keeping systems

In the course of digitisation, electronic cash register systems or cash registers (electronic record-keeping systems) are generally used today for the sale of goods and services. As a result, the technical environment for taxation procedures has changed considerably. Without appropriate protective measures, subsequent tampering with the records kept by electronic cash register systems (digital primary accounting records) can only be detected with a great deal of effort.

The Gesetz zum Schutz vor Manipulationen an digitalen Grundaufzeichnungen [Act to prevent tampering with digital primary accounting records] therefore aims to make tampering with such records significantly more difficult. The central technical component for implementing the draft law is the introduction of a technical security mechanism.

The point of contact and entity responsible for the Act is the Federal Ministry of Finance.

As of 2020, electronic record-keeping systems must have a certified technical security device consisting of three components:

  • Security module:
    The security module ensures that cash register entries are logged at the beginning of the recording process and cannot be changed later without this being detected.
  • Storage medium:
    Digital records are stored on the storage medium for the duration of the statutory retention period.
  • Standardised digital interface:
    This interface should ensure seamless data transmission for verification purposes.

Instead of having to develop and certify a technical security mechanism of this kind themselves, manufacturers of cash registers or corresponding software can integrate one that is already available on the market into their systems. The standardised digital interface for such mechanisms is also intended to simplify this integration. In particular, no special requirements regarding physical interfaces are planned for the digital interface, which means that common standard interfaces such as USB, Ethernet, and SD cards can be used.

Certification requirements for the technical security mechanism

The certification obligations that apply in this context are limited to the technical security mechanism with which a cash register's records are to be secured at the beginning of the recording process. No provisions have been made to certify cash registers themselves (or corresponding software). This is meant to allow for as much flexibility as possible in integrating such mechanisms into existing cash register systems.

The detailed requirements pertaining to the security module, the storage medium, the digital interface, and electronic storage were developed by the BSI and published in Technical Guidelines and protection profiles.

There are also plans to define technology-agnostic requirements for the security module in a protection profile that corresponds to ISO/IEC 15408 (Common Criteria). To meet these security requirements, manufacturers will need to have their technical security mechanisms certified by the BSI.

For the storage medium and the digital interface, interoperability and availability requirements are planned that will be defined in a Technical Guideline and reviewed as part of a certification process based on other relevant Technical Guidelines.

Further information on this certification can be found here.

Overview of Technical Guidelines for the technical security mechanisms of electronic record-keeping systems

TSE simulator

As part of a practically oriented project, a student at Hochschule Bonn-Rhein-Sieg (University of Applied Sciences) created a TSE simulator in the Java programming language. It is available for download via GitHub.