According to new statutory regulations of the tax authorities, all new electronic and existing PC-based POS systems in Germany must be able to be equipped with a certified technical security device (TSE) from January 1, 2020 and a legally compliant conversion of their POS systems must be implemented by March 31, 2021.
Swissbit is a complete provider of tamper-proof recording solutions for POS data in accordance with the German Cash Security Ordinance (KassenSichV). Whether single devices, networked POS systems in a LAN or online-capable POS systems with a cloud connection, Swissbit provides an easy-to-integrate, flexible and secure TSE connection for all scenarios.
Certificate for Swissbit TSE: BSI-K-TR-0362-2019, valid until 19.12.2027
Certificate for Swissbit Cloud-TSE (provided by D-Trust GmbH): BSI-K-TR-0474-2021 & BSI-K-TR-0448-2021, valid until 09.12.2029
Swissbit TSE Solutions
POS manufacturers receive convenient and standardized interfaces for local and cloud-based POS systems, which allows them to easily switch between the technologies as needed. Swissbit also offers businesses an interface to the DATEV fiscalization platform MeinFiskal, which amongst other great benefits, offers an intuitive POS-data archiving and checking feature and provides businesses with access to an ideal fiscal services package.
Standalone and LAN Solution
Swissbit was the first manufacturer to receive TSE certification for storage solutions in Germany. With USB sticks, SD and microSD cards from Swissbit, almost every modern POS system can be retrofitted to meet the requirements of the German Cash Security Ordinance.
An optional LAN solution enables the efficient retrofitting of networked POS systems. In this way, devices in different locations, such as PC cash registers or tablets, can be easily retrofitted to be legally compliant without any further hardware intervention at the individual cash registers. In addition to the secure fiscal memory where the automatically signed transactions are stored, the Swissbit TSE memory solutions offer a user memory that can be freely used by POS equipment manufacturers.
The core of the certified Swissbit TSE is a durable, industrial flash memory with signature certificate in accordance with TR-03145 and the Common Criteria (CC) certified security modules BSI-PP-SMAERS and BSI-PP-CSP.
Swissbit TSE in Detail
- TSE (according to BSI TR-03153) in three variants with 8 GB flash memory - without adapters for maximum reliability: microSD, SD and USB
- Encryption: 384 bit - more than specified by the BSI and therefore future-proof
- Validity of the signature certificate: 5 or 7 years + 6 months for warehouse / logistics
- Processing time (signature and storage): less than 250 ms
- Lifetime: guaranteed 20 million signatures
- Data retention (with non-powered storage): 10 years
- Optional: secure remote connection to fiscalization platform from Datev & T-Systems possible
LAN Solution in Detail
- TSE package for LAN solution in connection with the purchase of USB TSE through our sales partners Gastro-MIS, Jarltech or Partner Tech
- LAN Connector Software (.exe) for provider of cash systems with a one-time fee per location
- Suitable for up to 5 POS systems per USB TSE (factor 5:1 and free assignment of the POS systems to USB TSE possible)
- Easy connection of additional cash registers possible (only limited by the number of USB ports in the server)
- Multiple TSE products can run in parallel
Swissbit Cloud-TSE: Simple, Flexible and Secure
The Swissbit Cloud TSE is particularly suitable for companies wishing to connect their POS systems to the cloud now or in the future. With the use of cloud cash registers supported for the first time, companies with a centralized infrastructure and numerous cash registers or branches, such as large retail chains, supermarkets, pharmacies and businesses in the catering & hospitality sector, can also benefit significantly from this cloud-connected proposition.
In addition to the “Swissbit Cloud TSE Connector”, which includes the local SMAERS component (Security Module Application for Electronic Record-keeping Systems), the certified Swissbit Cloud TSE uses a central web service with a signature service including key management, certified as a Cryptographic Service Provider (CSP), on which configuration and monitoring are carried out. The local component does not require any hardware and runs either directly on the cash register or from the branch back-office. The local component also handles secure communication with the web service in the cloud.
The Swissbit Cloud-TSE Connector can be installed in different environments and systems. It is available certified for a large number of operating systems and operating system variants.
Swissbit Cloud-TSE Connector
Desktop, Server or LAN device
Client's Data Center or Cloud
- Easy to integrate into existing and new POS systems
- Flexible and scalable: available as a single device, LAN solution and cloud solution and easily scalable. Easy switching between technologies possible.
- Secure: reliable and 100% secure certified Swissbit TSE as microSD, SD and USB for the best protection of fiscal data as well as a cloud solution with the highest security standards.
- Fiscal services: connection to the fiscalization platform MeinFiskal of DATEV with further additional services
Where to Buy
If you would like to order the Swissbit TSE or have technical questions about your Swissbit TSE, then contact our sales and support partners. If you would like to know more about how we can help you with our Swissbit TSE for the legally compliant solution for the fiscal market in Germany, then just contact us: firstname.lastname@example.org or by phone: +49 (30) 936 954 400.
Frequently Asked Questions (FAQ)
What does fiscalization mean?
Fiscalization is the legally compliant implementation of the extensive requirements of the German tax authorities for tamper-proof cash register systems.
What are the legal framework conditions?
The law for the protection against manipulation of digital basic records according to the Kassensicherungsverordnung (KassenSichV) stipulates that from 1.1.2020 electronic cash register systems must be protected by a TSE (technical security device) certified by the Federal Office for Information Security (BSI), consisting of a security module, a storage device and a uniform digital interface, so that cash register operators can use legally compliant devices.
In addition, the notification of the Federal Ministry of Finance (BMF) of November 6, 2019 applies: Non-objection regulation when using electronic recording systems within the meaning of § 146a AO without certified technical security device after December 31, 2019. This non-objection regulation means that new cash registers that are sold between 1.1. and 30.9.2020 must be "TSE-capable", i.e. the design-in of the TSE must already have taken place, and must be retrofitted with a TSE by 30.9.2020, i.e. the TSE must be plugged into the cash register. New cash registers that cannot be upgraded in this way do not comply with the law and may not be placed on the market.
Which POS systems are affected?
New cash register systems (cash registers and PC cash register systems) as well as existing PC cash register systems must be equipped with a certified TSE by January 1st, 2020. Cash registers that are already in the field and cannot be retrofitted must be operated with a certified TSE by December 31, 2022 at the latest.
What are the components of the Swissbit TSE?
The Swissbit TSE, certified according to TR-03153, consists of an 8 GB memory module including fiscal and freely usable user data memory, a certified security module application (SMAERS) and a certified "Secure Element" from a cryptography service provider (CSP), as well as a certificate according to TR-03145 for the registration of the CSP with the tax authorities.
How is a transaction recorded?
The Swissbit TSE offers secure and fast transaction recording (secure storage, assignment of transaction numbers, digital signature with time stamp and signature counter) of the process data (process start, type of process, payment type, process end, TSE serial number, test value) and the document data (issuer, issue time, goods including quantity and type, transaction number, fee, tax amount, TSE serial number).
The number of transactions per booking (receipt) depends on the application (gastronomy, retail, ...) and the implementation of the till. A booking in the catering sector can, for example, consist of 4 transactions: process and receipt data at the beginning of the order process, as well as process and receipt data at the end of the process.
What is the signature counter?
Each signature of the “Secure Element” (CSP) leads to a step-by-step increase in the signature counter. Resetting the fiscal memory, e.g. after successfully exporting the fiscal data, has no effect on the signature counter.
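The continuity property described in this answer can be checked by an auditor or integrator. The following is an added example, not Swissbit code: it walks two exports taken before and after a fiscal memory reset and reports gaps or counters that do not increase. The record layout (tuples of counter and label) and all sample values are constructed for illustration and are not the TSE export format.

```python
# Added illustration: audit signature-counter continuity across TSE exports.
# The record layout is an assumption made for this example only.

def audit_signature_counters(batches):
    """Check counters across export batches given in chronological order.

    Each batch is a list of (signature_counter, label) tuples. The counter
    must rise by exactly one per signature and must continue across batches,
    because resetting the fiscal memory does not reset the counter.
    Returns a list of findings; an empty list means the sequence is continuous.
    """
    findings = []
    highest = None  # highest counter value accepted so far
    for batch_index, batch in enumerate(batches):
        for counter, label in batch:
            if highest is None:
                highest = counter
                continue
            if counter == highest + 1:
                highest = counter
            elif counter <= highest:
                # Counter repeated or restarted: inconsistent with a counter
                # that only ever increases.
                findings.append(
                    ("not_increasing", batch_index, label, highest, counter))
            else:
                # Signatures were produced but their records are missing.
                findings.append(
                    ("gap", batch_index, label, highest + 1, counter - 1))
                highest = counter
    return findings


# Constructed sample data: one export before a memory reset, then three
# alternative exports taken after the reset.
EXPORT_1 = [(1, "start"), (2, "finish"), (3, "start"), (4, "finish")]
EXPORT_2_OK = [(5, "start"), (6, "finish")]
EXPORT_2_MISSING = [(5, "start"), (7, "finish")]
EXPORT_2_RESTARTED = [(1, "start"), (2, "finish")]

if __name__ == "__main__":
    for name, second in [("ok", EXPORT_2_OK),
                         ("missing", EXPORT_2_MISSING),
                         ("restarted", EXPORT_2_RESTARTED)]:
        print(name, audit_signature_counters([EXPORT_1, second]))
```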
How many TSEs can be connected to the server or the master cash register in a LAN solution?
With the LAN solution, USB TSE modules must be plugged into a server in the shop itself or in a master cash register. Swissbit supports up to five POS systems at the same time for each inserted USB TSE. In principle, an unlimited number of POS systems can easily be made tamper-proof with the LAN solution and other USB TSEs.
Can the fiscal data be deleted after the export?
Yes, according to the specification of the BSI, the fiscal data can be deleted after a successful export. Resetting the fiscal data memory does not affect the signature and transaction counter. The Swissbit TSE is "worn out" after approx. 20 million signatures.
Who is responsible for the TSE?
The taxpayer is responsible for operating a legally compliant TSE in his cash register. When the certificate in the TSE expires, the TSE solution can no longer be accessed and the cash register goes out of service. This is a mandatory requirement of the BSI.
Can the user continue to use his existing cash register equipment?
Mostly yes, because the Swissbit TSE is an ideal retrofit solution. The user should approach the cash register manufacturer or system partner in this regard.
How many transactions can be done on the TSE card?
The Swissbit TSE products can securely manage around 20 million signatures.
The Swissbit TSE products are made up of a fiscal data store and a freely manageable user data store. How big are they?
The 8 GB TSE products consist of 6.5 GB of reusable fiscal data storage and 1 GB of free storage for other usage data, such as a price list, analysis reports or GoBD data.
What is the transaction speed?
The Swissbit TSE offers a fast transaction speed of less than 250 ms (milliseconds). This refers to future-proof 384-bit ECDSA signatures, which exceed the current minimum requirements of the BSI.
How long is the data available?
Swissbit TSE allows data availability for at least 10 years.
Are certain service models available?
Yes, future security services that Swissbit can provide to cash register manufacturers are possible, such as securing fiscal data, reporting the TSE to the tax office, lifetime monitoring of the TSE or "TSE as a Service" as a subscription service. Swissbit was the first TSE supplier to offer an interface to DATEV's open fiscalization platform in the Swissbit SDK.
Is the Swissbit TSE certified?
The Swissbit TSE modules (technical security device according to BSI TR-03153), which are available in three versions, received approval as part of the certification process at the BSI (Federal Office for Information Security) on December 20, 2019. The Swissbit TSE is officially certified (BSI-K-TR-0362-2019) and manufacturers of POS systems can now deliver a legally compliant solution for the tamper-proof recording of POS data.
For how long can a TSE remain in the field?
Such a TSE may remain in the field for the period of its individual signature certificate, usually 5 years.
What is the maximum possible service life with which a TSE can be operated in the field?
The maximum life span of a TSE is 8 years and is limited by its individual signature certificate term.
The Swissbit TSE also includes a certificate? Who offers this certificate?
The certificate (according to TR-03145 for registering the CSP with the tax authorities) is already included in the Swissbit TSE ex works.
Can this certificate (according to TR-03145) be renewed?
The Swissbit TSE comes with a certificate that cannot be renewed. After the certificate has expired, the TSE must be exchanged.
What is the duration of the certificate (according to TR-03145)?
The duration of the certificate is up to 7 years plus 6 months for logistics and storage. Swissbit TSEs have a standard term of 5 years, depending on the project, 3 years or 7 years are also offered (plus 6 months for logistics / storage). After the certificate has expired, the TSE must be exchanged.
Does the cash register manufacturer have to carry out own certification?
No. As soon as the cash register manufacturer has integrated a certified TSE in accordance with TR-03153 into the cash register system, a separate POS certification is not necessary.
What exactly does the customer / cash register manufacturer need in order to be able to offer a Swissbit LAN TSE?
The TSE as a LAN solution is only available in conjunction with the purchase of USB TSEs from the distribution partners Gastro-MIS, Jarltech or Partner Tech. The associated LAN connector software (.exe) is available at low cost with a one-time fee per location.
The LAN solution is suitable for up to 5 POS systems per inserted USB-TSE (factor 5:1 and free allocation of the POS systems to USB-TSE possible). With 15 registers, the end customer needs at least 3 TSEs.
Swissbit offers OEM versions of the LAN connector software for cash register manufacturers on request. If you are a cash register manufacturer and are interested, please contact our sales team.
Can the secondary cash register use the TSE module at the main cash register (with TSE) via the API?
Yes, as long as (1) the assignment of the cash register to a specific TSE is static and (2) the connection is local and secured / authenticated (e.g. SSL or similar).
Does the local network connection via LAN cable or WLAN from the cash register to the TSE in the LAN solution also need to be secured? For example, is WLAN encryption sufficient for a WLAN connection?
The communication between the cash register and the TSE in the LAN solution must be secured independently. WLAN encryption alone is not enough. The Swissbit API uses end-to-end security of sufficient quality (HTTPS, SSL / TLS) between the cash register and the LAN connector software.
How is it measured whether the permitted number of POS systems is used per inserted USB TSEs?
Registers with active access are measured (i.e. a client ID starts a transaction on the TSE). The "measurement interval" is 10 minutes.
What happens if the permitted number of USB TSEs connected to POS systems is exceeded?
If the allowed factor of 5:1 of POS systems per inserted USB-TSE is exceeded (i.e. 6 or more instead of 5 registers are used within the time interval with 1 USB-TSE), all transactions take 1 second (instead of 250 ms) for 10 minutes from the time the limit is exceeded.
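For capacity planning and monitoring, the 5:1 rule from the last two answers can be modelled over a log of transaction starts. This is an added example, not the LAN connector's implementation: it assumes a sliding 10-minute window in which an event exactly 10 minutes old no longer counts, and the client IDs and timestamps are constructed.

```python
# Added illustration: model the 5:1 register-per-TSE rule on a constructed log.
from collections import deque
from datetime import datetime, timedelta
from math import ceil

WINDOW = timedelta(minutes=10)    # "measurement interval" from the FAQ
PENALTY = timedelta(minutes=10)   # slowdown duration from the FAQ
CLIENTS_PER_TSE = 5               # factor 5:1 from the FAQ

def min_tses(register_count):
    """Smallest number of USB TSEs that keeps every register within 5:1."""
    return ceil(register_count / CLIENTS_PER_TSE)

def find_overages(events, tse_count=1):
    """events: (timestamp, client_id) transaction starts, sorted by time.

    Returns (timestamp, active_clients) for every transaction start at which
    more distinct client IDs were active in the window than the TSEs allow.
    """
    limit = CLIENTS_PER_TSE * tse_count
    window = deque()   # events still inside the measurement interval
    last_seen = {}     # client_id -> timestamp of its newest event in window
    overages = []
    for ts, client in events:
        # Assumption: sliding window, events aged 10 minutes or more expire.
        while window and ts - window[0][0] >= WINDOW:
            old_ts, old_client = window.popleft()
            if last_seen.get(old_client) == old_ts:
                del last_seen[old_client]
        window.append((ts, client))
        last_seen[client] = ts
        if len(last_seen) > limit:
            overages.append((ts, len(last_seen)))
    return overages

def throttled_until(events, tse_count=1):
    """End of the slowdown that follows the last overage, or None."""
    overages = find_overages(events, tse_count)
    return overages[-1][0] + PENALTY if overages else None

# Constructed sample log: five registers start transactions, then a sixth.
BASE = datetime(2021, 4, 1, 12, 0)
SAMPLE_EVENTS = [(BASE + timedelta(minutes=m), c) for m, c in [
    (0, "pos1"), (1, "pos2"), (2, "pos3"), (3, "pos4"), (4, "pos5"),
    (7, "pos6"),    # sixth distinct client inside 10 minutes: overage
    (12, "pos6"),   # pos1..pos3 have aged out: three active clients
]]

if __name__ == "__main__":
    print(min_tses(15))
    print(find_overages(SAMPLE_EVENTS))
    print(throttled_until(SAMPLE_EVENTS))
```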
What is the Swissbit Cloud TSE - which applications are supported?
The Swissbit Cloud-TSE is a cloud-based technical security device (TSE) to meet the legal requirements of fiscalization. In principle, all network-compatible POS solutions can be connected. Operation does not require the use of hardware at the cash register. This makes the solution ideal for cloud-based POS systems.
Are my data safe in the Swissbit Cloud TSE?
Your data is secured in two ways. On the one hand, the transmission of content between the local SMAERS component and the Cryptographic Service Provider (CSP) in the cloud is secured in a BSI-compliant manner using asymmetrical encryption. The TAR files are generated locally and encrypted before they are synchronized in the cloud. The key for decryption is only available to the taxpayer. On the other hand, communication between the local connector and the cloud is encrypted for transport in accordance with BSI specifications.
In this context, twofold security means: access to the data in the cloud firstly requires a login to the cloud and secondly the private key for decryption. Both are under the control of the taxpayer. The public key is on the cash register, the private key with the taxpayer.
Where can I order the Swissbit Cloud-TSE solution?
Please contact us at email@example.com to find out more about the sales channels.
For which industries (e.g. retail / gastronomy / hotel) is the Swissbit Cloud TSE suitable?
The solution can be integrated into all online-capable cash register and recording systems, regardless of the industry. If you are interested, ask your POS provider whether they have already connected the Swissbit Cloud TSE!
How does the connection of the Swissbit Cloud-TSE work in my POS system or my POS software?
Swissbit provides local cloud TSE connector software that is operated on the cash register and connects the cash register to the web service. The TSE and the cash register are managed via the customer portal. We provide technical details in the course of "onboarding".
What are the requirements for operating the Swissbit Cloud TSE?
An online connection in the recording system is required. The local connector is available for many current Windows and Linux versions. We provide technical details in the course of "onboarding".
What happens if the online connection fails?
If the online connection fails due to a technical fault, this is handled and documented in accordance with the law by the Swissbit Cloud TSE.
What are the costs?
One-time activation fee per cash register and annual subscription per cash register with a minimum term of 12 months. Details are provided through sales.
Is there a limit on the number of signatures?
No. Unlimited during subscription.