TR-03153 - discovered, explain
KassenSichV: Certified technical security equipment (TSE) is mandatory
In order to protect electronic cash register systems from unauthorised tampering, the integrity, authenticity and completeness of the recorded data must be guaranteed. This is made possible by the use of a technical security device (TSE), which protects and stores the data to be recorded. The TSE must be certified in accordance with BSI TR-03153.
The TSE is the central technical component for protecting basic records against subsequent manipulation. TR-03153 specifies which requirements it must fulfil, for example with regard to logging, storage or system functions.
The TSE basically consists of three components: a security module, a storage medium and a digital interface (input and export interface). They work together as follows.
The electronic recording system transmits the data to be secured to the TSE step by step via the input interface. The security module then assigns a unique consecutive transaction number, records the start, additions and end of the transaction and generates check values (signatures) with consecutive signature counters. The transaction data obtained in this way is ultimately stored on the storage medium. The saved data can be retrieved in a standardised format via the (export) interface for archiving or a cash register audit.
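To make the tamper-evidence mechanism described above concrete, here is a simplified model of the logging flow, added as an illustration; it is not code from the page, from a certified TSE or from TR-03153, and it does not use the standard's real log-message format. It assumes a single client, a toy process-data string and a constructed demo key. A real security module signs with an asymmetric key held inside certified hardware; an HMAC check value stands in here only so the example runs on the Python standard library. The audit routine shows what a cash register audit can detect from the export alone: an altered record (check value no longer matches), a deleted or reordered record (gap in the signature counter), and a transaction that was started but never finished.

```python
"""Simplified TSE model: consecutive transaction numbers, consecutive signature
counters, a check value per log message, and an audit over the export.
Educational model only; not the TR-03153 data format."""
import hashlib
import hmac
import json
from copy import deepcopy

# Constructed demo key (assumption for this example). A real TSE never exposes
# its signing key; it lives inside the certified security module.
DEMO_KEY = b"demo-security-module-key-not-for-production"


def canonical(msg: dict) -> bytes:
    """Bytes covered by the check value: every field except the signature, in fixed order."""
    body = {k: v for k, v in msg.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class SimulatedTSE:
    """Security module plus storage medium, reduced to the bookkeeping that
    gives tamper evidence."""

    def __init__(self, key: bytes):
        self._key = key
        self._next_transaction = 1   # unique, consecutive per TSE
        self._signature_counter = 0  # incremented for every check value issued
        self._open = set()           # transactions started but not yet finished
        self.storage = []            # the "storage medium": signed log messages

    def _record(self, operation: str, tx: int, process_data: str, log_time: int) -> dict:
        self._signature_counter += 1
        msg = {
            "transaction_number": tx,
            "operation": operation,
            "process_data": process_data,
            "log_time": log_time,
            "signature_counter": self._signature_counter,
        }
        # The check value binds all fields, so editing any stored value later
        # (amount, time, counter) invalidates it.
        msg["signature"] = hmac.new(self._key, canonical(msg), hashlib.sha256).hexdigest()
        self.storage.append(msg)
        return msg

    def start_transaction(self, process_data: str, log_time: int) -> int:
        tx = self._next_transaction
        self._next_transaction += 1
        self._open.add(tx)
        self._record("StartTransaction", tx, process_data, log_time)
        return tx

    def update_transaction(self, tx: int, process_data: str, log_time: int) -> None:
        if tx not in self._open:
            raise ValueError(f"transaction {tx} is not open")
        self._record("UpdateTransaction", tx, process_data, log_time)

    def finish_transaction(self, tx: int, process_data: str, log_time: int) -> None:
        if tx not in self._open:
            raise ValueError(f"transaction {tx} is not open")
        self._open.remove(tx)
        self._record("FinishTransaction", tx, process_data, log_time)

    def export(self) -> list:
        """Export interface: a copy of the stored log messages for archiving or audit."""
        return deepcopy(self.storage)


def audit_export(records: list, key: bytes) -> list:
    """Cash register audit over an export. Returns findings; an empty list means consistent."""
    findings = []
    expected_counter = 1
    next_tx = 1
    state = {}  # transaction number -> "open" or "closed"
    for i, rec in enumerate(records):
        expected_sig = hmac.new(key, canonical(rec), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_sig, rec["signature"]):
            findings.append(f"record {i}: check value mismatch (content altered)")
        if rec["signature_counter"] != expected_counter:
            findings.append(f"record {i}: signature counter {rec['signature_counter']}, "
                            f"expected {expected_counter} (record missing or reordered)")
        expected_counter = rec["signature_counter"] + 1
        tx, op = rec["transaction_number"], rec["operation"]
        if op == "StartTransaction":
            if tx != next_tx:
                findings.append(f"record {i}: transaction number {tx}, expected {next_tx}")
            next_tx = tx + 1
            state[tx] = "open"
        else:
            if state.get(tx) != "open":
                findings.append(f"record {i}: {op} for transaction {tx} that is not open")
            if op == "FinishTransaction":
                state[tx] = "closed"
    for tx, s in state.items():
        if s == "open":
            findings.append(f"transaction {tx} was started but never finished")
    return findings


def build_sample_export() -> list:
    """Constructed sample: two small cash sales recorded through the simulated TSE."""
    tse = SimulatedTSE(DEMO_KEY)
    t1 = tse.start_transaction("receipt opened", 1700000000)
    tse.update_transaction(t1, "item: coffee 2.50 EUR", 1700000005)
    tse.finish_transaction(t1, "total 2.50 EUR, paid cash", 1700000010)
    t2 = tse.start_transaction("receipt opened", 1700000020)
    tse.finish_transaction(t2, "total 4.00 EUR, paid cash", 1700000030)
    return tse.export()


if __name__ == "__main__":
    records = build_sample_export()
    print("clean export:", audit_export(records, DEMO_KEY))
    altered = deepcopy(records)
    altered[2]["process_data"] = "total 0.50 EUR, paid cash"
    print("amount changed after the fact:", audit_export(altered, DEMO_KEY))
    print("start record deleted:", audit_export(records[:3] + records[4:], DEMO_KEY))
```

The point of the model is that none of the checks need the cash register's own data: the export alone carries enough structure (consecutive counters, consecutive transaction numbers, start/finish pairing, a check value per message) for an auditor to tell a complete, unaltered record from a manipulated one.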
The KassenSichV applies to all electronic or computerised cash register systems or cash registers that are used for the sale of goods or the provision of services, as well as to electronic recording systems that are specialised for billing such sales and have a "cash register function".
Electronic recording systems have a cash register function if they can be used to record and process payment transactions that are at least partly settled in cash. This also applies to comparable electronic forms of payment used on site (e.g. cash cards, virtual accounts or bonus point systems from third-party providers) as well as to vouchers, credit cards, receipts and the like that are accepted instead of cash.
It is not necessary to have a storage facility for the managed cash stock (e.g. cash drawer).
From January 2020, there is a general obligation to use an electronic recording system with certified technical security equipment. If companies have already started to make the necessary technical adjustments and upgrades before 31 December 2019, the non-objection rule also applies.
An exception applies to cash registers that were purchased after 25 November 2010 and before 1 January 2020 and meet the requirements of the Cash Register Directive. If these cannot be upgraded due to their design, they may continue to be used until 31 December 2022 at the latest.
For companies that began making the necessary technical adjustments and upgrades before 31 December 2019, the Federal Ministry of Finance's non-objection rule applies. In this case, no objections will be raised until 30 September 2020 if electronic recording systems do not yet have a certified technical security device.
Neither cash register systems or cash registers nor their software are certified. Only the installed or remotely connected TSE is certified.
Proof of the security requirements must be provided by means of security certifications in accordance with Common Criteria with the following protection profiles:
For cloud-based solutions, the CSP component can be operated centrally in a secure data centre. If a sufficiently high physical and organisational security level for the data centre is demonstrated, security certification can alternatively be carried out in accordance with the following protection profiles:
As part of the introductory phase, the BSI allows a limited transition phase for certification. During this transition phase, a CC certification of the security module that has not yet been completed in accordance with the PP-CSP protection profile can be replaced by a favourable opinion from the BSI.
Further information can be found on the website of the BSI.
The actual certification is carried out by the BSI as the certification body. However, the basic prerequisite for this certification is testing by a recognised testing body such as TÜViT. The test is supervised by the BSI and the certificate is issued accordingly if the result is positive.
An overview of other frequently asked questions and answers can be found on the BSI website.
The certificates for a TSE are usually limited to five years. They can be extended by means of a reassessment. If weaknesses are identified during the reassessment that can be rectified by a software update, recertification is necessary.