POS Systems

Electronic POS Systems: TR and CC Certification with TÜVIT

From 2020 on, every electronic recording system must have a certified technical security system (CTSS) that meets the requirements of the Federal Office for Information Security (BSI) and the Kassensicherungsverordnung (KassenSichV). From then on, a corresponding certificate is required as proof that the CTSS complies with the requirements of Technical Guideline BSI TR-03153. In addition, the security module of the CTSS must be certified according to the Common Criteria. TÜVIT is recognized by the BSI both as an evaluation body for TR-03153 / TR-03151 and as an evaluation body for IT security according to the international Common Criteria standard. We can therefore offer you both services from a single source.

KassenSichV: Compulsory certification from 2020

As part of the fiscalisation process, electronic or computerized POS systems and cash registers must have a certified technical security system (CTSS) from January 2020. The requirements to be fulfilled are laid down in TR-03153 "Technical Security Device for Electronic Recording Systems".

At the same time, the security module of the CTSS must be evaluated and certified according to the Common Criteria (CC). Within the scope of the required CC certifications, conformity with the protection profiles [BSI PP-CSP] and [BSI PP-SMAERS] must be demonstrated.

The aim is to protect the systems against unauthorised interventions and manipulation and thereby guarantee the integrity, authenticity and completeness of the corresponding data.

Our Services in the Field of Electronic Recording Systems

Online: Orientation Webinar "POS Systems"

In an individual webinar, held exclusively for your company, our experienced speakers cover the topic of POS systems. In addition to information on the current legal situation, the associated requirements and a market overview of CTSS solutions that have already been certified, the webinar also examines the procedure for an evaluation, test or certification of self-developed CTSS solutions.

Specific Information and Preparation Workshop

Our one to two-day information and preparation workshop will prepare you optimally and effectively for an upcoming evaluation according to TR-03153 or an evaluation according to the Common Criteria. At the heart of the workshop is a gap analysis which is intended to show you, the manufacturer, where you currently stand and what precautions you still have to take to ensure successful certification.

Common Criteria: Evaluation of the Security Module

As one of the world's leading testing service providers for Common Criteria, we evaluate your security module and support you on your way to successful CC certification against the protection profiles BSI PP-SMAERS and BSI PP-CSP.

Evaluation according to BSI TR-03153 and Preparation for Certification

We accompany you along the entire TR certification process: our experienced IT security experts test your technical security device against the requirements of TR-03153. Our test report serves as the basis for the issuance of the required TR certificate by the BSI.

Useful Information about BSI TR-03153

Frequently Asked Questions (FAQ):

What is a CTSS?

The certified technical security system (CTSS) represents the central technical component for protecting the fundamental recordings of POS systems against subsequent manipulation.

As a matter of principle, the CTSS has three components:

  • A security module for signature creation: This ensures that cash register entries are logged and electronically signed at the beginning of the recording process. As a result, they cannot be manipulated unnoticed at a later point in time.

  • A non-volatile storage medium: The individual records are stored on this medium temporarily or for the period of the legal storage obligation.

  • A uniform digital interface (API): A distinction must be made here between an optional uniform input interface and a mandatory uniform export interface for archiving or a cash audit.

Who is affected by the KassenSichV?

The KassenSichV applies to all electronic or computer-aided POS systems or cash registers which are used for the sale of goods or the provision of services and to electronic recording systems which have been specifically adapted to their accounting and which have a "cash register function".

Electronic recording systems have a cash register function if they can be used, at least partially, for recording and processing cash payment transactions. This also applies to comparable electronic forms of payment which are used locally (e.g. cash cards, virtual accounts or bonus point systems of third parties), as well as to vouchers, prepaid cards, tokens and the like which are accepted instead of money.

A facility for storing the cash handled (e.g. a cash drawer) is not required for a system to have a cash register function.

What are the transitional arrangements?

As of January 2020, there is a general obligation to use an electronic recording system with a certified technical security system. If a company had already begun the technically required adjustments and upgrades before 31 December 2019, the non-objection rule also applies.

An exception applies to cash registers that were purchased after 25 November 2010 and before 1 January 2020 and which meet the requirements of the Cash Directive. If they cannot be upgraded due to their design, they may continue to be used until 31 December 2022 at the latest.

What is the non-objection rule?

For companies that began making the technically required adjustments and upgrades before 31 December 2019, the non-objection rule of the Federal Ministry of Finance applies. In this case, no objection will be raised until 30 September 2020 if electronic recording systems do not yet have a certified technical security system.

Does every cash register have to be certified?

No. POS systems, cash registers and their software are not certified themselves. Only the installed or remotely connected CTSS is certified.

Are there any further questions on your part? We will be pleased to answer them in a personal discussion or by e-mail.

Further Information on the CC Certifications of the CTSS

Frequently Asked Questions (FAQ):

According to which protection profiles must the security module be certified?

Proof of the security requirements must be provided by security certifications in accordance with the Common Criteria against the following protection profiles:

  • CC certification according to the BSI PP-SMAERS protection profile
  • CC certification according to the BSI PP-CSP protection profile

With cloud-based solutions, the CSP component can be operated centrally in a secure data center. If a sufficiently high physical and organizational security level for the data center is demonstrated, security certification according to the following protection profiles can be carried out as an alternative:

  • CC certification according to the BSI-CC-PP-0105-yyyy (SMAERS) protection profile
  • CC certification according to the BSI-CC-PP-0111-2019 (CSP Light) protection profile

What are the transitional arrangements?

As part of the introductory phase, the BSI allows a temporary transition period for certification. Within this transition period, a CC certification of the security module according to the PP-CSP protection profile that has not yet been completed can be replaced by a positive BSI expert opinion.

Who certifies the security module of the CTSS?

The actual certification is carried out by the BSI as the certification body. The basic prerequisite for this certification, however, is an evaluation by a recognized evaluation body such as TÜVIT. The BSI accompanies the evaluation and issues the certificate if the result is positive.

How long is the certification valid?

The certificates for a CTSS are usually limited to five years. They may be extended by means of a reassessment. If vulnerabilities that can be remedied by a software update become known during the reassessment, recertification is required.

Are there any further questions on your part? We will be pleased to answer them in a personal discussion or by e-mail.