TSS Cer­ti­fi­ca­ti­on pro­cess

Here is how the eva­lua­ti­on pro­cess of the BSI looks like

We show how the TSS cer­ti­fi­ca­ti­on pro­cess runs and exp­lain why the time is cur­r­ent­ly the big­gest chal­len­ge of the Kas­sen­SichV in this con­text.

Simon Tragatschnig

Simon Tra­gatsch­nig

Unter­neh­mer, Finanz & Tech­nik-Exper­te

The new regu­la­ti­ons invol­ved by the Kas­sen­SichV are a chal­len­ge for many com­pa­nies. Howe­ver, the cru­ci­al pro­blem right now is time pres­su­re. The law now pro­vi­des that all record­ing sys­tems must comply with the Kas­sen­SichV as of 1.1.2020. This means in theory that alrea­dy cer­ti­fied tech­ni­cal secu­ri­ty sys­tems must be used. We exp­lain what the cer­ti­fi­ca­ti­on pro­cess looks like and what the “pro­vi­sio­nal release” of the BSI is all about.

Pro­cess and dura­ti­on of the TSS cer­ti­fi­ca­ti­on

The BSI (Federal Office for Infor­ma­ti­on Secu­ri­ty) spe­ci­fies which tech­ni­cal requi­re­ments have to be met in order to achie­ve the goal of the Kas­sen­SichV. First­ly, through the tech­ni­cal gui­de­li­nes for the TSS and second­ly through the pro­tec­tion pro­files for SMA (Secure Module App­li­ca­ti­on) and CSP (Crypto Ser­vice Pro­vi­der).

The BSI spe­ci­fies the requi­re­ments to be met by the TSS manu­fac­tu­rer. A com­pa­ny accredi­ted by the BSI (eva­lua­tor) vali­da­tes the imple­men­ta­ti­on of the pro­duct.

Eva­lua­tors are the cer­ti­fied test cen­tres for eva­lua­ti­on accord­ing to the Common Cri­te­ria spe­ci­fi­ca­ti­ons. In Ger­ma­ny, there are seven eva­lua­ti­on bodies that have been accredi­ted by the BSI and are allo­wed to carry out this exami­na­ti­on:

  • atsec infor­ma­ti­on secu­ri­ty GmbH
  • Deut­sches For­schungs­zen­trum für Künst­li­che Intel­li­genz (DFKI) GmbH
  • MTG AG
  • secu­ve­ra GmbH
  • SRC Secu­ri­ty Rese­arch & Con­sul­ting GmbH
  • T‑Systems Inter­na­tio­nal GmbH
  • TÜV Infor­ma­ti­ons­tech­nik GmbH

The BSI cer­ti­fi­ca­ti­on comes into play only after the eva­lua­ti­on is com­ple­ted. Here, the BSI con­firms that the system of the tech­ni­cal secu­ri­ty system has been cor­rec­t­ly imple­men­ted in accordance with the app­li­ca­ble regu­la­ti­ons.

How is the cer­ti­fi­ca­ti­on of the Tech­ni­cal Secu­ri­ty System achie­ved?

The solu­ti­on approach is descri­bed by the manu­fac­tu­rer in a so-called Secu­ri­ty Target. Sub­se­quent­ly, an app­li­ca­ti­on for eva­lua­ti­on is sub­mit­ted to the BSI. From now on there will be a lively exchan­ge bet­ween BSI, Eva­lua­tor and the manu­fac­tu­rer. If requested by the manu­fac­tu­rer, the BSI publishes the sub­mit­ted system on its web­site with the note “In eva­lua­ti­on”.

The eva­lua­ti­on is car­ri­ed out by the eva­lua­ti­on part­ner and takes six to nine months. The result of the eva­lua­ti­on is pre­sen­ted to the BSI. The BSI reviews the results and issues the cer­ti­fi­ca­ti­on. The cer­ti­fi­ca­ti­on is valid for 5 years.

 

Tran­si­tio­nal period: Pro­vi­sio­nal release of the TSS by the BSI

The Kas­sen­SichV sti­pu­la­tes that the tech­ni­cal safety equip­ment must be cer­ti­fied by 01.01.2020. Howe­ver, this time frame cannot be met by TSS manu­fac­tu­rers due to the long dura­ti­on of the eva­lua­ti­on pro­cess. The­re­fo­re, the BSI can announ­ce a pro­vi­sio­nal release for those sys­tems under eva­lua­ti­on within a tran­si­tio­nal period. This means that the sys­tems under eva­lua­ti­on may actual­ly be put into ope­ra­ti­on accord­ing to the Kas­sen­SichV.

A CSP (Crypto Ser­vice Pro­vi­der) is requi­red for the TSS to func­tion. The spe­ci­fi­ca­ti­ons for CSP are cur­r­ent­ly being revi­sed.

 

Test Kas­sen­SichV API now!

What can now be done by the entre­pre­neurs to pre­pa­re them­sel­ves for the Kas­sen­SichV as well as as pos­si­ble?

  • Keep an eye on which pro­vi­ders are eva­lua­ted by the BSI and test the inte­gra­ti­on of TSS into your system now.
  • Find out which chan­ges need to be made to your exis­ting system.
  • Imple­ment the necessa­ry chan­ges accord­in­gly. You can expect this to take weeks or even months, depen­ding on the system.

Our tip: Ide­al­ly, every manu­fac­tu­rer of a record­ing system or cash regis­ter should alrea­dy be working on how to inte­gra­te a TSS into their system. If you haven’t done any work in this direc­tion yet, it’s high time!

You might also be inte­rested in this:

Part­nership of fis­ka­ly GmbH with EFSTA

Part­nership of fis­ka­ly GmbH with EFSTA: effi­ci­ent and cost-effec­­­ti­­ve imple­men­ta­ti­on of Kas­sen­si­che­rungs­ver­ord­nung From Octo­ber 2020, cash regis­ter sys­tems must be adap­ted in accordance with the

Read more»