TSS Certification process

This is what the BSI evaluation process looks like

We show how the TSS certification process works and explain why time is currently the biggest challenge of the KassenSichV in this context.

Simon Tragatschnig

Entrepreneur, finance & technology expert

The new regulations introduced by the KassenSichV are a challenge for many companies. However, the crucial problem right now is time pressure. The law now provides that all recording systems must comply with the KassenSichV as of 1.1.2020. In theory, this means that already certified technical security systems must be used. We explain what the certification process looks like and what the “provisional release” of the BSI is all about.

Process and duration of the TSS certification

The BSI (Federal Office for Information Security) specifies which technical requirements have to be met in order to achieve the goal of the KassenSichV. It does so firstly through the technical guidelines for the TSS and secondly through the protection profiles for the SMA (Secure Module Application) and the CSP (Crypto Service Provider).

The BSI specifies the requirements to be met by the TSS manufacturer. A company accredited by the BSI (evaluator) validates the implementation of the product.

Evaluators are the certified test centres for evaluation according to the Common Criteria specifications. In Germany, there are seven evaluation bodies that have been accredited by the BSI and are allowed to carry out this examination:

  • atsec information security GmbH
  • Deutsches Forschungszentrum für Künstliche Intelligenz (DFKI) GmbH
  • MTG AG
  • secuvera GmbH
  • SRC Security Research & Consulting GmbH
  • T-Systems International GmbH
  • TÜV Informationstechnik GmbH

The BSI certification comes into play only after the evaluation is completed. Here, the BSI confirms that the technical security system has been correctly implemented in accordance with the applicable regulations.

How is the certification of the Technical Security System achieved?

The manufacturer describes its solution approach in a so-called Security Target. Subsequently, an application for evaluation is submitted to the BSI. From this point on, there is a lively exchange between the BSI, the evaluator and the manufacturer. If requested by the manufacturer, the BSI publishes the submitted system on its website with the note “In evaluation”.

The evaluation is carried out by the evaluation partner and takes six to nine months. The result of the evaluation is presented to the BSI. The BSI reviews the results and issues the certification. The certification is valid for 5 years.

 

Transitional period: Provisional release of the TSS by the BSI

The KassenSichV stipulates that the technical security system must be certified by 01.01.2020. However, TSS manufacturers cannot meet this time frame due to the long duration of the evaluation process. Therefore, the BSI can announce a provisional release for those systems under evaluation within a transitional period. This means that the systems under evaluation may actually be put into operation according to the KassenSichV.

A CSP (Crypto Service Provider) is required for the TSS to function. The specifications for CSP are currently being revised.

 

Test KassenSichV API now!

What can entrepreneurs do now to prepare for the KassenSichV as well as possible?

  • Keep an eye on which providers are evaluated by the BSI and test the integration of TSS into your system now.
  • Find out which changes need to be made to your existing system.
  • Implement the necessary changes accordingly. You can expect this to take weeks or even months, depending on the system.

Our tip: Ideally, every manufacturer of a recording system or cash register should already be working on how to integrate a TSS into their system. If you haven’t done any work in this direction yet, it’s high time!
