TSS Certification process.
Here is what the BSI evaluation process looks like: we show how the TSS certification process runs and explain why time is currently the biggest challenge of the KassenSichV in this context.
The regulations surrounding the German KassenSichV are a challenge for many companies. Since 1.1.2020, all recording systems must comply with the KassenSichV. This means that certified technical security systems must be used. We explain what the BSI certification process looks like.
Procedure and duration of the TSS evaluation
The BSI (German Federal Office for Information Security) specifies which technical requirements must be met in order to achieve the objective of the KassenSichV. It does so in two ways: first through the technical guidelines for TSS, and second through the protection profiles for SMA (Secure Module Application) and CSP (Crypto Service Provider). The BSI specifies the requirements to be met by the TSS manufacturer. A BSI-accredited company (evaluator) validates the implementation of the product. The evaluators are certified test centers for evaluation according to Common Criteria specifications. In Germany, seven evaluators have been accredited by the BSI and are allowed to perform this testing:
- atsec information security GmbH
- German Research Center for Artificial Intelligence (DFKI) GmbH
- MTG AG
- secuvera GmbH
- SRC Security Research & Consulting GmbH
- T-Systems International GmbH
- TÜV Information Technology GmbH
Only after the evaluation has been completed does the BSI certification come into play. This is where the BSI confirms that the technical security system has been implemented correctly in accordance with the applicable requirements.
How is the certification of the technical security system achieved?
The manufacturer describes the solution approach in a so-called security target. An application for evaluation is then submitted to the BSI. From this point on, there is a lively exchange between the BSI, the evaluator, and the manufacturer. If requested by the manufacturer, the BSI publishes the submitted system on its website with the note "In Evaluation".
The evaluation is handled by the evaluation partner and takes six to nine months. The result of the evaluation is submitted to the BSI. The BSI reviews the results and issues the certification. The certification is valid for 5 years.
Transitional period: The preliminary approval of the TSS by the BSI
The KassenSichV stipulated that the technical security system must be certified by 1.1.2020. However, this timeframe was not feasible for TSS manufacturers due to the long duration of the evaluation process. Therefore, the BSI was able to issue a provisional clearance during a transition period for those systems that were under evaluation. This meant that the systems under evaluation could actually be put into operation according to the KassenSichV.
Test KassenSichV API now
What can business owners do to best equip themselves for the German KassenSichV? Keep an eye on which providers have been certified by the BSI and test the integration of the TSS into your system. Find out what changes need to be made to your existing system. Implement the necessary changes in a timely manner. fiskaly SIGN DE can be tested free of charge and integrated quickly.
Our tip: Ideally, every manufacturer of a recording system or cash register should already be working on how to integrate a TSS into their system. If you haven’t done any work in this direction yet, it’s high time!