Several EU member states have adopted the new online fiscalization model – Croatia, Slovenia, and the Czech Republic being the first three to adopt this concept. They will be joined by Montenegro very soon, and Slovakia joined only last year.
The country replaced its long-standing system, which was based on fiscal memory, with a new online model called “eKasa.” This was already announced in one of the SDC articles, and it was praised as something that would bring a lot of useful security benefits to taxpayers and the tax authority.
This new online model got its name from the way it works. Every single receipt is digitally signed (ID Code 2) on the tax authority’s server in real time. The signed receipt is then returned to the POS or cash register so that it can be issued to the customer. Although seemingly perfect, this model comes with a flaw that allows for easy unauthorized access into it.
The problem appears if the Internet connection breaks. Normally, the digitally signed receipt is returned by the server in real time to the cash register or POS and immediately handed over to the customer. Without a connection, the receipt issued to the customer is not digitally signed by the tax authority itself, but carries only ID Code 1, created by the POS or cash register. This means that an online receipt has both identification codes, while one created without the Internet connection has only one (ID Code 1).
When this happens, the taxpayer must send the receipt with ID Code 1 to the tax authority’s server so it can be additionally signed and archived. Once this is complete, the customer can check the receipt via the verification process, because it is now located on the server.
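The online and offline paths described above can be modelled as follows. This is an added example, not code from eKasa or from the original article: the function names, receipt fields and keys are hypothetical, and HMAC stands in for the real signature schemes. It shows why a receipt carrying only ID Code 1 cannot be confirmed by the customer until the taxpayer has sent it to the server.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed keys; HMAC stands in for the real signature schemes (assumption).
POS_KEY = b"constructed-pos-key"
SERVER_KEY = b"constructed-tax-authority-key"

def _mac(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()

@dataclass
class Receipt:
    number: str
    total_cents: int
    id_code_1: str                   # created locally by the POS or cash register
    id_code_2: Optional[str] = None  # created by the tax authority's server

def server_register(server: dict, r: Receipt) -> str:
    """Tax authority side: sign the receipt (ID Code 2) and archive it."""
    code2 = _mac(SERVER_KEY, f"{r.number}|{r.total_cents}|{r.id_code_1}".encode())
    server[r.number] = (r.id_code_1, code2)
    return code2

def issue(server: dict, number: str, total_cents: int, online: bool) -> Receipt:
    """POS side: always create ID Code 1; obtain ID Code 2 only when online."""
    code1 = _mac(POS_KEY, f"{number}|{total_cents}".encode())
    r = Receipt(number, total_cents, code1)
    if online:
        r.id_code_2 = server_register(server, r)
    return r

def verify(server: dict, r: Receipt) -> str:
    """Customer-side check of a receipt against the server's archive."""
    record = server.get(r.number)
    if record is None:
        return "unverifiable"        # offline receipt not (yet) sent to the server
    code1, code2 = record
    if not hmac.compare_digest(code1, r.id_code_1):
        return "mismatch"
    if r.id_code_2 is None:
        return "offline-registered"  # uploaded later; paper copy has ID Code 1 only
    return "online" if hmac.compare_digest(code2, r.id_code_2) else "mismatch"

def pending_upload(server: dict, issued: list) -> list:
    """Receipts with only ID Code 1 that the server has never seen."""
    return [r.number for r in issued if r.id_code_2 is None and r.number not in server]
```

An auditor comparing the register's own journal against the server archive with `pending_upload` sees exactly the receipts that exist on paper but not at the tax authority.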
Unfortunately, this is a flaw that Croatia’s new fiscal system is facing as well. The moment there is no Internet connectivity, a huge security loophole appears in the system.
This time, a Czech IT company, called Nethemb, decided to prove the flaw in the Slovakian system and bring awareness to it. They created a software image of the repository (a so-called emulator) and used it in place of the state-certified box. This way, both the customer and the tax authority have been tricked. The customer receives a fake receipt, and the tax authority doesn’t receive any information about this receipt being issued or even existing. Moreover, the receipt will never be received in the protected data storage. The emulator also replaces the POS or cash register identification data with random characters, which makes the device no longer identifiable.
Is there a solution to this problem? Most definitely, yes. You can contact us for more info on this topic.
Countries such as Germany, Austria, Belgium, and many others use a different model. In their scenario, a tax authority must digitally sign every single receipt at the moment of its creation. This can be done by providing a taxpayer with a secure element that must be at the same location where the receipts are digitally signed. Customers can verify the received receipts as well.
There are many models implemented by different tax authorities, each different in their own way, but some countries definitely managed to stand out by using the latest technology as their ally in fighting the grey economy.