Nowadays it should hardly be necessary to talk about password security. Having a strong password (sufficiently long, unique per service and not guessable from personal details) goes without saying, and changing it when there is any reason to think it has been exposed has become second nature to most of us. But what about a cash register: how secure does it have to be?
Security through certification or attestation?
Here the password analogy applies again: what security level do I actually want?
In France, a cash register system is considered secure as soon as it complies with the ISCA rules (inalterability, security, conservation and archiving of the recorded data). Meeting these rules is demanding in itself: it requires work from the cash register manufacturer in the software architecture, in the processes used during software development, in quality management and also in the update process.
Once all these requirements are met, the cash register is compliant, or, as people like to say, it is secure. The last small step can then be the confirmation by a self-attestation: a simple template which the manufacturer fills in and hands over to the POS operator.
Or the more demanding route of certification is chosen. In this case, compliance with the ISCA rules is checked by an independent certification body, which issues a certificate at the end. The POS operator also receives this certificate as proof that the cash register complies with the law.
Staying secure with a certificate or an attestation?
Here, too, there is a parallel to the password: the longer it has been in use, the less you can rely on it.
It is the same with the attestation. Small changes to the user interface, or new features that do not touch the fiscal functions, are made quickly: the POS operator gets an update and everyone is happy. But weeks, months or sometimes only days later, a deeper change is made to the POS software, for example a new data field is added to the receipt or the way the archives are created changes. From that moment the attestation that was issued no longer covers the installed software. Every POS operator must now receive a new attestation for the current version, just as you would change a password again.
It is similar with certification, only here the POS manufacturer is obliged to keep it current. Every year the POS system has to go back to the certification body's test bench and a new certificate is issued, which is again made available to the POS operator. If the manufacturer does not undergo the annual audit, the certificate lapses after 12 months at the latest and the POS system no longer complies with the law.
One thing matters on both routes: the software and its certificate or attestation must be kept as current as the password, because in the event of an audit by the tax authorities the valid document for the installed version must be presented.
Simply stay compliant!
Is the data in a compliant cash register secure?
Then there is the next level of cash register security. Just as you can lose your password, cash register data can disappear.
The tax authorities require a fiscal archive of the cash register data. Every POS manufacturer offers one, otherwise the POS system would not be compliant. But what about the storage? The POS operator dutifully saves the data to a USB stick, there is enough space on it. Years go by, and suddenly the USB stick cannot be found while the tax auditor is standing at the door. Now the POS operator really has a problem, because the data was not stored safely.
It is even worse if the cash register unexpectedly fails or is stolen. Where is all the data of the last hours, days, weeks or even months? Gone, because a backup is usually forgotten in the rush of daily business. It would be far better if this data were mirrored to an external storage location, ideally automatically and without any user intervention, and if the mirror were checked regularly so that a missing or corrupted copy is noticed before the audit rather than during it.
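The following script sketches what "mirrored automatically and checked regularly" can look like in practice. It is an added example, not code from the original post or from any POS vendor: it copies every file of an archive directory to a mirror location, writes a SHA-256 manifest next to the copies, and later verifies the mirror against that manifest so that a file that has gone missing (the lost USB stick) or been altered is reported rather than discovered during the audit. The directory names and the sample archive contents are constructed for the demonstration.

```python
"""Mirror a fiscal archive directory and verify the copies by SHA-256.

Added example (not the original post's or any vendor's code). Assumes the
archive is a plain directory of files written by the POS; paths and the
sample receipts below are constructed for the demonstration.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large archive files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def mirror_archive(source: Path, mirror: Path) -> dict:
    """Copy every file under `source` to `mirror` and verify each copy by hash.

    Returns the manifest {relative_path: sha256} that was written to the mirror.
    Files already present with a matching hash are left alone, so the function
    can run unattended (e.g. from a scheduler) after every archive export.
    """
    manifest = {}
    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src.relative_to(source).as_posix()
        dst = mirror / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        digest = sha256_of(src)
        if not dst.exists() or sha256_of(dst) != digest:
            shutil.copy2(src, dst)
            # Read the copy back: a silently failed write would otherwise go unnoticed.
            if sha256_of(dst) != digest:
                raise IOError(f"mirror copy of {rel} does not match the source")
        manifest[rel] = digest
    (mirror / MANIFEST_NAME).write_text(
        "".join(f"{digest}  {rel}\n" for rel, digest in manifest.items())
    )
    return manifest


def verify_mirror(mirror: Path) -> dict:
    """Check the mirror against its manifest; return {relative_path: status}.

    Status is "ok", "missing" (file gone) or "tampered" (content changed).
    """
    results = {}
    for line in (mirror / MANIFEST_NAME).read_text().splitlines():
        digest, rel = line.split("  ", 1)
        p = mirror / rel
        if not p.exists():
            results[rel] = "missing"
        elif sha256_of(p) != digest:
            results[rel] = "tampered"
        else:
            results[rel] = "ok"
    return results


def demo() -> dict:
    """Build a constructed archive, mirror it, damage the mirror, and verify."""
    base = Path(tempfile.mkdtemp())
    source, mirror = base / "pos_archive", base / "mirror"
    source.mkdir()
    # Constructed sample archive files (not real receipts).
    (source / "archive_2023-01.txt").write_text("receipt 1;10.00\nreceipt 2;4.50\n")
    (source / "archive_2023-02.txt").write_text("receipt 3;7.20\n")
    (source / "archive_2023-03.txt").write_text("receipt 4;3.10\n")
    mirror_archive(source, mirror)

    # Simulate the two failure modes from the text: a file disappears and a
    # file is altered after the mirror was written.
    (mirror / "archive_2023-02.txt").unlink()
    (mirror / "archive_2023-01.txt").write_text("receipt 1;1.00\n")
    return verify_mirror(mirror)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

The manifest uses the two-space `sha256sum` layout, so `sha256sum -c MANIFEST.sha256` on the mirror gives the same check without this script. The mirror only helps if the POS itself cannot delete or overwrite it: write it to a destination with append-only or retention semantics (a share the POS user can only write new files to, or object storage with a retention policy), otherwise a stolen or compromised register takes the mirror with it.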