2

2.1. Accredited POS

An accredited POS is responsible for submitting transaction data on receipts to E-SDC for fiscalisation and for printing fiscal invoices received from the SDC.

When the E-SDC is restarted, the user is required to enter the PIN code to authorise E-SDC to access the secure element.

2.2. E-SDC

High-Level Requirements are:

• 1.An E-SDC will sign a receipt only if the previous receipt is signed by the same digital certificate unless—
  • •the last operation was local or remote audit; or
  • •the E-SDC memory is empty — no receipts have been signed by this device since the beginning of an audit operation.
• 2.The E-SDC will submit proof of audit that will be generated by the Service’s system to the secure element to reset maximum invoice amount counter to zero as soon as the E-SDC receives that piece of information as web response in case of remote audit or from a SD card in case of a local audit.
• 3.The E-SDC will process all commands received from the Service’s system in a consecutive order. These commands might include time synchronisation, locking of the device and so forth.
• 4.The E-SDC does not have to keep audit data that is submitted and successfully stored on the Service’s system.
• 5.The E-SDC encrypts audit data and stores it locally in an encrypted form.
• 6.The E-SDC is required to keep audit data locally until proof of audit has been received from the Service’s system that the audit data has been securely stored on the Service’s system.
• 7.The E-SDC should not store the secure element’s PIN Code except in the working memory. Once the E-SDC is restarted, the cashier will be required to enter the PIN Code again.

2.3. Fiscalisation of Normal Receipt

Processes are:

• 1.the accredited POS generates a receipt;
• 2.the accredited POS sends the receipt and journal template to E-SDC;
• 3.the E-SDC verifies the format of the receipt;
• 4.the E-SDC verifies if tax calculation is correct based on applied tax rates;
• 5.the E-SDC sends the receipt to the secure element for fiscalisation providing current date and time and PIN code/password for digital certificate;
• 6.the secure element verifies if all amounts are positive numbers;
• 7.the secure element calculates internal data and encrypts it with the Service’s system public key;
• 8.the secure element signs the receipt;
• 9.the E-SDC produces a journal file;
• 10.the E-SDC stores the receipt with signature and journal in one package, generates one-time key and encrypts a package using symmetric algorithm. The E-SDC encrypts one-time symmetric key using the Service’s system public key and adds it to the package so that the Service’s system can decrypt symmetric key and access package content once it arrives on the Service’s system.

2.4. Dump Audit Data Kept on E-SDC when Secure Element is Damaged

If the secure element is damaged and data cannot be restored from the card, but the E-SDC is operational, the Service will be able to dump data from E-SDC device and upload audit data using the same application used to upload audit data submitted by a taxpayer.

2.5. E-SDC Process Commands Sent from Service’s Systems

Commands are means of communication between the Service’s system and occasionally connected E-SDC. Commands are stacked in the queue list on the server for specific E-SDC and submitted to the E-SDC as part of the response once it reports to the Service’s system using remote or local audit.

2.5.1. Synchronisation of E-SDC Clock Online

The E-SDC will check the time server specified in configuration and keep internal clock in sync.

2.5.2. Lock/Unlock Card

• 1.Lock/Unlock command is issued by the Service’s system in case the CEO suspects that illegal activities are carried out by the taxpayer or in case the secure element has to be disabled due to the outstanding debt to supplier.
• 2.Content of command is verified by the secure element and the state is changed accordingly.
• 3.If the secure element is locked, no new receipts of any type may be signed by the secure element.

2.5.3. Update Maximum Allowed Sum of Fiscal Invoice Amounts

• 1.Maximum allowed sum of fiscal invoice amounts limit is set by the Service’s system on the secure element during personalisation for a particular taxpayer or during exploitation if for any reason that limit has to be increased or decreased by the Service.
• 2.Content of command is verified by the secure element and the limit is changed to the new value. Once new value is applied, all new fiscal invoices are verified against the new limit. Changing this value on the fly has the same technical implications.

2.5.4. Apply New Tax Rates

The E-SDC has to prevent fiscalisation of receipts with invalid tax rates.

The E-SDC will keep current and all new tax rates (with effective dates) in memory.

2.6. E-SDC

This paragraph describes specifics of an E-SDC.

An E-SDC can work in the following modes:

2.6.1 Offline

In the offline mode, the secure element signs a receipt and the E-SDC device stores it locally in a secure manner.

2.6.2 Semi-offline

In the semi-offline mode, the secure element signs a receipt and the E-SDC device will immediately try to contact the Service’s system and perform remote audit. If the Service’s system is not accessible, the E-SDC will switch to offline mode.

2.7. Authentication

Authentication against the Service’s system is performed using taxpayer digital certificate.