Skip to content
v26.3

TSE & Tax Office

Since January 1, 2020, a Technische Sicherheitseinrichtung (TSE) (Technical Security Device) has been mandatory for POS systems in Germany (KassenSichV, §146a AO). DiKAS is fully TSE-compliant and signs all fiscally relevant transactions in accordance with AEAO on §146a AO.

For tax auditors:TSE Compliance — Documentation for tax auditors (detailed technical description)

For users:TSE Guide in the User Manual (setup and operation)

What is a TSE?

A TSE is a certified security module that digitally signs every POS transaction. The tax office (Finanzamt) can use it to verify whether POS data has been tampered with after the fact.

TSE in DiKAS

DiKAS signs all fiscally relevant transactions — not just invoices:

Transaction ProcessType Entity Description
Receipts Kassenbeleg-V1 Receipt Every payment (direct sale, table payment)
Voids Kassenbeleg-V1 Receipt Every receipt void
Orders Bestellung-V1 OpenBon Every order in table service
Batch orders Bestellung-V1 OpenBon Batch orders (signature on lead receipt)
Shift opening SonstigerVorgang Exchange Every shift opening
Shift closing SonstigerVorgang Exchange Every shift closing
End-of-day reports SonstigerVorgang DayClose Every Z-report
Expenses SonstigerVorgang Spending Every cash withdrawal

Architecture

Signing Flow

Handler (e.g. ProcessDirectSaleCommand)
    → TseSigningHelper.SignReceiptAsync()
        → Load BackendConfig (TSE enabled?)
        → Check ITseService.IsAvailable
        → Build ProcessData
        → Resolve ClientId (CashPointSerial → BonIdServer → "1")
        → ITseService.SignReceiptAsync() [5s Timeout]
        → Save TSE fields on Entity
        → HandleOutageLogAsync() (Outage log)

Expenses (Spendings): Signed as SonstigerVorgang; the transaction type depends on the AccountMode:

AccountMode TSE Transaction Type
1 (Expense) AVSonstAusgabe
2 (POS→Bank) AVTransfer
3 (Bank→POS) AVSonstEinlage
4 (Bank transfer) AVSonstAusgabe

Components

Component Description
TseSigningHelper Central static class for all TSE signing operations
ITseService Interface for TSE access (IsAvailable, Sign, Export)
TseServiceRouter Routing: proxy preferred, fallback to hardware
SwissbitTseService Local Swissbit USB TSE
TseProxyService Network TSE via HTTP proxy
TseInitializationService TSE initial setup
ITseDataHolder Interface with 9 TSE fields on all signed entities
TseOutageLog Outage log entity
TseConfig TSE configuration (PublicKey, Serial, SigAlg, PINs)

ProcessData Formats

Kassenbeleg-V1: 

Beleg^{GrossTotal}_{VatRate1}:{VatAmount1}_{VatRate2}:{VatAmount2}
Example: Beleg^50.00_19.00:5.00_7.00:2.00

Bestellung-V1: 

{Quantity}^{ArticleText}^{GrossAmount};{Quantity}^{ArticleText}^{GrossAmount}
Example: 2.00^Cola^7.00;1.00^Pizza^11.50

SonstigerVorgang: 

{TransactionType}^{TransactionData}
Example: AVKassenschnitt^Tagesabschluss^1500.00

QR Code Format (DSFinV-K Appendix I)

V0;{CashRegisterSerial};{ProcessType};{ProcessData};{TransNo};{SigCounter};{Start};{End};{SigAlg};{LogFormat};{Signature};{PublicKey}

Setup

Hardware TSE (Swissbit)

USB stick on the server:

  1. Plug in the Swissbit TSE
  2. Admin → Settings → TSE
  3. TSE type: Hardware
  4. Enter the local path to the TSE
  5. Enter the POS serial number (Kassen-Seriennummer)
  6. "Initialize" — sets PINs and registers the client

TSE Proxy (Network)

For distributed systems with multiple POS terminals:

  1. Set up the TSE proxy server
  2. Admin → Settings → TSE
  3. TSE type: Proxy
  4. Enter the proxy server URL
  5. "Activate"

API Endpoints

Method Endpoint Description
GET /api/v1/tse/info TSE status information (capacity, certificate, signatures)
GET /api/v1/tse/config Read TSE configuration
PUT /api/v1/tse/config Update TSE configuration
POST /api/v1/tse/initialize Initialize TSE
GET /api/v1/tse/export/tar Export TSE log data as TAR (optional ?startDate=&endDate=)

TSE Data on the Receipt

Every receipt contains the TSE data:

══════════════════════════════════
  BON Nr. 20260313-0042
──────────────────────────────────
  ...Artikel...
──────────────────────────────────
  TSE-Information:
  Signatur:   a8f3c2d1e5...
  Trans.-Nr:  12345
  Sign.-Zäh:  67890
  Start:      2026-03-13T18:30:00
  Ende:       2026-03-13T18:30:01
  Seriennr:   ABCDEF1234567890

  [QR-Code]
══════════════════════════════════

The QR code contains all TSE data in DSFinV-K format (Appendix I) and can be scanned by the tax office (Finanzamt).

DSFinV-K Export

For tax audits, DiKAS exports data in DSFinV-K format:

  1. Admin → Settings → Export → DSFinV-K
  2. Select time period
  3. "Create Export"
  4. ZIP file with all required CSV files

GDPdU Export

For digital tax audits (digitale Betriebsprüfung):

  1. Admin → Settings → Export → GDPdU
  2. Select time period
  3. "Create Export"
  4. GDPdU-compliant export file

TSE Outage

If the TSE fails (defect, network issue):

  1. DiKAS automatically logs the outage (TseOutageLog with StartTime, Reason, AffectedTransactions)
  2. Processing payments is not blocked — operations continue
  3. The TseError field on the affected document is set
  4. When the TSE becomes available again, open outage entries are closed (EndTime is set)
  5. The outage logs are retained for the tax office (Finanzamt)

Important: In the event of a TSE outage, you are required to document the outage and resolve it promptly. DiKAS handles the documentation automatically.

Tests

17 dedicated TSE tests in TseSigningTests.cs:

  • ProcessData format for Kassenbeleg-V1 (single/multiple tax rates, zero receipt)
  • ProcessData format for Bestellung-V1 (single, multiple items)
  • QR code generation (V0 format, null cases)
  • Signing flow (TSE active, disabled, unavailable)
  • ClientId fallback chain (CashRegisterId → BonIdServer → "1")
  • Amount formatting (InvariantCulture)
  • ProcessType constants

Frequently Asked Questions about TSE

Do I need a TSE? Yes, mandatory in Germany since January 1, 2020.

Which TSE does DiKAS support? Hardware TSE (Swissbit USB) and network-based TSE proxies.

How much does a TSE cost? Hardware TSE: approximately 250–300 EUR one-time.

Can the tax office audit my data? Yes, via DSFinV-K, GDPdU, and TSE TAR export. DiKAS is prepared for this.

Does a TSE outage block the POS? No. DiKAS logs the outage and continues operating. The outage must be resolved promptly.

Further Documentation

TSE Compliance for Tax Auditors — Detailed technical documentation for tax audits → TSE Guide for Users — Setup and operation → Cash Register Notification to Tax Authority — Register POS via Mein ELSTER (§ 146a para. 4 AO) → Plugin Development — Create custom modules