
Canadian Tax Journal / Revue fiscale canadienne (2009) vol. 57, no 4, 715-61

Quebec’s Sales Recording Module (SRM): Fighting the Zapper, Phantomware, and Tax Fraud with Technology

Richard Thompson Ainsworth and Urs Hengartner*

Précis

On January 28, 2008, Jean-Marc Fournier, Quebec’s minister of revenue, announced that by the end of 2009 Revenu Québec would test a new anti-fraud device, the “sales recording module” (SRM), in the restaurant sector. The SRM is designed to detect digital sales records that have been erased or deleted in electronic cash registers and point-of-sale systems, a type of fraud that contributes to more than $425 million per year in uncollected tax revenue in the restaurant sector alone. Studies conducted by Quebec indicate that restaurateurs increasingly resort to technology to alter digital records in order to hide income from the tax authorities and avoid reporting and remitting the taxes they have collected. The SRM will help the province’s auditors uncover these fraudulent activities.

Tax authorities around the world have adopted two approaches to ensuring the integrity of sales records in cash-intensive sectors: one approach centred on the cash register, and another that relies instead on principles of compliance and enforcement to promote good business practices. With the introduction of the SRM, Quebec is taking steps to become a cash-register-centred tax administration.

The article presents the SRM in the context of a comparative analysis. The technological approaches of Germany and Greece (two cash-register-centred administrations) are compared with that of the Netherlands (a principles-based tax administration), which relies on intensive technology-based audits to verify the accuracy of digital records.

In the conclusion, the author suggests that there may be something to learn from the US sales tax streamlining project, which uses government certification of tax technology to ensure the accuracy of transaction tax determinations.

* Richard Thompson Ainsworth is of the School of Law, Graduate Tax Program, Boston University (e-mail: [email protected]). Urs Hengartner is of the David R. Cheriton School of Computer Science, University of Waterloo (e-mail: [email protected]).

Abstract

On January 28, 2008, Quebec’s minister of revenue, Jean-Marc Fournier, announced that by late 2009 Revenu Québec would begin testing an anti-fraud device—the “sales recording module” (SRM)—in the restaurant sector. The SRM is designed to detect the erasure of digital sales records in electronic cash registers and point-of-sale systems—a type of fraud that contributes to more than $425 million annually in lost tax revenues in the restaurant sector alone. Quebec studies indicate that restaurateurs are increasingly employing technology to alter digital records in order to conceal income from the business and avoid reporting and remitting taxes due. The SRM will assist provincial auditors in detecting such fraudulent activities.

Revenue authorities around the globe have taken two approaches to assuring the integrity of business records in cash-intensive industries: one approach secures the till; the other relies on principles of compliance and enforcement to encourage good business practices. With the introduction of the SRM, Quebec is taking steps to become a “fiscal till” jurisdiction.

This article considers the SRM in a comparative context. The technological approaches of Germany and Greece (both of which are fiscal till jurisdictions) are contrasted with the approach adopted in the Netherlands (a principles-based jurisdiction), which relies on intensive technology-based audits to assure digital record accuracy.

The article concludes with a suggestion that there may be something to learn from the US streamlined sales tax initiative, which employs government certification of tax technology to ensure the accuracy of transaction tax determinations.

Keywords: Fraud; tax evasion; restaurants; anti-avoidance; technology; SRM

Contents

Introduction
Structure of Our Argument
Schematic of Skimming with Zappers
Fiscal Tills: Greece, Quebec, and Germany
    Greece: Fiscal Electronic Devices (FECRs, AFED Printers, and FESDs)
        FECRs and AFED Printers
        FESDs
        How FECRs with AFED Printers and FESDs Defeat Zappers and Phantomware
    Quebec: SRMs
    Germany: Smart Cards Embedded in ECRs
    The Role of Audits in Fiscal Till Jurisdictions
Comprehensive Audit: The Netherlands
Blending Rules and Principles: Certification of Third-Party Service Providers
    1. How Does a CSP Get ECR and POS System Data?
    2. How Can a CSP Be Sure That the Data It Has Are Accurate (Free from Manipulation)?
    3. What Standards Should the Government Use To Certify a CSP’s Automated System?
    4. What Is the Most Efficient and Cost-Effective Way for a CSP To Satisfy the Government’s Standards?
Conclusion: Assessing Quebec’s SRM
Appendix Comparison of Solutions in the Five Jurisdictions—A Graphic Summary

Introduction

On January 28, 2008, the Quebec minister of revenue, Jean-Marc Fournier, announced¹ that by late 2009 Revenu Québec would begin testing a device, the “sales recording module” (SRM), which is projected to substantially reduce tax fraud in the restaurant sector.² On November 30, 2009, the pilot program was underway with 46 restaurants in seven cities involved. By 2010 or 2011, SRMs will be mandatory in all Quebec restaurants, where they will assure accuracy and retention of business records within electronic cash registers (ECRs). The Quebec government has promised to provide the necessary number of SRMs to restaurants at no cost. The cost to the Quebec treasury for the whole program is estimated to be $55 million.³

The problem that the SRM addresses is the erasure of sales records from the ECR through a back-office or ECR-embedded program. The ECR’s records are the central (in some cases, the only) repository of business data. As a result, the ECR’s data are relied upon by tax authorities to verify sales and income. The target is always cash. Credit, debit, cheque, or bank transfer transactions leave other audit trails, but cash transactions are found only in the ECR.

In Quebec, as in the rest of the world, restaurants are the most vulnerable to this fraud. The SRM targets this sector, although similar frauds could occur in grocery stores or any other business making cash sales directly to consumers. Business-to-business transactions are not covered by the SRM.

It is clear to Quebec’s revenue minister that not only are large volumes of cash being skimmed (removed from the sales and profits records of restaurants by their owners), but this fraud against the public fisc is increasing. It is facilitated and accelerated by technology. The digital manipulation of business records kept by modern ECRs is all too prevalent. Add-on software (zappers), factory- or distributor-installed software, and old-fashioned manual reprogramming of ECRs (phantomware) are the mechanisms through which the manipulations arise. Two examples of zappers are shown in figures 1 and 2. Revenu Québec has pursued these devices (known generally as “camoufleur de ventes,” or sales zappers) over the past decade, and is convinced that something more than a traditional audit is needed to counteract the manipulations.

1 Revenu Québec, “Pour plus d’équité dans la restauration: il faut que ça se passe au-dessus de la table” [“For More Equity in the Restaurant Sector It Is Required That [Business Is Conducted] Above the Table”], Communiqué de presse, January 28, 2008 (online: http://www.revenu.gouv.qc.ca/eng/ministere/centre_information/communiques/autres/2008/28jan.asp) (translation on file with Richard T. Ainsworth, referred to in subsequent notes as R.T.A.).

2 Revenu Québec, “L’évasion fiscale au Québec: Facturation obligatoire dans le secteur de la restauration—Sous-déclaration des revenus dans le secteur de la restauration” [“Tax Evasion in Quebec: Obligatory Billing in the Restaurant Sector—Under-Declaration of Revenues in the Restaurant Sector”], January 28, 2008 (PowerPoint presentation and translation on file with R.T.A.). The French term for the device is “module d’enregistrement des ventes” (MEV).

3 Caroline Rodgers, “Québec va de l’avant pour stopper la fraude fiscale,” January 28, 2008, at Hôtels, Restaurants & Institutions (online: http://www.hrimag.com/spip.php?article2771) (translation on file with R.T.A.).

Relying on more than 230 cases since 1997, and surveys of skimming activity in the restaurant sector, the minister of revenue summarized the situation as follows:

Although the majority of restaurateurs comply with their tax obligations, the restaurant sector remains an area of the Quebec economy where tax evasion is rampant, both in terms of income tax and sales taxes. Tax losses in this sector are important. Quebec Revenue estimates that they are $425 million for the 2007-2008 fiscal year.⁴

The zappers (and phantomware applications) that are the major facilitators of this fraud are not confined to Quebec. Zappers and phantomware have spread throughout Canada⁵ and around the world. It is not surprising, therefore, that a number of jurisdictions have looked at automated sales suppression and have adopted technological countermeasures, some of which are strikingly similar to the SRM. Other jurisdictions look to technology for answers, but differ with respect to the sophistication of the technology that they would deploy. In yet other jurisdictions, traditional audit rather than technology is preferred; however, the most successful of these “audit-only” jurisdictions are adopting comprehensive (multitax) audit strategies, with teams of auditors supported by computer specialists—in effect, a “supersized” traditional audit.

A review of approaches indicates that two policy orientations guide enforcement actions in this area: one approach is rules-based; the other is principles-based.⁶ They are not mutually exclusive—degrees of blending are common. Rules-based jurisdictions adopt comprehensive and mandatory legislation regulating and/or certifying cash registers. Jurisdictions taking this approach include Greece and Germany. With the adoption of the SRM, Quebec will also fall within this group. These jurisdictions are classified generally as “fiscal till” (also called “fiscal memory”) jurisdictions.

4 Supra note 2. The basis for the minister’s estimates is a rigorous empirical study performed by Quebec’s Ministère des Finances, “Tax Evasion in Quebec: Its Sources and Extent” (2005) vol. 1, no. 1 Economic Fiscal and Budget Studies 1-6 (online: http://www.finances.gouv.qc.ca/documents/eeFB/en/eefb_vol1_no1a.pdf). In a personal e-mail communication, June 23, 2009 (on file with R.T.A.), Gilles Bernard, directeur général adjoint de la recherche fiscale, Revenu Québec, responded to a question on the $425 million figure used by the minister. Indicating ancillary losses of $8 million in other (unspecified) taxes, Bernard stated, “The tax losses are 417 M$ (QST + Income Tax). The QST [Quebec sales tax] represents 133 M$ and the Income tax losses are 284 M$. This last amount can be doubled to take into account the federal income tax.”

5 Canada Revenue Agency, “Businesses Warned Against Using Tax Cheating Software,” Tax Alert, December 9, 2008: “The Canada Revenue Agency (CRA) is aware that electronic sales suppression software is currently being marketed and sold to Canadian businesses. Business owners are reminded that hiding income to evade taxes is against the law. Using this software is not worth the risk. . . . Businesses that have used electronic sales suppression software are suspected of having hidden thousands of transactions and millions of dollars in sales” (online: http://www.cra-arc.gc.ca/nwsrm/lrts/2008/l081210-eng.html). See also Darah Hansen, “Cooking the Books,” Vancouver Sun, December 11, 2008: following allegations by the CRA that four Chinese restaurants in British Columbia had participated in a high-tech scheme that used zappers to evade tax on millions of dollars of receipts, five people were facing 25 charges as part of a nationwide investigation (online: http://www.canada.com/vancouversun/story.html?id=6c945ca6-f84a-43f6-86ad-221814731593&p=2). Also see infra note 8.

6 European Commission, Directorate-General Taxation and Customs Union, Fiscalis Committee Project Group 12, Cash Register Project Group, “Cash Register Good Practice Guide,” December 2006, 5-6 (unpublished report on file with R.T.A.).

Figure 1 Old-Style Zapper, Hard-Wired into Electronic Cash Register

This is an old-style zapper, which has been hard-wired into the electronic cash register (ECR) and is therefore easy to detect. The picture shows the top of the ECR removed; the large white arrow points to the device. (Reproduced by permission of the government of Quebec.)

Figure 2 Modern Zapper Using Memory Stick

This is a more modern zapper, which is a memory stick (“dongle”) that is inserted into the back-office computer system that collects data from the business’s electronic cash registers. (Reproduced by permission of the government of Sweden.)

Principles-based jurisdictions rely on compliant taxpayers following the rules. Compliance is enforced with an enhanced audit regime. Comprehensive multitax audits (the simultaneous examination of income, consumption, and employment returns) are performed by teams that include computer audit specialists. Audits are frequently unannounced and preceded by undercover investigations that collect data to be verified.⁷ Jurisdictions taking this approach include the United Kingdom, Canada, and the Netherlands. France has implemented a program of preventive audits that target technology providers.⁸ A similar effort can be found in Quebec, where the customer lists of audited technology providers have been used to map later audits of businesses suspected of technology-assisted skimming.⁹ Prior to the adoption of the SRM, Quebec fell squarely within a principles-based classification. Moving forward, Quebec will merge both approaches, even though it appears that the Canada Revenue Agency (CRA) will continue to pursue only principles-based enforcement techniques.¹⁰

7 For example, the recent Canadian investigation in British Columbia into the alleged distribution of sales suppression software by InfoSpec Systems Inc. involved an eight-month undercover investigation by the Royal Canadian Mounted Police (RCMP). During this phase of the operation, undercover RCMP officers posed as potential buyers of sales suppression software. This evidence supported allegations that InfoSpec Systems Inc. knowingly provided restaurants with zappers. Canada Revenue Agency, “Charges Laid in Large-Scale Tax Fraud Investigation,” News Release, December 10, 2008 (online: http://www.cra-arc.gc.ca/nwsrm/rlss/2008/m12/nr081210-eng.html).

8 “Cash Register Good Practice Guide,” supra note 6, at 6. This is the approach that the CRA took in the InfoSpec Systems investigation. Targeting the software program (Profitek) “documents, CDs, computer files, sales notebooks, an electronic calendar, e-mail and other client lists,” the CRA was able to conduct a nationwide investigation, which (according to the Vancouver Sun) is “continuing and [CRA officials] expect more charges to be laid.” Hansen, supra note 5.

9 For example, see the investigation of Audio Lab LP: Revenu Québec, “Revenu Québec enquête sur un concepteur de logiciel de point de vente soupçonné d’avoir conçu et distribué un camoufleur de ventes” [“Revenu Québec Investigation of a Software Designer Outlet Suspected of Having Developed and Distributed Zappers”], Communiqué de presse, October 14, 2005 (online: http://www.revenu.gouv.qc.ca/en/ministere/centre_information/communiques/ev-fisc/2005/14oct.aspx) (translation on file with R.T.A.); and the investigation of Michael Roy reported in Revenu Québec, “Fines of More than One Million Dollars—A Father and His Two Sons Convicted for Tax Evasion in Connection with the Zapper,” News Release, May 2, 2003 (online: http://www.revenu.gouv.qc.ca/eng/ministere/centre_information/communiques/ev-fisc/2003/02mai.asp) (on file with R.T.A.).

10 In its recent Tax Alert dealing with sales suppression software, the CRA emphasized that it has “over 5,000 employees dedicated to finding unreported business income and ensuring that the proper amount of taxes is paid, even when sales records are missing.” Tax Alert, supra note 5.

It would be very helpful if a comparative cross-methodology analysis of the various approaches could be presented (rules-based with and without technology versus principles-based with and without a comprehensive audit). We need to quantify the compliance improvement against the cost of getting that compliance. Unfortunately, most of the technology solutions are in prototype. Perhaps Quebec (as it measures the effectiveness of moving from traditional audit alone to technology and audit) will have good measures in a few years.

Amid all the international concern, it is notable that the United States does not have a coordinated zapper enforcement effort. In fact, the United States has uncovered only two zappers, one at Stew Leonard’s Dairy in Norwalk, Connecticut, where $17 million in cash was skimmed,¹¹ and the other at the La Shish restaurant chain in Detroit, Michigan, where cash sales totalling $20 million were zapped and allegedly sent to Hezbollah in Lebanon.¹² The reason for this low enforcement rate is that the US authorities are hampered in their approach to zappers. Federal income tax audits are not coordinated with state and local retail sales tax audits, so the audits are not comprehensive in the Dutch sense. In addition, federal computer audit specialists are not normally assigned to audits of small and medium-sized enterprises (SMEs), and this is where the zappers are.

Nevertheless, if the United States became serious about this problem, it might have a unique blend of rules- and principles-based solutions in an extension of the Streamlined Sales and Use Tax Agreement¹³ (SSUTA). Under the SSUTA, certified third-party software providers (CSPs)¹⁴ could be tasked with assuring ECR accuracy. Not only is the SSUTA legal framework operational, but at present levels of technology, a CSP could readily assure states that the correct retail sales tax was being collected and remitted. At the same time, it could assure federal authorities that zappers were not being used to underreport income. CSPs indemnify both sides (government and taxpayer) against loss.¹⁵ Certification of the CSP would need to be undertaken jointly (by state and federal agencies), as would oversight of their operation. Quebec has not considered an SSUTA/CSP solution, but it might need to look at this option if it plans to extend the SRM outside the restaurant sector.

11 The Leonard case came about when a US customs officer inspected a suitcase carried by Mr. Leonard on one of his trips to St. Martin: United States v. Leonard, 37 F.3d 32, at 35 (2d Cir. 1994); aff’d. 67 F.3d 460 (2d Cir. 1995). Details of the tax fraud are preserved in the appeals of the sentence.

12 United States, Department of Justice, Eastern District of Michigan, “La Shish Financial Manager Sentenced to 18 Months in Prison for Tax Evasion,” Press Release, May 15, 2007 (online: http://nefafoundation.org/miscellaneous/FeaturedDocs/U.S._v_Aouar_DOJPR_Sent.pdf). The La Shish fraud apparently came to light as a result of the owner’s failure to file a tax return. “Authorities declined to comment on how the reported crime was discovered, but according to court records, Mr. Chahine failed to file a tax return in 2003”: Roy Furchgott, “With Software, Till Tampering Is Hard To Find,” New York Times, August 20, 2008 (online: http://www.nytimes.com/2008/08/30/technology/30zapper.html).

13 Streamlined Sales Tax Governing Board, Streamlined Sales and Use Tax Agreement, adopted November 12, 2002, amended November 19, 2003, and further amended November 16, 2004 (herein referred to as “the SSUTA”).

14 See SSUTA section 230, defining a certified software provider as “[a]n agent certified under the Agreement to perform all the seller’s sales and use tax functions, other than the seller’s obligation to remit tax on its own purchases” (online: http://www.streamlinedsalestax.org/uploads/downloads/Archive/SSUTA/SSUTA%20As%20Amended%2009-30-09.pdf).

Structure of Our Argument

This article moves beyond a discussion of the variety of sales suppression programs in use—zappers and phantomware.¹⁶ It goes beyond a discussion of the economic impact that this kind of fraud has on local businesses,¹⁷ and sidesteps a speculative inquiry into where the money from this fraud ultimately goes—into the business or into the owner’s pockets.¹⁸ Those matters have been considered elsewhere. Our concern here is on enforcement efforts, particularly the SRM. The intent is to assess the anticipated workability and effectiveness of the SRM solution by contrasting it with solutions adopted or under development in other jurisdictions.

We will first present a rough schematic of how a zapper facilitates a skimming fraud. Then we will consider three rules-based enforcement approaches—the Greek “fiscal electronic devices” (FEDs), the Quebec SRMs, and the German “smart cards.” Next we will examine the Dutch principles-based approach, which is also favoured by the United Kingdom. Finally, we will consider how CSPs in an SSUTA framework could be used to achieve similar outcomes under a blended rules-based/principles-based approach. Comparisons will be made throughout.

15 Under the SSUTA, a CSP needs to provide a surety bond to receive a contract from the governing board. Some enterprises will also take out an insurance policy.

16 For discussion of these programs and possible countermeasures, see Richard T. Ainsworth, “Zappers and Phantomware: The Need for Fraud Prevention Technology” (2008) vol. 50, no. 12 Tax Notes International 1017-29; Richard Thompson Ainsworth, “Zappers and Phantomware: Are State Tax Administrators Listening Now?” (July 14, 2008) vol. 49 State Tax Notes 103-15; Richard Thompson Ainsworth, “Zappers: Technology-Assisted Tax Fraud, SSUTA, and the Encryption Solutions” (2008) vol. 61, no. 4 The Tax Lawyer 1075-1110; and Richard T. Ainsworth and Hiroki Akioka, “Electronic Tax Fraud—Are There ‘Sales Zappers’ in Japan?” (2009) vol. 11 Kansai University Review of Economics 1-34.

17 There is evidence that the presence of a zapper in the local economy has a direct competitive impact on other businesses in the area, as well as an impact on enterprises that sell ECRs to retailing businesses. In a personal e-mail communication, February 11, 2008 (on file with R.T.A.), Michael O’Sullivan (a hearing officer in the State of Connecticut Department of Revenue) indicated, “My only recent instance that involved a ‘zapper’ like product was an anonymous call my office received from someone in the cash register business looking for information on filing a complaint against a competitor. Apparently the caller was attempting to make a sale at a restaurant and was informed that another company attempting to secure the same sale had offered to install such a program in the register if he/she was given the sale. The caller did not elaborate as to who the other salesperson was employed by or any specifics about the workings of the program. We directed the individual to our special investigation section.” The same observation has been made by German investigators: “Till manufacturers confirm that customers enquire about such [sales suppression] functions [in ECRs], and that they influence customer purchasing decisions.” See the German Working Group on Cash Registers, Interim Report, March 16, 2005, citing BRH comments 2003, no. 54, Federal Parliament circular 15/2020, November 24, 2003 (original, in German, and translation on file with R.T.A.).

18 The economics of where the money from skimming goes is difficult to assess. It most likely depends on the personal motivations of the fraudster. For example, in the skimming fraud at Aleef Garage newsstand/convenience stores in the United Kingdom, the skimmed funds went to under-the-table payments to more than 250 workers. Because regular wages were very low, allowing employees to qualify for welfare, cash from skimming became a necessary supplement for worker retention. HM Revenue & Customs, “Company Directors Jailed for £5 million Fraud,” News Release, November 13, 2007 (online: http://nds.coi.gov.uk/clientmicrosite/Content/Detail.aspx?ClientId=257&NewsAreaId=2&ReleaseID=330199&SubjectId=36). Then again, as noted above, in the La Shish fraud in Detroit, a zapper was used to skim cash and (allegedly) send it to fund Hezbollah terrorists in Lebanon. United States, Department of Justice, Eastern District of Michigan, “Superseding Indictment Returned Against La Shish Owner,” Press Release, May 30, 2007 (online: http://www.justice.gov/tax/usaopress/2007/txdv072007_5_30_chahine.pdf). In yet another instance, this time in the Australian case Regina v. Ronen and Ors, 2005 NSWSC 991, the zappers installed in a used-clothing store provided funds that were wired to the owner’s personal overseas bank accounts.

Schematic of Skimming with Zappers

There are six basic steps that occur in a sales transaction when a customer makes a cash purchase from a business using an ECR:

1. A consumer identifies goods or services for purchase.
2. A cashier, waiter, or other sales associate creates a pro forma bill¹⁹ and presents it to the consumer for approval.²⁰ (This step is not always present.)
3. The consumer approves and offers to pay in cash,²¹ and the pro forma bill is finalized (agreed upon).
4. The cashier “rings up” the sale in the ECR, which generates an itemized record of each good or service sold.

5. The ECR then directs the printer to issue a paper receipt (invoice) for the customer. Under the SRM (and other fiscal till systems), this is to be a very detailed receipt, which will include
    a. a list of the items purchased;
    b. a price for each item;
    c. a taxability determination for each item;
    d. a segregated tax amount for each of the taxed items (in instances where all items at an establishment are taxed, and taxed at the same rate—as they would be at a restaurant, for example—this function will be performed in aggregate);
    e. the amount of cash tendered;
    f. the net amount returned to the customer in change;
    g. the date and time of purchase;
    h. the name, address, and identification number of the vendor; and
    i. the receipt (invoice) number of the transaction.
6. At the end of the day, a series of electronic reports is generated, based on transactions sent through the ECR.²² These reports are relied on by compliance auditors. The reports are
    a. the daily Z report (with reset functionality);²³
    b. the X report;²⁴ and
    c. the electronic journal.²⁵

19 This may occur by scanning a bar code, directly entering a PLU (price lookup) number, or entering the name of an item (perhaps by pressing a touch screen).

20 In a restaurant, if a customer orders directly (and only) from the menu presented by the waiter, the pro forma bill may be first drafted in pencil and then transferred to a digital ordering system associated with the ECR. In other instances, a customer may initially order a drink and an appetizer and then place additional orders for food and drink throughout the evening. The waiter will keep a running tally of the bill. It would be common in this case to present one or more pro forma bills at various times to keep the customer aware of the total amount due.

In a grocery store context, an itemized pro forma billing is frequently visible on an LCD screen that the cashier and the customer can see as items are run through a scanner. Some supermarkets today equip their shoppers with a hand scanner to pre-scan all purchases before arriving at the checkout. All modern ECRs have the capability to present this pro forma bill both formally and informally. The important point is that the pro forma bill can be changed before the sale is “rung up.” Changes occur as a result of the customer and the operator acting in concert.

21 Zappers target cash sales because credit, debit, cheque, or bank transfer transactions leave an audit trail.

22 It is important to note that the fraud we are addressing is a “back room” issue. We are not so much concerned with the falsification of immediate real-time records as with the alteration of records at the end of the day. See infra note 26 and the related text for further details of this practice.

23 One of the most important functions of a cash register is to record the details of daily transactions—sales, taxes collected, media totals, discounts, voids, and more. The report printed at the end of the day or shift that contains this information, and resets the record for the next day or shift, is known as the “Z” report. The Z report function prints the sales on the cash register tape while erasing the data from the memory. A Z report is a once-only report for a set period of time. Many cash registers have a Z2 feature that allows Z reports to be added together. When an operator “Z2’s them out,” these reports are erased for a longer period of time. An example of a “Z2” report is a monthly report that will be used to date and record monthly cash register sales. Every time the register is “Z’d out” (Report taken), that total is erased from the daily sales files and added to the “Z2” file.

24 X reports are identical in information and time span to Z reports. X reports only provide reports; they do not reset or clear the memory. X reports can be taken as often as needed with no effect on sales data recorded.

25 See “Cash Register Good Practice Guide,” supra note 6, appendix G, at paragraph 1.2: “The Electronic Journal usually contains ALL transactions keyed into the more complex types of till systems and is therefore the definitive record to obtain for audit purposes. (There are exceptions, where Electronic Journals can be programmed ‘not-to-store’ certain keying transactions e.g. ‘Training Mode.’)” The electronic journal should not be confused with the Z report—it is not a recap of the day’s sales. The electronic journal tape is supposed to be a continuous, step-by-step record of every transaction made. It is most useful for going back during a day to look for mistakes that were made. This journal has been a staple in the electronic cash register industry since the beginning. It can be used to check the Z report.

If, after step 6, a zapper is inserted in the ECR, or in the point-of-sale (POS) system, a seventh step is added to the sequence. The zapper allows the user to eliminate from the ECR and the enterprise’s business records all traces of (some or all) cash sales without fear of leaving a digital record of the manipulation (assuming the absence of an anti-fraud device). Phantomware applications would do the same thing, except that their programming is embedded in the ECR’s operating system, not temporarily added and then removed from the ECR.

At this point, the customer has in his hands an accurate receipt (from step 5), but (at the end of the day) the zapper will rewrite the internal memory of this receipt in the ECR—including the records in the Z report, the X report, and the electronic journal. This rewriting creates a new sales profile within the ECR. Selected cash sales are omitted. For example, in ticket files (the digital record of specific invoices issued in sequence), the file would be renumbered if an entire ticket were eliminated. If only some items are removed from some tickets, or if the price of an item is changed on a specific ticket, the amounts due will be recalculated (and a new tax due determined). The altered ticket files will now confirm the altered Z report, X report, and electronic journal. The ECR’s records will not match customer receipts, but the records of the ECR will be internally consistent.²⁶

Thus, one of the common (traditional audit) approaches to detecting a zapper is for an audit team to visit an establishment suspected of using a sales suppression device (in advance of the audit), make cash purchases, save the receipts, and then try to match the receipts with the digital files in the ECR. This is in fact how Revenu Québec uncovered its first zapper in 1996.²⁷

Thenextthingtonoticeisthatitiseasytoskimsaleswithoutzapping.Thiscanbedoneatstep2,butitrequirescollusionbetweenthevendorandthecustomer.Aconsumertenderingcashcouldbeorallyofferedalowerprice(perhapsatax-free

26 Anti-fraud technology such as Quebec’s SRM and Germany’s smart cards (discussed below) is not designed to eliminate all skimming but only to preserve the records of the transactions that make it to step 5. The problem of the zapper has not been the real-time skimming fraud that occurs at the cash register as the customer pays, but the fraud that occurs in the back room after the restaurant has closed for the evening. At this point, the zapper goes in and manipulates the records to allow the fraudster to make them look “good.” There is commonly some strategy that the fraudster uses to make receipts normal. Thus, a zapper would be used on a night when an exceptionally large amount of cash had been taken in. If the average daily cash take was, say, 1,000 euros or dollars, and in one day 10,000 was received, then it would be a good target day for a zapper. However, a day when cash received was low (500, for example) would not be a good target day. Information provided in personal e-mail communications with Marc Simard, September 15, 2009 and Norbert Zisky, November 18, 2008 (both on file with R.T.A.). Marc Simard is the directeur de la recherche en technologies liées au contrôle fiscal, Revenu Québec; Norbert Zisky is with Germany’s National Metrology Institute, or PTB (Physikalisch-Technische Bundesanstalt).

27 Ainsworth, “Zappers and Phantomware: Are State Tax Administrators Listening Now?,” supra note 16, at 104, note 5.


price) when the pro forma invoice is drafted. If the customer agrees, the sale is simply not “rung up.” As a result, no record of the actual (finalized) transaction will appear in the daily Z report or the X report.

It is possible that the electronic journal might preserve a “trace” of the original transaction (if the pro forma was drafted with the assistance of the ECR). The transaction would appear as an aborted sale. It would look to the auditor as if the customer had declined the purchase when she saw the pro forma invoice. In a restaurant context, multiple aborted sales might raise suspicions, because normally the meal would already have been consumed. However, in a grocery or convenience store, a hairdresser’s, or a butcher’s shop, where the custom might be to discuss a transaction based on a pro forma invoice, aborted sales might not suggest that anything is amiss.

Some fiscal till jurisdictions try to block frauds at step 2 by preserving each keystroke in the electronic journal. These jurisdictions certify each ECR. Tamper-proof electronic journals are made a requirement of certification.

Another thing to notice is that there is a period of time (after the sale is completed at step 3 and before the zapper is inserted) when the records within the ECR are complete and accurate. This period lasts at least up to step 5—the point where the ECR directs the printer to issue an invoice for the customer. These records need to be accurate because the customer will demand an accurate invoice.

As a result, many fiscal till jurisdictions focus on preserving tamper-proof invoices, and the sequencing of those invoices at step 5. This is what the SRM does. The SRM makes every receipt useful for checking the ECR. For example, even a credit card transaction (which was not tampered with) can provide evidence of manipulation, if an auditor can tell that the receipt was renumbered. The SRM will indicate that some other receipt further up the chain is missing, and an auditor would then begin the search for the missing cash transactions.

Principles-based jurisdictions focus on this same point, step 5, but they need to directly find an altered receipt. Without an SRM (or similar device that uses select data on the receipt to derive a signature that is printed on the receipt), it is difficult to tell if a sequence of receipts has been manipulated. This makes pre-audit cash purchases and saved receipts a critical component of a principles-based auditor’s work plan. Traces of a zapper can also be found by computer specialists examining the electronic journal as well as the X and Z reports produced at step 6.

A final thing to notice is that all critical elements of the tax return (at least all elements that would be derived from a specific ECR) are available at step 5. The items purchased (step 5a), the price charged (step 5b), the taxability determination (step 5c), and the tax collected per item or per invoice (step 5d) are all available. In addition, the customer has paid the tax.

Thus, it is entirely possible that fiscal till jurisdictions could require real-time pro forma returns based on these figures. They could also require real-time remission of the tax. In a retail sales tax jurisdiction, the vendor might be required to remit the entire return and payment. In a value-added tax (VAT) jurisdiction, the remittance would represent only the output portion of the return. The input VAT credits (deductions) would need to be gathered from other files.


Fiscal Tills: Greece, Quebec, and Germany

In addition to Greece, Quebec, and Germany, fiscal till jurisdictions include Argentina, Brazil, Bulgaria, Italy, Latvia, Lithuania, Poland, Russia, Turkey, and Venezuela.28 The discussion that follows sets the Greek and German regimes alongside Quebec’s SRM in order to illuminate the attributes of this new anti-fraud technology.

Greece: Fiscal Electronic Devices (FECRs, AFED Printers, and FESDs)

Greece has had comprehensive, rules-based fiscal till legislation in place for over 20 years. Technical specifications for fiscal electronic devices, or FEDs, were published widely in 2004.29 When considered as a whole, these rules attempt to provide data security at both step 2 and step 5 of the transaction sequence. In other words, the Greek approach is to secure data when the pro forma receipt is being generated, and when the printer is being directed to issue the final receipt.

Under Greek rules, FEDs are divided into two categories: (1) fiscal electronic cash registers (FECRs), which are accompanied by autonomous fiscal electronic device printers (AFED printers); and (2) fiscal electronic signing devices (FESDs). The first are used only in B2C transactions; the second may be used in either B2C or B2B transactions. Both preserve digital “fingerprints”30 of data from tax-related documents.

28 See “Cash Register Good Practice Guide,” supra note 6, appendix D, at paragraph 1.

29 A European directive (98/34/EC of June 22, 1998) requires that whenever a member state adopts new technical rules, specifications, or legal requirements, that state is obliged to announce this to the European Union before the rules take effect. According to this directive, there is a minimum standstill period of three months. During this period, any member state (or the European Commission) has the right to express a “detailed opinion.” The issuance of a detailed opinion extends the standstill period for another three months, allowing for further consideration of the rules by all parties. Greece made the technical specifications for FEDs public in 2004. As a result, the Greek rules are well known not only within the European Union but also among the larger community of ECR manufacturers and distributors. The rules are available in Greek and in official translations in English, French, and German, and can be accessed on the Internet: “Codification of/Addenda to Technical Specifications for Inland-Revenue Approved Registers and Systems (Operating Procedures)” (online: http://ec.europa.eu/enterprise/tris/pisa/app/search/index.cfm?fuseaction=pisa_notif_overview&iYear=2004&inum=135&lang=EN&sNLang=EN).

30 At this point, it is necessary to define two key terms in the language of cryptography: “digital fingerprint” and “digital signature.” A digital fingerprint is a string of characters computed with a cryptographic (or open mathematical one-way) function applied to a particular set of data. It is of constant size (20 bytes is common) and collision-resistant (that is, it is very unlikely that two data sets with the identical fingerprint can be found). A digital signature is different. It is computed by a cryptographic function that is applied to the digital fingerprint; thus, it is a step removed from the original data. In addition, a digital signature makes use of a private key (known only to the entity computing the signature) and a public key (available to anyone). Anyone can take the public key and use it to determine whether the entity used the corresponding private key to create the digital signature.

It is important to recognize this distinction because the Greek system (in formal documents, names of equipment, and public presentations) frequently uses the term “signature” in reference


FECRs and AFED Printers

“Fiscal electronic cash register” is a term that includes ordinary stand-alone cash registers and cash registers equipped with advanced connection capabilities (network or PC-operated machines). “Autonomous fiscal electronic device printers” are fiscal printers that operate only via a connected computer. They have no keyboard or display terminal. They do more than just print receipts, however. AFED printers store and secure in their fiscal memory the data that have passed through them (revenue from sales, taxes collected, etc.).31

to the production and storage of digital fingerprints. Thus, the FESD (fiscal electronic signing device) produces and stores digital fingerprints, not digital signatures, although the name of the device might suggest otherwise. Greece’s contribution to the “Cash Register Good Practice Guide,” supra note 6, appendix D, at paragraph 4.2.15, uses both terms interchangeably:

The FESD receives this data, processes it with a special security algorithm (SHA-1) that creates a hash value (sign) and sends the result of this processing back to the connected computer. The hash value, which represents a sequence of characters and digits is the unique electronic digital “fingerprint” of the data of the slip being issued. Furthermore the FESD saves this hash value into [its] own working daily memory and issues a relevant slip.... The supporting software of the FESD which is located in the connected computer receives this “unique summary—signature” i.e. hash value and prints it along with the other data of the issued slip.... [At] the end of the day the FESD processes all the stored hash values of the working daily memory, produces a general daily hash value of all “summaries—signatures” of the day, issues a “Z” day report slip, on which the general day hash value is written.... The computer software receives this unique general “day summary—signature” hash value and saves it in a special electronic file.... [There is also] a Daily Fiscal Signing Record Report Slip—“Z” (DFSRRS) [and] Daily Summary—Signature Slip—(DSSS) [emphasis added].

See also the PowerPoint presentation of Panos Zafiropoulos at the November 2007 EU Fiscalis Exchange Program, “Safeguarding Electronic Tax Data: Data Locking, ‘Fiscal’ Electronic Signing Devices,” 3, 7, 8, and 10 (on file with R.T.A.) (discussing the “e-sign” process, “previous day whole signature,” “day whole signature,” “formation of the signature string,” “signature string (trace),” and “safeguarding e-signature traces,” where in each instance the discussion is about digital fingerprints, not digital signatures); and “Codification of/Addenda to Technical Specifications,” supra note 29, paragraphs 5.5 and 5.8 (statutory discussion of “signing” process, but meaning “fingerprinting”) in the same context as above. Panos Zafiropoulos represents the Greek revenue authority on the Fiscalis Committee’s Cash Register Project Group. See infra note 32 and the related text for further explanation of the secure hash algorithm (SHA-1).

31 The FECR and AFED printer must be equipped with either a two-roll paper printing station, or a one-roll paper slip printer station as well as a daily electronic journal (EJ memory). EJ memory is different from fiscal memory. EJ memory stores all information slips and tickets (“legal receipts”) from the issuance of the previous Z report until the issuance of the next Z report. It is sometimes called the temporary daily slip storage memory (TDSSM). “Fiscal memory,” on the other hand, is the basic secure element in the Greek system. It is based on a programmable ROM—read only memory—(EPROM or PROM) chip that is securely placed within the fiscal cash register. It is in this memory that all important fiscal data are stored. EJ memory is either pluggable/unpluggable or fixed. It resides in the fiscal device and is always a flash memory. See “Codification of/Addenda to Technical Specifications,” supra note 29, at paragraph 2.11. In a personal e-mail communication, August 10, 2009 (on file with R.T.A.),


A digital fingerprint of the data from the electronic journal memory (EJ memory) is computed with a secure hash algorithm (SHA-1).32 This hash value is permanently safeguarded33 and stored in the fiscal memory. Daily sums (receipts and VAT amounts) are saved into the fiscal memory, cumulatively and on a daily basis. This function essentially preserves the X and the Z reports along with the electronic journal with digital fingerprints.34 Disconnecting any Greek device (in an effort to prevent a transaction from being recorded, or to switch devices) will seal the device

Panos Zafiropoulos confirmed, “The type of fiscal memory is ROM based, but what it [sic] is used is [a] One-Time Programmable (OTP) ROM or UV erasable Programmable (EP)ROM chip. This is why this chip shall be protected and covered by special epoxy glue, in such manner that [it] is impossible to take it out (or replace it) without breaking/destroying the case cover (the enclosure) of the Fiscal Electronic Device.”

Security for the fiscal memory is provided by placing the circuits in a special box that is placed in a specially modulated receptacle; the box is an integral part of the machine. As described by Zafiropoulos, this fiscal memory box is clamped and sealed with an epoxy resin in such a way that removal of the tax memory box is impossible without destroying the cover. The preservation of data is independent of any power source. “Cash Register Good Practice Guide,” supra note 6, appendix D, at paragraphs 4.1, 4.2.14, and 4.3.6; and “Codification of/Addenda to Technical Specifications,” supra note 29, at paragraphs 2.11.4 (including a technical diagram of the sealed box) and 2.17 (specifying the casing, casing elements, and casing seals).

32 The secure hash algorithm (SHA-1) was developed by the US National Institute of Standards and Technology. SHA-1 is a widely accepted cryptographic hash function. It produces a 40-character string by hexadecimal symbols (20 bytes), and the string (or the “hash value”) uniquely defines the processed data (in the case of an ECR issuing receipts in B2C transactions, these data are the values on the printed receipt). SHA-1 is described in detail in the Federal Information Processing Standards Publication 180-2, “Announcing the Secure HASH Standard,” August 1, 2002 (online: http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf).

33 “Cash Register Good Practice Guide,” supra note 6, appendix D, at paragraphs 4.3.1 and 4.3.2, specifies the physical security precautions taken:

4.3.1. Special security screw
Access to the inside of the FCR [fiscal cash register] is protected by a special security screw connecting the upper part of the FCR with the lower part. This screw is fitted in a ... part of the mechanism cover [that is visible to the client]. Access to the inside of the FCR is impossible without the removal of the protective screw. For the sealing a designated material is used (ex. Lead seal), which does not tolerate scrapings and it is carried out in such a way as to make [it] impossible to remove it without destroying it.

4.3.2. Authorized technicians - Access control code
Opening and re-sealing can be carried out only by an authorized technician of the suitability license holder, employed for the repairing of malfunctions. The FED firmware controls, through a special algorithm—access code-password, the access of authorized technicians to it [emphasis in original].

34 See ibid., appendix D, at paragraph 4.2.15, discussing the daily fiscal signing record report slip—“Z” (DFSRRS) and the daily summary—signature slip (DSSS). See also, ibid., a discussion of the periodical summary of memory reading slip (PSMRS), which is also preserved: “Note: The keeping of the stored filed of required data of the signing process is regulated by the same conditions as the keeping of the electronic journal, mentioned earlier.” Note that the reference to “the signing process” should instead read “digital fingerprinting process.”


in less than 30 seconds; an illegal receipt message will print and will be recorded on the tax data Z register; and after 10 disconnect/reconnect efforts, the device will automatically shut down.35 This process ties in closely with a penalty regime (applied against manufacturers/distributors of ECRs and retailers) that aims to deter the sale or use of uncertified devices.36 An authorized technician with an access control code will be needed to restore the device.37

The cost of FECRs varies from €200-250 to €800-1,000, depending on the manufacturer.38 Every manufacturer, developer, or importer of an ECR into Greece must seek approval for each specific model that it intends to sell in the Greek market.39 A licence to sell a specific ECR is issued by a special technical (interparty)40 body (committee) and will be issued only when the ECR conforms to all statutory technical specifications.41 Applications are made to the Department of Fiscal Electronic Cash Registers and Systems of the Ministry of Finance and must be accompanied by a working model of the system for which a licence is sought. The committee has the authority to examine any additional data (including experience in the field, business solvency, creditworthiness, and the technical capacity of personnel), and the authority to recall and cancel licences in cases where material changes have been made in systems or in the conditions under which the licence was granted.

Once a model has successfully passed all tests, the committee gives to the interested company a unique licence number for the specific model. The licence number is recorded by the Nation-Wide Information Center of the Ministry of Finance and is printed on each receipt (“legal receipt”) issued in each retail transaction. In addition, this number is required to be placed on a label that is visibly fixed to each machine. As a result, the certification of a specific ECR can be checked both through

35 “Codification of/Addenda to Technical Specifications,” supra note 29, chapter 3, at paragraph 7.10, disconnection (discussing blocking of the device [7.10.2]; records of the disconnection retained [7.10.3]; the less-than-30-seconds rule [7.10.4]; what happens to a transaction that is in process when the disconnection occurs [7.10.5]; and records kept in the Z register [7.10.6]).

36 “Cash Register Good Practice Guide,” supra note 6, appendix D, at paragraph 4.2.1.

37 See supra note 33, paragraph 4.3.2.

38 Panos Zafiropoulos, personal e-mail communication, February 24, 2008 (on file with R.T.A.).

39 There are roughly 300,000 to 350,000 FECRs and POS systems with secure recording devices (FESDs) in Greece. The turnover of these devices is between 30,000 and 40,000 machines annually. There are over 300 different models of ECRs certified for use in the Greek market, representing approximately 50 different manufacturers, importers, and distributors: “Cash Register Good Practice Guide,” supra note 6, appendix D, at paragraph 4.1.

40 An interparty body under Greek rules is a committee, each member of which is assigned by one of the political parties in the Greek Parliament. Although the term of office is for two years, the composition of the committee will change as political power shifts in Greek elections.

41 Technical specifications change with advancing technology, and revisions to the law are made every two to four years. Guidance on these matters comes primarily from specialized laboratories of the National Technical University of Athens (NTUA). The NTUA is also assigned by the committee to perform all the necessary evaluation tests on carried samples of FECRs.


a visual inspection of the machine and by matching the licence number on the machine with a given receipt.

FESDs

Under Greek rules, a business owner can choose to use either an FECR (an ordinary, inexpensive certified cash register) or an FESD. If an FESD is selected, it probably means that the owner has the capabilities, the technology skills, or a budget allocation that would allow the use of a sophisticated computer system.

FESDs are designed for B2B applications. They are used primarily to compute a digital fingerprint42 of critical tax data that is then printed on the invoice. FESDs can be used for any tax document, including a final retail receipt. The FESD is connected to the business’s computer system via a dedicated port (RS-232; Ethernet RJ-45; USB). A driver must be installed to allow the computer system to interface with the FESD. Essentially, the FESD functions as a virtual printer, allowing the back-office software (ERP system or accounting software package) to function normally. However, every tax document required to be recorded is diverted through the interface to the FESD, where a digital fingerprint is created (the SHA-1 algorithm is applied) and a fingerprint is transmitted to (and printed on) each document. The whole-day fingerprint is permanently saved in the FESD’s fiscal memory.43 This preserves all data on the document in detail.44

Currently, the cost of an FESD is between €450 and €650; thus, an FESD alone can cost more than an FECR. For this reason, smaller businesses do not normally use FESDs to issue legal receipts.45 Economies of scale also come into the picture, because a single FESD can support many cash registers linked on a network. It can be installed remotely (even in another city), and need not be directly connected to the POS terminal.

An FESD owner is obligated to preserve fingerprinted documents and to store them on a safe digital medium (optical or magnetic). Thus, auditors can check the integrity of these files by running the same algorithm (SHA-1) and comparing a new fingerprint against the existing ones secured within the FESD’s fiscal memory.
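The audit check described above can be sketched as follows. This is an added example, not code from the article or from any Greek specification: the receipt layout, the function names, and the way the whole-day fingerprint is built (previous day's value followed by the day's document fingerprints) are assumptions, and the receipts are constructed sample data.

```python
import hashlib

def fingerprint(document: bytes) -> str:
    """SHA-1 fingerprint of one tax document: 20 bytes, shown as 40 hex characters."""
    return hashlib.sha1(document).hexdigest()

def day_fingerprint(fingerprints, previous_day_fp=""):
    """Whole-day fingerprint over the day's document fingerprints, in issue order.

    ASSUMPTION: the exact input layout is not given in the article; here it is the
    previous day's value followed by each document fingerprint, as ASCII hex.
    """
    h = hashlib.sha1(previous_day_fp.encode("ascii"))
    for fp in fingerprints:
        h.update(fp.encode("ascii"))
    return h.hexdigest()

def issue_day(documents, previous_day_fp=""):
    """Device side (hypothetical model): fingerprint each document, then seal the day."""
    archive = [(doc, fingerprint(doc)) for doc in documents]
    sealed = day_fingerprint([fp for _, fp in archive], previous_day_fp)
    return archive, sealed

def audit_day(archive, sealed_day_fp, previous_day_fp=""):
    """Auditor side: rerun SHA-1 over the owner's archive and compare.

    archive is a list of (document bytes, fingerprint printed on the document).
    sealed_day_fp is the value read from the device's fiscal memory.
    Returns a list of findings; an empty list means the archive is intact.
    """
    findings = []
    recomputed = []
    for index, (doc, printed_fp) in enumerate(archive):
        actual = fingerprint(doc)
        recomputed.append(actual)
        if actual != printed_fp:
            findings.append(f"document {index}: content does not match its printed fingerprint")
    if day_fingerprint(recomputed, previous_day_fp) != sealed_day_fp:
        findings.append("day: archive does not reproduce the whole-day fingerprint in fiscal memory")
    return findings

# Constructed sample receipts: number|time|items|amount|tax|tender
RECEIPTS = [
    b"0001|2009-11-02 12:05|lunch special x2|36.00|tax 4.68|CARD",
    b"0002|2009-11-02 12:40|table of four|42.00|tax 5.46|CASH",
    b"0003|2009-11-02 13:10|coffee x3|9.00|tax 1.17|CARD",
]
ARCHIVE, SEALED = issue_day(RECEIPTS)

def scenario_untouched():
    return audit_day(ARCHIVE, SEALED)

def scenario_deleted_and_renumbered():
    # The cash ticket is dropped, the next one renumbered, and every per-document
    # fingerprint recomputed, so the archive is internally consistent.
    rewritten = [RECEIPTS[0], RECEIPTS[2].replace(b"0003|", b"0002|", 1)]
    return audit_day([(doc, fingerprint(doc)) for doc in rewritten], SEALED)

def scenario_price_lowered():
    # One amount is changed but the printed fingerprint is left as issued.
    altered = list(ARCHIVE)
    altered[1] = (ARCHIVE[1][0].replace(b"42.00", b"12.00"), ARCHIVE[1][1])
    return audit_day(altered, SEALED)

if __name__ == "__main__":
    for scenario in (scenario_untouched, scenario_deleted_and_renumbered, scenario_price_lowered):
        print(scenario.__name__, scenario())
```

In the second scenario every per-document fingerprint verifies, because an unkeyed hash can be recomputed by anyone; only the value sealed in fiscal memory exposes the rewrite.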

42 “Cash Register Good Practice Guide,” supra note 6, appendix D, at paragraph 4.2.15, discussing this process as “signing” the receipt, by which it means that the fingerprint is being attached to the invoice. The PowerPoint presentation by Zafiropoulos, “Safeguarding Electronic Tax Data,” supra note 30, at 2, 3, 7, and 10, describes this as an e-signing process.

43 From a hardware and a security perspective, there is very little difference between an AFED printer (with an electronic journal) and an FESD.

44 Panos Zafiropoulos, personal e-mail communication, February 24, 2008, item D (on file with R.T.A.).

45 In an effort to mitigate the cost of FESDs, the tax law allows owners to depreciate these devices as fixed assets over three years. There is also a government loan program to assist in the purchase of all FEDs (FECRs, AFED printers, and FESDs). The interest on these loans is subsidized at 3 percent.


How FECRs with AFED Printers and FESDs Defeat Zappers and Phantomware

Because FECRs are certified for compliance with all technical specifications set out in Greek law—a law that is supported and updated regularly by the research laboratories of the National Technical University of Athens—it is a very simple matter to determine whether a specific ECR has been tampered with.

Factory-installed phantomware must be removed before certification. If a self-help version of phantomware46 is on the ECR, either it will be blocked, or there will be a record of the manipulation so that its impact on revenues will be neutralized. Only true data from real transactions will be preserved and fingerprinted with SHA-1 in the fiscal memory. Use of an add-on zapper will be a violation of the licensing regulations. It will be detected in the same manner as self-help phantomware. Severe penalties apply, but detection does require an audit.

Through the certification process,47 the Ministry of Finance preserves a copy of all approved firmware. According to the ministry,48 it is a simple matter to calculate a checksum value (CRC-32 [note 49] or SHA-1) for the object code of the firmware. Any auditor can then read the contents of the program memory of a certified ECR and

46 For a discussion of self-help phantomware, see Ainsworth, “Zappers and Phantomware: The Need for Fraud Prevention Technology,” supra note 16.

47 Over 400 different types of ECRs and POS systems have been certified to date: Panos Zafiropoulos, personal e-mail communication, May 28, 2008 (on file with R.T.A.). The certification process means that

a fiscal cash register and its functionality is compliant with the given set of technical requirements, [and that it has been] tested and finally approved. A copy of its firmware (the object code) is laid down during the approval process. A checksum value (CRC-32 or SHA-1) is also calculated for the object file of that firmware.

Anyone whenever he wants (let’s say an auditor for audit purposes) can read the content of the program memory of a tested machine and easily understand if there are any changes comparing it with the object file which is originally kept in the competent department. This is a process that of course can be done, but requires a little bit more [effort] and more qualified staff.

Panos Zafiropoulos, personal e-mail communication, July 22, 2008 (on file with R.T.A.). The requirements for the testing are set out in the “Codification of/Addenda to Technical Specifications,” supra note 29.

48 Panos Zafiropoulos, personal e-mail communication, July 22, 2008 (on file with R.T.A.).

49 CRC-32, or cyclic redundancy check, takes as input a data stream of any length, and produces as output a value of a certain space, commonly a 32-bit integer. The term “CRC” is often used to denote either the function or the function’s output. A CRC can be used as a checksum to detect alteration of data during transmission or storage. CRCs are popular because they are simple to implement in binary hardware, are easy to analyze mathematically, and are particularly good at detecting common errors caused by noise in transmission channels. The CRC was invented by W. Wesley Peterson: W. Wesley Peterson and D.T. Brown, “Cyclic Codes for Error Detection,” (1961) vol. 49, no. 1 Proceedings of the Institute of Radio Engineers 228-35. Although CRC-32 may not be fully secure, because the same hash value could be generated with different data, circumventing the CRC is probably (1) beyond the technical skill of most


determine whether changes have been made in the firmware (through phantomware or zappers) by comparing his reading with that of the file kept in the Ministry of Finance.

FESDs accomplish the same result as FECRs. Neither phantomware applications nor zapper installations are effective when an FESD is installed. The FESD will fingerprint each document and preserve a trace in the fiscal memory of the device. Deletion or manipulation of the records associated with cash receipts is no longer possible without detection.

Thus, if a Greek vendor produces a pro forma receipt through an ECR, the details of the receipt will be recorded in the electronic journal. If the ECR is an FECR, these data enter the electronic journal, and when the AFED printer is set up to capture the data, they will be fingerprinted with a secure hash algorithm (SHA-1). This feature makes it possible to identify enterprises that have routinely offered customers lower prices in exchange for voiding the pro forma invoice at step 2. This would not be possible with FESDs. FESDs are virtual printers, and if data are not being sent to a printer, an FESD will have no need to e-sign it.

Both of the Greek solutions are very effective at step 5 enforcement. If a receipt is printed, both the FECR with an AFED printer solution and the FESD solution will assure tax authorities that the tax collected on cash transactions has been recorded. It is important to note, however, that all of these efforts are directed only at accurate record retention. Returns must still be prepared and filed, and payments remitted for the taxes due or collected, and the revenue authority still needs to audit to ensure compliance. Admittedly, this audit should be easier, but it is still needed.50

SMEs, and (2) very high risk for the manufacturer, who would find that all machines already sold and installed in Greece would lose their certification.

Exclusive reliance on the CRC-32 may not be well placed today. The CRC-32 was designed to deal with noise in transmission channels. It was not designed to deal with malicious people (see, for example, Axelle Apvrille, “Trash CRC32,” June 9, 2009, Fortiguard Blog (online: http://blog.fortinet.com/tag/crc32/)). Given the CRC-32 value of a particular firmware, it is easy to produce some other (maybe malicious) firmware with the same CRC-32 value. For example, the Web site for CRC32 Compensation Tools/Library (online: http://www.cr0.org/progs/crctools/) offers a tool that takes a file (for example, malicious firmware), an offset in the file, and a target CRC-32 value (for example, CRC-32 value of certified firmware). If we take the value returned by the tool and insert it into the file at the given offset, the CRC-32 of the file will now equal the target CRC-32 value.

Considering the availability of these tools, the Ministry of Finance should not believe that an attack is beyond the skill of most SME owners. Even if this were the case, the owner would not have to perform this attack himself; there could be a third-party supplier with the technical expertise to make and install the malicious firmware. Thus, using only the CRC-32 for ensuring the integrity of the firmware is not secure. However, the Ministry of Finance also has a copy of the actual firmware, not just its CRC-32 value, on file. The ministry should always compare the firmware itself. For SHA-1, comparing the fingerprints is sufficient. In addition, physical anti-tampering mechanisms used by the Greek ministry make it difficult for a third party to replace the firmware.
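The firmware check recommended in this note can be sketched as follows; this is an added example, not the ministry's procedure or code from the article. It shows the structural reason CRC-32 cannot serve as an integrity control (it is an affine function of the input, so its output relates predictably across inputs, which SHA-1's does not) and an auditor-side comparison whose verdict rests on the full image and SHA-1. The function names and the firmware images are constructed for illustration.

```python
import hashlib
import zlib

def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF

def xor_blocks(a: bytes, b: bytes, c: bytes) -> bytes:
    """Bytewise XOR of three equal-length blocks."""
    if not len(a) == len(b) == len(c):
        raise ValueError("blocks must have equal length")
    return bytes(x ^ y ^ z for x, y, z in zip(a, b, c))

def crc32_is_affine(a: bytes, b: bytes, c: bytes) -> bool:
    """For equal-length inputs, CRC(a^b^c) == CRC(a)^CRC(b)^CRC(c).

    No secret is involved, so the checksum of a changed image is predictable
    from the change alone. That is fine for line noise, not for an adversary.
    """
    return crc32(xor_blocks(a, b, c)) == crc32(a) ^ crc32(b) ^ crc32(c)

def sha1_is_affine(a: bytes, b: bytes, c: bytes) -> bool:
    """The same relation tested on SHA-1 digests; it does not hold."""
    def as_int(data: bytes) -> int:
        return int.from_bytes(hashlib.sha1(data).digest(), "big")
    return as_int(xor_blocks(a, b, c)) == as_int(a) ^ as_int(b) ^ as_int(c)

def verify_firmware(dump: bytes, reference: bytes) -> dict:
    """Compare a program-memory dump with the image kept at certification.

    The CRC-32 result is reported for the record only; acceptance requires the
    byte-for-byte comparison and the SHA-1 fingerprints to agree.
    """
    first_difference = next(
        (i for i, (x, y) in enumerate(zip(dump, reference)) if x != y), None
    )
    if first_difference is None and len(dump) != len(reference):
        first_difference = min(len(dump), len(reference))
    identical = dump == reference
    sha1_match = hashlib.sha1(dump).digest() == hashlib.sha1(reference).digest()
    return {
        "crc32_match": crc32(dump) == crc32(reference),
        "sha1_match": sha1_match,
        "identical": identical,
        "first_difference": first_difference,
        "accept": identical and sha1_match,
    }

# Constructed 4 KiB images standing in for certified firmware and a device dump.
REFERENCE = bytes((i * 31 + 7) % 256 for i in range(4096))
_modified = bytearray(REFERENCE)
_modified[0x200] ^= 0x01              # one flipped bit in the dump
DUMP = bytes(_modified)
OTHER = bytes((i * i + 3) % 256 for i in range(4096))

if __name__ == "__main__":
    print("CRC-32 affine:", crc32_is_affine(REFERENCE, DUMP, OTHER))
    print("SHA-1 affine: ", sha1_is_affine(REFERENCE, DUMP, OTHER))
    print(verify_firmware(DUMP, REFERENCE))
```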

50 See Zafiropoulos, “Safeguarding Electronic Tax Data,” supra note 30, at 12.


Quebec: SRMs

Quebec is responding to sales suppression fraud much as Greece has responded, but on both a more limited and a technologically more sophisticated scale.51 Where the Greek solution is based on digital fingerprints, Quebec goes further and provides data security through digital signatures. Quebec has determined that technological assistance is necessary because there are not sufficient audit resources to handle the estimated 500 new cases each year, involving close to 10,000 delinquent vendors.52

Compared with the Greek approach, the Quebec solution (set to be fully rolled out between 2010 and 2011) is limited in two respects: (1) its scope is limited to the restaurant sector, and (2) its range is limited to an FESD-like solution. Quebec has specifically rejected the “FECR with an AFED printer” type of solution.53 Like Greece, Quebec approaches the sales suppression problem from an adequacy of business records perspective. But also like the principles-based jurisdictions (the United Kingdom and the Netherlands), Quebec supplements technology solutions with very aggressive traditional audits.

The first major legislative response to zappers in Quebec came in June 2000, when bookkeeping and record-keeping requirements were enacted specifying that electronically stored data, together with the means to read such data, formed part of a Quebec business’s regular bookkeeping obligations.54 Because zappers make digital records unreliable, it was then easy to specifically prohibit the design, manufacture, installation, sale, or lease of zappers in the province.55 The latter is a presumption-of-use rule: it provides that whenever Revenu Québec finds a zapper, it is allowed to presume that the zapper was used to suppress sales.56

The business records that Quebec was primarily concerned about were the Z and X reports and the electronic journal, as well as all of the digital supporting files that

51 Quebec performed two empirical studies of the zapper problem. The first was conducted soon after the June 2000 legislative reforms came into effect. It was a “bookkeeping and records” audit conducted on 70 enterprises. It uncovered 41 zappers. Soon thereafter, the second, more scientific study (“Tax Evasion in Quebec,” supra note 4) was conducted. The use of statistical sampling techniques made this second study more accurate and authoritative. Dave Bergeron, personal e-mail communication, June 6, 2008 (on file with R.T.A.). Dave Bergeron is an IT specialist who, since 2000, has been working on zappers as part of a specialized audit unit at Revenu Québec.

52 Gilles Bernard, “Solution for the Under-Reporting of Income in the Restaurant Sector, 2,” PowerPoint presentation at the Federation of Tax Administrators Annual Conference held in Denver, Colorado on June 2, 2009 (on file with R.T.A.).

53 The alternative of certifying ECRs and mandating the use of a device similar to an AFED printer was considered and expressly rejected for cost (as well as other technological and enforcement-based) reasons. Personal e-mail communications from Dave Bergeron, November 18, 2008 and Marc Simard, September 15, 2009 (both on file with R.T.A.).

54 Act Respecting the Ministry of Revenue, RSQ, c. M-31, sections 34 and 35.

55 Ibid., section 34.2.

56 Ibid., section 34.1.


were kept in an ECR or POS system. These are the records that reside within an ECR at step 5. They are presumed accurate because these records are the basis of the data sent to the printer to produce the customer’s receipt.

This brings Quebec to the place where all fiscal till jurisdictions end up—the legislatively defined “legal receipt.” The legal receipt is the central enforcement document in all fiscal till jurisdictions. Quebec is no exception; it requires that all restaurant sales must be accompanied by a receipt, and then further specifies that this receipt must pass through the SRM, where it is e-signed.57

Penalties for not issuing a legal receipt are serious. Quebec’s 2006-7 budget summarized the penalties as follows:

Restaurant operators who fail to remit an invoice to a customer will incur a penalty of $100 as a result of this omission and will commit an offence for which they will be liable to a fine of no less than $300 and no more than $5000. For a second offence committed within five years, the fine will be no less than $1000 and no more than $10000, and for any subsequent offence within that period, no less than $5000 and no more than $50000.58

The legal receipt can be a very effective tool against skimming by collusion with the customer (step 2 skimming). If an establishment conspires with its customers to charge a lesser amount in exchange for engaging in cash transactions unaccompanied by a formal receipt, the restaurant operator is in violation of the legal receipt rule. If surveillance detects the fraud, penalties will apply. There is a variant of this fraud that is troubling, because it does not involve direct collusion with the customer; instead, the operator or owner produces xeroxed, scanned, or otherwise duplicated valid receipts.59 These remain among the frauds that can only be detected (at present) by traditional audits, and they are the reason for the high monetary penalties attached to the failure to provide a legal receipt.

For example, if a pizza shop’s most common order is a single large pepperoni pizza, it would be possible to issue one receipt for this pizza early in the day (the ECR would print the order, price, tax, date, time, and name of the establishment correctly). If this receipt was reproduced and given to every customer who ordered the same pizza that day (without ringing each subsequent sale through the ECR), the cash received could be skimmed and the customer would have an apparently valid

57 RSQ, c. T-0.1, section 425. The requirement for legal receipts is found in several other fiscal till jurisdictions, including Hungary, Greece, Finland, Portugal, Denmark, and Latvia. See “Cash Register Good Practice Guide,” supra note 6, appendix A, at paragraphs 1.3.1.1 to 1.3.1.5, and appendix D, at paragraphs 3.2.1 and 4.2.6.

58 Québec, Ministère des Finances, 2006-2007 Budget, Additional Information on the Budgetary Measures, March 23, 2006, 145.

59 Bernard, supra note 52, indicated that “[i]f the signed invoice is returned to the POS, it is possible to develop a program that re-uses signed invoices in specific circumstances. The net effect is equivalent to using a Zapper.”

receipt. The telltale sign of this fraud is the time code on the receipt. An auditor suspecting this fraud would need to order a pepperoni pizza at, say, 5:00 p.m. and notice that the receipt indicated a sale at 8:00 a.m. If the receipt passed through the SRM, it would also have apparently accurate barcodes—although Revenu Québec indicates that a hand-held scanner (discussed below) will be able to check for this fraud by comparing timestamps.

Revenu Québec unveiled its plans for the SRM pilot project in January 2008. A prototype was demonstrated at the annual conference of the Federation of Tax Administrators (FTA) in Denver, Colorado on June 2, 2009.60 The pilot program began in November 2009. Participating restaurants must install the SRM microcomputer between their ECR or POS system and receipt printer.61 The SRM will receive data62 from specified transactions (the drafting of guest checks, register receipts, or credit notes). From the extracted data the SRM will produce a digital fingerprint and a digital signature of the fingerprint, which will then be transmitted to the printer.63 Hand-held readers (used by auditors) do not use public key infrastructure (PKI)64 to

60 Physically, the prototype SRM was a relatively small (2 × 1 × 6-inch) metal box, connected to the printer and the ECR by standard cables.

61 Participation in the pilot project is voluntary. After the pilot project has ended, mandatory installation of the device in restaurants throughout Quebec will take place gradually during 2010 and 2011.

62 Revenu Québec will not disclose the data elements that are selected for signing. This information is “confidential for security reasons.” Marc Simard, personal e-mail communication, August 10, 2009 (on file with R.T.A.).

63 In a personal e-mail communication, August 7, 2009 (on file with R.T.A.), Marc Simard explained:

In addition to ensure the integrity of the information presented on the receipt, the solution designed by Revenu Québec ensures that the bar-code scanned by the [hand-held] reader is produced by the certificate delivered by [Revenu Québec] to the specific MEV [SRM] which generates this signature. The signature is produced by a combination of SHA-256 and ECC-224.

This method uses a certificate which includes a public and a private key issued for each MEV [SRM] with information that identifies the MEV [SRM] and the restaurant.

We choose the elliptic curve algorithm (ECC) to reduce the length of the result (to be converted to a barcode) and to maintain a good strength. The efficiency of ECC is well-known, since it provides similar cryptographic strength as RSA but uses shorter keys. For our case, ECC with a 224-bit key size provides similar strength to RSA with a 2048-bit size (see NIST-800-57 http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf).

64 Public key infrastructure (PKI) is a set of hardware and software procedures used to create, manage, store, distribute, and revoke digital certificates. In cryptography, a PKI is an arrangement that binds public keys with respective user identities by means of a certificate authority. The user identity must be unique for each certificate authority. The binding is established through the registration and issuance process, which, depending on the level of assurance that the binding has, may be carried out by software at the central authority, or under human supervision.

verify that any receipt under question was actually produced by a specific SRM (as does the German solution).65 With the SRM, it is the “SRM certificate” that performs this function.66

The digital signature will then be printed on the receipt from which it was derived. The digital signature, the digital fingerprint, and the recorded data will all be preserved within the fiscal memory of the SRM for seven years.67 Restaurants will be required to submit sales summaries, generated by the SRM, when they submit their tax declarations.

The Quebec government believes that the SRM will

• permit restaurant [patrons] to verify that the taxes they pay are properly recorded and assure them that these funds will be remitted to the State;
• facilitate the intervention of Revenue Quebec in cases where a receipt is not issued or recorded [step 2 skimming] or where attempts are made with zappers or phantomware to manipulate the data on the receipt [step 7 skimming];
• allow Revenue Quebec to easily verify whether or not a specific receipt has been recorded;
• preserve sales data for the statutorily required period;
• make the data-content of ECRs more uniform and easier to audit;
• allow Revenue Quebec to quickly identify cases where sales have not been declared.68

A critical difference between the Greek and the Quebec approaches is that under the Greek system, it is not necessary to have multiple FESDs in an establishment that networks multiple ECRs—a grocery store or a large restaurant, for example. Although a single SRM might have been used in a similar manner, to e-sign receipts for multiple ECRs, this was deemed to be a security risk by Quebec authorities. Thus, an SRM has a one-to-one relationship with the receipt printer (but not necessarily with each

65 The value of the hand-held reader to auditors cannot be overestimated. When Quebec’s use of a bar-code scanner was demonstrated in June 2009 at the FTA’s annual conference, the response of the German representatives, for example, was very positive. Subsequent correspondence suggested that Germany may emulate this technique:

In our [Germany’s] solution we print the digital signature [on] the receipt. If you want to verify the receipt you have to type all data of receipt including the signature [into a PC]. It takes a long time because you will make input errors. [If] ... you test it, you will find out that this is not a good practice. ... I [have used] a pencil scanner. ... It works [well] and you are much faster. You can also use a normal scanner with OCR. We are testing different solutions. ... If we use barcodes we have to have a barcode scanner.

Norbert Zisky, personal e-mail communication, August 10, 2009 (on file with R.T.A.).

66 “The MEV [SRM] certificate [is used] to verify that the receipt was produced by a specific MEV [SRM]. ... [S]ales summaries are generated and signed by the MEV [SRM].” Marc Simard, personal e-mail communication, September 15, 2009 (on file with R.T.A.).

67 Supra note 2, slides 6 through 8.

68 Ibid., slide 12.

ECR).69 This difference has a significant financial impact when the estimated $650 cost of each SRM is factored into the equation.

Steps have been taken to prevent tampering with the SRM once it is installed. The SRM is physically secure within a sealed metal case that cannot be broken into without leaving a trace.70 The SRM does not come with a backup power source. Unless restaurateurs already have a backup power source for their ECRs, the SRM will not operate in cases of power outage, and the outage will leave a record of disconnection and reconnection in the SRM. Thus, Revenu Québec will be alerted to conduct appropriate inspections whenever disconnection of the SRM occurs, regardless of the cause.71

The Quebec government has promised to shoulder the $55 million cost of providing SRMs to restaurants,72 but there is no discussion in Quebec about extending SRM applications outside the restaurant sector. This is the case even though automated sales suppression technology is not confined to restaurant fraud.73 It also appears that very small restaurants may not be required to use SRMs.74

69 Information presented when the SRM was announced (supra note 2, slide 7), showing one SRM connected to either a single ECR or a POS system, was ambiguous in this regard, and did not reflect the intended one-to-one relationship. A personal conversation with Dave Bergeron on August 11, 2008 clarified this point.

70 We wondered how easy it would be for an auditor to detect a physical invasion of the SRM. There are no publicly available (detailed) responses on this point from Revenu Québec. This question may be too close to the government’s security concerns to be answered in great detail, but correspondence with the ministry on this point states that “safety seals [will be used] to detect attempts to physically break into the MEV [SRM].” Marc Simard, personal e-mail communication, September 15, 2009 (on file with R.T.A.). In addition, from appearances (a prototype was made available for inspection at the June 2009 FTA conference), the SRM appears to be very secure. At the FTA conference and other venues, Revenu Québec has been very clear that any attempt to physically break into the SRM will be detected. Similar safeguards have been built into technological solutions adopted in Greece, Germany, and other fiscal till jurisdictions.

71 With regard to electrical disconnections, what happens if a restaurant simply decides to disconnect the SRM from its power source and make some sales with the printer directly connected to the ECR (bypassing the SRM)? Revenu Québec has indicated that this issue falls into the audit area. With the SRM’s ability to detect disconnections, ministry officials feel confident that efforts to defeat the device in this manner will be identifiable; the subsequent reconnection would also be recorded. Marc Simard, personal e-mail communication, September 15, 2009 (on file with R.T.A.). Unlike the Greek system, which will automatically shut down the ECR after it registers a specified number of attempted disconnections and reconnections, the SRM does not appear to do the same.

72 Supra note 3.

73 For example, zappers have been found in grocery stores in the United States and the Netherlands, in clothing establishments in Australia, and in hairdressing salons in France.

74 Supra note 58, at 144-45, indicating that the obligation of a restaurant to use SRMs will be dependent on whether the restaurant is required to remit a receipt to customers. That requirement is not expected to be universal, but instead will likely be defined and limited by regulation.

SRMs, however, are not the end of the story. Quebec’s view is that SRMs will not eliminate the need for traditional audit enforcement; rather, the SRM will supplement or extend the traditional audit.75 SRMs will integrate into traditional audit strategies in three ways:

1. they will be the basis for pre-audit investigation;
2. they will provide for rapid, digitally efficient confirmation of compliance with business record requirements; and
3. they will bring efficiencies to formal audits by standardizing record formats.

With respect to the first item, although immediately after the March 23, 2006 budget speech, inspection of books and accounts continued as before, once the SRM is in place Revenu Québec will accelerate the use of (non-audit) inspection teams.76 These inspectors are charged with making unannounced visits to restaurants, to inspect books and records and to take backup copies of ECR and POS programs in their search for zappers and other frauds. These teams are made up of an auditor and a computer specialist. With SRMs, these inspectors will be able to more quickly identify the irregularities that would warrant transferring a case for formal audit or criminal investigation.77

With respect to the second item, the digital fingerprint and signature envisioned for the SRM is not the same as the alphanumeric hash value (SHA-1) that is printed on the legal receipt in Greece.78 The SRM prints a barcode that can be read by a pocket computer through an integrated optical scanner. The barcode will immediately verify that a receipt is a “legal receipt,” certified by a government-issued SRM, and that both income and consumption tax amounts have been properly recorded in the firm’s business records.79 The hand-held scanner is a critical (and globally unique) tool in Revenu Québec’s effort to increase the effectiveness of its audits.80

75 Supra note 2, slide 12.

76 In Québec (Sous-ministre du Revenu) c. Paré, 2004 CanLII 39110 (Que. CA), Revenu Québec inspection teams had used warrants to search for zappers within the Squirrel computerized cash register system to which the defendant held exclusive distribution rights, even though the inspection did not rise to the level of a formal audit.

77 Richard T. Ainsworth and Dave Bergeron, “Zappers: Automated Sales Suppression,” New York Prosecutor’s Training Institute, Syracuse, NY, July 31, 2008 (PowerPoint presentation, on file with R.T.A.).

78 For example, Zafiropoulos, “Safeguarding Electronic Tax Data,” supra note 30, at 7, presented the following signature string as a representative example of the e-signing script that would be found on a receipt issued by a Greek FESD: D5A63F82962AB37886F975820883A76415DB614e0459000835920410030925eZI03013095.

79 Supra note 2, slide 12.

80 Could a complete audit of an establishment be performed with an SRM and a hand-held scanner? Revenu Québec indicates that the hand-held scanner is not intended to be used for this purpose. Marc Simard, personal e-mail communication, September 15, 2009 (on file with

With respect to the third item, the SRM will make traditional audits more efficient by standardizing the data flows from ECRs and POS systems in use throughout the province. It will no longer be necessary to have subspecialists in particular ECRs available to assist Revenu Québec auditors, because the SRM will standardize the data that an auditor will need to download onto a laptop computer in order to perform an audit.81

Germany: Smart Cards Embedded in ECRs

The German Working Group on Cash Registers, representing the highest-tier central and regional tax authorities, has been examining automated sales suppression technology (both phantomware and zapper applications) in use in the country. An interim report has been released.82 The problem is deemed to be serious, and a technological solution is entering the final stages of testing.

The German solution involves storing critical data from sales transactions on smart cards securely embedded in ECRs. The German National Metrology Institute (Physikalisch-Technische Bundesanstalt [PTB]) is the home of the INSIKA project (Integrierte Sicherheitslösung für Kassensysteme—Integrated Security Solutions for Cash Registers). INSIKA began work on prototypes of the smart card solution in 2008.

Papers on digital signatures by Norbert Zisky of the PTB83 convinced the working group that signing techniques had been sufficiently tested in secure communication

R.T.A.). Simard explains that the SRM (and the scanner) is part of a four-part fraud prevention strategy (based in large part on the determination that the fraud problem is much larger than zappers alone, and that a much broader effort is needed). The four-part strategy comprises the following steps:

(1) The restaurateur is obliged to remit a paper receipt or invoice to the client. This is the key to confirming that an economic transaction has occurred between a business and its customers. In most cases where income is not declared, hidden transactions were not recorded in the electronic cash register (ECR).

(2) Restaurateurs must produce invoices using an MEV [SRM] approved by Revenu Québec, which forces them to keep records.

(3) Revenu Québec will step up its inspection activities to ensure that the two above measures are adhered to. Note that the MEV [SRM] will allow us to redesign and speed up the inspection process and determine more efficiently whether or not a restaurant is complying with the law. Without such inspections, businesses seeking to mask income would simply not [record] transactions in the cash register, regardless of the control mechanisms in place (Greek or German solution, MEV [SRM], etc.).

(4) The general public is made aware of restaurateurs’ obligation to remit an invoice to their customers, in order to re-establish fiscal equity and fair competition.

81 Bernard, supra note 52.

82 German Working Group on Cash Registers, Interim Report, supra note 17.

83 Norbert Zisky, “Manipulationsschutz elektronischer Registrierkassen und Kassensysteme” [“Manipulation Protection—Electronic Cash Registers and POS Systems”], German Federal Standards Laboratory, Brunswick and Berlin (May 2005) (unpublished draft on file with R.T.A.);

settings with measuring instruments84 that they could form the basis of a solution to zappers.

The INSIKA project was charged with completing the technical specifications for a signature smart card by the summer of 2008.85 The work was completed in February 2009. Included with the technical specifications for the signature smart card is a determination of the data structures and formats, communication protocols, and security analysis for the system. The final results of the project were published at

and (March 15, 2004) (unpublished draft, translation on file with R.T.A.). Since these early papers, there have been several modifications to Zisky’s proposal. The critical changes include the following:

1 The signature device (smart cards) distributed by the tax authorities will be personalized to the taxpayer not to the cash register (cash box);

2 The signature device will have a set of dedicated sum storages which will be controlled by the signature device itself. It [will] generate the relevant data from the set of data to be signed. In the [case where there may be] a loss of signed data the tax authorities [will be] able to read the stored data from the smart card. The sum storages [are required] to [be] read out periodically and [are required] to be stored after signing.

3 The receipts [must] contain all relevant data for the verification of the transaction (including the signature). These [receipts will be] exactly the same [as those] in the memory (from the point of view of data modeling). With the help of [the memory record] you are able to validate each receipt. Falsification of receipts [is] not possible. But there is a little problem [currently]: If you have the paper receipt you [will need] to type in every character into your computer by hand (or you may use a scanner). The manual test of receipts without technical support will be the exception, but it [will be] possible.

Norbert Zisky, personal e-mail communication, February 15, 2008 (on file with R.T.A.).

84 See Luigi Lo Iacono, Christoph Rulans, and Norbert Zisky, “Secure Transfer of Measurement Data in Open Systems” (2006) vol. 28, no. 3 Computer Standards & Interfaces 311-26; and the Secure Electronic Measurement Data Exchange (SELMA) Project (online: http://www.selma-project.de/) (in German). For a brief description of SELMA, see infra note 128 and the related text.

85 Regarding the timeline for the completion and implementation of the project, Norbert Zisky indicated in mid-summer 2008:

With our technical work we [have] made a lot of progress. Important parts of the technical description are nearly finished. Th[ese] documents will be made available for the public in [the] autumn [of 2008]. But the general technical concept will be published earlier.

In autumn the first ECRs will be equipped with the smart card. Our cash register working group has finished the work on the internal, professional concept. This concept contains all needed steps and structures to set up the smart card solution.

As I said one of the most important steps will be the setup of the public key infrastructure. But the earliest date for [mandatory] use will be January 1st 2012 or 2013.

Personal e-mail communication, July 10, 2008 (on file with R.T.A.). Further delays were encountered, but by mid-2009 the technical specifications for the

smart card were completed and posted on the Internet at http://www.insika.de/ (in German only; an English translation is expected). At about the time that Quebec’s SRM will be undergoing a pilot test (November to December 2009), so too will the German smart card. Norbert Zisky, personal e-mail communication, July 22, 2009 (on file with R.T.A.).

the Information Security Solutions Europe conference in the fall of 2009, and are available on the INSIKA Web site.86

On the basis of the recommendations of the working group, Vectron Systems AG developed (and is currently demonstrating) a privately developed prototype of the German solution. Under the Vectron prototype, every record that holds sales data (or any other activity performed on an ECR) is secured through a digital summary fingerprint of the main data elements in the ECR. A secure electronic signature is issued for this digital fingerprint based on PKI.87

The essence of the German solution revolves around cryptography and smart card access to cryptographic data preserved within the ECR or POS system. If the revenue authority audits, it can access ECR records using a key to read the data and determine whether there has been tampering. As described by Zisky,

[t]he fiscally relevant data records can be examined both locally and after their transmission over various communication channels[. Processes will be] fully automatic with respect to their integrity and authenticity. For the electronic signature of the revenue [office] special smart cards are used, which are integrated into the POS systems. ...

The revenue office will provide a smart card with a crypto processor for each cash register. On these revenue office smart cards a cryptographic pair of keys with a secret and public key is produced. The public key is kept for later fiscal examination of the respective data. The certificate for the public key is also stored on the smart card[s] themselves. ...

In the case of the marking procedure [the signing procedure] over the data record—it is “signed” when a hash value is formed, which is in turn coded by the secret key of the smart card. The formation of the hash value is a mathematical one-way function, which comprises a single (unique) value from the data set. It is the hash value that seals the data record (an electronic seal). The formation of the signature is used to assign the data record to the cash (involved in the transaction) and/or the pair of keys. ...

For the conclusion of the verification process the two hash values are compared with one another. If these agree the integrity of the registered data record is authenticated.88

The German solution is a fiscal till solution, but it is far more flexible than the Greek solution. It is substantively similar to Quebec’s SRM;89 however, the German mandate is broader. Where Quebec is concerned with only the restaurant sector, the German proposal is for all ECRs and POS systems to be fitted (at the business’s

86 Mathias Neuhaus, Jörg Wolff, and Norbert Zisky, “Proposal for an IT Security Standard for Preventing Tax Fraud in Cash Registers,” paper presented at the Information Security Solutions Europe conference held at The Hague, October 6-8, 2009 (copy on file with R.T.A.).

87 The German solution does not anticipate that auditors will use hand-held readers, nor will barcodes appear on receipts. Instead, auditors will use laptop computers and enter the alphanumeric code printed on the bottom of a receipt to confirm the integrity and accuracy of the receipt. (See supra note 64 for a description of PKI.)

88 Norbert Zisky, “Manipulation Protection,” supra note 83, at paragraphs 5.2 and 5.3.

89 Norbert Zisky, personal e-mail communication, August 10, 2009 (on file with R.T.A.): “Quebec’s device generates real digital signatures. ... They store the signatures of each transaction inside the box. So the general approach of both solutions is very similar.”

expense) with a smart card containing a crypto processor that e-signs designated “tax-relevant data.” With this device, the entire electronic journal could be signed on a regular basis;90 or each transaction, whether open or closed (sale, refund, training session, voided sale, or temporary record), could be designated as tax-relevant and signed whenever entered into the ECR. It would not matter under the German system if no receipt was issued, but auditing individual transactions would be more difficult.91 It would matter only that each transaction be registered in an ECR or POS system that was fitted with a smart card.

Because the German solution is fully digital, the revenue authority will be able to conduct its audits of businesses remotely. A data feed may be taken directly from ECRs, or data may be transmitted through an e-mail attachment. The Greek solutions can do this, but the Quebec SRM cannot. The SRM presents data and security in digital format, but the expansion of audit capability to include remote audits has been rejected by Revenu Québec on policy and privacy grounds.92

There is a nagging question about the possibility that malicious software could be added to an ECR that has been fitted with a smart card.93 The same question arises

90 With the SRM, the electronic journal of transactions is signed by the device. Marc Simard, personal e-mail communication, September 15, 2009 (on file with R.T.A.).

91 However, German legislation is pending that will require the issuance of a legal receipt, along with other legislation that will implement the smart card solution. This legislation has not been acted upon.

92 Dave Bergeron, personal e-mail communication, November 20, 2008 (on file with R.T.A.), on the rejection of remote audits performed by linking to the taxpayer’s SRM. It is questionable whether Revenu Québec is dealing with a real privacy concern here, or merely with the appearance of an intrusion on a protected privacy interest. There should be little that should be considered confidential in the bulk transmission of itemized business records setting out daily sales of goods or services, provided that those sales are not further associated with an individual—that is, an unsuspecting customer. It is the retention of a customer’s personally identifiable information (PII) in business records that is a privacy concern. If not handled properly, this may lead to an unauthorized government intrusion into private lives. See Neil M. Richards and Daniel J. Solove, “Privacy’s Other Path: Recovering the Law of Confidentiality” (2007) vol. 96, no. 1 Georgetown Law Journal 123-82, discussing the origins and different development paths of privacy law in the United States and the United Kingdom—the United States with an individualistic understanding and the United Kingdom with a relational understanding—and indicating that unauthorized disclosure of PII within business records is central to both. Nevertheless, it is common in the transaction tax context to put protections in place whenever third-party access to tax data is contemplated. For example, section 321 of the SSUTA, supra note 13, restricts retention of PII by CSPs performing tax calculations.

93 Under the German solution, each keystroke providing data that are destined for the smart card is assigned a number by the smart card itself. Missing data can be identified by looking for a break in the sequencing. This, however, does not answer the concern; it only pushes the hypothetical back in time, so that the malicious software intervenes before the assignment of a number. In a personal e-mail communication, August 6, 2009 (on file with R.T.A.), Norbert Zisky confirmed the assignment of the numbers under the German solution: “each set of data which will be sent to the smart card for signing will be added with a sequence number generated by the smart card itself. This is the most important part of our solution. Therefore we developed a new smart card package with this functionality.”

with Quebec’s SRM. If software were designed to intercept data (entered into the ECR) that was destined for the smart card—for example, any sales of a particular beer, or any sales of beer in excess of the number of people at a table—would this defeat the system? This is a step 2, not a step 5, fraud. A valid receipt will not be issued under either the German or the Quebec solution. The German response to this hypothetical is similar to that of Quebec: because this fraud happens in real time (at the cash register) and not at the end of the day in the back room, it is an activity that remains in the realm of traditional audit.94 Brazil encountered exactly this problem in 2007 in Operação Tesouro (Operation Treasure-Hunt).95
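What the card-issued sequence numbers of note 93 let an auditor see, and what they do not, can be shown in a few lines. This is an added example, not INSIKA or Vectron code: HMAC-SHA256 stands in for the card's public-key signature to keep it short, and the record layout, the key and the auditor's ability to read the card's counter are assumptions.

```python
import hashlib
import hmac


def _tag(key, seq, data):
    # Stand-in seal over sequence number + data. A real card would sign with its
    # private key, so the auditor would need only the public key, not this secret.
    return hmac.new(key, f"{seq}|{data}".encode(), hashlib.sha256).hexdigest()


class SignatureCard:
    """Stand-in for the signature smart card (constructed for this example)."""

    def __init__(self, key):
        self._key = key          # secret stays on the card
        self.counter = 0         # numbers are issued by the card, not by the ECR

    def seal(self, data):
        self.counter += 1
        return {"seq": self.counter, "data": data,
                "tag": _tag(self._key, self.counter, data)}


def audit(journal, key, card_counter):
    """Return (altered, missing) sequence numbers for the journal under audit.

    card_counter is the last number the card issued (assumed readable by the
    auditor); without it, a journal truncated at the end would show no gap.
    """
    valid, altered = set(), set()
    for rec in journal:
        ok = hmac.compare_digest(_tag(key, rec["seq"], rec["data"]), rec["tag"])
        (valid if ok else altered).add(rec["seq"])
    seen = valid | altered
    missing = [n for n in range(1, card_counter + 1) if n not in seen]
    return sorted(altered), missing


def demo():
    key = b"constructed-demo-key"
    sales = ["beer 6.00", "pizza 18.00", "beer 6.00", "wine 9.00"]   # constructed

    # Every sale reaches the card; the last two records are later removed.
    card = SignatureCard(key)
    journal = [card.seal(s) for s in sales]
    removed = audit(journal[:2], key, card.counter)

    # A stored amount is edited after sealing.
    edited = [dict(r) for r in journal]
    edited[1]["data"] = "pizza 8.00"
    changed = audit(edited, key, card.counter)

    # The third sale never reaches the card, so no number is issued for it:
    # the journal is gap-free and the check has nothing to report.
    card2 = SignatureCard(key)
    journal2 = [card2.seal(s) for i, s in enumerate(sales) if i != 2]
    never_sent = audit(journal2, key, card2.counter)
    return removed, changed, never_sent
```

The third case is the step 2 fraud discussed above: the check is silent, so detection falls back on the missing legal receipt and on traditional audit.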

However, under the Greek solution, where it is the ECR itself that is certified and not an add-on microprocessor (Quebec) or an add-on smart card (Germany), this fraud would be uncovered. The Greek approach directly certifies the programming within the ECR, and provides a machine-specific testing mechanism.96

The Greek, Quebec, and German solutions can also be distinguished on the basis of the “per-unit” cost of implementation. The German solution is far and away the least expensive. Both Greece and Quebec have responded to the high costs of their solutions. Under the Greek regime, the entire cost is borne by business, although the government does provide tax breaks (accelerated depreciation) and financial assistance (low-interest loans) to assist with hardware purchases. Quebec, on the other hand, plans to provide the SRM to businesses free of charge.

Zisky identified the low cost of the German solution, estimated at about €50 per ECR, as one of its key features:

In ... this approach ... for the protection of electronic cash registers and POS systems against the manipulation of stored data [t]he large advantage ... consists of the reaching of a comparatively high level of protection with only small hardware and software expenditures in the POS system being necessary.97

He itemized the components of the €50 estimate as follows:

The additional costs per ECR are the result of [the] cost for the smart card (signature device), approx. 7-8 euros, and for integration of the smart card to the ECR, approx. 20 euros (including hardware and software). [An] additional 20 euros I calculate [are needed] for additional common costs (smart card distribution, administrative costs). Government subsid[ies] are not planned. But on the [part] of tax authorities some

94 Norbert Zisky, personal e-mail communication, August 10, 2009 (on file with R.T.A.): “An auditor [should] see [this fraud] in real time because no valid signature is printed on the receipt. It is the same problem [when] the taxpayer does not use the ECR every time and puts the money in his trouser pocket directly.”

95 See infra note 102 and the related text.

96 See supra note 47.

97 Zisky, “Manipulation Protection,” supra note 83, at paragraph 5.1, and paragraph 5.7 (estimating €50).

expenditure is needed. Certificate management, test tools, training of the staff of tax authorities [need to be included in a full cost estimate].

The price of smart cards is calculated on [a] base of more than 100,000 cards because they will be ordered by a central authority.98

Vectron’s prototype of the INSIKA smart card solution has an even lower cost estimate—a “[s]ingle-unit end-user price [of] less than €25.”99

The Role of Audits in Fiscal Till Jurisdictions

All fiscal till jurisdictions continue to rely on audits to detect fraud. The technological solutions discussed above—whether FECRs, AFED printers, FESDs, SRMs, or smart cards—do not replace auditing; they only make auditing easier. Thus, Quebec announced an increase in the use of inspection teams in tandem with the announcement that SRMs would soon be deployed. The SRM itself is designed with an auditor’s eye. It harmonizes data feeds from widely diverse ECRs, and it translates the digital signatures on receipts into barcodes so that they can be scanned with hand-held optical readers.

Germany’s assessment of the situation is similar to Quebec’s. Germany believes that fraud technology has advanced so far that success with traditional audits is virtually impossible without a secure technological record. In a comment directed to the Federal Ministry of Finance on November 24, 2003, the German Federal Audit Office (Bundesrechnungshof [BRH]) warned that

[t]he latest generation of cash registers and cash register systems makes it impossible for tax authorities to detect fraudulent declarations of cash receipts. In these systems, data that have been entered, as well as system-generated register and control data can be secretly tampered with. This leads to a high risk of lost taxes that cannot be overestimated. This situation must change immediately. . . .

The analysis reveals that auditors and tax investigators have constantly discovered fraudulent manipulations of cash registers and the data they store. However, such manipulations could only be discovered in older generations of electronic cash registers and cash register systems.

Verification of data has become extremely difficult since the introduction of new cash registers and cash register systems.100

Brazil’s experience with ECR manipulation reinforces the German and Quebec assessments. Reliance on technology alone to block manipulation is not sufficient. No matter how much security is placed over digital records, an audit is necessary.

98 Norbert Zisky, personal e-mail communication, February 19, 2008 (on file with R.T.A.).

99 Vectron Systems AG, “Tamper-Proof POS Data: Projectgroep Onderzoek Administratieve Software,” October 31, 2007, 30 (online: http://www.gbned.nl/downloads/xmllogistiek/poas/20071031%20Vectron.pdf).

100 BRH comments 2003, no. 54, supra note 17, at 197-98 (emphasis in original).

Brazilrequiresthata“blackbox”beattachedtoeacheCR.Thedevicesecurestheelectronicjournalandcanonlybeaccessedbythetaxadministration.Butasthe2007criminalauditofallthesupermarketsinBelém(Operação Caixa 2—OperationSec-ondRegister)demonstrates,fraudstersintentonskimmingwillfindawaytogetintotheblackbox.101Similarly,in2007,Operação Tesouro(OperationTreasure-Hunt)demonstratedthatfraudstershavebeensuccessfulintamperingwiththeblackboxthroughmalicioussoftware.Thisoperation,conductedinthestateofBahia,uncov-eredover300foodserviceestablishmentsthatusedsoftwaretomanipulatedatabeforeitwassenttotheblackbox.102

101 “OperaçãoCaixa2”(OperationSecondRegister),conductedbytheBrazilianFederalRevenueservice,beganonOctober1,2007.Intheearlystages,itinvolved50fiscalauditors,20taxanalysts,and20supportpersonnel(policeunits)operatingin10teamsinthecityofBelém.Onthefirstdayoftheoperation,fivecompanies(supermarkets)wereraided,175recordingmachineswereconfiscated,and60werefoundtohaveirregularities.Inaddition,17suppliersweresearched.Onthesecondday,fourmoresupermarketswereraidedinCapanema,andtwomoreinBragançaweresearched.“Thefiscalauditorandcoordinatorofthisactivity,JoséRenatoGomes,affirmsthatyesterday’sworkisessentialforfindingoutwhetherthiskindoffraudisallcomingfromBelém,fromthecorporationssupplyingtheequipment,orifitisbeingsetupandcarriedoutoutsidetheState.”“ReceitaFederalfiscalizasupermarcadosemBelém”[“FederalRevenueServiceInvestigatesSupermarketsinBelém”],Plantao Online Edition,October1,2007;“ReceitaFederaldáprosseguimentoàOperaçãoCaixa2”[“FederalReserveGivestheGo-AheadtoOperationCaixa2”],Plantao Online Edition,October3,2007;and“OperaçãoCaixa2divulgabalancehoje”[“OperationCaixa2ToReleaseResultsToday”],Plantao Online Edition,October18,2007(online:http://www.orm.com.br/plantao/comentar.asp?id_noticia=290720)(inPortuguese—sequenceofpostingonthefederalgovernmentWebpage;translationsonfilewithR.T.A.).

102 “OperaçãoTesouro”(OperationTreasure-Hunt)inthestateofBahiaisdescribedasfollows:

[S]evenbusinessmenfromthebarandrestaurantsector,aswellastheownersoftwoinformationsectorbusinesses,namelyNetworksandStellaSystems,[havebeen]accusedofbeingresponsibleforthedevelopmentofataxevasionsoftwareprogram....[Theoperationinvolved]28searchwarrants...35teams...comprisedof264people,...thecivilpolice,civilianandmilitarypoliceofficers,taxauditors,revenueagents,prosecutingattorneysandintelligenceprofessionals....Accordingtothetechniciansinvolved...between2005and2007thefraudulentaccountancyperformedbythe“Colibri”[hummingbird]softwareprogrampermittedtheillegalwithholdingofalmostR$2million.Thenumberofestablishmentsinvolvedintheschememaybeashighas300inthefoodservicesectoralone....[T]hesebusinessmenhavebeenwithholdingnearly40%oftheircompanies’turnover....[T]heColibrisoftware,developedbyNetworks,isadatabaseprogramforcommercialautomation,commonlyusedbybars,restaurantsandluncheonettes.ThefraudconsistsintheuseoftheprogramwithacertainconfigurationpermittingthedeactivationoftheReceiptIssuingDevice(eCF),andthuskeepingthemachinefromissuingareceiptduringpaymentforsalesofproductsorservices.

“Technological fraud? .. Bahia :: Fraude: Sonegação Fiscal Leva sete empresários para a Prisão Terça-feira” [“Technological Fraud? Bahia: Fraud: Seven Businessmen Imprisoned for Illegal Withholding of Taxes”], Journal da Midia, October 2, 2007 (online: http://www.jornaldamidia.com.br/noticias/2007/10/02/Bahia/Sonegacao_fiscal_leva_sete_empres.shtml) (translation on file with R.T.A.).


The experience of Greece, however, appears to stand in contrast to the Brazilian as well as the German and Quebec assessments. Even though regular audits of FECRs, AFED printers, and FECDs are conducted by Greek authorities, no significant enforcement actions involving ECRs have reached the courts, or can be referenced by tax officials.103 In light of the 20 years of certification experience that Greece has with ECRs, one might have expected things to be different. It is not clear whether this is a case of false confidence in technology, a case of superior technology, or a case of a superior deterrence profile, but in light of the Brazilian investigations, the Greek approach needs to be considered carefully. Is the direct certification of an ECR, with the willingness and demonstrated ability to go in and check for programmatic modifications, a significant deterrent?104

Comprehensive Audit: The Netherlands

The Netherlands is at the other extreme of the technology/traditional audit continuum. The Dutch are convinced that audits alone are sufficient. They reject fiscal till technology. The fundamental emphasis in the Netherlands is on detailed, comprehensive, and technologically penetrating audits. Direct government intrusion into the record-keeping systems of all businesses just to catch fraudsters is avoided at all costs. Following a pure principles-based approach to enforcement, the Netherlands believes that it can rely on good business practices and compliant taxpayers.

However, Netherlands officials speak about performing “deep audits”—that is, audits that are not focused solely on the sales records in the ECR. A deep audit considers businesses comprehensively; it looks at income taxes, consumption taxes, and employment taxes simultaneously, and with heavy stress on the interrelationships among taxes. Ben B.G.A.M. van der Zwet, lead auditor for technology compliance, has described the Dutch approach as follows:

The Dutch Tax Authority is convinced that the appropriate approach is to use principle based laws in this area. This method involves maintaining the law by stimulating the compliance of taxpayers. It is premised on a belief that we should be working from a starting point of trust to get compliance, or to provide explanations.

With respect to the problem of auditability and the completeness of sales for enterprises with sizable over-the-counter payments, the Dutch Tax Authority has decided to work to improve voluntary compliance.

The Dutch Tax Authority is cooperating with software developers, suppliers and manufacturers of cash registers, branch organizations, and larger companies.105

103 According to Panos Zafiropoulos, “[b]ecause of the very strict and quite detailed technical specifications that exist in Greek legislation, there are no infamous fraud cases regarding cash registers being used so far.” Personal e-mail communication, May 10, 2008 (on file with R.T.A.).

104 There is considerable interest in the Greek system in other countries. Kenya has adopted it, and at the time of writing (August 2009), the Greek approach was also being adopted in Kosovo. Panos Zafiropoulos, personal e-mail communication, August 10, 2008 (on file with R.T.A.).

105 Ben B.G.A.M. van der Zwet, “Note: Draft 20080201—Fiscal Obligations for Cash Registers in the Netherlands,” February 1, 2008 (unpublished draft on file with R.T.A.).


The Netherlands has been successful with this approach. One of the best examples of how a comprehensive multitax audit can uncover data manipulations is the café Dudok case.106 The Dudok case also illustrates the connection between sales suppression fraud and the symbiotic relationship that develops between SMEs and their ECR providers. The case involved a Dutch “grand café”—a style of café with spacious facilities, which welcomes drop-in customers and has a large cash-based clientele. This type of operation is an ideal business for skimming.

Dudok skimmed cash receipts with a primitive zapper and used a portion of the cash to pay employees under the table. The Dutch revenue authorities (Belastingdienst) were suspicious of the low wages reported and thought that additional, unreported compensation might be being distributed to employees.107 Testimony in the case indicated that on the second day of the payroll audit, the managing director of Straight Systems BV108 visited Dudok, where he was approached by the café’s owner-manager. Straight Systems BV supplied the Finishing Touch POS cash registers that were used by Dudok. The owner-manager explained that he was having difficulty accounting to the Belastingdienst for the wages that were being reported, in part because the auditors were also questioning the turnover that was reported. The numbers did not “seem right” to the auditors, and they were requesting backup data. The owner-manager was worried that this would lead them to the primitive zapper he was using.

The managing director of Straight Systems explained the existence of a more sophisticated zapper, a “hidden delete” option already embedded in the Finishing Touch cash registers. Essentially, the embedded device was “a hidden menu option that, after enabling ..., allowed operators of catering establishments to delete cash register receipts from the system.”109 After this discussion, an employee of Straight

106 District Court of Rotterdam, LJN: Ax6802 (June 2, 2006) (online: http://zoeken.rechtspraak.nl/resultpage.aspx?snelzoeken=true&searchtype=ljn&ljn=Ax6802) (in Dutch, translation on file with R.T.A.); appealed to the District Court of The Hague where the judgment was upheld, LJN: BC5500 (February 29, 2008) (online: http://zoeken.rechtspraak.nl) (in Dutch; translation on file with R.T.A.).

107 LJN: BC5500, supra note 106, at F3. Prior to using the phantomware installed on its system, Dudok was skimming sales in a very amateur fashion. The entire sales records of the POS system were deleted and records were reconstructed on Excel spreadsheets. The examining agents did not trust the spreadsheets and asked for the POS records as a backup to confirm what they were being shown on the audit. Ben B.G.A.M. van der Zwet, personal e-mail correspondence, May 28, 2008 (on file with R.T.A.).

108 Straight Systems BV is a Netherlands company that specializes in single-service ECR systems where all hardware and software are developed “in house.” The company Web site offers a 24-hour helpdesk where there is “one point of contact for all hardware and software for checkout’s front office and back office systems” (online: http://www.straight.nl) (in Dutch; translation on file with R.T.A.).

109 LJN: Ax6802, supra note 106, at “Consideration of the evidence” (in Dutch; translation on file with R.T.A.). The case discusses three software programs: Twenty/Twenty, Finishing Touch, and Tickview.exe. Twenty/Twenty was a US touch-screen program that did not have a


Systems visited Dudok, and explained and enabled the application of the erase rule (the hidden delete function).110 Subsequently, the café’s owner-manager decided to start using the option.111 Nevertheless, as van der Zwet recounts, the fraud was uncovered by the Belastingdienst auditors:

The most interesting thing about [Dudok] is that the discovery of the fraud was completely the benefit of a good and thorough tax audit. Based on our principle based law, tax officers were not satisfied getting the total reports and MS Excel work-pages with total sales etc. They wanted the [detailed] information of the POS. The tax officers persisted in their efforts to get the detailed information. This forced the entrepreneur to ask the POS supplier to help him out.... [He] was aware that once the POS records were audited the fraud would instantly be clear.

Straight Systems was helpful by installing an additional hidden feature of the POS system. Records in the POS could [now] be deleted and the records renumbered so that no gaps would appear.

A thorough investigation of the tampered databases revealed the deleting of the records anyway. So this was not simple bad luck [for the taxpayer] but a good audit job of the Tax administration!112

The court upheld criminal tax fraud determinations in the Dudok case in respect of unreported income, value-added, and payroll taxes. Both the restaurant operator and the ECR/software provider were convicted.

Two other successful audit-intensive cases in the Netherlands are notable, both of which involved software enabling fraud:

• Microcraft Software developed Analyse (also known as CxAnalyse and Retail) as a management information system for grocery stores, butchers, and bakers. It worked off a combination of ECRs and grocery scales. The zapper could be started with a hidden combination of keystrokes, and the user could then indicate a percentage of turnover that would be skimmed.113

• B&F Software and Computers B.V. developed Beleids Informatie Systeem (BIS) for hairdressers and an add-on program for zapping cash sales through POS and

phantomware application. Straight Systems BV added the phantomware application to Twenty/Twenty and renamed the program Finishing Touch. Using just this program, you can view the sales ticket and change data. With a secret command, the Tickview.exe program within Finishing Touch can be activated, and the operator is asked if he would like to delete the whole ticket. If an affirmative response is given, the system records a “no sale” and the entire audit trail to the original data is eliminated. Ben B.G.A.M. van der Zwet, personal e-mail communication, May 28, 2008 (on file with R.T.A.).

110 The trial court in Rotterdam refers to the phantomware application as a “hidden delete function,” whereas the appeals court in The Hague refers to the phantomware as “the erase rule.”

111 LJN: BC5500, supra note 106, at F3.

112 Ben B.G.A.M. van der Zwet, personal e-mail communication, April 16, 2008 (on file with R.T.A.).

113 See Case LJN: AT5876, District Court of Arnhem, July 27, 2005 (in Dutch; translation on file with R.T.A.).


client information systems. After the operator entered the percentage to be skimmed, the system selected the categories of transactions to be eliminated (for example, male walk-in customers paying cash without special services).114

Given the success of the Dutch authorities in prosecuting such cases, it is clear that an intensive and comprehensive audit approach works against automated sales suppression devices. There are a number of sizable cases in the Netherlands, and a much larger number of cases in Quebec, that demonstrate the effectiveness of this approach. Quebec, however, unlike the Netherlands, is convinced that more than an audit is needed. The SRM is a rules-based supplement to the audit effort.115

The United Kingdom has indicated that it shares the Netherlands’ opinion,116 and would prefer to avoid universal fiscal till solutions. However, a recent national pilot study of 941 UK enterprises has uncovered clear evidence of tax fraud involving phantomware. Given the apparent scope of this fraud (which has not been fully analyzed as of this writing), the United Kingdom may change its position on the use of fiscal till technology.117

Blending Rules and Principles: Certification of Third-Party Service Providers

Certification is the common thread among all the zapper enforcement efforts considered above. This is apparent if we step back from the details. In each instance—Greece, Quebec, Germany, and the Netherlands—the tax authorities responded to the threat of automated sales suppression in the same manner: they all looked for certification of digital records. Rules-based jurisdictions imposed external certification regimes to force businesses to keep trustworthy records; principles-based jurisdictions induced businesses to develop their own internal (self-)certification regime. In all cases, however, it is the reliability of digital records that is the main concern—and in all cases, the question is whether the certification is trusted. Both approaches work. But neither approach (rules-based nor principles-based) comes without costs and problems.

In rules-based jurisdictions, the prospect of forcing all businesses to accept a government presence inside the record-keeping function of private enterprises—the fiscal till solution—is considered by some to be far too intrusive. The observation is that this remedy is overly broad, and needs to be more focused. Why should all

114 B&F Optics BV, District Court of Amsterdam, August 11, 2005 (in Dutch; translation on file with R.T.A.).

115 The Quebec approach is to have the SRM together with specialized inspection teams and a significant public awareness program. Supra note 2, slide 5.

116 See “Cash Register Good Practice Guide,” supra note 6, at paragraph 1.4.4 and appendix E.

117 Jennifer Mitchell (HM Revenue & Customs, Local Compliance, SME Interventions), personal e-mail communication, November 26, 2008 (on file with R.T.A.).


sales activity be certified through government oversight, just because some records are untrustworthy? In Quebec, the government’s SRM minicomputer must be placed between every ECR and printer in every restaurant (except perhaps some small restaurants). In Germany, every ECR will be required to install a tamper-resistant, government-issued smart card that can be configured to record, sign, and transmit all data processed by the ECR. In Greece, no business can be conducted without processing transactions through a government-certified FECR or FESD.

Principles-based jurisdictions prefer a “hands-off” approach, at least initially. Moral factors and good business practices are relied upon to make digital records trustworthy. Unfortunately, this solution requires oversight, and the oversight that works is an audit program that is both comprehensive and technologically intensive. Even though it is more than inconvenient for a small business to have to respond to these kinds of audits, the real problem is not the complaints of the business owners; it is the fiscal demands placed on the revenue authority that must conduct the audits. Funding is rarely sufficient to secure the necessary audit teams and computer audit specialists.

Fortunately, there is another option—certification of intermediaries. This approach is used in the United States with CSPs (certified service providers) under the SSUTA.118 The SSUTA can be a useful template for jurisdictions seeking to develop less intrusive and less expensive methods for combatting automated sales suppression. Currently, CSPs perform all consumption-tax compliance functions for their clients. They determine taxability and the correct rates. They prepare and file returns, make tax payments, and immunize the taxpayer from liability for errors (except taxpayer fraud).

Extending the CSP’s obligations to include certification by the CSP to the government that the taxpayer’s ECRs and POS systems are free from zappers and phantomware would create a new enforcement regime. Four questions need to be addressed:

1. How does a CSP get ECR and POS system data?
2. How can a CSP be sure that the data it has are accurate?
3. What standards should the government use to certify a CSP’s automated system? In other words, what data does a tax authority need in order to be sure that it can trust the CSP’s attestation to the accuracy of the taxpayer’s system?
4. What is the most efficient and cost-effective way for a CSP to satisfy the government’s standards?

Possible responses to these questions are provided below.

1. How Does a CSP Get ECR and POS System Data?

CSPs currently pull data directly from the ECR or POS system to determine taxability at step 4 of the transaction sequence. The data are stored in an independent

118 See supra notes 13 to 15 and the related text.


(tamper-proof) audit file before they are used by the taxpayer to draft the invoice (receipt). The CSP maintains this file to protect itself from liability.

Unlike fiscal till solutions, which preserve data that are sent to the printer from step 5 (procedures a through d) or from step 6 (when the data are recorded in the X or Z reports or the electronic journal), the CSP is actually involved in generating the critical data sets. In real time, the CSP determines the taxability of transactions, calculates the tax, and passes this information back to the ECR. This event has a three-way data check:

1. The customer is demanding an accurate receipt, and the CSP and the business (the vendor-taxpayer) must produce it.

2. The business (which has the primary obligation to collect and correctly remit the tax) is demanding that the CSP perform this tax function accurately.

3. The CSP (which is assuming all the tax-compliance obligations of the business, including remission of taxes from funds provided by the business) is motivated to be accurate (to detect any fraud) because it has liability for any errors in the calculation and remittance of tax, and must compensate the tax authority for such errors out of its own funds.

With a CSP-based system, a “legal receipt” is not required. It could be mandated to combat fraud occurring outside the ECR, or maybe as a further tool against consumer-business collusions, but it is not necessary for the CSP. It is likely that the revenue authority would demand a legal receipt to facilitate audit checks.

The SSUTA is a voluntary system. However, there are strong incentives to participate. Businesses participate to get relief from regular audit, relief from penalties for tax calculation errors, and relief from additional taxes (penalties and interest) that stem either from late changes in laws or errors in taxability determinations.119 CSPs participate for commercial reasons: fees for service from the business-client or the state,120 and money-movement benefits. These incentives are offset by a shift in tax liability to the CSP if it makes errors. Only fraud by the business-client (the taxpayer)121 removes this liability.122 All CSPs insure against the risk of their own errors (so there is always a fund out of which missing taxes can be paid). They are also required to post a bond before receiving certification, and they are permitted to retain confidential transactional data in order to defend themselves, if necessary.

119 SSUTA, supra note 13, at section 9(a).

120 Ibid., at sections 601 to 603 (providing that the government may enter into contracts with a CSP to compensate the service provider directly on the basis of taxable transactions processed, or a percentage of instances where sellers without nexus volunteer to collect sales taxes that they are not otherwise obligated to collect).

121 A CSP is also relieved from liability for charging and collecting the incorrect amount of tax if that error is caused by erroneous data provided by a member state on tax rates, boundaries, or taxing jurisdiction assignments, or if it is based on erroneous data provided by the member state in the taxability matrix. SSUTA, supra note 13, at sections 328 and 331.

122 Ibid., at section 9(a).


2. How Can a CSP Be Sure That the Data It Has Are Accurate (Free from Manipulation)?

Ensuring the accuracy of the data relied upon is key to the SSUTA approach. In our view, the most effective way to do this is to adopt the German smart card in the private sector. The German smart card can be configured to sign every event—completed sales, temporary records, refunds, test modes, open or partially completed transactions. Thus, every keystroke could be recorded, collected, and signed on the smart card, and then transmitted to the CSP.123 The tax authority could then direct questions about any transaction, or about the business records associated with any ECR, to the CSP. Only in cases of fraud would it be necessary for the tax authority to approach the taxpayer-client. If suspicions were raised, it would be in the self-interest of the CSP to assist the government in determining the truth.

Use of a smart card would be a form of comprehensive ECR monitoring, but the private sector would be monitoring the private sector, in contrast to an intrusive government oversight program.124 For additional protection, it is likely that a CSP would also adopt the Greek security regime; that is, it would take steps to certify each specific ECR, and then keep a digital record of the programming of each machine that could be confirmed in the manner of a Greek audit.125
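The per-event signing described in this section can be sketched as a sequence-numbered, chained journal that a CSP checks for removed or renumbered records. This is an added example, not code from the article, the INSIKA project or any vendor: HMAC-SHA256 stands in for the smart card's asymmetric signature so that it runs on the Python standard library alone, and the record layout, the class and function names, the key and the sample events are all constructed assumptions.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64
DEMO_KEY = b"constructed-demo-key"  # assumption: stands in for the card's signing key


def tag(key, seq, prev, event):
    """Authenticate sequence number, previous tag and event content together."""
    body = json.dumps({"seq": seq, "prev": prev, "event": event}, sort_keys=True)
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


class SigningCard:
    """Hypothetical model of the signing device attached to one ECR."""

    def __init__(self, key):
        self._key, self._seq, self._prev = key, 0, GENESIS

    def record(self, event):
        # The counter and the previous tag live on the card, not in the ECR.
        self._seq += 1
        rec = {"seq": self._seq, "prev": self._prev, "event": event}
        rec["sig"] = tag(self._key, rec["seq"], rec["prev"], event)
        self._prev = rec["sig"]
        return rec


def verify_journal(key, journal, last_sig_received=None):
    """Return (position, finding) tuples; an empty list means the journal is intact.

    last_sig_received is the tag of the newest record the CSP already holds;
    without it, records removed from the end of the journal go unnoticed.
    """
    findings, prev = [], GENESIS
    for pos, rec in enumerate(journal, start=1):
        if rec["seq"] != pos:
            findings.append((pos, "sequence gap"))
        if rec["prev"] != prev:
            findings.append((pos, "chain break"))
        expected = tag(key, rec["seq"], rec["prev"], rec["event"])
        if not hmac.compare_digest(expected, rec["sig"]):
            findings.append((pos, "bad signature"))
        prev = rec["sig"]
    if last_sig_received is not None and prev != last_sig_received:
        findings.append((len(journal), "tail mismatch"))
    return findings


def build_sample_journal():
    """Constructed sample: event kinds named in the text, signed in order."""
    card = SigningCard(DEMO_KEY)
    events = [
        {"type": "sale", "tender": "card", "total": "42.50"},
        {"type": "sale", "tender": "cash", "total": "18.00"},
        {"type": "test_mode", "tender": None, "total": "0.00"},
        {"type": "refund", "tender": "cash", "total": "-7.25"},
        {"type": "sale", "tender": "cash", "total": "63.25"},
        {"type": "sale", "tender": "card", "total": "29.90"},
    ]
    return [card.record(e) for e in events]


def without_record(journal, seq, renumber=False):
    """Copy of the journal as it looks after one record is removed from the
    stored file, optionally renumbered so that no gap shows in the counter."""
    kept = [copy.deepcopy(r) for r in journal if r["seq"] != seq]
    if renumber:
        for pos, rec in enumerate(kept, start=1):
            rec["seq"] = pos
    return kept


if __name__ == "__main__":
    journal = build_sample_journal()
    print("intact:    ", verify_journal(DEMO_KEY, journal))
    print("gap:       ", verify_journal(DEMO_KEY, without_record(journal, 2)))
    print("renumbered:", verify_journal(DEMO_KEY, without_record(journal, 2, renumber=True)))
    print("truncated: ", verify_journal(DEMO_KEY, journal[:4], journal[-1]["sig"]))
```

Renumbering hides the gap in the counter but invalidates the tag of every later record, because the sequence number is part of what was signed. With a real asymmetric signature the verifier would hold only the public key, which the shared HMAC key used here does not model.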

3. What Standards Should the Government Use To Certify a CSP’s Automated System?

What data does a tax authority need in order to be sure that it can trust the CSP’s attestation to the accuracy of the taxpayer’s system?

The data preservation standards that a CSP would need to meet if it were to certify the accuracy of business records in an ECR should be the same standards that a

123 In a personal e-mail communication, November 17, 2008 (on file with R.T.A.), Norbert Zisky confirmed, “If I get the data in Berlin from an ECR in Boston I am able to check the integrity (whether the data is unchanged against the original data) and the authenticity (whether the signature belongs either to the ECR or [to] the taxpayer). The kind of authentication depends on the operational concept of the tax body. In principle every transaction [final sales (step 5) and temporary transaction (step 2)] could be transferred to the auditor or a remote server.”

124 Not only could all transactions (final and temporary) be tracked and e-signed by the German smart card, but all of this could occur in real time. However, the German planners have indicated that, because the data are collected by government authorities, businesses “will have a strong resistance against this online tracking of transactions.” Norbert Zisky, personal e-mail communication, November 17, 2008 (on file with R.T.A.). There is a Serbian proposal to do this, but it has not been well received. Milan Prokin, “Technical and Functional Specification of Turnover Controllers—Draft Prepared for Fiscalis FPG 12 Cash Register Project Group” (undated; on file with R.T.A.), 7. Prokin (of the Faculty of Electrical Engineering, Belgrade) proposes a system whereby “[a]ll misuses of fiscal cash registers, fiscal printers, non-fiscal cash registers and non-fiscal printers listed in the document titled Cash Register Misuse Guide are inherently solved by a new device called a turnover controller [a central database where government servers store all transaction data].”

125 See supra note 47 and the related text.


principles-based jurisdiction, like the Netherlands, would set down for all ECRs. In a guide to businesses outlining their fiscal accounting obligations, the Dutch tax authority lists the requirements that a business must meet in order to bring its ECRs or POS system into compliance with Dutch law.126 They include

• detailed records available for the tax auditor if and when required,
• electronic preservation of the details of transactions,
• preservation of a complete audit trail, and
• adequate measures to guard against subsequent alterations in a manner that will ensure that data integrity is maintained.

The Dutch requirements may not be difficult for larger businesses to meet, but for SMEs (which is where phantomware and zappers are found), the requirements are burdensome. Van der Zwet confirms:

Hardly any of the cash registers or Point of Sale systems by themselves [comply] with the requirements set out by the Dutch Tax Authority. With larger companies this omission can be compensated for with adequate internal control measures. Without similar internal control efforts, SMEs that may be willing to comply with Dutch fiscal obligations will fail in their attempts.

• Data needs to be stored electronically.
• Facilities have to be implemented to export data to digital data carriers.
• Settings of the software and the adequate database structures must support a proper audit trail.
• Measures must be taken to assure the reliability of retained data.127

Under the SSUTA model, a third-party service provider could not be certified unless it could assure tax authorities that its system accurately, completely, and automatically captured the required data from the taxpayer’s ECRs. With these data on hand, the CSP’s attestations would be highly credible.

4. What Is the Most Efficient and Cost-Effective Way for a CSP To Satisfy the Government’s Standards?

Combining the smart card with the SSUTA approach appears to be the best solution. It is far less expensive than any other option; it uses proven technology, and the CSP in an SSUTA context is a proven legal structure. But there is also a strong argument for blending in the Greek approach to ECR certification, as well as the Quebec SRM’s

126 Belastingdienst, Your Cash Register and the Fiscal Accounting Obligations (The Hague: Belastingdienst, 2007) (online: http://www.gbned.nl/downloads/xmllogistiek/poas/Your%20cash%20register%20and%20the%20fiscal%20accounting%20obligations.pdf), paragraph 6, “Checklist for Cash Registers.”

127 Van der Zwet, supra note 105, at 4.


bar-code reader. Merging attributes of all three systems, a CSP vehicle makes a great deal of sense.

The only competing option is for the government to become the vehicle for implementation. However, even the German research teams working on the smart card project concede that direct government involvement compromises the effectiveness of the solution.

The German smart card solution comes from successful research in legal metrology, specifically the SELMA (Secure Electronic Measurement Data Exchange) project. The immediate goal of SELMA was to “... ensure the secure transfer of measured energy data from decentralized meters to the authorized users via open networks.”128 SELMA succeeded. The project leaders summarized SELMA as follows:

SELMA ... developed a security architecture to establish trust in the electronic transfer of data from the meter to data acquisition systems and further to the customers. The introduced security mechanisms are based on asymmetric cryptography and more specifically on digital signatures that enable the signed measurement data to be verified and authenticated in conjunction with a suitable key management. Particular security units have been created that contain the necessary security mechanisms.

The SELMA architecture represents a best practice solution of strong cryptographic mechanisms to secure a wide range of metrology applications and is compatible with appropriate European directives and guidelines.129

SELMA looked at natural gas meters. The SELMA solution assured multiple parties (traders, distributors, owners of distribution networks, and consumers) that remotely monitored meters were accurate. On the basis of the assumption that ECRs and POS systems are only a different kind of meter recording a different kind of data flow, the SELMA researchers suggested that the same solution could apply in this new context as well. The INSIKA project (described earlier in this article) was launched in 2008 to consider this application.

There are two critical differences between SELMA and INSIKA: (1) the INSIKA data represent confidential tax information (not natural gas measurements), and (2) the group of interested parties includes the government (whereas only private parties are involved in gas metering). The researchers soon became aware that businesses were strongly resistant to online tracking of transactions by the government.130 As a result, the SELMA solution was not able to be fully implemented in INSIKA. Zisky noted:

The real time, central collection of very large amounts of data is already being carried out today in different sectors of the economy. One example worth mentioning is the area of special contract customers for power supply. Of approximately 300,000 special

128 Iacono et al., supra note 84, at 312-13 (emphasis added).

129 Ibid. Also see the online source for the SELMA project, supra note 84.

130 See supra note 124, quoting from personal e-mail communication with Norbert Zisky.


contract customers, energy amounts recorded in intervals of 15 minutes are read out daily and stored centrally. These data, relevant to calibration law, provide the basis for the monthly billing. For the sake of completeness, the following should also be mentioned: work is currently being done towards securing measurement data cryptographically.

The decisive difference between the example of energy data transfer and the real time, central recording of tax-relevant data consists in the fact that the data must be collected by the authorities, rather than by a contracting partner.131

Simply put, even when there is “nothing to hide,” there are real privacy concerns when the government gets too intrusive.132

These are the same issues that confronted the SSUTA. The real-time collection of tax data by the government was not acceptable to business, but the collection of such data was acceptable when a third party did it. Thus, the issue changed. Now, the question was whether the government could trust the third party as much as the taxpayer did (rather than whether the government should be trusted to collect the data directly). The SSUTA answer was that, yes, the government could trust a third party, but only if the third party’s systems were certified.133 (Similarly, the Dutch tax authority was concerned with finding a way to encourage voluntary compliance by taxpayers, rather than imposing too much government control over private business records.)

The SSUTA was born as an inexpensive, voluntary regime to streamline sales tax compliance. It extends audit immunity to taxpayers who use CSPs, because the CSP is trusted by the government. An SSUTA type of system to prevent zappers and phantomware applications in ECRs could be made mandatory for all sectors of an economy. Alternatively, it could be applied only in high-risk sectors, or it could perhaps be made mandatory only for those taxpayers who had previously been found to manipulate sales records. Even if it were only mandatory for some taxpayers, participation in the system should remain an option for all businesses. This would increase the pressure on those who do not use CSPs to maintain good records. Traditional audit resources could be more intensively focused on this subset.

Conclusion: Assessing Quebec’s SRM

With the SRM currently in operation in a select number of restaurants on a volunteer basis, it seems appropriate to offer an assessment of how effective the SRM could prove to be, in light of the experience with anti-fraud initiatives in other jurisdictions. There are five critical observations.

131 Zisky, “Manipulation Protection,” supra note 83, 10-11 (emphasis added).

132 Daniel J. Solove, “‘I’ve Got Nothing To Hide’ and Other Misunderstandings of Privacy” (2007) vol. 44, no. 4 San Diego Law Review 745-72.

133 There is a related issue of trust involving consumers. It was necessary to add a provision to the SSUTA to protect personally identifiable information (PII) from disclosure when it was in the hands of the trusted third party. See supra note 92.


1. The SRM will work. Coupled with a significant audit effort, the SRM will most likely be an effective zapper and phantomware deterrent in the Quebec restaurant sector. There are several reasons for this:
   a. the SRM is similar to the very effective FESD and FECR with AFED printer that has been in use in Greece for over 20 years;
   b. the SRM deployment is accompanied by a commitment to increase pre-audit investigators who will refer suspected fraudsters for full audits; and
   c. the SRM will facilitate rapid pre-audit investigations by embedding bar codes on each receipt that will verify that it is “legal.”
   All of these factors bode well for the workability, effectiveness, and ultimately the success of the SRM.

2. The SRM is expensive. Quebec estimates that the SRM will cost approximately $650 per unit, an expense that will be borne entirely by the Quebec government. The estimated cost for full deployment of the SRM throughout the restaurant sector is $55 million. These costs approximate the Greek costs, but are 10 times the per-unit cost of the German smart card, and they present Quebec with a scalability problem. In other words, if Quebec wants to eventually extend the SRM throughout the economy, instead of focusing on a single sector, the magnitude of these expenses might force the government to either limit its financial support (as is the case in Greece) or move to a device modelled on the German smart card. Because zappers and phantomware are not confined to the restaurant sector, the scalability of the SRM solution needs to be considered in advance of full implementation.

3. The SRM is an invoice-based solution. Quebec, like Greece and Germany, designed its solution around the invoice (receipt), and passed laws mandating that a legal receipt must be given in each sale. This requirement raises concerns about too much government in private business: Why should every sale need to be accompanied by an SRM-signed receipt when profits from only some sales are skimmed? However, this intervention into private business relationships is a necessary part of the enforcement regime, because the invoice is the trigger that sets the whole data security process in motion. Factoring in some Dutch concerns and looking more closely at a CSP/smart card solution might have some merit.

4. Extending a mandatory SRM solution outside the restaurant sector may be difficult. Indeed, the fact that some restaurants have agreed to participate in the SRM pilot project on a voluntary basis does not mean that the SRM will be widely accepted throughout the restaurant sector. Could the government impose mandatory use of the device throughout the economy? Quebec’s empirical work supports a restaurant initiative, but audit results in the Netherlands (as well as some early cases in Quebec) suggest that the problem is much more widespread; grocery stores, convenience stores, and hairdressers are all suspect. In Germany, there is considerable resistance to the smart card precisely because it is being considered for the whole economy. Quebec’s single-sector approach is unusual and may ultimately prove to be unstable,


because it will not solve the whole problem, and it treats businesses unequally. Business incentives may be helpful in this effort, and by offering them, Quebec would be taking a page from the principles-based jurisdictions. The SSUTA model highlights the incentives that have worked in the United States.

5. The SRM is not a real-time solution.134 There is nothing in the SRM, in the German smart card proposal, or in the Greek system that accelerates audit, return filing, or tax remission into real time. Real-time compliance is very possible with certified systems, but this would require adoption of a CSP/smart card solution. It is an intriguing thought that the CSP/smart card would not only stop skimming frauds with zappers and phantomware, but also bring tax compliance into real time.135

Appendix: Comparison of Solutions in the Five Jurisdictions—A Graphic Summary

Admittedly, there is a considerable amount of material in our comparative assessment of zapper prevention efforts, and a lot of it is highly technical. If we keep in mind that the effort here has focused on technological solutions to backroom (not real-time) skimming of cash sales,136 there are some fundamental comparative

134 However, if one considers the entire Quebec effort—the use of the SRM with hand-held scanners in conjunction with enhanced monitoring of restaurants by inspection teams—it is likely that Quebec comes closer to a real-time enforcement effort than other jurisdictions. (Although this is not a formal real-time audit, it may well result in real-time enforcement.)

135 Use of a CSP solution would not (in the opinion of Revenu Québec) be effective in preventing all types of fraud. For this reason, Revenu Québec remains committed to very substantive audits (along the lines of the Dutch approach) in conjunction with the SRM. Marc Simard indicates that “a CSP-type solution (including certification of computer systems), would not be at all effective in combating other types of schemes such as failure to record invoices and the absence of invoices. As explained earlier, the restaurateur may decide not to use this system to record sales, even if he has a certified system. It is therefore quite likely that with this type of solution, restaurateurs will continue using other tax-evasion methods, which might even replace the use of zappers. Revenu Québec’s solution, which is more comprehensive, requires that an invoice issued by the MEV [SRM] be remitted to the customer, ensuring that the sales amount is recorded in the system. Customer awareness, combined with on-site inspections, will play an important role in ensuring the effectiveness of this solution.” Marc Simard, personal e-mail communication, September 15, 2009 (on file with R.T.A.).

136 Real-time skimming runs the range from situations where the owner simply chooses not to ring a sale through an ECR (and puts the cash directly in his pocket), to situations where the owner produces copies of common receipts and uses the copies of a single receipt multiple times (and then puts the cash in his pocket). There are a whole series of frauds that can occur directly at the ECR. Some of them do involve technology. A hidden switch could activate a program in the ECR on an individual transaction basis and prevent the ECR from functioning (so that cash could be put directly in an owner’s pocket). All of these real-time frauds rely on the owner (or a trusted associate) being the clerk at the ECR. These frauds tend to occur in very small businesses (so-called Mom and Pop establishments), because stealing receipts from


points—costs, the nature of the security, and special features—that can provide handles to assist analysis of the several options.

Costs run from approximately $650 to $50 (€1,000 to €30), with the expense being borne by the taxpayer (Greece) or the government (Quebec), or on occasion by a third-party service provider (the United States). Adoption of these security devices is (or will be) either mandatory (Quebec, Greece, and Germany) or voluntary (the United States). Mandatory adoption can be limited to a specific market segment (Quebec).

Security features can be provided through digital fingerprints alone (Greece) or through combining a digital fingerprint and a digital signature (Quebec and Germany). There are remote auditing possibilities (Germany), as well as hand-held scanning options that can be utilized to assist traditional auditors in compliance efforts (Quebec).

the government is one thing, but instructing employees in the art of stealing receipts from the business is quite another matter.

The critical point with zapper technology is that these devices allow fraud to move out from behind the ECR and into the backroom. It allows the fraud to migrate up the business chain—from the single Mom and Pop stores into the medium-sized or multistore chains of commonly owned businesses. With a zapper, an owner can put employees at the ECR, insist that they ring sales accurately, but late at night eliminate selected cash sales from the business records. It is this second level of fraud (more serious, involving larger businesses, and encompassing larger aggregate sales totals) that the SRM (and the other technological solutions) is aimed at. The SRM alone will not stop skimming frauds. It is especially bad at detecting real-time skimming. Audits are still necessary, but the SRM gives Revenu Québec a hand-held scanning device that (along with the requirement that a legal receipt must always be issued) goes a long way toward addressing these additional concerns.
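As an added illustration (not code from the article or from Revenu Québec), the sketch below shows how a chained digital fingerprint combined with a keyed signature lets an auditor detect a cash sale removed from the records after the fact. The record layout, `DEVICE_KEY`, the sample sales, and the use of HMAC-SHA256 in place of a true digital signature are assumptions made for the example.

```python
import hashlib
import hmac
import json

# Hypothetical device secret; HMAC-SHA256 stands in for the digital signature.
DEVICE_KEY = b"constructed-demo-key"
GENESIS = "0" * 64
SALES = [  # constructed sample sales, not real data
    {"no": 1, "total": "42.10", "tender": "card"},
    {"no": 2, "total": "18.75", "tender": "cash"},
    {"no": 3, "total": "63.00", "tender": "cash"},
    {"no": 4, "total": "27.40", "tender": "card"},
]

def fingerprint(prev_fp, sale):
    """Digital fingerprint: hash of the sale chained to the previous one."""
    body = json.dumps(sale, sort_keys=True).encode()
    return hashlib.sha256(prev_fp.encode() + body).hexdigest()

def sign(fp, key=DEVICE_KEY):
    """Keyed signature over a fingerprint; needs the device secret."""
    return hmac.new(key, fp.encode(), hashlib.sha256).hexdigest()

def record_sales(sales):
    """Till side: chain and sign every sale as it is rung in."""
    journal, prev = [], GENESIS
    for sale in sales:
        prev = fingerprint(prev, sale)
        journal.append({"sale": sale, "fp": prev, "sig": sign(prev)})
    return journal

def audit(journal, key=DEVICE_KEY):
    """Auditor side: indexes whose chained fingerprint or signature fails."""
    bad, prev = [], GENESIS
    for i, e in enumerate(journal):
        fp = fingerprint(prev, e["sale"])
        if fp != e["fp"] or not hmac.compare_digest(sign(fp, key), e["sig"]):
            bad.append(i)
        prev = e["fp"]
    return bad

def delete_and_rehash(journal, index):
    """Backroom edit model: drop a sale, recompute unkeyed fingerprints,
    reuse the old signatures because the device secret is unavailable."""
    out, prev = [], GENESIS
    for e in (x for i, x in enumerate(journal) if i != index):
        prev = fingerprint(prev, e["sale"])
        out.append({"sale": e["sale"], "fp": prev, "sig": e["sig"]})
    return out
```

Removing an entry and leaving the rest untouched breaks the chain at the entry that follows it; recomputing the fingerprints repairs the chain but leaves every later signature invalid.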


Summary of Features of Anti-Skimming Solutions in Five Jurisdictions

| Jurisdiction | Cost | Cost paid by | Mandatory/voluntary | Security | Special features |
|---|---|---|---|---|---|
| Quebec: SRM | $650 per ECR | Government | Mandatory in restaurant sector | Digital fingerprint and digital signature | Hand-held bar-code reader |
| Greece: FECR, AFED printer; FESD | €200-250 to €800-1,000 (a); €400-650 per machine (b) | Taxpayer | Mandatory with every ECR in the country | Digital fingerprint | Multiple ECRs can be connected to single device |
| Germany: Smart card | €30-50 per machine (c) | Undecided | Mandatory with all new ECRs in the country | Digital fingerprint and digital signature | Will allow remote auditing |
| Netherlands: Comprehensive audit | Unknown (deemed to be prohibitive by the Netherlands and Germany) | Government | Random/risk-selected audit | Not applicable | Not applicable |
| United States: CSP and SSUTA | Fee determined by marketplace based on size of taxpayer’s business and services needed | Government (d) or taxpayer | Voluntary | Dependent on system adopted | Trusted third party |

(a) Cost of FECR with AFED printer, low-end and high-end; used only for B2C transactions.
(b) Cost of FESD used for B2B and B2C transactions, and presumes the existence of an ECR or POS system.
(c) Assumes that the smart card is inserted into a new ECR.
(d) Incentive provided under the SSUTA to get some taxpayers to use a CSP; in such cases, government assumes all costs. Otherwise, cost of a CSP is borne entirely by the taxpayer.