Payment and Cash Systems Council: Rethink the Swedish Tax Agency - use data encryption to secure cash registers

Payment and cashier systems Digital services

The Swedish Tax Agency is thinking wrong when it develops new regulations to secure data from retailers' cash registers. The concept of a server center is now being introduced, which is a cloud-based system to which data from cash registers should be sent. It is nothing more than a cloud-based control unit.

In 2010, a new law was introduced requiring cash registers to be certified. The Swedish Tax Agency's regulations stipulated that a cash register linked to a control unit forms a certified and approved system.

It quickly became apparent that the control unit was not adapted to technological developments, with more and more systems being delivered as cloud services. The Swedish Tax Agency then developed a variant of the control unit and named it a control system that would work in the cloud. The regulations surrounding the control system turned out to be so technically complicated that no manufacturer could undertake to develop one. Now, the Swedish Tax Agency is looking at renewing the regulations for cash registers. Unfortunately, they are sticking to the same idea of a control unit that they started with in 2010, but it comes in a new form and with a new name.

The Swedish Tax Agency is now talking about secure journals or secure server centers where cash registers will send control data. The idea is that companies will develop and offer control servers in the cloud that merchants can subscribe to or otherwise pay for. For software providers, some form of customization will be required. Even before the new Cash Register Act came into force in 2010, we in the industry discussed various alternatives to the control unit.

Among other things, we proposed to the Swedish Tax Agency to use encrypted data at the checkout, a solution that would be as secure as a cash register with a control unit. It's not a complicated technology and makes it easier to develop new solutions.

The benefits are several. Everyone has access to the same data, whether it is the owner, the auditor, the accountant or the tax authority. The merchant does not have to buy extra hardware or, for that matter, subscribe to services that in themselves do not add anything to the merchant or its customers.

We also propose to amend the law to include supplier responsibility. The supplier must be responsible for ensuring that the system it manufactures and sells also complies with the regulations. The Swedish Tax Agency must also set requirements for the technology used for change protection of data in cash registers.

This would provide a secure solution and the certification requirement could be removed from the law. We do not see that control units will disappear, but they can coexist with new regulations for those providers who do not want to be responsible for securing data in their systems.

We hope that the Swedish Tax Agency will now rethink and do the right thing and not create a new industry around control servers that we as consumers have to pay for and which in itself does not add anything new. It will just be more of the same thing that the Tax Agency introduced in 2010.

Thor Johnsson, business developer at Hogia and chairman of the Council for Payment and Cash Systems
Ted Gemzell, CEO of Frisörföretagarna
Bengt Nilervall, Business Policy Expert, Swedish Trade Federation
Clemens Wantschura, Industry Development Manager, Visita
Nils Weidstam, Business policy expert, IT&Telecomföretagen