A compliant e-invoice solution is software used to issue invoices and notes under the e-invoicing regulations in the Kingdom of Saudi Arabia (KSA). An e-invoice solution must fulfil the specifications and requirements set out in the e-invoicing resolution.
As per the data and security requirements listed by the Zakat, Tax and Customs Authority (ZATCA) in the resolution, the e-invoice solution should protect the data records from tampering attempts by any external user or third party.
Anti-tampering refers to protecting software from data leakage and unwanted intrusion from external sources. It helps in curbing any modification or deletion of data that can have material effects on the system.
The e-invoicing solution must have an anti-tampering mechanism that prevents potential tampering attempts. For example, an e-invoice solution should have a tool that prevents unauthorised access to the system, such as anonymous access to the solution.
ZATCA has mandated some anti-tampering measures to ensure that the system remains tamper-free. These anti-tampering measures will be applicable in two phases of enforcement of e-invoicing: the generation phase and the integration phase.
As per the data and information security requirements of ZATCA, the e-invoice solution should have a counter which increments with every generated invoice or related Credit or Debit Note (CDN). However, the e-invoice solution should not contain a function that allows resetting the counter of an invoice.
The compliant e-invoice solution should not enable anyone to change or modify e-invoice and associated XML documents stored on the solution. Also, the solution should keep all the invoices and related XML documents on the solution memory, which should be well equipped with sufficient storage space.
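One way to enforce the counter and stored-document requirements described above at the storage layer, as an added example that is not taken from ZATCA or from any vendor's product. The table, trigger, class and function names are assumptions made for illustration, and the XML strings in the usage are constructed.

```python
import sqlite3

# Hypothetical schema: the counter is the AUTOINCREMENT primary key, so values
# are never reused, and triggers reject any UPDATE or DELETE on stored documents.
SCHEMA = """
CREATE TABLE invoices (
    counter  INTEGER PRIMARY KEY AUTOINCREMENT,
    doc_type TEXT NOT NULL
             CHECK (doc_type IN ('invoice', 'credit_note', 'debit_note')),
    xml      TEXT NOT NULL
);
CREATE TRIGGER invoices_no_update BEFORE UPDATE ON invoices
BEGIN SELECT RAISE(ABORT, 'stored e-invoices are immutable'); END;
CREATE TRIGGER invoices_no_delete BEFORE DELETE ON invoices
BEGIN SELECT RAISE(ABORT, 'stored e-invoices cannot be deleted'); END;
"""

class InvoiceStore:
    """Append-only store: issue() and get() only, no reset or edit method."""

    def __init__(self, path=":memory:"):
        self._db = sqlite3.connect(path)
        self._db.executescript(SCHEMA)

    def issue(self, doc_type, xml):
        # The caller cannot choose the counter; the database assigns it.
        with self._db:
            cur = self._db.execute(
                "INSERT INTO invoices (doc_type, xml) VALUES (?, ?)",
                (doc_type, xml))
        return cur.lastrowid

    def get(self, counter):
        return self._db.execute(
            "SELECT doc_type, xml FROM invoices WHERE counter = ?",
            (counter,)).fetchone()

def tamper_blocked(store, sql):
    """Run a raw statement against the store; True if the triggers refuse it."""
    try:
        store._db.execute(sql)
    except sqlite3.DatabaseError:
        store._db.rollback()
        return True
    store._db.rollback()
    return False
```

The triggers only bind callers that go through the database engine; anyone who can replace the database file bypasses them, so file-system access to the store still needs to be restricted.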
Access to the compliant e-invoice solution must always be through a login session. After logging in, the user should be granted access only to those functionalities needed to perform their duties. No person should be given uncontrolled access to the system, as this can lead to data theft and tampering with the e-invoice solution.
The system users should not be able to reset the date and time. The e-invoice solution should ensure that no function enables modification of date and time as it can severely impact true and accurate reporting of transactions.
The e-invoice solution should have anti-tampering measures that prevent the copying or viewing of the unique private keys during system initialisation. The e-invoice solution generates this key, and the cryptographic stamp identifier helps in identifying it. The export of such stamping keys will lead to tampering with e-invoice solutions, and therefore such tampering attempts need to be blocked by the vendor using a software or hardware vault.