Updated on: Jan 6th, 2023 - 9:30:51 AM
4 min read
An e-invoice is a tax invoice issued in electronic form. As per the Zakat, Tax and Customs Authority (ZATCA) guidelines, businesses should generate and store tax invoices and related Credit/Debit Notes (CDNs) in a structured electronic format using a compliant solution.
The e-invoice solution shall be considered as a compliant solution only when
This article explains the various security requirements and specifications for e-invoicing solutions associated with the generation of e-invoices and related CDNse-notes as specified by ZATCA, the key regulating authority for taxation in the Kingdom of Saudi Arabia (KSA).
ZATCA notified the waves under phase 2 of e-invoicing as follows:
Accordingly, business must comply with e-invoice requirements, and adopt an e-invoice solution to generate the invoices and related CDNs in the XML format or PDF/A-3 format (with embedded XML). Also, the tax invoice or related CDNs should be shared with customers upon generation. These must be shared in printed form; however, e-invoices can be shared in electronic form upon agreement between the parties.
The electronic invoices and notes should include all essential data fields in addition to the requirements and details listed by ZATCA based upon the nature or type of invoices. It should also include taxable supplies as per e-invoice requirements.
The following security requirements have been mandated for e-invoicing solutions in Saudi Arabia to protect data and avoid tampering, alteration, and deletion.
1. The e-invoice solution must have a mechanism that prevents tampering of documents and discloses any attempt to tamper by users or third parties as per e-invoice requirements.
2. The solution should contain the functionality to archive invoices and notes in the specified format without an internet connection. Also, the solution should be competent enough to safeguard invoices from any type of alteration or deletion.
3. UUID, i.e. Universally Unique Identification Number should be generated for each electronic invoice or electronic note in addition to the electronic invoice sequential number. The UUID is a unique 128-bit number generated for the e-invoice by an algorithm chosen to make it. Also, the same algorithm cannot generate a similar UUID for any other e-invoice in the known universe.
4. The solution must generate a cryptographic stamp for electronic invoices and stamps, and such stamps must have an identifier per e-invoice requirements.
5. A hash must be generated for each generated electronic invoice and electronic note, which will be helpful to protect them from tampering either by deletion or replacement.
6. The e-invoice solution must generate a QR code that must contain the seller’s name, Value Added Tax (VAT) registration number of the seller, timestamp of an electronic invoice, electronic invoice total with VAT and VAT amount. The code should be readable by a QR code scanner or the camera of smart devices to enable the basic validation of electronic invoices and electronic notes.
7. Each electronic invoice or related CDNs must have a tamper-resistant electronic invoice counter that cannot be reset or reformatted. The counter must increment for each generated electronic invoice or related CDNs, and the compliant solution must record the value of this counter in each electronic invoice or related CDNs.
As per e-invoice requirements, the XML format has been approved to integrate all electronic invoices and related CDNs. By using the Application Programming Interface (API), the compliant solution should integrate with external systems with the help of the internet connection.
1. The compliant e-invoice solution should not contain any prohibited functionalities such as uncontrolled access, multiple electronic invoice sequences, tampering of e-invoices, export of stamping keys, time change, etc. An e-invoice solution that has enabled any prohibited functions will be deemed non-compliant with the ZATCA e-invoicing requirements.
2. The compliant e-Invoice solution must not generate more than one sequence of electronic invoices and related CDNs through each of the units within the e-invoice solution used. Units play a vital role in generating functionalities related to invoice sequencings, such as inserting a hash and generating cryptographic stamps for e-invoices and related CDNs. These units, being component compliant solutions, helps to curb tampering.