1 – The legal obligation
Implementation of secure collection and invoicing systems from January 1, 2018 (cf. 2016 Finance Law published in the BOI of August 3, 2016).
2 – Scope
All software that records data related to customer payments, whether accounting and/or management software, cash register systems or merchant sites.
3 – Affected data
Data that contributes directly or indirectly to the completion of a transaction (including when the transaction is only simulated by means of a "school" or "test" mode). Also concerned are all the data making it possible to ensure the traceability of the data contributing to the completion of the transaction and to guarantee the integrity of the latter.
4 – Implications for software
The software must meet conditions of inalterability, traceability, security, storage and archiving of data so that the tax administration can audit it.
Inalterability:
- The original recorded data must be preserved and must not be modifiable after the fact.
- Any necessary modification is carried out by compensation (reversal of the entry, then recording of the desired entry).
- The integrity of the recorded data must be guaranteed over time by any reliable technical process.
Traceability and security of information:
- This security can be ensured by any reliable technical process, that is, one capable of guaranteeing, and allowing verification, that payment data is restored in the state of its original recording. It may in particular be a technique for chaining records.
- The "school" or "test" functions used to record operations for staff training must be either secured and clearly identified, or removed.
Storage and archiving of data:
- Since payment data is data used to draw up the company's accounts, it must be kept for a period of six years.
- The accounting or management software or the cash register system must enable the data recorded to be archived according to a chosen frequency, at most annually or per financial year. The purpose of the archiving procedure is to freeze the data and give a certain date to the archived documents. It must provide for a technical device guaranteeing the integrity over time of the archives produced and their conformity with the initial payment data from which they are created. Archives can be kept in the system itself or outside the system when there is a purge procedure.
- The archives must be able to be easily read by the administration in the event of an audit, including when the company has changed software or system.
- This security can be ensured by any reliable technical process, that is to say likely to guarantee and allow verification of the restitution of payment data in the state of their original recording.
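The conditions above (no modification after the fact, correction by compensation, chaining of records, identified "test" mode) can be illustrated with a small journal. This is an added example, not taken from the law or from any certified product; HMAC-SHA256 is one possible "reliable technical process", and the field names, key and amounts are constructed for illustration.

```python
import hashlib, hmac, json

GENESIS = "0" * 64                      # constructed start value for the chain
FIELDS = ("seq", "kind", "amount_cents", "mode", "ref")

def _mac(key, prev, body):
    # A keyed MAC (assumption): a plain hash chain could be recomputed by
    # anyone able to rewrite the stored records.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev.encode() + payload, hashlib.sha256).hexdigest()

class Journal:
    """Append-only payment journal: each record's MAC covers the previous MAC."""
    def __init__(self, key):
        self._key = key
        self.records = []

    def append(self, kind, amount_cents, mode="live", ref=None):
        prev = self.records[-1]["mac"] if self.records else GENESIS
        body = {"seq": len(self.records) + 1, "kind": kind,
                "amount_cents": amount_cents, "mode": mode, "ref": ref}
        self.records.append(dict(body, prev=prev, mac=_mac(self._key, prev, body)))
        return body["seq"]

    def correct(self, seq, new_amount_cents):
        """Correction by compensation: reverse the original, then re-enter it."""
        orig = self.records[seq - 1]
        self.append("reversal", -orig["amount_cents"], orig["mode"], ref=seq)
        return self.append("payment", new_amount_cents, orig["mode"], ref=seq)

def verify(records, key):
    """Return the position of the first record that breaks the chain, or None."""
    prev = GENESIS
    for i, rec in enumerate(records, start=1):
        body = {k: rec[k] for k in FIELDS}
        if not (rec["seq"] == i and rec["prev"] == prev and
                hmac.compare_digest(rec["mac"], _mac(key, prev, body))):
            return i
        prev = rec["mac"]
    return None

def live_total(records):
    # "training" records stay in the chain but are excluded from real totals.
    return sum(r["amount_cents"] for r in records if r["mode"] == "live")
```

The chain detects edits, insertions and deletions in the middle of the journal, but not removal of the most recent records; for that, the last MAC has to be recorded somewhere outside the journal, for example in the periodic archive.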
5 – Justification in the event of an audit
Conformity can be justified:
- Either by a certificate issued by an accredited organization under the conditions provided for in Article L.433-4 of the Consumer Code,
- Or by an individual certificate from the publisher of the accounting or management software or the cash register system concerned, in accordance with a model set by the administration.
Only one of these two documents is sufficient to justify compliance with the aforementioned conditions.
When a company has several management systems, it must present a certificate or attestation for each of these products.
The certificate must be individual: it is not possible to rely on a certificate issued for another entity, even if both use the same versions of the software.
Any other document (delivery note, invoice, general conditions of sale, commercial brochure, etc.) on which the compliance information appears is not valid.
The certificate must explicitly mention that the software complies with the conditions of inalterability, security, conservation and archiving of the data provided. It must precisely indicate the name and references of this software (including the version of the software concerned and the license number when a license exists).
It will be accepted that the certificate remains valid for subsequent minor versions of the software or system.
The certificate may be issued on a physical medium (for example, by handing over a document when purchasing the software or system to be completed by the taxable person with his full identity and the date of his purchase) or in a dematerialized manner (for example, by downloading a certificate online to be completed by the taxable person to mention in particular his full identity).
6 – Risks for users and publishers
The customer has a deadline