Develop own TSE

TSE certification/evaluation (KassenSichV – Ordinance on Cash Security)

  • Awarded by BSI (Federal Office for Information Security)
  • Submit an application for evaluation (Security Target)
  • Evaluation is performed by a certified company (evaluator):
    • atsec information security GmbH
    • Deutsches Forschungszentrum für Künstliche Intelligenz (DFKI) GmbH
    • MTG AG
    • secuvera GmbH
    • SRC Security Research & Consulting GmbH
    • T-Systems International GmbH
    • TÜVsfin Informationstechnik GmbH
  • Evaluation by evaluation partners (6-9 months)
  • Evaluation partner passes test to BSI, which issues/grants certificate (valid for 5 years)

Certification procedure


  • Preparation (description of the requirements implementation – as a security target
  • Submission (formal examination by BSI)
  • Voting (publication on BSI website)
  • Testing by evaluator (duration 6 – 9 months, preliminary release by BSI possible)
  • Final certification by BSI after completion of evaluation (valid for 5 years)
  • Afterwards recertification necessary (valid for another 5 years and so on)

The detailed requirements for the security module, the storage medium, the digital interface and electronic storage have been developed by the BSI and published in technical guidelines and protection profiles. It is planned to define the requirements for the security module in a technology-neutral way in a protection profile according to ISO/IEC 15408 (Common Criteria). To fulfil these security requirements, manufacturers must have their technical security equipment certified by the BSI.

In addition to the TSE, the memory module integrated in it must also be certified according to the Common Criteria (CC). As part of this CC certification, conformity with the protection profiles [BSI PP-CSP light] and [BSI PP-SMAERS] must be proven.

Certification to be carried out for own developed TSE

The manufacturer of a TSE must prove that the TSE complies with the interoperability requirements of the Technical Guidelines. The proof must be provided by means of a conformity certification in accordance with the test specification of TR-03153.

Furthermore, the manufacturer of a TSE must prove that the safety requirements are fulfilled. This proof must be proven by security certifications according to Common Criteria with the following protection profiles:

The manufacturer can request for a provisional release of a technical safety device if the conformity certification according to the test specification of TR-03153 and a safety certification according to PP-105 has been successfully completed and the evaluation authority confirms that the evaluation is likely to be successfully completed. The provisional release is limited to one year and can be extended at the request of the manufacturer if significant progress of the evaluation can be proven. After successful completion of the certification, the TSE can be used as a certified TSE, in conjunction with a software update.

The Technical Guidelines are published under the following link

The protection profiles are published under the following links

Overview of technical guidelines for technical security devices of electronic recording systems

  • BSI TR-03153 Technical safety equipment of electronic recording system
  • BSI TR-03151 Secure Element API
  • BSI TR-03116-5 Cryptographic specifications for projects of the Federal Government
    Part 5: Applications of the Secure Element API

Different solutions of TSE

Hardware based TSE

TSE is connected to one or more cash registers via the Internet.


  • No Internet connection required
  • Data always remains under the control of the customer
  • no ongoing costs
  • especially suitable for individual cash registers/individual cash register systems
  • Can also be implemented centralized via network solution for several cash registers/cashier systems (TSE-unit is connected to all cash registers/cashier systems via local network)

Cloud based TSE

TSE is connected to a cash register via an SD memory card or a USB stick (one storage medium per cash register necessary).


  • cheaper than implementation via hardware (especially if several cash registers are used)
  • it is possible to react quickly to new legislative changes/adjustments
  • Remote maintenance possible
  • Protects and stores the transmitted data and thus ensures its integrity, authenticity and completeness
  • Archiving directly possible
  • Particularly suitable for companies with a central infrastructure and a large number of cash registers or branches – Companies are spared individual cash register conversions, which can cause immense costs if a large number of cash registers are used, etc.

DSFinV‑K: The data standard for cash registers

Explanation in detail

KassenSichV: Advantages of a cloud implementation

Explanation in detail

Services to offer