While the global pandemic has presented organizations with many IT-related challenges, it has also helped to accelerate some digitization projects. Indeed, while spending on traditional IT has been flat or even falling over the past 18+ months, organizations are increasingly investing in new digital transformation initiatives.

One such example is e-invoicing. Once a nice-to-have, limited to a select few enterprises and government organizations, e-invoicing has moved to the top of many IT teams’ project lists, and for good reason.

E-invoicing, generally thought of as the automated digital processing of invoices between buyers and suppliers, delivers a wide array of potential benefits, including:

  • Reduced chance of human error
  • Added security through encrypted exchanges between parties
  • Faster, more efficient processing compared with paper or emailed invoices
  • Enablement of remote workers
  • Lower costs (e.g. paper, ink, machinery)
  • Increased user and customer satisfaction
  • Easier tracking
  • Decreased “shadow economy” activity through greater transparency
  • Greater government control over tax collection

Government action has fast-tracked e-invoicing projects

While some organizations have initiated e-invoicing projects on their own, new requirements introduced or being considered by tax authorities in a number of countries in the MEASA (Middle East, Africa, South Asia) region (no doubt fueled by the pandemic) are forcing the issue for others.

New mandates have been introduced in Egypt, India, and Saudi Arabia, and other Gulf Cooperation Council nations are likely to follow KSA’s lead. E-invoicing is already permitted in Oman, Qatar and the United Arab Emirates; the latter also introduced a paperless strategy for its government, leading one to believe that mandatory e-invoicing will soon follow.

A good start for security – in some instances

The tax authorities have specified required features of e-invoices, including which fields are necessary and which document formats will be allowed, but not always the crucial security requirements. Anytime paper-based processes are moved online, cybercriminals will try to find weaknesses to exploit, and with cybercrime costing an estimated USD$1 trillion worldwide (PDF) and impacting nearly every industry, there is every reason to believe that e-invoices will become an attack vector.

Let’s take a brief look at the security protocols established (or not) as part of the new governmental mandates in the region, starting with Egypt.

Each invoice is assigned a universally unique identifier (UUID) by the Egyptian Tax Authority. The requirements call for organizations to electronically sign e-invoices using a hardware security module (HSM), although using a USB token is also acceptable. The use of an HSM is clearly the more secure technique for ensuring the protection of the signing key as USB tokens present a number of security risks, including being easily lost or stolen. They are most appropriate for an individual office for desktop use. On the other hand, an HSM is appropriate for enterprise deployments and can be secured within an unattended datacenter and accessed by employees anywhere via protected web protocols. For organizations that prefer to minimize their datacenter footprint, HSMs can also be licensed on a subscription-based as-a-service model.

In India, businesses with annual turnover of 500 million Rupees  must comply with that nation’s e-invoicing requirements, although organizations are not required to digitally sign invoices submitted to the Invoice Registration Portal (IRP). That said, invoices returned to the supplier by the IRP are digitally signed and include a UUID, at which point the IRP makes the invoice available to both the buyer and seller via the invoice portal. As of this writing there are no added security processes or procedures.

Finally, the Zakat, Tax and Customs Authority (ZATCA) in Saudi Arabia is requiring organizations to generate invoices that can generate a 128-bit UUID, a cryptographic stamp, and a hash that links a QR code to the underlying e-invoice XML document in a tamper-proof way (for the “integration phase” starting 1-Jan 2023). The detailed guidelines in KSA go further and stipulate that the e-invoicing solution “must not provide an option to export the cryptographic stamp private stamping key” and “the cryptographic stamp identifier is associated with a unique private key that should be generated by the [e-invoicing] solution, so that it may not be viewed or copied during system initialization. Export of the key would enable theft of the E-invoice Solution’s identity, and so should be blocked by the solution vendor using a software or hardware key vault”. As with any other use of sensitive cryptographic keys, the best practice is to secure them with a hardware security module to avoid the weaknesses inherent with software-based key vaults.

Conclusion

Given the risks associated with e-invoices and the high potential for fraud, there is an opportunity for tax authorities across MEASA and beyond to incorporate appropriate security requirements from the outset when implementing new programs. This includes cryptographically-sound digital signatures supported by adequate protection of the signing keys. Of the nations that have recently introduced e-invoicing mandates, Egypt and KSA both recognize the importance of protecting the underlying signing keys, although they leave the door open for misuse or loss by not mandating the use of certified hardware-based protection.

Read our solution brief to learn how Entrust can help with your e-invoicing requirements