Revocation of an existing CSID
3.1.1. Manual revocation of an existing CSID by the Taxpayer
3.1.1.1. Description
Taxpayers may wish to revoke their existing CSID(s) for a number of reasons, including:
● If the Taxpayer believes that the private key or the EGS Unit itself is compromised
● If the EGS Unit is discontinued or transferred to another Taxpayer or sold
● If the Taxpayer discovers that the information in the CSID is not accurate
● If the EGS Unit is lost, stolen or damaged
● If the Taxpayer discovers that unauthorized onboarding of a EGS Unit has occurred.
3.1.1.2. Process Flow
The process for Taxpayers revoking one or more CSID(s) is as follows:
- The Taxpayer accesses the FATOORA Portal
- The Taxpayer clicks on “View List of Solutions and Devices”
FATOORA Platform - accessing the list of solution and devices
- The Taxpayer can see which devices are active and can select the EGS unit(s) to be revoked
- The Taxpayer clicks on the “Revoke” button at the bottom of the screen
Revocation of an existing CSID
- The Taxpayer is prompted to click on a confirmation message before proceeding with the revocation
- The CSID(s) is/are revoked and the EGS Unit(s) is/are longer active
- The Status of the CSID of the devices can be seen as ׳Revoked׳ on the View List.
3.1.2. Automatic revocation of CSID(s) due to VAT Deregistration or Suspension
3.1.2.1. Description
The automatic revocation process involves ZATCA CA performing a revocation of CSID(s) associated with Taxpayers whose VAT registration number status (TRN) on the FATOORA Portal (ERAD) changes from “Active” or “Reactive” to “Deregistered” or “Suspended”. In this process, ZATCA CA revokes the CSID(s) for Taxpayers with a VAT registration status of “Deregistered” or “Suspended”.
For individual VAT Taxpayers, automatic revocation of the CSID(s) would apply in the following case:
- The Taxpayer׳s VAT registration status on the FATOORA Portal (ERAD) is “Deregistered” or “Suspended”.
For VAT groups, automatic revocation of CSID(s) would apply in the following cases: - Creating a tax group: ZATCA automatically revokes any existing CSIDs associated with the individ- ual Taxpayers (whether they are the group representative or members) who have joined the tax group (if applicable).
- Adding one or more members to an existing group: ZATCA automatically revokes any existing CSIDs associated with the individual Taxpayers (group members) who have joined the group (if applicable).
- Entire group is disbanded: ZATCA automatically revokes any existing CSIDs associated with the group (whether they are for shared devices or devices associated with individual group members).
- Group representative changes (replaced by existing member or new member): ZATCA automati- cally revokes any existing CSIDs associated with the group
(whether they are for shared devices or devices associated with individual group members).
Note: Taxpayers whose VAT registration status used to be “Active” or “Reactive” but changes to “Deregistered” or “Suspended” would still be able to access the FATOORA Por- tal for a period of 90 days but can only view a list of their previously onboarded EGS Units and cannot use any other onboarding functionalities such as generating an OTP. Once the buffer period of 90 days is over, these Taxpayers will no longer be able to access the FATOORA Portal.
3.1.2.2. Process Flow
The process for the automatic revocation of a CSID is as follows:
- Taxpayer׳s VAT registration status on the FATOORA Portal (ERAD) changes from “Active” or “Reac- tive” to “Deregistered” or “Suspended”
- ZATCA CA revoke the CSID(s) for Taxpayers with a VAT registration status of “Deregistered” or “Suspended”
- The CSID status available on the list of devices changes from “Active” to “Revoked”
3.2. VAT Group Onboarding Scenarios
3.2.1. Specific tax group Onboarding Scenarios
VAT Groups follow the same onboarding, renewal and revocation processes as individual Taxpayers. The table below summarizes the scenarios applicable to VAT groups that would have an impact on Onboarding:
|
# |
Group Scenarios |
Impact on e-invoicing (Onboarding) |
|
1 |
Creating a Tax Group |
|
|
2 |
Adding one or more members to an existing group (Add another TIN to an existing device) |
group, the group representative would need to onboard the device associated with this specific member
with the individual Taxpayers (whether they are the group representative or members) who have joined the group (if applicable) |
|
3 |
Removing one or more existing members from the group (Cannot include the representative) |
group, the group representative would need to revoke the device associated with this specific member
which they will be using to generate e-invoices (individually and not as part of a group) (if applicable) |
|
4 |
Entire group is disbanded |
|
|
5 |
Group representative changes (re- placed by existing member or new member) |
|
3.2.2. VAT Group Onboarding Roles
|
Step |
Group Representative |
Group Member |
|
Login to FATOORA Platform |
Yes |
No |
|
Click on onboard new device |
Yes (only the group representative can initiate onboarding of devices, including those of the members) |
No |
|
Generate OTP |
Yes |
No |
|
Enter OTP and generate CSR from device (including assigning single TIN) |
Yes (must mention TIN to be asso- ciated with the device; Organization Unit name should be the TIN of the tax group member) |
Yes (must mention TIN to be asso- ciated with the device; Organization Unit name should be the TIN of the tax group member - the tax group member can proceed with the rest of the onboarding using its own device) |
|
Complete compliance |
- |
- |
|
Install CSID |
- |
- |
|
View List of Devices |
Yes |
Yes (only for the first 90 days (con- figurable) from the date when they join the group) |
|
Revoke CSID |
Yes |
No |
3.3. Common Onboarding/CSID related scenarios faced by Taxpayers
This section provides an overview of the most common invoicing structures implemented by Taxpay- ers and identifies for each scenario, how the CSID structure should be set up in order to allow accurate issuing, signing and sending of e-invoices to ZATCA׳s e-invoicing APIs.
3.3.1. Centralized Server - On Premise or Cloud
In the case of a centralized server, whether it is on premise or cloud, a CSID is required on the server for both signing and authentication to ZATCA e-invoicing APIs. There should be one CSID per Taxpayer and also one CSID per unique sequence of generated documents.
3.3.2. Branch Based Smart POS Devices Issuing and Sending Invoices
In cases where Branch POS devices are issuing and sending invoices, a CSID is required on each POS device that will be signing and sending invoices to ZATCA e-invoicing APIs.
3.3.3. Branch Based Standard POS Devices with Branch Servers and Centralized Sending Server
For branch based POS devices with branch servers issuing invoices and a centralized server sending invoices to the ZATCA e-invoicing APIs - if the POS devices are dumb terminals and the server stamps the invoices before presenting them to the customers, then no CSIDs are required on the POS devices. However, a CSID is required on the branch-based servers for signing the invoices and a CSID is required on the server sending the invoices for authentication to ZATCA׳s e-invoicing APIs.
3.3.4. POS Devices Unable to Sign Invoices
In the case of dumb terminal POS devices issuing invoices and sending them to a Taxpayer server, which will send the invoices to the ZATCA e-invoicing APIs for clearance - then the server must stamp the invoices and apply the QR code before presenting the invoice to the customers from the POS. In this case, the POS device does not need to have its own CSID and the CSID can be on the server which is stamping and applying the QR code on simplified invoices (B2C). It is important to note that Standard documents (B2B) are still expected to be submitted prior to completing the transaction as the Buyer is expected to receive a valid document which has been cleared by ZATCA.
