Hash chaining of all sales invoice and payment transactions

[chdecultot]

In order to be compliant with the french legal requirements, the POS system needs to guarantee the integrity of its data.

I have checked the work in progress by the Dolibarr community and they are doing the following to tackle this issue:

1. Creation of new module called modBlockedLog to generate a real time archive of all actions regarding sales invoices and payments.
2. Forced activation of this module if the country is France
3. Control and log if the country is changed afterwards
4. Creation of a CSV file from the modBlockedLog to be able to export an archive of this file
5. Creation of a dedicated page to be able to consult this log at any time.

For ERPNext I would therefore propose to start with adding two or three new fields in a Sales Invoice Doctype (maybe Payment Entry also ?):

• A line print: SHA256 (or more secure) of [list of all document fields + auto timestamp]

• Chaining Hash: SHA256 (or more secure) of [line print + chaining hash of the preceding line]

• Possibly: checksum version to be able to modify the algorithm, add or remove document fields in the future and still be able to verify the checksum.

If the country is France (or any other country with the same requirements): force a POST Request of the Chaining Hash to a log before any payment is registered in POS.
We would loose the offline capability of the POS unless another solution is found, but it will ensure that data coming from a POS are not corrupted.
My main concern is that with the current implementation, people can clear their LocalStorage and erase submitted sales invoices.

We can then have a dedicated administration page to verify that the checksum is identical in the log and in the invoice and potentially inform the Administrator that an invoice is missing.

I have found the following links to generate SHA256 hash:
https://github.com/emn178/js-sha256
https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest

I am starting to implement it but would love to have some feedback on this matter since it is not trivial.
I guess it will also be of interest for people outside of France since it is a more and more current legal requirement.

Thank you.

[aiqual]

Hello Charles Henri. You are right this securing of POS data from tampering is a requirement that goes beyond France. As you may know countries of the Gulf Cooperation Council (UAE, Saudi, etc) have introduced VAT starting Jan 1st 2018 and although the details of the law are not all published, we expect that there will be an interest (initially or eventually) in applying any data security best practices such as those of France. I am planning to provide ERPNext hosted in a public cloud with data center in-country in Dubai UAE so we will also be compliant with any laws about geographic storage of sensitive financial data.

I will be watching this development with a strong interest and I hope to be able to contribute to the development of features that will be mandated by GCC VAT law.

Thanks a lot.

[chdecultot]

I have started a wiki page with the specifications to solve this issue. Don't hesitate to provide some feedback!

https://github.com/frappe/erpnext/wiki/%5BSpecifications%5D%C2%A0Hash-chaining-of-sales-and-payment-transactions-in-ERPNext

[chdecultot]

Closed with: frappe/frappe#4974