Intro
ZATCA integration Phase 2 is critical for organizations in Saudi Arabia: it requires that their ERP, accounting, and other internal systems all adhere to the local tax regulations, which in Saudi Arabia are administered by ZATCA. Consequently, businesses included in any of the waves ZATCA has announced so far must take action and manage their integration with the FATOORA platform properly.
ZATCA integration Phase 2 is a systematic process, however, and it requires some preparation before the system integration itself and the rest of the requirements: the process known as onboarding with ZATCA, which we have explained thoroughly in a previous article. We'll go over it quickly here so you can follow along with us!
Onboarding with ZATCA in A Nutshell
Onboarding with ZATCA starts by accessing the FATOORA platform to request a new E-invoice Generation Solution, also known as an EGS. This step usually requires no technical skills, as it is much like creating an account and filling in the required information. The step that follows, however, is a different process that does require technical assistance, which InvoiceQ, of course, can offer. This ensures that businesses adhere to the technical requirements published for ZATCA integration Phase 2.
The ultimate goal of the onboarding is to ensure the following requirements are met before proceeding with the rest of the invoice cycle integration process between InvoiceQ and ZATCA:
- Successful generation of the CSR and the private/public key pair.
- A signed compliance certificate, password, and request ID number.
- Compliance testing of invoices with ZATCA.
- Requesting the production certificate and password from ZATCA via the request ID.
The invoice type is declared in the CSR, stating whether the EGS issues B2B invoices, B2C invoices, or both. For B2B and B2C invoices, compliance testing requires issuing three invoices, one of each of the following:
1- A Normal Invoice.
2- A Credit Note.
3- A Debit Note.
Once all mandated data has been gathered, it is encrypted and stored in a vault to protect it from unauthorized access.
What Follows ZATCA Onboarding?
After finalizing the onboarding process with ZATCA, which is the foundation for everything that follows, comes the work of having all systems communicate properly with one another through a proper integration solution. InvoiceQ therefore ensures that all keys and certificates obtained are valid, that data is secure, and that the client's system and the InvoiceQ system communicate correctly.
ZATCA relies on XML, which is generally the preferred format in the fintech field given the sensitive information involved. ZATCA uses the Universal Business Language (UBL 2.1) invoice XML, a standard template that holds all invoice data and values. This template is used by ZATCA, but it is not ZATCA-specific, as it follows globally enforced criteria and rules.
InvoiceQ generates the UBL invoice from the values received from the client. Once the XML is generated, it first goes through a validation phase that ensures the XML structure is set properly.
This is technical validation. After it passes, we move on to a second type of validation, business validation, in which we ensure that all required values, such as the tax number, are correct before any invoice is sent to ZATCA. The UBL also carries a UBL extension, which plays a big role in our security measures.
How Do We Handle The Security Part?
We hash the XML invoice; hashing is a one-way function, so it lets us confirm that the data in question has not been modified or manipulated. Each XML is reduced to a hash string, which means that each invoice has a unique hash.
After we generate the hash on our side, ZATCA performs the same computation and checks that the hashes on both sides match, which rules out any tampering attempt.
The hash is then signed with the private key to produce the digital signature. The purpose of this step is to prove that the invoice was issued by the right EGS and that it has not been manipulated by anyone else; in other words, increased security.
After that, InvoiceQ generates the EGS certificate hash using the SHA-256 algorithm, to make sure that the invoice issued by the EGS uses the certificate we acquired during the onboarding process.
Next, the signed properties generated in the previous steps are populated, hashed again, and placed inside the UBL extension tags.
Additionally, each invoice carries its own unique hash as well as the hash of the preceding invoice. This adds another security layer for verifying the identity of the sender. As a result, this ensures:
- The sequencing.
- The request is not manipulated.
- Whether the sender's identity matches for each invoice.
- Another layer of protection through the preceding-invoice hash.
B2B VS B2C Invoices: How Does it Happen?
This process applies to invoices whether they are B2B or B2C. Nevertheless, there is a slight difference to consider.
For B2B invoices, sending the cryptographic stamp or QR code to ZATCA is optional, because a business is not allowed to issue any invoice unless ZATCA has approved it first, and part of ZATCA's response is to add or modify the cryptographic stamp and QR code. In other words, it is a sync approach: the business can't send the invoice to the customer until ZATCA has approved it.
For B2C invoices, an async approach is used: the business generates the cryptographic stamp and QR code on its own side before sharing the invoice with ZATCA, and the invoice must be sent within 24 hours.
The Major Difference Between B2B & B2C is:
- B2B is a sync approach, where you may optionally send a QR code or cryptographic stamp inside the XML invoice, since ZATCA adds or modifies it anyway.
- B2C is an async approach, where you need to generate the cryptographic stamp and QR code yourself; the QR code is provided to the client (service provider) by InvoiceQ.
- The QR code includes fields such as the seller's name, tax number, tax amount, invoice hash, and more. The key difference between the two lies in the last field, a digital signature (the invoice hash signed by the private key) specific to B2C invoices, which is how the two kinds of invoice are told apart.
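To show how that last field separates a B2C payload from a B2B one, here is an added example (not InvoiceQ's code) that packs the QR fields as base64-encoded TLV, unpacks them again while rejecting truncated payloads, and reports whether the signature field is present. The TLV layout, the tag numbers and the sample field values are assumptions of this example; the page names the fields but not their encoding.

```go
package main

import (
	"encoding/base64"
	"errors"
)

// Field is one tag-length-value entry of the QR payload.
type Field struct{ Tag byte; Value []byte }

// TagSignature marks the invoice hash signed by the EGS private key (B2C
// only). Tag numbering and the TLV layout are assumptions in this example.
const TagSignature byte = 7

// EncodeQR serialises fields as TLV (1-byte tag, 1-byte length, value) and
// base64-encodes the result, which is what the printed QR image carries.
func EncodeQR(fields []Field) (string, error) {
	var out []byte
	for _, f := range fields {
		if len(f.Value) > 255 {
			return "", errors.New("field value longer than 255 bytes")
		}
		out = append(out, f.Tag, byte(len(f.Value)))
		out = append(out, f.Value...)
	}
	return base64.StdEncoding.EncodeToString(out), nil
}

// DecodeQR parses a base64 TLV payload into a tag-indexed map; a truncated
// or malformed payload is rejected rather than partially accepted.
func DecodeQR(b64 string) (map[byte][]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	fields := map[byte][]byte{}
	for i := 0; i < len(raw); {
		if i+1 >= len(raw) || i+2+int(raw[i+1]) > len(raw) {
			return nil, errors.New("truncated TLV payload")
		}
		n := int(raw[i+1])
		fields[raw[i]] = raw[i+2 : i+2+n]
		i += 2 + n
	}
	return fields, nil
}

// IsB2C reports whether the signature field is present, which per the text
// is what tells a B2C QR apart from a B2B one.
func IsB2C(fields map[byte][]byte) bool { _, ok := fields[TagSignature]; return ok }
```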
Conclusion
Integrating any system with ZATCA, whether it's Oracle, QuickBooks, Xero, SAP, Microsoft Dynamics, or any other internal system the company uses, requires setting up the foundation correctly right from the start. That begins with managing the onboarding process with the FATOORA platform, so that your organization's ZATCA integration Phase 2 goes smoothly.
ZATCA onboarding isn't the final step, however: further steps are needed to finalize the process according to the type of invoices your business deals with, whether B2B or B2C. Rest assured when relying on InvoiceQ for ZATCA integration Phase 2, as we are already qualified by ZATCA as a Phase 2 service provider.