KSeF and security: roles, tokens, access audit
The KSeF security model for companies that want to reduce the risk of fraud and operational errors.
Minimal security model
The most important thing is to separate business and technical roles. The person who administers authorizations should not also be the one who approves accounting exceptions.
This simple division significantly reduces the risk of unauthorized changes and makes auditing easier.
- Separate the administrator and operator roles.
- Apply the principle of least privilege.
- Enforce periodic access recertification.
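The separation-of-duties and least-privilege rules above can be enforced in code rather than by convention. The following is an added example, not code from the original article or from KSeF itself; the role names, permission names and conflicting role pairs are constructed for illustration and are not KSeF's own permission identifiers. It blocks any identity that holds a conflicting pair outright and lists granted permissions that were never exercised, which is exactly what a recertification review should remove.

```python
"""Separation-of-duties and least-privilege check for a KSeF-style
authorization model. Added illustration: role names, permission names
and conflicting pairs are constructed, not KSeF's own identifiers."""
from dataclasses import dataclass, field

# Which permissions each role carries (constructed).
ROLE_PERMISSIONS = {
    "auth_admin": {"grant_permission", "revoke_permission"},
    "invoice_operator": {"send_invoice", "read_invoice"},
    "accounting_approver": {"approve_accounting_exception", "read_invoice"},
    "auditor": {"read_invoice", "read_audit_log"},
}

# Role pairs one identity must never hold at the same time: whoever
# manages authorizations must not also approve accounting exceptions
# or operate invoicing.
CONFLICTING_ROLE_PAIRS = {
    frozenset({"auth_admin", "accounting_approver"}),
    frozenset({"auth_admin", "invoice_operator"}),
}


@dataclass
class Identity:
    name: str
    roles: set = field(default_factory=set)


def sod_violations(identity):
    """Return the conflicting role pairs this identity holds, sorted."""
    held = set(identity.roles)
    return sorted(tuple(sorted(pair)) for pair in CONFLICTING_ROLE_PAIRS if pair <= held)


def effective_permissions(identity):
    """Union of the permissions of every role the identity holds."""
    perms = set()
    for role in identity.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(identity, permission):
    """Deny by default. An identity with an unresolved SoD conflict is
    blocked entirely rather than allowed its non-conflicting permissions,
    so the conflict has to be fixed before any work continues."""
    if sod_violations(identity):
        return False
    return permission in effective_permissions(identity)


def unused_permissions(identity, exercised):
    """Least privilege: granted permissions never exercised in the review
    period are candidates for removal at the next recertification."""
    return sorted(effective_permissions(identity) - set(exercised))


if __name__ == "__main__":
    bob = Identity("bob", {"auth_admin", "accounting_approver"})
    print("bob conflicts:", sod_violations(bob))
    anna = Identity("anna", {"invoice_operator"})
    print("anna unused:", unused_permissions(anna, ["send_invoice"]))
```

Blocking a conflicted identity completely, rather than trimming it to the non-conflicting subset, is a deliberate choice: it surfaces the misconfiguration immediately instead of letting it persist quietly until the next review.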
Tokens and system access
System access must be treated as a critical secret. Tokens and keys should be stored in a secure repository, never in local code or configuration files.
Additionally, it is worth implementing secret rotation and recording which system and which user performed each operation.
- Vault to store secrets.
- Token rotation and expiration.
- Full audit trail of operations.
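The three points above fit together in one small lifecycle: the token is fetched from a secret store at runtime, it carries an expiry and is rotated when that expiry passes, and every rotation and use is written to an append-only audit trail that records which system and user acted. The code below is an added example, not code from the original article or from KSeF; the in-memory SecretStore stands in for a real vault, and the secret name, lifetime, system and user names are constructed. The audit trail is hash-chained so that editing or deleting any entry is detectable.

```python
"""Token lifecycle and tamper-evident audit trail for a KSeF integration.
Added illustration: SecretStore is an in-memory stand-in for a real vault
(the point is that the token is fetched at runtime, never read from a
config file); the secret name, lifetime, systems and users are constructed."""
import hashlib
import json
import secrets
from datetime import datetime, timedelta, timezone

SECRET_NAME = "ksef_api_token"        # constructed name
TOKEN_LIFETIME = timedelta(days=30)   # assumed rotation policy
GENESIS = "0" * 64                    # chain anchor for the first record


class SecretStore:
    """Minimal stand-in for a vault: the only place a token is kept."""

    def __init__(self):
        self._items = {}

    def put(self, name, value, expires_at):
        self._items[name] = {"value": value, "expires_at": expires_at}

    def get(self, name):
        return self._items.get(name)


class AuditTrail:
    """Append-only, hash-chained log: every record carries the hash of
    the previous one, so editing or deleting any entry breaks verify()."""

    def __init__(self):
        self.records = []

    def append(self, system, user, operation, detail, now):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        rec = {"ts": now.isoformat(), "system": system, "user": user,
               "operation": operation, "detail": detail, "prev": prev}
        rec["hash"] = self._digest(rec)
        self.records.append(rec)

    @staticmethod
    def _digest(rec):
        body = {k: v for k, v in rec.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self):
        prev = GENESIS
        for rec in self.records:
            if rec["prev"] != prev or self._digest(rec) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


def rotate_token(store, audit, system, user, now):
    """Mint a fresh token with an expiry and record who rotated it.
    The token value itself is never written to the audit trail."""
    token = secrets.token_hex(32)
    expires_at = now + TOKEN_LIFETIME
    store.put(SECRET_NAME, token, expires_at)
    audit.append(system, user, "token_rotated",
                 {"expires_at": expires_at.isoformat()}, now)
    return token


def get_valid_token(store, audit, system, user, now):
    """Fetch the current token, rotating first if it is missing or expired."""
    entry = store.get(SECRET_NAME)
    if entry is None or entry["expires_at"] <= now:
        audit.append(system, user, "token_missing_or_expired", {}, now)
        return rotate_token(store, audit, system, user, now)
    return entry["value"]


def demo():
    """Walk one token lifecycle on a fixed clock (constructed timeline)
    and return the results so the behaviour can be checked offline."""
    store, audit = SecretStore(), AuditTrail()
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    first = get_valid_token(store, audit, "erp", "svc-erp", t0)
    same = get_valid_token(store, audit, "erp", "svc-erp", t0 + timedelta(days=10))
    later = get_valid_token(store, audit, "erp", "svc-erp", t0 + timedelta(days=31))
    return {"first": first, "same": same, "later": later, "audit": audit}


if __name__ == "__main__":
    result = demo()
    for rec in result["audit"].records:
        print(rec["ts"], rec["system"], rec["user"], rec["operation"])
    print("trail intact:", result["audit"].verify())
```

Note that the audit record stores the expiry and the actor but never the token value; an audit trail that is readable by auditors must not become a second copy of the secret.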
Audit and compliance
An audit should not be a one-time project. In practice, the best results come from monthly reviews and quarterly testing of procedures.
If a company has several invoicing systems, the audit must cover the entire data flow, not just the point of integration with KSeF.
- Monthly review of access entitlements.
- Quarterly testing of security procedures.
- Compliance report for management.
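A recurring audit is easier to sustain when the schedule itself is checked by code: which grants are past their monthly review, which belong to people who have left, and which procedures have not been tested this quarter, across every invoicing system in the data flow rather than only the KSeF integration point. The script below is an added example, not code from the original article; the grants, systems, procedure names and dates are constructed sample data, and the review and test intervals are assumed values matching the monthly and quarterly cadence described above.

```python
"""Monthly access review and quarterly procedure-test scheduler that
produces a compliance summary for management. Added illustration; the
grants, systems, procedures, dates and intervals are constructed."""
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=31)  # monthly review of access entitlements
TEST_INTERVAL = timedelta(days=92)    # quarterly test of security procedures
REPORT_DATE = date(2025, 3, 15)       # constructed "today" for the demo

# Constructed sample data covering several invoicing systems feeding KSeF.
GRANTS = [
    {"system": "erp", "user": "anna", "role": "invoice_operator",
     "last_review": date(2025, 3, 1), "active_employee": True},
    {"system": "erp", "user": "bob", "role": "auth_admin",
     "last_review": date(2025, 1, 10), "active_employee": True},
    {"system": "webshop", "user": "carol", "role": "invoice_operator",
     "last_review": date(2025, 3, 5), "active_employee": False},
]
PROCEDURE_TESTS = [
    {"procedure": "token_revocation", "last_test": date(2025, 1, 2)},
    {"procedure": "incident_escalation", "last_test": date(2024, 11, 20)},
]


def overdue_reviews(grants, today):
    """Grants whose last entitlement review is older than one month."""
    return [g for g in grants if today - g["last_review"] > REVIEW_INTERVAL]


def orphaned_grants(grants):
    """Grants still active for people who have left: the most common
    recertification finding and the first thing to revoke."""
    return [g for g in grants if not g["active_employee"]]


def overdue_tests(tests, today):
    """Procedures not exercised within the last quarter."""
    return [t for t in tests if today - t["last_test"] > TEST_INTERVAL]


def compliance_report(grants, tests, today):
    """Management summary: scope, findings and an overall verdict."""
    reviews = [(g["system"], g["user"]) for g in overdue_reviews(grants, today)]
    orphaned = [(g["system"], g["user"]) for g in orphaned_grants(grants)]
    stale_tests = [t["procedure"] for t in overdue_tests(tests, today)]
    return {
        "as_of": today.isoformat(),
        "systems_in_scope": sorted({g["system"] for g in grants}),
        "grants_total": len(grants),
        "reviews_overdue": reviews,
        "orphaned": orphaned,
        "tests_overdue": stale_tests,
        "compliant": not (reviews or orphaned or stale_tests),
    }


if __name__ == "__main__":
    for key, value in compliance_report(GRANTS, PROCEDURE_TESTS, REPORT_DATE).items():
        print(f"{key}: {value}")
```

Listing `systems_in_scope` in the report is the point of the second paragraph above: if a system that issues invoices is missing from that list, the audit has not covered the whole data flow.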