VIND
EN
Request demo

Compliance / MTCA

MTCA-native, by construction.

Sequential numbering, signed receipts, immutable Z-reports, voids paired with credit notes. The spec is the contract — and we cite it openly.

Talk to compliance Back to compliance

Receipt numbering, in plain language

Every receipt VIND emits carries a strictly monotonic, gap-free fiscal number from a range pre-allocated to the device when the cashier clocks in. The number is signed with HMAC-SHA256 keyed to the tenant’s fiscal secret, alongside the timestamp, total, and item digest. Print and store both.

If a sequence gap appears — say, the device crashed mid-receipt and the next number landed two higher — we do not auto-fix it. We flag the gap for MTCA review with full diagnostic context (last good receipt, device id, shift id, cashier id) and surface it on the super-admin compliance pane. Auto-correction is the wrong default for a regulated sequence; the policy is conservative on purpose.

Z-readings, X-readings, and end-of-day

Each shift closes with a Z-reading that reconciles cash drops, card payments, voids, and credit notes against the receipt log. The Z is signed and immutable — you cannot edit it, you can only emit a credit-note pair that adjusts the figures on the next day’s books. X-readings are non-resetting mid-shift snapshots; cashiers can pull them as often as they want.

The cumulative grand-total (CGT) is monotonically non-decreasing: once a number is on the books, it stays on the books. Refunds never subtract from CGT — they post as separate negative-signed credit notes referencing the original receipt id.

WORM enforcement

Receipt rows have no UPDATE, no DELETE path in the database — the migration explicitly forbids both. A void is a formal operation that:

  1. Marks the original receipt as voided=true while keeping every field intact, and
  2. Emits a paired credit note with its own sequential number, signed and immutable.

Both rows persist forever. A tax auditor can replay the day from the receipt log alone and arrive at the same totals you see in the backoffice.

Why this matters in Malta

The Malta Tax & Customs Administration audits restaurants on sequence integrity, signature validity, and Z-report reconciliation. VIND ships these as the floor, not the ceiling — and we expose every relevant artefact in a read-only auditor portal so the inspector reviews receipts without sitting at the cashier’s terminal.

The receipt format, the signing scheme, the void workflow, and the Z-report shape match the agents.md “MTCA Receipt Requirements” section line-for-line. We treat the spec as the contract.

Common questions

What happens if a sequence gap appears?
We do not auto-fix it. The gap is flagged for MTCA review with the device id, shift id, cashier id, and last good receipt. Auto-correction is the wrong default for a regulated sequence; the policy is conservative on purpose.
Can a receipt ever be deleted?
No. The receipts table has no UPDATE or DELETE path in the database. A void is a formal operation that marks the original as voided=true and emits a paired credit note with its own sequential number; both rows persist forever.
How long do you retain receipt data?
Seven years, in line with MTCA expectations. Backups stay inside eu-central-1.
Can an auditor see the data without using a cashier terminal?
Yes. We ship a read-only auditor portal — compliance overview, receipt audit trail, fiscal-day summaries, replayable Z-readings. The portal is RBAC-scoped to the audit role and never touches POS state.

Bring your accountant. We'll open the auditor portal.

Talk to compliance Security & data residency