Tuesday, May 24, 2022

What makes electronic signatures secure for business usage?

 

An electronic signature is a legally valid and efficient way to obtain approvals on electronic documents, and it replaces physical signatures almost completely. Electronic signatures are secure and verifiable, and they address the weaknesses of handwritten signatures. The adoption of e-signature solutions is on the rise in India, as it is around the world.

Tampering with paper documents and forging signatures is quite easy. How does one know whether a paper has really been signed by the intended signer? One cannot.

An electronic signature, on the other hand, establishes the identity of the signer beyond doubt by performing multi-factor authentication. The typical factors used are email id, mobile number, access id and login credentials (such as Active Directory). The digital signature solution maintains an audit trail for traceability, which includes the IP address of the signer’s system, the timestamp and the reason for signing. Once the document is signed, it is sealed, or made tamper evident, by certifying it with a PKI digital signature certificate.

Signatures made with digital signature certificates are also one kind of electronic signature. The signature certificates are issued by a Certifying Authority after verification of the applicant’s identity, which ensures that the signatures are verifiable. Most signature certificates are issued on a FIPS 140-2 secure hardware device such as a USB token or an HSM, and every certificate is password protected, thus providing multi-level authentication.

In an enterprise context, the TRUESigner digital signature solution is built on a strong security framework that ensures only bona fide access to the signatures: by authorized individuals, and from whitelisted IP addresses only.

Thus, electronic signatures help with last-mile digitization in a safe, secure and scalable manner.

Tuesday, February 22, 2022

Need to sign a large number of documents? Automate your bulk signing!

 

When I visit offices, colleges or banks I always notice the amount of paper lying around on desks and filed away in cabinets. Given that we at Truecopy Credentials (www.truecopy.in) are on a mission to help organizations go paperless, my attention naturally turns to paper documents. I wonder how painfully time consuming it must be to get so many documents printed, signed, posted or emailed and filed away for future reference, and that too on a daily basis!


The Need

Wouldn’t it be nice to have a desk that is free of clutter?

Wouldn’t it be lovely to have all the time spent on handling and signing paper added back to your life, so you can spend it on something more meaningful?

Wouldn’t it be useful to store documents in a central repository from where they can be searched and accessed easily, anytime and from anywhere?

Wouldn’t it be less painful to literally not have to sign hundreds and thousands of documents?

What you need is a reliable and scalable bulk PDF signer software. The TRUESigner digital signing solution comes to the rescue.


What does TRUESigner bring to you?

To put it simply, it fulfils every need above. It fully automates signing in bulk. No matter where your documents are generated, whether in an MIS, CRM, ERP or legacy system, or manually, TRUESigner can help you automate signing. Whether you are looking to sign files on your desktop, laptop or smartphone, or for a bulk PDF signer software online, you are covered.

You can integrate the APIs or simply set up the input/output folder interface. All you need to do is save the PDFs to be signed in the input folder; that’s it. TRUESigner will automatically sign them all and place them in the output folder. You have the flexibility of defining the signature placement on the desired pages. You can also benefit from the unique anchor feature, where the signature is automatically placed at a pre-defined anchor text, for example “Authorized Signatory”.

Signatures can be made using USB tokens (also called dongles), with signature certificates held in a Hardware Security Module (HSM), or with electronic signatures. These are all legally valid alternatives.

The TRUESigner suite of digital signing solutions supports DSC signing on Windows as well as Linux and Unix operating systems.


Who will find the bulk PDF signer software useful?

1. The Human Resources department is perhaps the largest consumer of paper in a corporate setting. It can automate bulk signing of offer letters, increment and promotion letters, employment agreements etc. using TRUESigner. TRUESigner also supports bulk distribution of documents such as Form 16 and organizational policies to all employees in one go, for acceptance or counter-signing.

2. In colleges and universities, transcripts, mark sheets, degree certificates, rank certificates and admit cards are generated in large numbers. TRUESigner can automate signing of these documents.

3. Bank processes also involve a large number of documents, including client communication, term deposit receipts, investment documents and internal approvals. TRUESigner helps banks and other Finserv companies go completely paperless.

4. Insurance companies can benefit from the bulk signing capability to sign and distribute policies.

5. Clinical and analytical laboratories can bulk sign and distribute reports.

No brainer, right? These are only a few examples. Just think about your business. Are you printing and signing paper? Are you doing this over and over again? Do you wish you had a better way of doing this? If your answer is yes, then TRUESigner is for you. Visit www.truecopy.in to learn more about our solutions and how they can help you.

Thursday, February 17, 2022

8 tactics for making your business paperless

 

Digital transformation gained momentum like never before thanks to the coronavirus pandemic. When everyone was pretty much home bound, technology came to the rescue of businesses: Zoom, Google Meet and Microsoft Meetings replaced in-person meetings; document management tools enabled collaboration on documents; and digital signing solutions enabled offer letters to be sent out, invoices to be issued, contracts to be signed and what have you.

Going paperless in your business comes with significant benefits.

A) You save on paper and thereby save trees. (Yes! Every sheet that you do not print helps.)

B) You save on printing costs, including the maintenance costs associated with the printer.

C) You save on the manual effort required. This is the most expensive component.

D) You save on physical storage and retrieval of paper documents.

E) Printouts lying around can result in a security breach. When you go paperless, you can secure your documents.

Based on our experience, we have come up with these 8 tips to help your business go paperless.


1. Integrate TRUESigner with your ERP/CRM system

It is possible to integrate our digital signature software TRUESigner into any ERP/CRM system, be it SAP, Oracle EBS, MS Navision, Salesforce or any home-grown ERP system for that matter. You can sign directly from within the system, so documents such as purchase orders, requisition slips or challans can be signed with a click of the mouse. You can easily issue digitally signed invoices too.

2. Integrate TRUESigner in your document management system

It is high time that businesses moved away from printing and storing documents. A wide variety of tools are available to store documents in digital format on the cloud; Google Drive, Apple iCloud and Microsoft SharePoint are a few examples. They let you store documents in a secure, centralized place and make them easy to search and retrieve. Think about it: wouldn’t it be great to take digitization a step further and integrate signing into these systems as well, so that the entire workflow is in a single place? No more opening a PDF and signing from there; you can do it right from where you are within the system.

3. Digitize your purchase approvals

If you are buying supplies or IT that ultimately helps you do your business better, you should have a process in place that allows faster approvals for procurement. The traditional method of paper-based approvals, or of all approvers getting into a room to approve, is passé. Take this process online. You just define the workflow: who the approvers are and in what order they approve. That’s it. Set the workflow in motion; approvers can view the document, sign online and voilà, the approval is done. It saves time and is so convenient.


4. Take your contracts to the cloud

It is safe to put your contracts on the cloud, such as AWS, Azure or Google GCP. Apart from digital signing in India, you can even have automated e-stamps on your contracts, making it a completely paper-free process. All parties can sign the contracts electronically; a great way to do vendor agreements, user licenses and partner contracts.

5. Transform your HR processes

When one thinks of HR, one visualizes desks overflowing with paper! There are employee letters, offers, promotion letters and what have you that this department needs to deal with. It is easily possible to completely eliminate paper from all HR workflows. Whether your HR team uses an HRMS system or generates documents manually, last-mile digitization is possible with TRUESigner. Imagine that you issue an offer to a candidate and the candidate accepts it by signing it online. That would save so much time and effort, right? Not to mention the insights the HR team could get with all this data online in their system.

6. Onboard your customers online

If you are running an online business, your dream situation is to get your customer to sign up right away, before they leave your website. We all know how tough it is to get them back to sign up. If you need them to sign a contract, let them sign it digitally online right there and you are all set. Client acquisition is streamlined, it’s faster and it directly helps the growth of your business.


7. Get your finance team to adopt digital signatures for regulatory compliance

Get them to digitally sign invoices so that they are compliant with the e-invoicing norms in your country of operation. Tax documents can be digitized and secured with digital signatures.

8. Receive invoices in digital format only

You can also consider the documents that you receive from, let’s say, your vendors and partners. Ask them to send those to you with digital signatures. TRUESigner’s verification engine will enable you to automatically verify them online and save them in your CRM system, thereby completely eliminating paper handling and storage.

We hope you find the above tips useful in transitioning to digitally signed invoices and other documents using digital signature solutions.


Thursday, September 30, 2021

Digital Signatures or Block Chain - Which is more suitable for Education Credentials?

Digital signatures based on public-key algorithms are an established technology for authenticating documents. A more recent alternative is based on distributed ledgers (block-chain). Here we explore which option is more suitable for authenticating educational credentials such as those issued by universities, colleges, etc. in India.

Digital Signatures:
1) Signing certificates are issued by designated Certifying Authorities after a detailed verification of the identity of the Signature Holder. This ensures that impersonation of the Signature Holder (universities / colleges) is ruled out.

2) The Signature Holder can use the signing certificate to sign documents, and this requires 2-factor authentication. If a certificate is misplaced or compromised, there is a process to revoke / cancel such a signing certificate, thereby rendering it useless.

3) A signed document can be verified simply by opening it in Adobe Reader. The Signature panel immediately shows whether the document has been signed or modified after signing, and the identity of the signer can be verified via the Signature panel. There is no need to upload the document anywhere or visit any website. Verification of documents in bulk can also be automated.

4) Signed documents cannot be tampered with without breaking the signature, and therefore they can be uploaded to repositories. The Govt therefore correctly selected digital signature technology for its repositories such as Digilocker and NAD.

5) Digital signature implementations come at significantly lower cost since there is no need to maintain distributed ledgers, etc.

Block-chain:
1) There is no Govt body that governs or defines how the identity of a block-chain participant is to be verified.

2) Every time one needs to verify a document, it has to be uploaded to a specific website. This in turn brings the risks associated with phishing.

3) Block-chain is not compatible with various initiatives of the Govt, including Digilocker.

4) The costs associated with distributed ledgers are always higher.

5) Finally, there is no legal framework in place governing block-chain documents.

To summarize, educational institutions in India are better off authenticating their documents with digital signatures as opposed to using distributed ledgers / block-chains.


Monday, June 7, 2021

Pitfalls of Signature Annotations

After the previous blog on "Collaboration" during the signing process, a question was asked whether it is a good idea to permit a signer to insert annotations into the document being signed. Technically, "annotations" are also "edits".

Ask yourself the simple question: can a particular signer enter the annotation "Do not accept 2), 5), 6)" on the document when he / she signs it?

If a system allows a signer to insert such an annotation while signing, ask yourself whether you want to permit such a thing!


Wednesday, May 19, 2021

Collaboration must end before Signing can begin

As the adoption of electronic signatures increases, a frequently asked question is whether it is a good idea to permit collaboration / editing of a document while it is being signed by multiple parties.

In general, when confronted with any such question, it is best to ask what makes sense in the physical world. Electronic signatures are also signatures, and the common-sense precautions that apply to physical signatures apply to them as well.

Imagine a situation wherein a document is to be signed by 3 persons: A, B and C. Suppose it has already been signed by person A. Would it be OK to allow the next signer, person B, to make edits / insertions on the document before he signs it? Indeed, would it be OK to allow B to annotate anything on the document other than his signature? The answer is clearly "NO". The reason is that no change to the document can be made without the concurrence of A, who in this case has already signed the document and therefore isn't a party to the subsequent changes, howsoever minor they may seem. Indeed, A's signature should be invalidated by any subsequent edits made to the document. The same applies to electronic signatures as well. Ideally, no edits / insertions / annotations should be permitted in a document once it is electronically signed by even one of the signatories. In fact, any good system would expressly prevent such edits / insertions. Any "collaboration" has to happen before the process of signing begins, and should end before the first signature is inserted.

Further, it is only common sense that a good electronic signing system should not permit the download of partially signed documents. So signatory B or C should not be able to download a document signed only by signatory A. The document should be made available simultaneously to ALL signatories ONLY after it has been signed by all parties. The document should be invalidated the moment any of the signatories refuses to sign it.
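The two rules above (no edits or annotations once anyone has signed, and no release of partially signed documents) as an added Go example; this is not TRUESigner's code or its PDF format. Each signature covers the content plus every earlier signature and its "reason for signing" audit field, so an annotation inserted by B breaks A's signature while B's own still verifies. Ed25519 keys generated in memory stand in for CA-issued certificates, and the document content is a constructed sample.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signature is one signatory's entry; Reason is the audit-trail "reason for
// signing" and is itself covered by the signature.
type Signature struct {
	Signer, Reason string
	Pub            ed25519.PublicKey
	Sig            []byte
}

// SignedDoc is a document that accumulates signatures in order.
type SignedDoc struct {
	Content []byte
	Sigs    []Signature
}

// NewKey makes a fresh Ed25519 key (stands in for a CA-issued certificate).
func NewKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// digest binds the content to every signature already present, so the
// N-th signature covers the content plus signatures 1..N-1.
func digest(content []byte, prior []Signature) []byte {
	h := sha256.New()
	h.Write(content)
	for _, s := range prior {
		h.Write([]byte(s.Signer + "\x00" + s.Reason + "\x00"))
		h.Write(s.Pub)
		h.Write(s.Sig)
	}
	return h.Sum(nil)
}

// Sign appends a signature over the document exactly as it stands now.
func (d *SignedDoc) Sign(name, reason string, priv ed25519.PrivateKey) {
	d.Sigs = append(d.Sigs, Signature{
		Signer: name, Reason: reason,
		Pub:    priv.Public().(ed25519.PublicKey),
		Sig:    ed25519.Sign(priv, digest(d.Content, d.Sigs)),
	})
}

// Annotate appends a note to the content. An annotation is an edit: it
// changes the bytes that earlier signatures were computed over.
func (d *SignedDoc) Annotate(note string) {
	d.Content = append(d.Content, []byte("\n"+note)...)
}

// Verify re-checks each signature against the content and the signatures
// that preceded it, and names the signers whose signatures no longer hold.
// A signature made after an edit still verifies (it covers the edited
// bytes), which is exactly why a later signer must not be allowed to edit.
func (d *SignedDoc) Verify() (ok bool, broken []string) {
	for i, s := range d.Sigs {
		if !ed25519.Verify(s.Pub, digest(d.Content, d.Sigs[:i]), s.Sig) {
			broken = append(broken, s.Signer)
		}
	}
	return len(broken) == 0, broken
}

// Releasable: a document is handed out only once all expected signatories
// have signed and every signature still holds; partially signed copies never leave.
func (d *SignedDoc) Releasable(expected int) bool {
	ok, _ := d.Verify()
	return ok && len(d.Sigs) == expected
}

func main() {
	a, b := NewKey(), NewKey()
	doc := &SignedDoc{Content: []byte("Supply agreement, clauses 1-6 (constructed sample)")}
	doc.Sign("A", "Approved", a)
	doc.Annotate("Do not accept 2), 5), 6)") // B edits before signing
	doc.Sign("B", "Approved", b)
	fmt.Println(doc.Verify())      // false [A]
	fmt.Println(doc.Releasable(3)) // false: C has not signed, and A's signature is broken
}
```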


Friday, October 2, 2020

Takeaways & Observations of Direct-API EInvoicing Users

On Oct 1 2020, GSTN went live with eInvoicing, i.e., the registering of invoices with NIC, for companies with 500 Cr+ turnover. We have earlier written about the "Direct-API", which allows tax-payers to connect to the NIC servers directly and make the API calls.

We have enabled many of our partners to go live with this Direct-API on Oct 1. These were companies with 500 Cr+ turnover, and they used several different ERP systems, including SAP and Oracle. We have been getting a lot of queries about the Direct-API and the go-live experience. This note documents our observations across the many partners who have successfully started eInvoicing with the Direct-API.

My overall observation is that GSTN & NIC have done a good job with the Direct-API and the on-boarding process. The process was clearly documented by GSTN / NIC, and everything worked as promised without a hitch.

Moreover, in the last 60 hours, tens of thousands of eInvoices have been registered by our partners, and not a single case of failure has been reported as of this time.

Specific Observations:

1) The documentation provided by GSTN for consuming the Direct-API is clear, and all the REST API calls work as described.

2) A sandbox has been made available for testing. Taxpayers can register on the sandbox to obtain their API credentials and then begin to test the API. The sandbox behavior is as documented. (A few weeks ago, there was a delay of a few hours between new schema changes being announced and the sandbox reflecting them. In recent weeks, there has been no such mismatch.)

3) NIC requires Direct-API users to run a number of tests (both successes and failures) for each API call prior to Production access. The purpose is to ensure that taxpayers actually try out all their use-cases on the sandbox, and handle successes & failures, prior to accessing the Production servers. A spreadsheet is available on the GSTN site; it is clear on the number and type of tests to be performed. The spreadsheet takes about 10 mins to fill in once you have run the required number of tests on the sandbox.

4) NIC also requires taxpayers to allocate up to a maximum of 4 public IPs for whitelisting. In other words, these are the only IPs from which requests will be permitted to reach the NIC Production servers.

5) The request for Production access can be made by logging in to the https://einvoice1.gst.gov.in portal with Admin credentials. You have to select Direct Access, then enter the whitelisted IPs, and then upload the filled spreadsheet mentioned in item 3 above (after converting XLS to PDF).

6) Once the above request is made, the taxpayer needs to await approval from NIC. The statistics based on the experience of our partners are:

Maximum days for getting approval: 6 days

Minimum days for getting approval: < 1 day (!!!)

Average number of days for getting approval: 3 days

Approval received in first attempt: approx. 78% of applicants

Application rejected in first attempt: remaining 22% of applicants (NIC provided reasons for rejection)

Applications approved on second attempt (of the 22%): 100%

This means that a majority of applicants received their approval in the first attempt and fairly quickly. The remaining ones got approval after they fixed the errors in their application.

7) Applicants received a clear email with next steps for Production access. This required the taxpayer to create API users from the https://einvoice1.gst.gov.in portal, along with their credentials. These credentials are to be used in the Production API.

8) The process of creating, say, 10 API users (one for each GSTN corresponding to a single PAN) takes about 10 mins.

9) The process of going live only requires the user to change the API end-points from the sandbox to the NIC Production server, and to use the Production credentials.

10) Out of the more than 100 IPs that we saw whitelisted, only 1 failed to work on Production as expected. Other than this singular case, IP whitelisting by NIC worked as expected for all taxpayers.

11) There is no difference in the behavior of the sandbox and Production servers. This is good. All APIs that worked on the sandbox work as expected on Production.

12) Only one taxpayer faced connectivity issues for a few hours, but it was an issue on the taxpayer side, not on the NIC side. The lesson for the taxpayer is to ensure good internet connectivity.

13) Direct taxpayers have been receiving responses to emails from NIC on a fairly regular basis.

14) The schema validation changes announced by GSTN 4 days prior to go-live did require some work on our side, but we observed that many of those changes were already live on the sandbox prior to their announcement.

To be honest, we had mentally prepared our partners (taxpayers) for possible glitches after go-live. However, these apprehensions proved to be unfounded and everything has worked well as of this time, with no latency issues being reported either.

To summarize, our partners have had a smooth journey going into Production with the Direct eInvoicing API from a variety of ERP systems. Every single one of them went live on time, with no disruption to their business users.


(Note: The earlier note on Direct-API, background & benefits is here)

The Direct API for eInvoicing

NIC provides a Direct-API for registering eInvoices. "Direct-API" means that the API endpoints on the NIC servers can be accessed directly by the tax-payer (i.e., without having to route the data via any intermediary or GSP).

GSTN has recognized that eInvoice data is confidential & embodies trade secrets. Pricing information in particular is something that companies protect zealously. Large companies often spend an enormous amount of money on implementing on-premise ERP solutions precisely for this reason. Invoice data is too precious to be stored on a cloud-based ERP.

It is one thing for a single data-point (the price of a particular item at a particular time) to be compromised. It is much worse when detailed invoicing data ends up being gathered over a period of time into a database. Significant analysis can be performed and inferences drawn from such databases ("Big Data", "Data Harvesting"). Needless to say, this data is of immense competitive value.

Many CIOs, CFOs and information security professionals understand this, and are reluctant to route data via third parties. There are other benefits to going direct as well. It reduces the number of hops, and therefore reduces latency and minimizes the points of failure. Further, you are at no risk of being charged annual or per-transaction fees by anyone.

Given these significant concerns, it is logical for NIC to provide an API which tax-payers can consume themselves, routing the data to NIC directly. Hundreds of companies (500 Cr+ turnover) have adopted the direct route to implement their eInvoicing. GSTN has also included eWayBills in this API, which means taxpayers can now generate eWayBills along with eInvoices as well.

Saturday, September 5, 2020

E-Invoicing

In a month from now, the Indian Govt will enforce a tax regulation that will have significant business impact for decades to come. GSTN will make it mandatory for companies (initially those with over Rs 500 crore annual revenue) to register each B2B invoice with GSTN before goods are shipped. This is called "EInvoicing". Companies will have to electronically register / communicate to GSTN every detail of every invoice in real time, prior to shipment. GSTN will return a QR code that will have to be inserted on the invoice when it is printed / emailed and the goods shipped.

This is a remarkable piece of regulation in many ways. In an era where businesses are already complaining of an excessive compliance and regulatory burden, EInvoicing takes this burden to an entirely different level.

Firstly, this is real-time compliance. Goods cannot be shipped unless the EInvoice is registered. Many companies issue several hundreds if not thousands of invoices daily, and these are usually created in real time, i.e., just when goods are ready to ship. EInvoicing adds a variable delay to every single invoice issued. If for any technical / connectivity reason the EInvoice cannot be registered, shipments will be delayed.

Secondly, the benefits to the Govt of a regulation like this are unclear. Given that it imposes a significant compliance cost on thousands of honest tax-paying companies, the Govt should have made public a detailed cost-benefit analysis. It is not clear what specific types of evasion this regulation would stop, or the perceived magnitude of the problem. GSTN has referred to 'spurious invoices', but no one has laid out a specific scenario which would be remedied by this regulation. That is because every such scenario is already covered by an existing regulation, or will be easily managed by a bad actor. GSTN has not published any estimates of the increased GST collections it expects as a result of this regulation. This is much like Demonetization, whose costs were visible and borne by the common man, but whose benefits are in the realm of conjecture. The effects of demonetization were temporary. The regulatory burden imposed by EInvoicing will be permanent.

Thirdly, there is the issue of privacy. The data sought from companies represents a whole different level of disclosure by private entities. The Govt wants to know the exact nature of goods sold, their quantity, the price at which they were sold and to whom. Pricing of goods, and particularly of services, is often a secret. Companies may sell the same product at different prices to different clients, for a variety of valid business reasons. This is confidential information. The information gathered by the Govt will hereafter allow the Taxman to ask you why a particular item was sold at Rs 100 per unit to buyer A, and at Rs 103 per unit to buyer B. (From there it's a short jump to "deemed revenues". Those aware of the logic behind "deemed rent" will be worried.) Conversely, the information on all inputs (incoming goods) into a company will also be known (because your suppliers will have to do EInvoicing too).

By implementing EInvoicing, companies will be sharing their most sensitive data with the IRP and perhaps an intermediary. Imagine a radiator manufacturing company whose data on all radiators sold, to whom, at what price point, seasonal pricing variations, and much more, is compromised. A competitor would love to get their hands on this data.

The fourth issue with EInvoicing is enforcement. The only way to enforce this regulation is to have GST inspectors stop trucks en route, to verify whether an EInvoice has been created and whether the goods in the truck match those listed in the EInvoice. Such a verification can become absurdly complex depending on the type of goods. What if the GST inspector declares that there is a mismatch? Can the poorly educated truck driver be expected to challenge the GST inspectors on the technical points of the EInvoice? Can any company afford its trucks to be held up in transit? What recourse does the truck driver or the company have?

Given the plethora of issues with EInvoicing, it is surprising that businesses and trade associations have not pushed back aggressively against it. Perhaps they are taken in by the Govt's assertion that it is only creating a 'framework' for electronic exchange of data between private parties. That, however, is NOT the job of the Govt.

Given the burden it imposes on honest businesses, GSTN is requested to consider the following:

a) Revisit the schema and determine whether it really needs to collect all the information it asks for.

b) Announce an alternative to real-time EInvoicing.

c) Address the concern of trucks being stopped in transit.

It would be a favor to businesses struggling to recover from COVID.

Thursday, November 14, 2019

How to insert a digital signature in a PDF file?

[A recap post for new users]

In order to digitally sign a PDF file, you need a couple of things.

  1. Your digital signature certificate (DSC), which usually comes in the form of a USB token.
  2. A software tool that uses your DSC to sign the PDF file.

You can get the free TRUESigner tool after filling out the form at http://www.truecopy.in/truesignerdsc.php and install it on your PC. Here are the simple steps to follow:
  1. Connect your DSC token to a USB port on your PC and launch the TRUESigner tool.
  2. Browse and select the PDF file you wish to sign.
  3. Select the output folder in which you would like to save the signed file.
  4. Select your signature certificate from the drop-down menu.
  5. Click on Submit.
  6. Your signed PDF will be available in the output folder.

If you would like to apply for your DSC token or sign PDF files in bulk in one go, you can contact us using http://www.truecopy.in/contact.php