
Pennsylvania’s Sales and Use Tax: has nearly $1 Billion been “zapped” away in Fraud?

The Sales and Use Tax is an essential part of Pennsylvania’s revenue profile. Not only is it the State’s second largest revenue source,[1] it has historically played a critical role in reducing the volatility of Pennsylvania’s overall tax collections.[2] The sales tax is also critical to the city of Philadelphia,[3] and Allegheny County.[4] During the current economic downturn both the revenue and structural attributes of this levy should be pushing it to the front of the tax policy line.

In short, the observation is – if revenue is going to be hard to come by for a period of time, then at least it needs to be dependable. In Pennsylvania, dependable revenue means sales and use tax revenue. It would also be helpful if revenue could be found that did not involve a rate increase or a tax base expansion.

As a result, the two topics that should rest atop Pennsylvania’s tax policy agenda should be: (1) joining the Streamlined Sales Tax initiative[5] and (2) stemming revenue losses from automated sales suppression software (Zappers). The first initiative would yield additional revenue of $220 – $384 million (from e-commerce alone);[6] the second effort (based on the author’s estimates) would yield an additional $922 million in revenue (in the restaurant industry alone). One of the more attractive aspects of both of these efforts is that neither involves changing rates. Both provide additional revenue primarily by improving enforcement.

For the moment at least, Pennsylvania has decided not to join the twenty-three other states[7] that are part of the national effort to streamline sales and use tax compliance through the harmonization of common tax rules and procedures[8] – the Streamlined Sales and Use Tax Agreement (SSUTA).[9]

Joining SSUTA would require changes in the tax base. It is understandable that there could be difficult political questions here. However this does not mean that Pennsylvania should ignore Zappers and the serious revenue threat that automated sales suppression technology poses to state and local revenues. Zappers are cash skimming software applications. When they are added to modern electronic cash registers (ECRs) they create serious enforcement problems.

Quebec is the sub-national jurisdiction closest to Pennsylvania that has an aggressive anti-Zapper enforcement effort. The Quebec program is returning sizable amounts of revenue to the government. There is a lot to be learned from this Canadian province. The Quebec Sales Tax (QST) is a value added tax (VAT) like the Canadian federal goods and services tax (GST). For sales to final consumers (which is where Zappers are installed) there is no difference between the retail sales tax that Pennsylvania has adopted and the Canadian GST, or the Quebec QST.

This paper is about the threat that Zappers pose to the strength and stability of the sales and use tax, and how Pennsylvania can move against them by borrowing from experiences in other jurisdictions – some international, some domestic. Importantly, one of the places that Pennsylvania can look is to the certification provisions of the SSUTA. It is not necessary to join SSUTA to learn from it – although joining it might not be such a bad idea eventually.

Pennsylvania and SSUTA. Before moving on to Zappers a word on SSUTA is necessary. There are arguments on both sides of the debate on whether or not to join SSUTA. It seems that the larger states (California, New York, Illinois and Texas for example) have not found them persuasive.

The financial argument for joining SSUTA comes from Section 401(B). It allows remote vendors (without nexus in a market state) to collect and remit tax on sales sourced to the state.[10] The business incentive for doing so involves assurances that compliance cost will be minimal, and an amnesty is available (just in case the vendor should have been collecting taxes all along).

The ease of compliance that encourages businesses to collect taxes is a result of the uniformity that the state laws have under the SSUTA.

One of the major reasons that states do not join SSUTA is this same uniformity. Some argue that SSUTA’s “one size fits all” solution does not always “fit” local circumstances.[11] Additionally, states that join SSUTA lose sovereignty on critical issues like the definition of the tax base.[12]

For example, at last count there were in excess of 258 provisions in Pennsylvania Statute that would need to change to bring the state into conformity with SSUTA. Some changes are minor, such as replacing “retail price” with “sales price,”[13] others are potentially more significant. Conforming the definition of “candy and gum” to the SSUTA’s definition of “candy,” or “food and beverages” to SSUTA’s “prepared food,” and “grocery type items” to SSUTA’s “food and food ingredients,”[14] would have a broad impact on a large number of Pennsylvania businesses.

If Pennsylvania is not anxious to engage in the political debate necessary to make SSUTA-mandated changes, then perhaps it could make a concerted effort against Zappers. This might be the preferred way to go, if the state is in need of additional revenue.


Skimming cash receipts is an old-fashioned tax fraud; a fraud traditionally associated with small or medium sized enterprises. Large businesses with formalized internal control mechanisms, external accountants, and professional management structures do not normally engage in skimming,[15] although personal conversations with auditors from Revenue Quebec indicate that this may not be a solid assumption any more.

Businesses that skim frequently keep two sets of books (one for the tax man, the other for the owner). In its simplest (non-technological) form there are two tills, and the cashier simply diverts some cash from selected sales into a secret drawer. A record of the diversion may be maintained, but it will be kept outside the formal accounting system. Businesses that skim rarely do so with credit card transactions precisely because these sales can be documented externally through the banking system. Skimming frauds thrive when the owner (or a close family member) is the cashier.[16]

Technology is changing how businesses skim. The agents of change are software applications – phantom-ware and zappers. Phantom-ware is a “hidden,” pre-installed programming option(s) embedded within the operating system of a modern electronic cash register (ECR). It can be used to create a virtual second till and may preserve a digital (off-line) record of the skimming (a second set of digital books). The physical diversion of funds into a second drawer is no longer required, and the need for manual record keeping of the skim is eliminated. Because phantom-ware programming is part of the operating system of an ECR its use can be detected with the assistance of a computer audit specialist.

Zappers are more advanced technology than phantom-ware. Zappers are special programming options added to ECRs or point of sale (POS) networks. They are carried on memory sticks, removable CDs or can be accessed through an internet link. Because zappers are not integrated into operating systems their use is more difficult to detect. Zappers liberate owners from the need to personally operate the cash register. Remote skimming of cash transactions is now possible without the knowing participation of the cashier who physically rings up the sale. This attribute of Zappers allows the incidence of skimming fraud to migrate beyond the traditional “mom and pop” stores. Zappers allow owners to place employees at the cash register, check their performance (monitor employee theft), but then remotely skim sales to cheat the taxman.

While Pennsylvania has uncovered no zappers or phantom-ware applications, the Province of Quebec (alone) has brought over 250 cases to court

To get a sense of how Zappers and phantom-ware function in the marketplace, and how it becomes a “cottage industry” for the installers of electronic cash registers (ECRs) and point of sale (POS) systems, a brief review of the two US cases and three Quebec cases is helpful.

American Zapper cases. There are only two reported US Zapper cases – Stew Leonard’s Dairy and the La Shish restaurants. Both follow federal income tax investigations.[20] Detailed information about the La Shish restaurants case is not publicly available. It remains an open and active criminal case involving international fugitives closely associated with a known terrorist organization. There is a great deal known about Stew Leonard’s Dairy.

Stew Leonard’s Dairy. Stew Leonard’s Dairy was “the largest criminal tax case in the history of Connecticut.”[21] It was also the “largest computer driven tax-evasion case in the nation.”[22] Stew Leonard’s Dairy (a local grocery chain associated at one time with a dairy farm) skimmed an estimated $17 million in receipts over a ten-year period. The cash was taken in large denomination bills by suitcase to St. Martin in the Caribbean.[23]

The Connecticut Supreme Court describes the Zapper used in Stew Leonard’s Dairy as follows:

The Dairy’s sales recording system was composed of a computerized cash register system [with 25 ECRs] that recorded sales at the time of the transaction. At the point of sale, each product, which contained a universal product code (UPC) indicating its taxable or non taxable status, was scanned and the resulting sales information was transmitted to the main computer terminal. The Equity program [the in-house name for the Zapper], among other things, altered some of the UPC-based computerized records of the Dairy’s gross sales. Specifically the program reduced item and dollar sales across a broad range of products to correspond with the amount of cash diverted each week. As we noted previously, the Equity program did this by writing over the original sales data, thereby rendering the original data irretrievable.

In our view, the result was akin to destroying the electronic equivalent of cash register tapes and replacing those tapes with ones containing false sales data.[24]

Stew Leonard’s Dairy is a microcosm of how the manual skimming of cash receipts moves into technology. There are two pressures on an enterprise like Stew Leonard’s Dairy: (a) an increased risk of detection from increasingly sophisticated auditors, and (b) the sheer complexity of skimming small amounts of cash from a large number of small transactions in an extremely diverse retail operation.

Skimming began at Stew Leonard’s in the 1970’s as a physical skimming operation. It was performed by the CFO, Barry Belardinelli who worked in the store’s vault room where large bags of cash were received daily from the store’s cash registers.[25]

Belardinelli coordinated the skimming (but the amounts and days of the week when skimming was performed were designated by Frank or Steven Guthman). In about 1981 or 1982 this skimming was automated. The Second Circuit indicated:

To conceal the skim, defendants instituted a computer program that altered the store’s sales data to account for the skimmed cash. Creation of the program was necessary to synchronize the data generated by the computerized cash registers with the information generated by Belardinelli’s altered daily sales reports. In 1981 or 1982, Frank Guthman instructed Jeffrey Pirhalla, a store computer programmer, to write a complex program [called the “Equity Program”] that reduced the store’s sales and financial data by the amount of the skimmed cash and permanently altered the data from which the books and records were created. The program left no audit trail that it had run. Frank Guthman operated it on the first day of each accounting week using the figures provided him by Belardinelli and kept the tape cassette containing the program hidden in his office. He instructed Pirhalla to keep the program secret and, from time to time, told Pirhalla to alter the program to keep up with the store’s changing computers.[26]

Mr. Pirhalla was a computer specialist with detailed knowledge of the operating system of the ECRs used in Stew Leonard’s Dairy. Stew Leonard hired Pirhalla from National Cash Register (NCR). It was important to employ someone like Mr. Pirhalla, because a Zapper needs to be re-designed whenever the base operating system is updated. Running an old Zapper against the records of an updated ECR often leaves traces that a good auditor can use to detect the fraud.

Mr. Pirhalla however, was a risk that could not be minimized. Once fraud was suspected, “[t]he IRS and U.S. Attorney [became] very interested in Mr. Pirhalla’s first-hand knowledge, and immediately enlisted his cooperation in return for granting him immunity from prosecution. … The IRS [also] retained the services of NCR personnel who were expert in the Dairy’s computer system. They, along with Mr. Pirhalla, worked under the supervision of special agent Doreen Schultz, the IRS’s own computer book-keeping system expert.”[27]

One of the special features of the Zapper in Stew Leonard’s Dairy was that it was designed to do more than “zap” cash sales. It was also designed to withstand the scrutiny of a rigorous income tax audit – an audit that undertook to systematically match purchases (inventory) against sales. The Equity Program adjusted both prices and units bought and sold. Minor price changes were evenly spread out and inventory losses recorded as increases in spoilage. The design was to make the skimming nearly undetectable on normal audit. The Connecticut Superior Court makes this clear:

As an example, the program was designed to say that today’s criteria for the sale of cucumbers would be 50 units. If more than 50 units of cucumbers were sold, the excess was diverted into the Equity Program. The Equity Program scanner went through every single item that was sold that day. The amount diverted was spread over a wide spectrum of products. Some calculations amounted to pennies per item.[28]

The Zapper in Stew Leonard’s Dairy pre-dated memory sticks, CDs and zip files. This Zapper was kept on a cassette in a hollowed out book in Stew Leonard’s library. Obsolete versions of the program were kept by Frank Guthman at home in his basement.[29]

La Shish restaurants. More recently, Talal Chahine and his wife, Elfat El Aouar, owners of the thirteen-store La Shish restaurant chain in Detroit, Michigan acquired the dubious distinction of replacing Stew Leonard’s Dairy as the leading U.S. Zapper case. Although Elfat was sentenced, May 16, 2007, to 18 months for tax evasions, Talal remains a fugitive from U.S. authorities (believed to be in Lebanon) with a warrant issued for his arrest.[30] Together they zapped more than $20 million in cash sales over a four-year period and sent the funds in small denomination cashiers checks to Hezbollah in Lebanon.[31]

Quebec Zapper cases. There are over 250 zapper cases in Quebec, but three of them can be used to more fully illustrate how Zappers are spread through a marketplace by small IT professionals that install and maintain ECRs and POS systems – the cases of Audio Lab LP, Michael Roy and Luc Primeau are considered.

Audio Lab LP. On April 8, 2004 Revenue Quebec announced that it executed four search warrants on the numbered company 9061-1184 Quebec Inc. that operated a restaurant under the name San Antonio Grill in Laval, Quebec. The allegation was that a “sales Zapper” (camoufleur de ventes) was used to delete sales records. The Zapper was on a diskette used in connection with the restaurant’s computer system.[32]

Next year, on April 25, 2005, Revenue Quebec announced that the director of San Antonio Grill pleaded guilty to using a Zapper. (The director, Mr. Apostolos Mandaltsis, was personally fined.) A related company of similar name, Grill San Antonio in Repentigny, also pleaded guilty to similar offenses.[33]

Later that year, on October 1, 2005, Revenue Quebec announced that it executed five more search warrants in Montreal and Laval with respect to Audio Lab LP, Inc. It was under suspicion of having developed and marketed a Zapper that was compatible with its own restaurant cash register software, Softdine.[34]

Softdine was the operating software in the cash registers at San Antonio’s Grill in Laval, and at Grill San Antonio in Repentigny. On June 26, 2007 Audio Lab LP, Inc. pleaded guilty to charges of having, “… designed and marketed a computer program designed to alter, amend, delete, cancel or otherwise alter accounting data in sales records kept by means of a software that [Audio Lab LP] had designed and marketed.” In other words, it pleaded guilty to developing a Zapper to “add-on” to its own commercial software (Softdine) that it provided to restaurants for use in their POS systems. Press reports directly link this conviction to the investigation begun at Grill San Antonio in Laval in 2004.[35]

Michael Roy. Before the first warrants were issued in Audio Lab LP Revenue Quebec had successfully brought to conclusion an extensive investigation of twenty-eight restaurants doing business under the name Stratos. Each of the restaurants in the Stratos chain used Zappers. To dispose of the excess cash from skimmed sales (1) a double billing system was put in place with suppliers (to conceal purchases made in cash), and (2) wages were paid to employees in cash (without being reported as income).

The guilty pleas from this investigation came in waves – nineteen companies pleading guilty on September 26, 2002; another six pleading guilty on October 11, 2002, and the four remaining pleading guilty on March 21, 2003. Press releases provide details of only the final ten companies. In aggregate the taxes and penalties for these companies came to $1,816,070.90, but the real thrust of the news releases was that “… the Department has conducted searches in order to establish proof that the designer of the IT function associated with the cash register software Terminal Resto had participated in the scheme set up by restaurants in the Stratos chain.” The breakdown is: $429,179.07 (GST) + $492,023.11 (PST) + $214,589.55 (federal penalties) + $625,028.89 (provincial penalties) + $55,250.28 (judicial fees).[36]

That proof was forthcoming on April 25, 2003, when Mr. Michel Roy and his two sons Danny and Miguel were convicted of tax evasion. The father (Michel) was the creator of the Zapper that worked with Resto Terminal. He promoted it and made the sales. His sons (Miguel and Danny) installed the software and designed the civil fraud. Aggregate fraud penalties assessed against the Roys were $1,064,459.[37]

Luc Primeau. Revenue Quebec announced on March 17, 2003 that seven Patio Vidal restaurant franchises and a bar, La Tasca, from Gatineau, Quebec as well as another bar named O’Max in Masson-Angers, Quebec were convicted of adding Zappers to their Microflash cash register software (later upgraded to a new version called Caracara). Even though guilty pleas were entered on March 14, 2003, a search warrant had already been executed the previous December against the designer of Microflash and Caracara, because the software developer was suspected of also being the developer of the associated Zapper program.[38]

On October 17, 2005 Luc Primeau admitted using his software to assist these companies to evade $435,000 in GST and QST. They skimmed $2.7 million in cash sales. Mr. Primeau was fined $20,000 for his involvement. However, Mr. Primeau was more than a Zapper salesman; he considered himself a provider of management services (admittedly focused on how to “manage Zappers”) for which he also charged a fee. Revenue Quebec determined that not only did Mr. Primeau fail to report GST and QST of $33,725.45 on his own sales (of Zappers), but he also failed to report income of $155,084.99 in services income (Zapper management advice).[39]

The real reason Mr. Primeau did not report this income probably [although no one really knows] has to do with the fact that he was being paid out of the $2.7 million in skimmed cash sales from the nine companies where he sold, installed and managed his Zappers. These funds probably needed to be kept “hidden” (to facilitate the overall success of the fraud), and in a sense represented his “share” of the skimmed profits.


The leading government studies of automated sales suppression are from Quebec and Germany. The UK has completed a national study but it is not public. Sweden has also completed a non-publicly available study, and all we know is that the results indicate that 70% of the ECRs in Sweden are infected.[40] The available studies (Quebec and German) focus on the restaurant sector.

The German and Quebec studies both underscored the need for significant enforcement efforts. Neither government has made the full studies available (because some details contain confidential taxpayer information), but a government-to-government exchange could be (and most likely should be) arranged, if Pennsylvania wanted more detail. Summaries have been released, and they arrive at similar conclusions.

Quebec. The government of Quebec conducted two studies. The first study gathered its subjects from the customer list of a known distributor/developer of automated sales suppression software. This investigation (the First Inspection Wave) examined 70 systems and uncovered 41 zappers.[41] A more statistically accurate investigation followed (the Second Inspection Wave). It was based on a random sample of businesses within the restaurant and hospitality industry. This survey, conducted by Finances Quebec, found that 16% of all sales went unreported.[42] This of course is a consumption tax as well as an income tax problem.

Both of these studies were relied upon by the Quebec Minister of Revenue, Jean-Marc Fournier, when he announced legislative changes, enhanced enforcement efforts, and a pilot project designed to counter the penetration of sales suppression technology in the restaurant sector. On January 28, 2008 he indicated:

Although the majority of restaurant owners comply with their tax obligations, the restaurant sector remains an area of the Quebec economy where tax evasion is rampant, both in terms of income taxes and sales taxes. Tax losses in this sector are significant. Revenue Quebec estimates them at $425 million for the 2007–2008 fiscal year.[43]

Other things being equal,[44] because Pennsylvania’s economy is roughly 217% the size of the Quebec economy, a similar study in Pennsylvania’s restaurant sector might find tax losses in the range of $900 million to $1 billion.[45] Although restaurants are a popular area for sales suppression it is clear from Dutch and Brazilian investigations that grocery and convenience stores, hairdressers and butcher shops also have very high concentrations of automated sales suppression. Because the sales tax does not reach as broadly as a GST/VAT, this kind of technology-assisted fraud in Pennsylvania’s grocery stores and hairdressing salons would impact the income tax more than the sales tax.

Germany. The Interim Report of the German Working Group on Cash Registers indicated that the Group was “… aware of [technology-assisted] fraud amounting to 50% of companies cash receipts.”[46] The Working Group did not separately quantify the kinds of technology-assisted fraud involved.

The Working Group’s 50% observation is supported by a report made by the German Federal Audit Office (BHR) to the German Parliament in 2003. In this report the BHR appears to focus only on factory installed software.[47] The BHR concludes that the potential loss in Germany is in the billions of euro:

The Federal Audit Office (BHR) has complained that later models of electronic cash registers and cash management systems now fail to meet the principles of correct accounting practice when it comes to recording transactions … The risk of tax fraud running into many billions [of euro] should not be underestimated in cash transactions.[48]

Both the BHR’s observations and the Working Group’s study are further buttressed by summaries from studies conducted by three German federal states. These studies are limited. Like the Quebec studies, they focus only on the restaurant sector. But they too conclude that sales suppression is a significant problem:

One federal state is currently implementing a special “restaurant” initiative. Checks already made have led to average upward revisions of 46% of original turnover. A comparable initiative in another federal state resulted in over half the cases (54%) having upward revisions of 60% of declared turnover. Fraud amounting to 25% was detected in a fifth of the cases, and was as high as 5% in the remaining 26% of cases. A third federal state has found that around 45% of till receipts involving cash are subject to upward revisions ranging from 20% to 118%.[49]

Therefore, based on these studies and the American cases, it seems reasonable to conclude that zappers may well be siphoning off more than $900 million in sales tax revenue from Pennsylvania’s restaurant sector each year (and have been doing so for about ten years, given the start of the Quebec enforcement activities and the scope of the problem at that time).


Globally, two policy orientations guide enforcement actions in this area – one approach is rules-based; the other is principles-based.[50] They are not mutually exclusive – degrees of blending are common. Rules-based jurisdictions adopt comprehensive and mandatory legislation regulating, and/or certifying cash registers. Jurisdictions taking this approach include Greece and (possibly) Germany. These jurisdictions are classified generally as “fiscal till” or “fiscal memory” jurisdictions.

Principles-based jurisdictions rely on compliant taxpayers following the rules. Compliance is enforced with an enhanced audit regime. Comprehensive, multi-tax audits (the simultaneous examination of income, consumption and employment returns) are performed by teams that include computer audit specialists. Audits are frequently unannounced and preceded by undercover investigations that collect data to be verified. Jurisdictions taking this approach include the UK and the Netherlands. France has implemented a program of preventive audits that target technology providers.[51] A similar effort can be found in Quebec where the customer lists of audited technology providers have been used to roadmap later audits of businesses suspected of technology-assisted skimming.

Quebec is in transition between these policy orientations. Prior to January 28, 2008 Quebec was squarely with the group that preferred a principles-based approach. However, the Quebec Minister of Revenue, Jean-Marc Fournier, announced[52] that by late 2009 the MRQ (Ministry of Revenue, Quebec) would be testing the module d’enregistrement des ventes (MEV).[53] The MEV is currently used only in the restaurant sector. By 2011 MEVs will be mandatory in all Quebec restaurants, where they will assure accuracy and retention of business records within electronic cash registers (ECRs).

The US is particularly hampered in its approach to Zappers – federal income tax audits are not well coordinated with state and local retail sales tax audits. In addition, federal computer audit specialists are not normally assigned to audits of small and medium sized enterprises (SMEs), and this is where the Zappers are.

Nevertheless, if Pennsylvania wants to tackle this problem it could apply a uniquely American solution – blending rules and principles based solutions in a simple extension of SSUTA principles.[54] Under a SSUTA structure certified third party software providers (CSPs)[55] could be tasked with assuring ECR accuracy. Not only is the SSUTA legal framework operational, but at present levels of technology a CSP could readily assure a state like Pennsylvania that the ECRs were accurately recording sales, that the correct retail sales tax was being collected by the business, and that it was properly remitted. At the same time federal authorities could be assured that Zappers were not being used to underreport income. Certification of the CSP could be undertaken jointly (by state and federal agencies).

But there is even more that can be done. Puerto Rico has been invited to join the SSUTA and has not done so (like Pennsylvania), but it is contemplating a comprehensive sales tax compliance system that will involve (a) direct remission of tax collected on credit card transactions to the tax administration, (b) Zapper prevention software installed on all ECRs, and (c) certified tax calculation and return submission by third party providers.


The final part of this article will describe four solutions to the zapper problem. The traditional fiscal till solution (employed by Greece) will be contrasted with the traditional principles-based solution (employed by the Netherlands). The German smart card approach will be considered next, followed by the Puerto Rican comprehensive hybrid approach.


Greece has had comprehensive, rules-based fiscal till legislation in place for over twenty years. Technical specifications for Fiscal Electronic Devices (FEDs) were published widely in 2004. These rules provide complete ECR data security.

All Greek ECRs are certified. It is illegal to operate a business with a non-certified cash register. All technical specifications for certification are set out in Greek law. It is a very simple matter for an auditor to determine if a specific ECR has been tampered with. Factory-installed phantom-ware must be removed before certification. If a self-help version of phantom-ware[56] is put on an ECR it will either be blocked, or there will be a record of the manipulation so that its impact on revenues will be neutralized. Data from all transactions are preserved and SHA-1 encrypted in the fiscal memory. Use of an add-on zapper is a violation of the licensing regulations, and is detected in the same manner as self-help phantom-ware.

Through the certification process the Ministry of Finance preserves a copy of all approved firmware. It is a simple matter to calculate a checksum value (CRC-32[57] or SHA-1) for the object code of the firmware. Auditors can then read the contents of the program memory of a certified ECR and determine if changes have been made in the firmware (through phantom-ware or zappers) by comparing their reading with that of the file kept in the Ministry of Finance.
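The firmware comparison described above, written out as an added Python example that is not code from this article or from any tax authority. The registry layout, the model and version names, the block size and the sample images are assumptions constructed for illustration; the per-block digests go beyond the text and serve to locate the altered region once a mismatch is found.

```python
import binascii
import hashlib
from dataclasses import dataclass, field

BLOCK = 256  # comparison granularity in bytes (assumption, not from any specification)


@dataclass(frozen=True)
class CertifiedFirmware:
    """Reference record held by the certifying authority (hypothetical layout)."""
    size: int
    crc32: int
    sha1: str
    block_sha1: tuple  # per-block digests, used only to locate a change


@dataclass
class AuditResult:
    ok: bool = True
    findings: list = field(default_factory=list)
    changed_offsets: list = field(default_factory=list)


def block_digests(image: bytes) -> tuple:
    return tuple(hashlib.sha1(image[i:i + BLOCK]).hexdigest()
                 for i in range(0, len(image), BLOCK))


def certify(image: bytes) -> CertifiedFirmware:
    """Run once, at certification time, on the approved object code."""
    return CertifiedFirmware(len(image), binascii.crc32(image) & 0xFFFFFFFF,
                             hashlib.sha1(image).hexdigest(), block_digests(image))


def audit(registry: dict, model: str, version: str, dump: bytes) -> AuditResult:
    """Compare a program-memory dump read in the field with the certified record."""
    res = AuditResult()
    ref = registry.get((model, version))
    if ref is None:
        # Firmware the authority never approved is a finding in itself.
        res.ok = False
        res.findings.append(f"no certified firmware on file for {model} {version}")
        return res
    if len(dump) != ref.size:
        res.findings.append(f"size {len(dump)} differs from certified size {ref.size}")
    # CRC-32 is an error-detecting code, not a cryptographic hash; it is reported
    # for completeness, but the SHA-1 comparison is the one that decides.
    if binascii.crc32(dump) & 0xFFFFFFFF != ref.crc32:
        res.findings.append("CRC-32 mismatch")
    if hashlib.sha1(dump).hexdigest() != ref.sha1:
        res.findings.append("SHA-1 mismatch")
    if res.findings:
        res.ok = False
        seen = block_digests(dump)
        # Walk both digest lists so truncated and extended dumps are located too.
        for n in range(max(len(seen), len(ref.block_sha1))):
            expected = ref.block_sha1[n] if n < len(ref.block_sha1) else None
            actual = seen[n] if n < len(seen) else None
            if expected != actual:
                res.changed_offsets.append(n * BLOCK)
    return res


# --- constructed sample data (not real firmware) ---
APPROVED = bytes((i * 37 + 11) % 256 for i in range(1024))
REGISTRY = {("ECR-100", "1.0"): certify(APPROVED)}  # hypothetical model/version

_patched = bytearray(APPROVED)
_patched[600:604] = b"\x00\x00\x00\x00"   # four bytes altered in place
PATCHED = bytes(_patched)
EXTENDED = APPROVED + b"\xff" * 100       # extra bytes appended after the image

if __name__ == "__main__":
    for label, dump in [("approved", APPROVED), ("patched", PATCHED),
                        ("extended", EXTENDED)]:
        r = audit(REGISTRY, "ECR-100", "1.0", dump)
        print(label, r.ok, r.findings, [hex(o) for o in r.changed_offsets])
```
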

If Pennsylvania were to adopt the Greek approach it would most likely do so through a business license rule. One of the conditions for doing business in Pennsylvania (if the business was planning on making sales to the public) would be the purchase, installation and use of a certified cash register. A more stringent rule would make it illegal to sell unregistered cash registers in the state.


The Netherlands is a principles-based jurisdiction, relying only on traditional audits to detect sales suppression technology. Fiscal till jurisdictions, like Greece, also rely on audits, but not to the same extent and certainly not with the comprehensive scope as the Dutch.

The Dutch are convinced that audits (alone) are sufficient. They reject fiscal till technology. The fundamental emphasis in the Netherlands is on detailed, comprehensive, and technologically penetrating audits. Direct government intrusion into the record keeping systems of all businesses (encrypting the memory of all ECRs and POS systems) just to catch a few fraudsters is avoided. The Netherlands feels it can rely on good business practices and compliant taxpayers.

Netherlands officials speak about performing “deep audits.” A “deep audit” considers businesses comprehensively – it looks at income taxes, consumption taxes and employment taxes simultaneously and with heavy stress on the interrelationships among taxes.

The Netherlands has been successful with this approach. One of the best examples of how a comprehensive multi-tax audit can uncover data manipulations, and how this fraud is derivative of the symbiotic relationship that develops between SMEs and their ECR providers can be seen in the Grand Cafè Dudok case.[58]

Dudok skimmed cash receipts with a primitive zapper and used a portion of the cash to pay employees under the table. The Belastingdienst (Dutch IRS) was suspicious of the low wages reported, and thought that additional (unreported) compensation might be being distributed (under the table).[59] Testimony in the case indicated that on the second day of the payroll audit the managing director of Straight Systems BV visited Dudok. Straight Systems BV[60] supplied the Finishing Touch point-of-sale cash registers that were used by Dudok. The owner-manager explained that he was having difficulty accounting to the Belastingdienst for wages, in part because the auditors were also questioning the turnover. The numbers did not “seem right” to the auditors, and they were requesting back-up data, something that would lead them to the primitive zapper he was using.

The managing director of Straight Systems explained the existence of a more sophisticated zapper, a “hidden delete” option already embedded in the Finishing Touch cash registers. This was, “… a hidden menu option that, after enabling …, allowed operators of catering establishments to delete cash register receipts from the system.”[61] After this discussion “… an employee of [Straight Systems] visited [Dudok] and explained [and enabled] the application of the erase rule [or hidden delete function[62]], after which [Dudok] subsequently decided to start using [it] …”[63]

The court upheld criminal tax fraud determinations in the Dudok case under income, value added, and payroll taxes. Both the restaurant operator and the ECR/software provider were convicted.

It is clear that an intensive and comprehensive audit approach works against automated sales suppression devices. If Pennsylvania were to take this approach it would (most likely) need to invest heavily in technology-proficient tax auditors. This is a labor-intensive approach to Zappers, and the state would need to make this commitment.


The German solution involves encrypting critical data from the ECR on smart cards securely embedded in ECRs. The German National Metrology Institute (PTB: Physikalisch-Technische Bundesanstalt) is the home of the INSIKA project (Integrierte Sicherheitslösung für Kassensysteme – Integrated Security Solutions for Cash Registers), which began work on prototypes of the solution in 2008.

Papers on encryption[64] by Dr. Norbert Zisky of the PTB convinced the German Working Group that encryption techniques had been sufficiently tested in secure communication settings with measuring instruments[65] that they could form the basis of a solution to zappers. The INSIKA project was charged with completing the technical specifications for a signature smart card by the summer of 2008,[66] but work was not fully complete until the middle of 2009.

Included with the technical specifications for the signature smart card was a determination of the data structures and formats, communication protocols and security analysis for the system.[67]

Based on the recommendations of the Working Group, Vectron Systems AG developed (and is currently demonstrating) a privately developed prototype of the German solution. Under the Vectron prototype, every record holding sales data (or any other activity performed on a cash register) is secured through an encrypted hash total of the main data elements in the ECR. A secure electronic signature is issued for this data based on Public Key Infrastructure (PKI).

The essence of the German solution revolves around cryptography and smart card access to cryptographic data preserved within the cash register or POS system. When the revenue authority audits it can access the records of the cash register with a “key” to read the data and determine if there has been tampering.

The German solution is a fiscal till solution, but it is far more flexible and potentially more comprehensive than the Greek solution. The German solution was to have all ECRs and POS systems fitted with a smart card containing a crypto processor that e-signs designated “tax-relevant data.” With this device the entire Electronic Journal could be signed on a regular basis, or each transaction, open or closed (sale, refund, training session, voided sale, or temporary record), could be designated as tax relevant and signed whenever entered into the ECR. It would not matter under the German system if a receipt issues (the Greek and Quebec solutions are dependent on “legal receipts”). It would only matter that each sale be processed through an ECR or POS system, and that the system be fitted with a smart card.
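The per-transaction signing and audit check described above can be illustrated with the sketch below, an added example that is not INSIKA or Vectron code. It assumes the card keeps a sequence counter that is bound into each signature, and it uses HMAC-SHA256 from the Python standard library as a stand-in for the PKI signature, so the auditor here holds the same key rather than a public key. The record fields and sample journal are constructed.

```python
import copy
import hashlib
import hmac
import json


def canonical(record: dict) -> bytes:
    """Serialise a record deterministically so signer and auditor hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _tag(key: bytes, seq: int, record: dict) -> str:
    # The sequence number is bound into the tag, so a record cannot be renumbered.
    msg = seq.to_bytes(8, "big") + canonical(record)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class SignatureCard:
    """Stand-in for the signing smart card: the key and counter live only in here."""

    def __init__(self, key: bytes):
        self._key = key
        self.counter = 0  # advances on every signature, never rewinds

    def sign(self, record: dict) -> dict:
        self.counter += 1
        return {"seq": self.counter, "record": record,
                "sig": _tag(self._key, self.counter, record)}


def verify_journal(journal: list, key: bytes, card_counter: int) -> dict:
    """Audit a journal against the counter value read from the card."""
    findings, claimed, verified, total = [], set(), set(), 0
    for entry in journal:
        seq = entry.get("seq")
        in_range = isinstance(seq, int) and 1 <= seq <= card_counter
        if in_range:
            claimed.add(seq)
        if not in_range or not hmac.compare_digest(
                _tag(key, seq, entry["record"]), str(entry.get("sig", ""))):
            findings.append(("BAD_SIGNATURE", seq))   # record edited after signing
            continue
        if seq in verified:
            findings.append(("DUPLICATE", seq))
            continue
        verified.add(seq)
        if entry["record"].get("type") == "sale":
            total += entry["record"]["amount_cents"]
    # Any number the card issued that no journal entry carries was deleted.
    findings += [("MISSING", s) for s in range(1, card_counter + 1) if s not in claimed]
    return {"findings": findings, "verified_sales_cents": total}


def constructed_journal():
    """Constructed sample: five signed records, one of them a training-mode entry."""
    key = b"constructed-demo-key-not-a-real-secret"
    card = SignatureCard(key)
    records = [
        {"type": "sale", "amount_cents": 1250},
        {"type": "sale", "amount_cents": 800},
        {"type": "sale", "amount_cents": 4000},
        {"type": "training", "amount_cents": 999},
        {"type": "sale", "amount_cents": 525},
    ]
    return [card.sign(r) for r in records], key, card.counter


if __name__ == "__main__":
    journal, key, counter = constructed_journal()
    print("intact :", verify_journal(journal, key, counter))
    altered = copy.deepcopy(journal)
    del altered[2]                                # record 3 removed from the journal
    altered[1]["record"]["amount_cents"] = 100    # record 2 edited after signing
    print("altered:", verify_journal(altered, key, counter))
```

Because the counter is read from the card at audit time, records removed from the end of the journal are reported as missing as well.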

The government could conduct audits remotely, because the German solution is fully digital. A data feed could be taken directly from ECRs, or data could be transmitted through an e-mail attachment. The Greek solution cannot do this, but the Puerto Rican and Belgian solutions do.

The Greek and German solutions can also be distinguished based on “per unit” cost of implementation. The German solution is far and away the least expensive. Greece has concerns over the high costs of its solution. Under the Greek regime the entire cost is borne by business, although the government does provide tax breaks (accelerated depreciation) and financial assistance (low interest loans) to assist with hardware purchases. Quebec, on the other hand, plans to provide its solution to businesses for free, but the overall cost to the government is expected to be $55 million.[68]

Dr. Zisky estimates a cost of 50 euro for the German smart card solution.[69] In fact, Vectron’s prototype of the INSIKA smart card solution has an even lower cost estimate of a “single-unit end-user price of less than 25 euro.”[70]

In spite of all this work the German solution has not been implemented. Political will seems to be lacking, or revenue needs are not sufficiently acute. If Pennsylvania wanted to adopt the German smart card (instead of the Greek ECR certification) approach the cost per ECR would be small, and the implementation would most likely be through the same business license rules suggested under the Greek section above.


If Pennsylvania suspects that Zappers are a problem,[71] the immediate next step is to measure the extent of the problem. It needs an initial probe and a follow-up study. If this study returns results like Quebec’s and Germany’s, then one would expect to find that nearly 50% of all Pennsylvania’s ECRs are infected with Zappers or phantom-ware (although the Swedish results were 70%). Estimated (aggregate) revenue losses should be in the neighborhood of 16% of total revenue (sales tax, business income tax, payroll taxes and personal income taxes combined).

Pennsylvania might also consider a visit to Belgium to discuss Belgian approaches to this problem. Belgium is assessing the latest European technological solutions. As of this writing (August 2010) Belgium is reviewing Swedish and German approaches as well as some of the best private-sector solutions.

Belgium has reviewed the Swedish Board for Accreditation and Conformity Assessment (SWEDAC) certification standards that were completed in late 2009. It also completed an assessment of the smart-card solution developed by the INSIKA project of the German PTB. The PTB published technical specifications for its signature smart card in late 2009.[72] Data structures, formats, communications protocols and security analysis are all freely available.

Pennsylvania should also take note of the way Belgium encouraged tailor-made third-party solutions to meet its needs. For example, when BMC Inc. appeared before the Belgian revenue authority it responded to the Belgian request for an even better and more cost-effective ECR security module by sending its eTax device into further development. BMC’s eTax was already one of the few devices that met SWEDAC standards. It was certified by the Swedish tax administration on August 24, 2009.

When BMC made its presentations on March 4 and 5, 2010 it demonstrated a greatly enhanced eTax device – the Sales Data Controller (SDC). The SDC incorporates the INSIKA smart card into its protection profile. This new system meets German and Swedish demands for security. But BMC did not stop there. It went further. The new BMC system borrowed from the Quebec solution an ability to produce encrypted bar codes on receipts that can be read by a hand-held audit scanner.

The Belgian effort, then, is a classic example of how a tax administration can use the marketplace to forge strategic partnerships that advance cutting-edge solutions. By controlling the specifications and insisting on free competition, Belgium feels confident that it will find a balanced (cost-effective/cutting-edge/optimally secure) solution. Pennsylvania could do the same. Belgium is casting the net broadly, considering a wide range of government and private-sector solutions. As technology advances, so too will the specifications and the certification standards.

Belgium, at this point, is looking around for feasible technical solutions at reasonable cost for both taxpayer and government and [which will offer] the highest possible protection. … The Belgian Government will make a choice and then publish the required technical specifications … Whatever that choice will be [, the field for providing cash register security] will be open for competition, in accordance with all EU rules of free competition.[73]

What else can be done? Perhaps the agreement reached between the major credit card companies and the government of Puerto Rico whereby tax collected on credit card sales is remitted directly to the tax authority should be considered?[74] Businesses prefer a direct remission system because it removes the sales tax from credit card fees. Under the current system when a credit card company remits the tax back to the retailer it assesses credit transaction fees on the tax amount as well as the purchase price, before the tax is forwarded to the state. This system will directly reduce business costs. In Pennsylvania this would reduce credit card fees by 6% to 8%.

There are three aspects to accurate sales tax collection and enforcement: (1) credit card sales, (2) cash sales, and (3) Zappers. If credit card sales are directly remitted, and cash sales are securely recorded (and digitally reported to the government through an eTax device similar to that on the SDC) and if these attributes are blended with the certified service provider concept under the SSUTA, then a fully digital, accurate, and fiscally secure sales tax system can be put in place. Returns would be fully automated, revenues would be remitted close to real time, and audit burdens would be substantially reduced.

The author proposed this solution in Montreal at a conference sponsored by the Quebec Ministry of Finance.[75] This conference, like this symposium issue, was reaching out to tax academics to try to find solutions to revenue shortfalls.

But then again, Pennsylvania might not believe there is a problem with Zappers and phantom-ware in the Commonwealth. On May 16, 2008, after a Zapper presentation at the Federation of Tax Administrators the author directed the following question to Ms. Janis Holloway, a spokesperson for the Pennsylvania Department of Revenue:

“Have you seen a zapper in Pennsylvania?”

The question was referred, and the Deputy Secretary for Compliance and Collections responded for the Commonwealth. He indicated:

“We do not have Zappers [in Pennsylvania. However, t]hey are being deployed in Canada … mostly in the restaurant businesses …”[76]

If this is indeed the case, and there have been no cases uncovered since 2008 in Pennsylvania to prove otherwise, then the search for more sales tax revenue needs to be directed at rate increases or the SSUTA.

[1] Federation of Tax Administrators, 2007 State Tax Collection by Source (indicating that 28.1% of all Pennsylvania revenue is generated by the sales tax whereas 31.8% is generated by the personal income tax) available at: https://www.taxadmin.org/fta/rate/07taxdis.html (last visited, August 26, 2010).

[2] John L. Mikesell, Dynamic Patterns in State Sales Tax Structures: Tax Policy Change and Convergence, 1979-2007, 51 STATE TAX NOTES 175, 187 (Jan. 19, 2009) (indicating that without the sales tax the volatility of the Pennsylvania tax system increases by more than 50% to 8.23% from 5.64% over the period from 1979 through 2000, also indicating that the full Pennsylvania system is less volatile than the mean generally, but more volatile than the mean if all states are considered without the sales tax).

[3] Philadelphia Office of the City Controller, Financial Forecast & Snapshot, (January 2010) (indicating that a dramatic increase in sales tax revenues – $18.2 million or nearly 60% reflects an increase in the sales tax rate to 2%, but masks an 8% decline in the City’s tax base from the prior year) available at: https://www.philadelphiacontroller.org/publications/fpau/Combined%20Snapshot%20and%20Forecast_2010_01.pdf (last visited, August 26, 2010).

[4] 2009 County of Allegheny Comprehensive Annual Financial Report (December 31, 2009) 127 & 316 (indicating that sales tax revenues were $39,172,875, which represented a decrease of 2.9% or $1.2 million) available at: https://www.alleghenycounty.us/controll/cafr2009.pdf (last visited, August 26, 2010).

[5] The Streamlined Sales and Use Tax Agreement (SSUTA) is a tax harmonization and voluntary software certification regime. Under the SSUTA tax calculation software is certified by Member States. Businesses that use certified software (or that contract with trusted third-party providers that use certified software) are insulated from liability for any errors in determining the proper tax. See: SSUTA § 301 (voluntary registration); § 402A (amnesty rules); § 501 (certification provisions). The SSUTA is available at: https://www.streamlinedsalestax.org.

[6] Donald Bruce, William F. Fox & LeAnn Luna, State and Local Sales Tax Revenue Losses from E-Commerce, 52 STATE TAX NOTES 537, 544 (May 18, 2009) (estimates for years 2007 – 2012, aggregating to $1,711.9 million in Pennsylvania for all six years).

[7] Although the agreement itself was the product of the combined effort of 44 states and the District of Columbia, the 23 full-member states that are currently implementing the SST are: Arkansas, Indiana, Iowa, Kansas, Kentucky, Michigan, Minnesota, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Oklahoma, Rhode Island, South Dakota, Vermont, Washington, West Virginia, Wisconsin and Wyoming. Ohio, Tennessee, and Utah are associate members.

[8] Douglas Rooks, Maine Tax Panel Rejects Compliance with Streamlining Agreement, TAX ANALYSTS (Doc 2006-6877; 2006 STT 69-9) (Apr. 11, 2006).

[9] Streamlined Sales and Use Tax Agreement (adopted November 12, 2002, amended November 19, 2003 and further amended November 16, 2004).

[10] Andrew W. Swain & Helder A. Pinto, State Interest Grows in Tapping Out-of-State Sellers for Revenue, 53 STATE TAX NOTES 505, 513 2009 STT 161-1 (Aug. 24, 2009) (comparing the efforts under the SSUTA with revisions of nexus rules as a way to secure e-commerce revenue).

[11] Robert D. Plattner, Daniel Smirlock & Mary Ellen Ladouceur, A New Way Forward for Remote Vendor Sales Tax Collection, 55 STATE TAX NOTES 187, 191; 2010 STT 11-2 (Jan. 18, 2010) (explaining the New York position on the SSUTA and indicating why it is not likely that it will join). See also: Thomas M. Leonard & Stephen McGonegal, The Streamlined Sales Tax Project … An Initiative Whose Time Has Not Come, THE MILKEN INSTITUTE REVIEW 18 (June 2005).

[12] Id., at 191

[13] 61 Pa Code § 31.14(a).

[14] 61 Pa Code § 60.7(a)

[15] EU Commission, Fiscalis Committee Project Group 12, Cash Register Project Group, Cash Register Good Practice Guide, ¶ 2.5 (Dec. 2006) (on file with author).

[16] See for example the use of double tills to manually skim cash receipts in the UK at Aleef Garage Ltd. This was a £5.3 million tax fraud, and Steve Armitt, Group Leader HMRC Criminal Investigations, indicated, “… the investigation was made all the more difficult because of the closed ranks of the employees involved some of whom were close family members … [t]hose involved tried to make it as difficult as possible for the cheating to be discovered.” HMRC News Release, Company Directors Jailed for £5million Fraud 1 (Nov. 13, 2007) available at https://www.gnn.gov.uk/content/detail.asp?NewsAreaID=2&ReleaseID=330199 (last visited August 25, 2010).

[17] Roy Furchgott, With Software, Till Tampering Is Hard To Find, NYT C6 (August 20, 2008) indicating: [T]he Canadian province of Quebec may be the world leader in prosecuting zapper cases. Since 1997, zappers have figured in more than 230 investigations, according to the tax collecting body Revenue Quebec, which has found an active market for the software. In making 713 searches of merchants, Revenue Quebec found 31 zapper programs that worked on 13 cash register systems. Available at: https://www.nytimes.com/2008/08/30/technology/30zapper.html?scp=1&sq=With%20Software,%20Till%20Tampering%20Is%20Hard%20to%20Find%20%20comments&st=cse

[18] Craig Silverman, Zapped!, HOUR (Feb. 19, 2004) available at: https://www.hour.ca/news/brief.aspx?iIDArticle=783 (last visited August 25, 2010).

[19] Turcotte v Quebec (Ministry of Revenue) 1998 CarswellQue 1041, [1998] R.D.F.Q. 110 Superior Court of Quebec. This case involved the MRQ investigation of Gamma Terminal, Inc., a wholly owned Canadian subsidiary of an American company, Gamma Micro Systems. This investigation began in 1997 and focused on the distribution of the Gamma Restaurant Management System. It eventually led to a number of convictions of restaurants that used this system to delete sales records, including the companies 136530 Canada, Inc. and San Antonio’s Grill. Revenue Quebec, Press Release, Deux sociétés coupables d’avoir utilisé un camoufleur de ventes dans des restaurants de Laval et de Repentigny (English Trans. Two companies guilty of having used a camoufleur sales in restaurants in Laval and Repentigny) April 25, 2005 available at https://www.revenu.gouv.qc.ca/eng/ministere/centre_information/communiques/ev-fisc/2005/25avril.asp (in French, translation on file with author) last visited August 25, 2010.

In the early days Quebec was concerned that the software that facilitated this fraud was US made and was sold over the internet for $500.[17] Canadian subsidiaries of US companies were early providers.[18] Soon however, the design and installation of this software became a “cottage industry” for local IT professionals.[19]

[20] In the Stew Leonard’s Dairy case U.S. Customs searched Stew Leonard Sr. in the Spring of 1991, leading to the execution of search warrants on August 9, 1991 by special agents of the IRS Criminal Investigation Division. Leonard, 37 F.3d at 35; 75 YEARS OF CRIMINAL INVESTIGATION HISTORY, supra note 21, at 145. The State of Connecticut commenced its audit “… as a result of IRS actions, in February, 1992 …” Leonard, 254 Conn. 286, 289 (2003). On July 22, 1993 Stew Leonard pleaded guilty in the federal audit. The State’s audit was nowhere near completion at this time. A final Connecticut determination was not rendered until February 27, 1996. The La Shish case seems to follow a similar pattern, although this cannot be stated with certainty. The only public information on the La Shish case is through court documents filed in the federal enforcement action. Nothing is public from the State of Michigan, although it would seem clear that along with the skimmed gross receipts would be skimmed sales tax. There is no record of a prior State of Michigan tax, or related search and seizure action. In a request for this information Mike Eschelbach, Administrative Law Specialist, Tax Policy Division replied: Michigan law (Michigan Compiled Laws Section 205.28(1)(f)) prohibits divulging any facts or information obtained in connection with the administration of a tax, or information or parameters that would enable a person to ascertain the audit selection or processing criteria of the department for a tax administered by the department. Accordingly, we are unable to provide you with the information you seek. Personal e-mail communication, Feb. 4, 2008 (on file with author).

[21] DEPT. OF THE TREAS., I. R. S. 75 YEARS OF CRIMINAL INVESTIGATION HISTORY (1919 – 1994) 146, available at https://www.thememoryhole.org/irs/irs_75_years.rtf (last visited Sept. 15, 2010).

[22] Jacques Steinberg, Connecticut Store Owner Sentenced in Tax Fraud, NYT, Sec. B, page 1, col. 3 (Oct. 21, 1993)

[23] U.S. v. Stewart J. Leonard Sr. & Frank H. Guthman, 37 F.3d 32 (1994), aff’d. 67 F.3d 460 (2nd Cir. 1995) (although the tax case was settled, the details of the fraud are preserved in these federal sentencing appeals).

[24] Leonard, 264 Conn., at 298.

[25] Leonard, 37 F.3d at 33.

[26] Id. at 35.

[27] Brief for Appellee, supra, at 17-18.

[28] Stewart J. Leonard Sr. dba Stew Leonard’s Dairy v. Commissioner of Revenue Services, No. CV 980492503S, 2000 Conn. Super. LEXIS 991, at 4-5 (Conn. Sup. Ct. Jun. 10, 2003) (emphasis added).

[29] U.S. v. Stewart J. Leonard Sr. & Frank H. Guthman, 37 F.3d 32, 35 (1994), aff’d. 67 F.3d 460 (2nd Cir. 1995).

[30] Press Release, U.S. Dept of Justice, Eastern District of Michigan, LaShish Financial Manager Sentenced for 18 months for Tax Evasion (May 15, 2007) available at: https://www.cybersafe.gov/tax/usaopress/2007/txdv072007_5_15_ElAouar.pdf (last visited Sept. 15, 2010).

[31] Press Release, U.S. Dept of Justice, Eastern District of Michigan, Superseding Indictment returned Against LaShish Owner (May 30, 2007) available at: https://www.justice.gov/tax/usaopress/2007/txdv072007_5_30_chahine.pdf (last visited Sept. 15, 2010).

[32] Revenue Quebec, News Release, Le ministère du Revenu soupçonne le restaurant Grill San Antonio de Laval d’avoir utilisé un zapper (Eng. Trans. Tax Evasion: The Ministry of Revenue Suspects the Restaurant Grill San Antonio de Laval of having used a Zapper) (Apr. 8, 2004) available at: https://www.revenu.gouv.qc.ca/eng/ministere/centre_information/communiques/ev-fisc/2004/08avril.asp (in French only, last visited Sept. 15, 2010)

[33] Revenue Quebec, News Release, Deux sociétés coupables d’avoir utilisé un camoufleur de ventes dans des restaurants de Laval et de Repentigny (Eng. Trans. Two Companies Guilty of having used Zappers in Restaurants in Laval and Repentigny), available at: https://www.revenu.gouv.qc.ca/eng/ministere/centre_information/communiques/ev-fisc/2005/25avril.asp (in French only, last visited Sept. 15, 2010)

[34] Revenue Quebec, News Release, Revenu Quebec enquête sur un concepteur de logiciel de point de vente soupçonné d’avoir conçu et distribué un camoufleur de ventes (Eng. Trans. Revenue Quebec Investigation of a Software Designer Outlet Suspected of having Developed and Distributed Zappers) (Oct. 14, 2005) available at: https://www.revenu.gouv.qc.ca/eng/ministere/centre_information/communiques/ev-fisc/2005/14oct(2).asp (in French only, last visited Sept. 15, 2010)

[35] Revenue Quebec, News Release, La société Audio L.P. inc. condamnée pour fraude fiscale (Eng. Trans. The Company Audio LP, Inc. Convicted of Tax Evasion) (Sept. 21, 2007) available at: https://www.revenu.gouv.qc.ca/eng/ministere/centre_information/communiques/ev-fisc/2007/21sep.asp (in French only, last visited Sept. 15, 2010).

[36] Revenue Quebec, News Release, Tous les restaurants Stratos coupables de fraude fiscale en lien avec l’utilisation du zapper (Eng. Trans. All Stratos Restaurants Convicted of Fraud in Connection with the use of a Zapper) (Mar. 18, 2003) available at: https://www.revenu.gouv.qc.ca/eng/ministere/centre_information/communiques/ev-fisc/2003/18mars.asp (in French only, last visited Sept. 15, 2010)

[37] Revenue Quebec, News Release, Des amendes de plus de un million de dollars – Un père et ses deux fils condamnés pour fraude fiscale en lien avec le zapper (Eng. Trans. Fines of more than One million dollars – A Father and his Two Sons convicted for Tax Evasion in connection with the Zapper) (May 2, 2003) available at: https://www.revenu.gouv.qc.ca/eng/ministere/centre_information/communiques/ev-fisc/2003/02mai.asp (in French only, last visited August 25, 2010).

[38] Revenue Quebec, News Release, M. Marcel St-Louis de l’Outaouais coupable de fraude fiscale liée à l’utilisation d’un zapper (Eng. Trans. Mr. Marcel St. Louis de l’Outaouais Convicted of Tax Evasion related to the use of a Zapper) (Mar. 17, 2003) available at: https://www.revenu.gouv.qc.ca/eng/ministere/centre_information/communiques/ev-fisc/2003/17mars.asp (in French only, last visited August 25, 2010).

[39] Revenue Quebec, News Release, Le concepteur d’un camoufleur de ventes de Boucherville plaide coupable à diverses accusations portées par le fisc québécois (Eng. Trans. The Zapper Designer of Boucherville Pleads Guilty to Various Charges brought by Inland Revenue Quebec) (Oct. 26, 2005) available at: https://www.revenu.gouv.qc.ca/eng/ministere/centre_information/communiques/ev-fisc/2005/26oct.asp (in French only, last visited August 25, 2010).

[40] Bo Arvidsson, Tax Director, Head Office, Swedish Tax Agency, personal e-mail communication, February 18, 2010: The study was made of a random sample from different manufactures of cash registers sold in Sweden. That 70 % of all registers could be used for manipulation is not the same as 70 % in reality were used to suppress earnings. (emphasis in original)

[41] Dave Bergeron & Richard Ainsworth, Zappers (Automated Sales Suppression) 12, powerpoint presentation at the New York Prosecutors Training Institute (Syracuse, NY) July 31, 2008 (on file with author).

[42] Id. at 13 (but noting further that the 16% figure measures all skimming frauds, not just skimming with Zappers).

[43] Revenue Quebec, Press Release, Jean-Marc Fornier, Pour plus d’équité dans la restauration : il faut que ça se passe au-dessus de la table; (English trans. For more equity in the restaurant sector it is required that [business is conducted] above the table ) available at : https://www.revenu.gouv.qc.ca/eng/ministere/centre_information/communiques/autres/2008/28jan.asp (last visited Mar. 20, 2009). See also the accompanying powerpoint presentation, Facturation obligatoire dans le secteur de la restauration, L’évasion fiscale au Quebec, Sous-déclaration des revenus dans le secteur de la restauration; (English Trans. Tax Evasion in Quebec : Obligatory Billing in the Restaurant Sector – Under-declaration of revenues in the restaurant sector) 3 (January 28, 2008) (in French) (on file with author, with translation).

[44] Of course “other things” are not equal. Take for example the relative tax rate structures of Quebec and Pennsylvania. Because zappers reduce reported taxable income of businesses, and because these businesses tend to use these funds either to pay undeclared dividends or employee wages under the table, there is more than just a consumption tax problem here so the tax rate comparison needs to be broad. In some taxes, the Pennsylvania rates are lower, but in others they are higher than those in Quebec. Consumption Tax: Pennsylvania’s sales tax rate is 6% (although in Philadelphia an extra 2% is added and in Allegheny County an extra 1% is added) whereas Quebec’s is 7.5% throughout the province. Corporate Income Tax: Quebec taxes corporate business at 11.9%, but there is a reduced rate for small businesses of 8%. The corporate income tax rate in Pennsylvania is 9.99%. Personal Income Tax: Quebec taxes personal income between 16 and 24% (indexed with an inflation factor of 2.36%). Personal income tax rate in Pennsylvania is 3.07%.

[45] Quebec’s GDP was $166.9 million (expressed in 1999 dollars); Pennsylvania’s GDP was $362.7 (expressed in 1999 dollars). Thus, 362.7/166.9 = 217%; 217% x 425 million = $922 million. Demographia, Regional Gross Domestic Product (GDP): Ranked North America, Europe, Japan & Oceania (Purchasing Power Parity) (GDP figures based on US Department of Commerce, European Union, OECD, Statistics Canada, Australian Bureau of Statistics, New Zealand Bureau of Statistics, Japan Statistical Bureau) available at: https://www.demographia.com/db-intlppp-region.htm

[46] Working Group on Cash Registers: Interim Report 5 (Mar. 16, 2005) (Ger.) (translation on file with author).

[47] Id. at 5 (listing the following attributes: (1) erasing all data entries, (2) resetting the zero counter, (3) unwarranted counter-entries, (4) unwarranted use of the training mode, and (5) suppressing the grand total memory).

[48] BRH comments 2003, No 54, Federal Parliament circular 15/2020 at 197-198 (Nov. 24, 2003) (in German) (original and translation on file with author).

[49] Id. at 5.

[50] Fiscalis Committee Project Group 12, Cash Register Project Group, Cash Register Good Practice Guide, 5-6 (Dec. 2006) (unpublished report on file with author).

[51] Id. at 6.

[52] Revenue Quebec, Press Release, Jean-Marc Fornier, Pour plus d’équité dans la restauration : il faut que ça se passe au-dessus de la table (For more equity in the restaurant sector it is required that [business is conducted] above the table) (Jan. 28, 2008) available at : https://www.revenu.gouv.qc.ca/eng/ministere/centre_information/communiques/autres/2008/28jan.asp (last visited Mar. 18, 2009, translation on file with author).

[53] Jean-Marc Fornier, L’évasion fiscale au Quebec : Facturation obligatoire dans le secteur de la restauration – Sous-déclaration des revenus dans le secteur de la restauration (Tax Evasion in Quebec : Obligatory Billing in the Restaurant Sector – Under-declaration of revenues in the restaurant sector) 3 (January 28, 2008) (in French) (powerpoint presentation and translation on file with author).

[54] Streamlined Sales and Use Tax Agreement (adopted November 12, 2002, amended November 19, 2003 and further amended November 16, 2004) § 203 (defining a CSP as “[a]n agent certified under the Agreement to perform all the seller’s sales and use tax functions, other than the seller’s obligation to remit tax on its own purchases.”) available at https://www.streamlinedsalestax.org.

[55] Id., at § 203 (defining a CSP as “[a]n agent certified under the Agreement to perform all the seller’s sales and use tax functions, other than the seller’s obligation to remit tax on its own purchases.”)

[56] For a discussion of self-help phantom-ware see: Richard T. Ainsworth, Zappers and Phantomware: The Need for Fraud Prevention Technology, 50 TNI 1017 (June 23, 2008) available at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1139826.

[57] CRC-32, or cyclic redundancy check, takes as input a data stream of any length, and produces as output a value of a certain space, commonly a 32-bit integer. The term CRC is often used to denote either the function or the function’s output. A CRC can be used as a checksum to detect alteration of data during transmission or storage. CRCs are popular because they are simple to implement in binary hardware, are easy to analyze mathematically, and are particularly good at detecting common errors caused by noise in transmission channels. The CRC was invented by W. Wesley Peterson. W. Wesley Peterson & D. T. Brown, Cyclic Codes for Error Detection, 49 PROCEEDINGS INST. RADIO ENGINEERS 228 (Jan. 1961).

[58] District Court of Rotterdam, LJN: AX6802 (Jun 2, 2006) available at: https://zoeken.rechtspraak.nl/resultpage.aspx?snelzoeken=true&searchtype=ljn&ljn=AX6802 (in Dutch) (translation on file with author); appealed to the District Court of The Hague where the judgment is upheld LJN: BC5500 (Feb. 29, 2008) available at: https://zoeken.rechtspraak.nl (in Dutch) (translation on file with author)

[59] LJN: BC5500, at F3. Prior to using the phantom-ware installed on its system, Dudok was skimming sales in a very amateur fashion. The entire sales records of the POS system were deleted and records were reconstructed on Excel spreadsheets. The examining agents did not trust the spreadsheets and asked for the POS records as a back-up to confirm what they were being shown on the audit. This in turn led to the conversation with Straight Systems BV where Dudok was informed that they already had phantom-ware that might solve this problem installed in their system. Ben B.G.A.M. van der Zwet, (personal e-mail correspondence May 28, 2008) (on file with author).

[60] Straight Systems BV is a Netherlands company that specializes in single-service ECR systems where all hardware and software are developed “in house.” The company web site offers a 24-hour help desk where there is “… one point of contact for all hardware and software for checkout’s front office and back office systems.” Available at: https://www.straight.nl (in Dutch, translation on file with author) (last visited August 25, 2010).

[61] LJN: AX6802, at Consideration of the Evidence (Jun 2, 2006) (in Dutch) (translation on file with author). The case discusses three software programs: Twenty/Twenty; Finishing Touch; Tickview.exe. Twenty/Twenty was a US touch-screen program that did not have a phantom-ware application. Straight Systems BV added the phantom-ware application to Twenty/Twenty and renamed the program Finishing Touch. Using just this program you can view the sales ticket and change data. With a secret command the Tickview.exe program within Finishing Touch can be activated and the operator is asked if they would like to delete the whole ticket. If an affirmative response is given then the system records a “no sale” and the entire audit trail to the original data is eliminated. Ben B.G.A.M. van der Zwet, (personal e-mail correspondence May 28, 2008) (on file with author).

[62] The trial court in Rotterdam refers to the phantom-ware application as a “hidden delete function” whereas the appeals court in The Hague refers to the phantom-ware as “the erase rule.”

[63] LJN: BC5500, at F3.

[64] Norbert Zisky, Manipulation Protection – Electronic Cash Registers and POS Systems, German Federal Standards Laboratory, Brunswick & Berlin (May 2005) (unpublished draft on file with author); Norbert Zisky, Manipulationsschutz elektronischer Registrierkassen und Kassensysteme, German Federal Standards Laboratory, Brunswick & Berlin (Mar. 15, 2004) (Ger.) (unpublished draft on file with author).

[65] Luigi Lo Iacono, Christoph Rulans & Norbert Zisky, Secure Transfer of Measurement Data in Open Systems, 28 COMP. STANDARDS & INTERFACES 311 (Jan. 2006); SELMA Project https://www.selma-projekt.de (in German) (last visited August 25, 2010).

[66] The INSIKA project finished its work on schedule, although the time line for publication of the results has been pushed back. The results were demonstrated at a February 18, 2009 conference in Berlin.

[67] Ben B.G.A.M. van der Zwet, Note: Draft 20080201 – Fiscal Obligations for Cash Registers in the Netherlands 10 (Feb. 1, 2008) (unpublished draft on file with author).

[68] Caroline Rodgers, Quebec va de l’avant pour stopper la fraude fiscale, HOTELS, RESTAURANTS & INSTITUTIONS (Feb. 12, 2008) available at: https://www.hrimag.com/spip.php?article2771 (in French only, translations with author).

[69] Personal e-mail communication, Professor Zisky (February 19, 2008) (on file with author).

[70] Vectron, A.G., Tamper-proof POS Data for Projectgroep Onderzoek Administratieve Software (Oct. 31 2007), available at https://www.gbned.nl/downloads/xmllogistiek/poas/20071031%20Vectron.pdf (last visited Mar. 23, 2009); Norbert Zisky, Manipulation Protection – Electronic Cash Registers and POS Systems, German Federal Standards Laboratory, Brunswick & Berlin (May 2005) (unpublished draft on file with author) at ¶ 5.7 (estimating 50 euros); Norbert Zisky, Manipulationsschutz elektronischer Registrierkassen und Kassensysteme, German Federal Standards Laboratory, Brunswick & Berlin (Mar. 15, 2004) (Ger.) (unpublished draft on file with author).

[71] One of the easiest ways to do this is for the tax administration to open up a false storefront and advertise for ECR sales people to visit and make business proposals. When this was done in a state on the east coast the authorities were surprised when 17 out of 19 sales proposals included Zappers. That state is now conducting further studies and more careful technology audits.

[72] Mathias Neuhaus, Jörg Wolff and Norbert Zisky, Proposal for an IT security standard for preventing tax fraud in cash registers, Information Security Solutions Europe conference papers (September 2009) (copy on file with author); Ben B.G.A.M. van der Zwet, Note: Draft 20080201 – Fiscal Obligations for Cash Registers in the Netherlands 10 (Feb. 1, 2008) (unpublished draft on file with author).

[73] Personal email communication of 25 February 2010 with Jan C.A. de Loddere, Belgian Ministry of Finance (on file with author).

[74] Standard & Poors, GLOBAL RATINGS PORTAL, RATINGS DIRECT, Puerto Rico Sales Tax Financing Corp.; Sales Tax 6 (May 18, 2009) available at: https://www.gdb-pur.net/investors_resources/documents/COFINA05x2009SP.pdf. Collection and payment procedures: Sales tax revenues are collected on a monthly basis by First Data Corp., a provider of electronic commerce and payment solutions for businesses and consumers; Banco Popular de Puerto Rico; or any other authorized collector designated by the Secretary of the Treasury. Merchants have until the 10th of every month to remit sales tax collections for the prior month. Collectors transfer sales tax revenues on a daily basis to a bridge account at Banco Popular in the name of the Treasury Department, as paying/receiving agent. Once the funds are deposited in the Banco Popular bridge account, Banco Popular then transfers on a daily basis (with a two-day delay) to the trustee collections from the entire 5.5% sales and use tax until the base amount has been deposited in the DSTF, and thereafter to the Treasury Department all subsequent sales tax collections until the department has received its share (2.75%/5.5%) of the collections received to date in the fiscal year …

[75] Richard T. Ainsworth, US Enforcement and Research in Consumption Tax Fraud (June 3, 2010) powerpoint presentation at the Conference on Consumption Tax Compliance (Montreal).

[76] Personal e-mail communication to Janis Holloway, responded to by Robert Coyne (May 16, 2008) (on file with author).

Previously published by the Boston University School of Law, September 2010
