Qoyod
Pricing

Knowledge Base

PCSID Production Certificate in E-Invoicing

When you move to the second phase of e-invoicing in Saudi Arabia, your business passes through two consecutive technical stages: the compliance testing stage first, then the actual production stage. The PCSID certificate is your entry pass to the second stage. Without it, your system cannot sign a single real invoice, nor send it to the Fatoora platform.

Many accountants confuse the three types of cryptographic certificates. This guide covers the production certificate (PCSID) alone: what it is, how you obtain it, how long it stays valid, how you manage it, and what happens when it expires. If you are looking for the full picture of the cryptographic stamp identifier, see the CSID certificate guide. And if you are in the testing stage before production, your place is the Compliance CSID certificate.

The importance of understanding this certificate lies in the fact that it is the line between a “system that is ready in theory” and a “system that issues actual invoices.” Many businesses pass the testing stage successfully, then stumble in the move to production because they misunderstand the role of the production certificate or neglect to renew it later. The goal here is to leave you with a clear, practical picture that spares you these pitfalls.

What is the PCSID certificate?

PCSID stands for Production Cryptographic Stamp Identifier. It is the digital certificate that the Zakat, Tax and Customs Authority (ZATCA) issues to a billing system after it successfully passes the compliance tests. This certificate is used to sign the real invoices that the business issues in the production environment.

The cryptographic stamp is a digital signature attached to every e-invoice. This stamp proves that the invoice was issued by an approved system and that it has not been altered after issuance. The PCSID certificate is the key that generates this stamp in the production environment specifically.

The essential difference that must settle firmly in your mind: the compliance certificate (CCSID) works in the testing environment only, and its invoices are test invoices with no legal value. The PCSID certificate, on the other hand, works in the production environment, and every invoice you sign with it is an official invoice approved by the Authority. Neither certificate can be used in place of the other.

The PCSID certificate comes paired with a private secret key (Production Secret). This key is used together with the certificate in every connection to the Fatoora platform, whether to request clearance for tax invoices or to report simplified invoices.

In short, you can picture the PCSID certificate as a driving licence for your system on the production road. The compliance certificate is like a learner’s permit: it lets you practise in a closed lot. The full driving licence is what allows you to head out onto the real road. Every invoice you sign with this licence carries its legal weight before the Authority and before the buyer.

This certificate binds three elements together: the business identity (the tax number and commercial registration), the billing unit that issues the invoices, and the cryptographic key that signs them. Any change to one of these elements calls for a review of the certificate, and may call for issuing an entirely new certificate.

Why is there a separate certificate for production?

The Authority split the process into two environments deliberately. The testing environment lets developers and system owners try out the integration without issuing real invoices, which prevents the tax records from being polluted with fake invoices. The production environment is reserved for actual invoices only.

This separation protects the business. If a test fails, the failure stays inside the testing environment and touches no real invoice. Only the systems that prove full readiness earn the PCSID certificate and move to production.

From the simulation environment to the production environment
How a business moves from the compliance certificate to the PCSID production certificate.
1

Simulation environment: CCSID certificate and test invoices

2

Passing the compliance tests

3

Production environment: PCSID certificate and real invoices

The PCSID production certificate is not issued until the compliance tests are passed.

How do you obtain the PCSID certificate?

Obtaining the production certificate is not a standalone step, but the result of a chain of steps that begins with registration and ends with production. The business goes through the following path in order:

First: registration on the Fatoora portal. The business logs in to the Authority’s portal and registers the billing unit (your accounting system) that will issue the invoices. From the portal it extracts a one-time password (OTP) for each billing unit.

Second: requesting the compliance certificate (CCSID). The system sends a request to the Authority accompanied by the OTP and a certificate signing request (CSR). The Authority responds with the temporary compliance certificate that works in the testing environment. This is a separate stage that we explained in detail in the Compliance CSID certificate guide.

Third: passing the compliance tests. The system must pass a set of test cases defined by the Authority. These cases include issuing tax and simplified invoices and credit and debit notes in valid format, signing them, and sending them to the testing environment. The Authority verifies that every invoice matches the technical specification.

Fourth: requesting the production certificate (PCSID). After passing all the test cases, the system sends the production certificate request. Here the Authority issues the PCSID certificate along with its secret key. From this moment the system becomes ready to sign real invoices.

Fifth: moving to production. The system begins sending actual invoices to the Fatoora platform. Tax invoices (B2B) go through clearance before being delivered to the buyer. Simplified invoices (B2C) are issued immediately and then reported within 24 hours.

It is worth knowing the limits of the system provider’s role here. The Authority requires the business to register its identifier with the Authority itself, and no provider can perform this step on its behalf. A good accounting system’s role is limited to guiding you through the process and handling the technical side of generating the requests and managing the certificate.

The path to obtaining the PCSID production certificate
Five steps from registering on the Fatoora platform to actual issuance.
The PCSID path
1

Registering on the Fatoora platform with the OTP verification code

2

Requesting the CCSID compliance certificate

3

Passing the compliance tests in simulation

4

Requesting the PCSID production certificate

5

Starting to issue real invoices in production

The fourth step is the moment the PCSID production certificate is issued.

What happens technically when the certificate is requested?

The previous steps may seem abstract, so let us clarify what goes on behind the scenes. When requesting any certificate, the system generates a pair of keys: a public key and a private key. The system keeps the private key secret and sends the public key within the certificate signing request (CSR) to the Authority.

The Authority verifies the request, then signs it and returns it as a valid certificate. This certificate contains the public key stamped with the Authority’s signature, which proves to any third party that the certificate was indeed issued by a trusted entity. When the system later signs an invoice, it uses the private key, and any recipient can verify the signature via the public key embedded in the certificate.

The difference between the compliance certificate request and the production certificate request lies in the endpoint the system addresses and the type of certificate returned. The compliance request addresses the testing endpoint and returns a test certificate. The production request addresses the production endpoint and returns a real certificate valid for signing invoices with tax effect.

The OTP is a pivotal element in this process. It is a one-time code you extract from the Fatoora portal, and it links the certificate request to the business account at the Authority. The code’s validity is limited to a short time, so it must be used as soon as it is extracted. If it expires before the request is completed, you extract a new code.

Readiness checklist for moving to production

Before you request the production certificate, make sure the following items are complete. A gap in any one of them delays your move to the production environment:

  • The business is registered on the Fatoora portal, and the tax data is up to date and correct.
  • You have extracted an OTP for each billing unit you intend to operate.
  • You have obtained the compliance certificate (CCSID) and worked with it in the testing environment.
  • You have passed all the required compliance test cases without errors.
  • You have verified that invoices are issued in the correct format (UBL 2.1) and carry the QR code and the correct hash.
  • You have prepared a secure storage mechanism for the private secret key of the production certificate.

Each of these items corresponds to a technical procedure in the accounting system. When the system handles these items automatically, your move to production becomes a single step instead of a long list of manual tasks. For more detail on the full requirements of this stage, see the second phase requirements.

PCSID certificate validity and renewal

The PCSID certificate is not permanent. Every cryptographic certificate has a defined validity period after which it expires, exactly like any other digital certificate. The Authority sets this period, and the business must renew the certificate before it expires to ensure invoices keep being signed without interruption.

Renewal is not automatic on the Authority’s side. The system must take the initiative to request the certificate renewal a good while before the expiry date. The process resembles the first certificate request: the system generates a new signing request and sends it to the Authority, which issues an updated production certificate with a new key.

The practical rule: do not wait for the expiry date to approach. Set an alert a comfortable time before the certificate’s expiry date. The gap between one certificate expiring and its replacement being issued may halt invoice issuance, which exposes the business to a violation of not issuing the invoice on time.

Why does the certificate expire in the first place?

Expiry is a standard security measure in the world of cryptography. The longer a secret key is used, the higher the likelihood of it being leaked or breached. Renewing the certificate periodically renews the secret key, which reduces the risk of an old key being exploited to sign illegitimate invoices.

This measure serves the business’s interest. A certificate updated with a new key means your billing system stays within the latest security standards the Authority imposes.

When do you start the renewal?

There is no single rule that suits every business, but the practical principle is constant: start early. Do not wait for the last day. Renewing a comfortable while before expiry gives you room to handle any error in the request without issuance stopping.

Monitor the expiry date from the system dashboard, and set a reminder for yourself or rely on a system that fires an automatic alert. When the system handles the renewal automatically, this follow-up disappears from your task list entirely, and this is the essential difference between manual and automated management of the certificate.

Remember too that renewal does not cancel your record of previous invoices. Invoices signed with the old certificate remain valid and approved, because they were signed while the certificate was in effect. The new certificate only takes over signing the invoices issued after it is activated.

Start today

Let Qoyod handle your billing certificates for you

Qoyod manages the cryptographic certificate and its renewal automatically, signs your invoices and sends them to the Fatoora platform in line with the second phase, so you can focus on your business.

Start your free trial and activate your e-invoicing

How to manage the PCSID certificate in the real world

Managing the certificate does not end with issuing it. You must keep the certificate and its secret key in a safe place inside the system, monitor its validity date, be ready to renew, and handle any change in the business or billing-unit data.

The day-to-day tasks of managing the certificate include the following:

  • Storing the secret key in encrypted form, and preventing unauthorized access to it.
  • Monitoring the certificate’s validity counter to avoid it expiring suddenly.
  • Re-requesting the certificate when the commercial registration data or the tax number changes.
  • Issuing a separate certificate for each billing unit when running more than one branch or point of sale.
  • Keeping a record of the signed invoices and the hash chain for verification during an audit.

These tasks are purely technical, and they are exactly what separates a ready accounting system from manual solutions. When the system handles managing the certificate automatically, the burden of manually tracking expiry dates and renewal requests disappears. This is what the integration with the Authority in Qoyoddelivers, since generating the requests and certificates is managed automatically behind the scenes.

Multiple branches and billing units

If your business runs several branches or point-of-sale devices, each billing unit has its own certificate. The Authority treats each unit as an independent issuing entity, with its own OTP and its own production certificate.

This means a business with ten branches may manage ten production certificates at once, each with a different validity date. Tracking this number manually is tiring and error-prone, which is why a system that manages the certificates centrally becomes a necessity rather than a luxury in multi-branch businesses.

What happens when the PCSID certificate expires?

When the production certificate’s validity expires without renewal, the system loses its ability to sign new invoices. Any attempt to issue an invoice after the certificate expires will be rejected by the Fatoora platform, because the attached signature is no longer issued by a valid certificate.

This has direct consequences:

  • Immediate clearance of tax invoices (B2B) stops, so you cannot deliver the invoice to the buyer.
  • Reporting simplified invoices (B2C) of daily sales within the prescribed window becomes impossible.
  • The business is exposed to a violation for the delay or failure to issue the e-invoice in its statutory format.

The remedy is simple but takes time: request a new production certificate through the renewal cycle. And because this cycle is not instant, prevention is cheaper than cure. Setting an early alert before expiry spares you a complete halt in issuance.

Here the value of automated certificate management shows. When the system monitors the expiry date and takes the initiative to renew before it, the business never even reaches the moment of stopped issuance. This is one facet of second-phase readiness provided by Qoyod, compliant with the second phase.

Common mistakes in the production stage and how to avoid them

Many of the problems businesses face after moving to production trace back to small details in managing the certificate. Here are the most prominent, with how to avoid them:

Letting the certificate expire without renewal. This is the most common and most costly mistake. Billing stops suddenly on an ordinary working day. Prevention: set an alert a sufficient time before expiry, or rely on a system that renews the certificate automatically.

Losing the secret key or storing it insecurely. The private key cannot be retrieved from the Authority if lost. Losing it means issuing a new certificate from scratch. Prevention: store the key encrypted inside the system, not in exposed text files.

Using the test certificate in production or vice versa. This results in invoices being rejected or records being polluted with test invoices. Prevention: confirm the active environment before issuance, and keep a clear separation between the two setups.

Neglecting to update the certificate after changing the business data. A change in the tax number or the commercial registration makes the certificate data outdated. Prevention: re-request the certificate as soon as any change occurs in the registration data.

Managing branch certificates manually. With multiple branches, expiry dates multiply, and it becomes easy to miss the renewal date of one of them. Prevention: a central system that tracks all certificates in a single dashboard.

The common thread among these mistakes is that they are all avoidable through automation. When the system handles monitoring the certificate, renewing it, and storing its keys, most of these risks disappear from your daily concern.

Production versus simulation: do not mix them up

A mature billing system provides a simulation environment alongside the production environment. The simulation environment resembles production in all its technical details, but it is dedicated to testing before the actual launch. It helps you make sure your settings are sound before you sign a single real invoice.

The decisive difference between the two environments:

  • Production environment: uses the PCSID certificate, its invoices are official and approved by the Authority, and it has a real tax effect.
  • Simulation environment: uses a separate simulation certificate, its invoices are for testing only, and it has no tax effect.

The golden rule: do not issue a real invoice from a simulation environment, and do not test your settings on the production environment. Mixing them pollutes your tax records with invoices that do not belong where they are. Always identify which environment you are working on before pressing the issue button.

The last rule worth repeating: use the simulation environment before your first real invoice to test your actual business scenarios, from tax invoices to credit and debit notes. Once you are confident everything works as it should, move to production with confidence and start signing with the PCSID certificate. This gradual approach reduces launch errors to a minimum.

To go deeper into how your system connects with the Fatoora platform through clearance and reporting, see the integration with the Authority.

Production environment versus simulation environment
The characteristics of each environment in terms of the certificate, the invoice value, and its effect.
Criterion Production environment Simulation environment
Certificate PCSID CCSID
Invoice value Real Test
Tax effect Approved by the Authority No effect
Purpose Actual operation Integration testing
The production certificate works in a real environment, while the compliance certificate is for testing only.

How Qoyod helps you manage the PCSID certificate

Qoyod is compliant with the second phase of e-invoicing. The system handles the entire technical side: generating the signing request, requesting the compliance certificate and then the production certificate, signing every invoice with the cryptographic stamp, and sending it to the Fatoora platform through clearance or reporting depending on its type.

Most importantly, Qoyod manages the certificate and its renewal automatically, so you do not need to track expiry dates manually or remember renewal dates. Your role stays confined to one indispensable step: registering your business identifier with the Authority, a step Qoyod guides you through one step at a time.

The benefit of this automation shows clearly in multi-branch businesses. Instead of the accountant tracking ten production certificates with different expiry dates, Qoyod brings them together in one unified management, so no renewal window is missed and issuance does not stop at any branch. This frees the accounting team from a technical burden unrelated to the core of its work.

Alongside managing the certificate, Qoyod connects the full invoice cycle: from creating it, to signing it, to clearing or reporting it, to keeping the hash chain for later review. Your records stay organized and ready for any audit by the Authority without extra effort on your part.

And if you face any obstacle during the integration or renewal, the Qoyod support team is available 24 hours a day, seven days a week to help you until the move to production is completed smoothly.

Frequently asked questions

What is the difference between the PCSID certificate and the CCSID certificate?

The CCSID is a compliance certificate that works in the testing environment, and its invoices are test invoices. The PCSID is a production certificate that works in the production environment, and every invoice you sign with it is an official invoice approved by the Authority. You obtain the production certificate after passing the compliance tests with the first certificate.

How long is the PCSID certificate valid?

Every cryptographic certificate has a defined validity period set by the Authority, after which it expires. The certificate must be renewed before the expiry date to ensure invoices keep being signed without interruption. Renewal is not automatic on the Authority’s side; the system initiates it.

What do I do if the production certificate expires?

When the certificate expires, the system stops signing new invoices, and the Fatoora platform rejects any invoice signed with an expired certificate. The solution is to request a new production certificate through the renewal cycle. It is best to set an early alert before expiry to avoid an interruption in issuance.

Do I need a separate certificate for each branch?

Yes. Every billing unit, whether a branch or a point-of-sale device, needs its own production certificate with an independent registration code. Multi-branch businesses manage several certificates at once, which is why a system that manages the certificates centrally helps organize this multiplicity.

Can Qoyod obtain the certificate on my behalf?

Qoyod handles the entire technical side, from generating the requests to managing and renewing the certificate. But the Authority requires the business to register its identifier with the Authority itself. Qoyod guides you through this step; no one performs it on your behalf.

What is the difference between the production environment and the simulation environment?

The production environment uses the PCSID certificate and its invoices are official with a real tax effect. The simulation environment uses a separate certificate and its invoices are for testing only with no tax effect. Do not issue a real invoice from a simulation environment, and do not test your settings on the production environment.

Guides

Continue your learning journey

Explore the rest of Qoyod’s guides, or start applying what you’ve learned.

Live webinars hosted by the Qoyod team to help you use the software easily and answer your questions.

Discover Qoyod’s latest updates, ongoing improvements, and new features in one place.

Our team is ready to help you and provide instant support for any issue you face, around the clock.