gpp_good Check e-invoice visibility XML‑first lock_open Free & anonymous

Check e-invoice: The invisible risk in ZUGFeRD/Factur-X invoices

Every ZUGFeRD/Factur-X e-invoice has two data layers: the PDF (view) and the embedded XML (data record). Your systems process the XML – and that is exactly where manipulation or silent deviations can hide.

Check e-invoice for free Proof of Concept (6 Document Types)

Note: The video is in German. The relevant part starts at 11:00.

Your invoice has two faces

When PDF and XML don’t match, people often see one thing — while accounting systems book or pay the other. Comparing them isn’t a “nice-to-have” but a security check.

picture_as_pdf PDF (view)

Amount1.500,00 EUR

IBANDE89 3704 0044 0532 0130 00

This is the part you see on screen. Visually everything can look correct — even if the data record differs.

data_object XML (data record)

Amount15.000,00 EUR

IBANDE21 5001 0517 1234 5678 90

This is the part software processes further (posting/payment/tax). Deviations are often not immediately visible — until it’s too late.

account_balance Payment fraud (IBAN)

Attackers selectively change bank details in the XML while the PDF stays unchanged. Automated processes then pay to the wrong IBAN.

percent Input VAT deduction at risk

Missing mandatory fields or incorrect tax rates in the XML can have tax consequences — even if the PDF “looks fine”.

rule Mis-postings & audit risk

Rounding differences or separate data sources create silent discrepancies. This often only surfaces during internal controls or audits.

public_off Non-EU origin

Factur-X/ZUGFeRD is a European standard. A seller outside the EU/EEA is unusual and may indicate identity spoofing or cross-border fraud. Canary detects the country of origin (BT‑40) and warns automatically.

Critical fields (EN 16931)

These Business Terms are particularly relevant for payment and tax. If you only check one thing: check these.

Field	BT code	Risk if mismatched
IBAN	`BT‑84`	Payment to the wrong account
Invoice total (gross)	`BT‑112`	Incorrect posting, payment discrepancy
Tax amount	`BT‑110`	Incorrect VAT return
Payee	`BT‑59` (BG‑10)	Payment to an unknown third party
Tax rate	`BT‑119`	Input VAT deduction at risk
Invoice number	`BT‑1`	Duplicates, archiving errors
Supply/service date	`BT‑72`	Incorrect service period
Seller country	`BT‑40`	Non-EU origin, identity spoofing

sync_alt How mismatches happen

Separate generation: PDF and XML from different sources.
Manual edits: Fixing only one layer.
Rounding logic: Different calculation/formatting.
Targeted tampering: Interception/changes in transit.

visibility What Canary makes visible

Document preview directly from XML data (human-readable).
PDF preview next to it (visual comparison).
Highlighting payment-relevant values (amounts, taxes, bank details).
XML source + download (nice extra).

Complete source list

Selected references (EU, Germany, standards, publishers). Links go to the respective official pages.

European Union

Directive 2014/55/EU EU EU directive on electronic invoicing in public procurement
Implementing Decision (EU) 2017/1870 EU Reference to EN 16931 as the European e-invoicing standard

Germany

§ 14 UStG DE Mandatory invoice details (German implementation)
§ 27 UStG DE Transitional periods for e-invoicing 2025–2028
BMF FAQ on e-invoicing DE Official FAQ on the e-invoicing requirement from 2025, incl. notes on hybrid formats
BMF letter dated 15/10/2024 DE First guidance letter: the XML component is authoritative for hybrid formats
BMF letter dated 15/10/2025 DE Second letter: format errors, Section 14c risk if there are discrepancies between PDF and XML

Standards & standardization

EN 16931‑1:2017 (CEN catalog) EN European semantic data standard for e-invoices
CEN/TC 434 – Electronic Invoicing EN Technical committee for electronic invoicing

ZUGFeRD / Factur‑X

FeRD (ZUGFeRD) DE German Electronic Invoice Forum – ZUGFeRD specification
Factur‑X portal FR/EN Franco-German portal on the hybrid invoice format

DATEV / practical guidance

DATEV: How to properly check e-invoices DE XML is legally binding – recommendation: visualize the XML independently instead of only viewing the PDF
DATEV: ZUGFeRD DE No content discrepancies between PDF and XML permitted

Expert articles & notes

heise online: Trojan ZUGFeRD DE Critical expert article: Should people really compare XML and PDF manually?
IHK Cologne: BMF letter DE Chamber of Industry and Commerce (IHK) summary: XML component is leading, input VAT deduction at risk in case of discrepancies
ELSTER: Visualize e-invoices DE Official visualization tool of the tax authorities for XML invoice data
ELSTER forum: security risks DE Community discussion: tampering potential of PDF↔XML, missing signatures