B2B buyers — resellers, nonprofits, government entities — present tax exemption certificates that legally prohibit collecting sales tax on qualifying purchases. When a customer's is_tax_exempt flag exists in the database but the tax calculation function never checks it, the store collects tax it is not entitled to receive, must remit it to the state, and then has to issue refunds when challenged. US state resale exemption certificate laws (uniform under the Streamlined Sales Tax Agreement in 24 states) impose penalty exposure when a seller knowingly ignores a valid certificate. CWE-682 (Incorrect Calculation) applies: the calculation produces an incorrect non-zero result when it should return $0.00.
High because collecting tax from exempt customers despite holding an exemption certificate is a state tax law violation that triggers refund liability and potential audit penalties.
Gate the tax calculation on the customer's exemption status in lib/tax.ts:
// lib/tax.ts
// Customer, OrderItem and Address are the store's own model types;
// getTaxRate resolves the jurisdiction rate for the shipping address.
function calculateTax(
  customer: Customer,
  items: OrderItem[],
  address: Address
): number {
  // Customer-level exemption is checked first, before any rate lookup,
  // so an exempt customer gets 0 regardless of items or jurisdiction.
  if (customer.is_tax_exempt) {
    return 0 // exempt customer — do not collect tax
  }
  // ... normal taxable calculation (item-level exemptions still apply)
  const taxable = items
    .filter(i => !i.is_tax_exempt)
    .reduce((sum, i) => sum + i.price * i.quantity, 0)
  return Math.round(taxable * getTaxRate(address))
}
Add the matching schema column if it doesn't exist:
ALTER TABLE customers ADD COLUMN is_tax_exempt BOOLEAN NOT NULL DEFAULT FALSE;
ALTER TABLE customers ADD COLUMN tax_exempt_certificate_id TEXT;
Verify in test that a cart for an exempt customer returns tax: 0 regardless of items or jurisdiction.
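The gate above, worked through end to end as an added example (this is not the page's or any project's code): the vulnerable calculation that ignores the customer flag sits beside the corrected one, and a small check runs an exempt customer through several carts and jurisdictions, which is the verification step this rule asks for. All types, the rate table, and the sample customers and carts are constructed for illustration; the helper names getTaxRate, taxableSubtotalCents and exemptCustomerFailures are assumptions, not a real store's API.

```typescript
// Added example: customer-level tax exemption gate, vulnerable vs corrected,
// plus the "exempt customer always pays 0" check. Everything here is constructed.

interface Customer {
  id: string;
  is_tax_exempt: boolean;
  tax_exempt_certificate_id: string | null;
}

interface OrderItem {
  sku: string;
  price: number;          // unit price in integer cents
  quantity: number;
  is_tax_exempt: boolean; // item-level exemption, independent of the customer
}

interface Address {
  state: string;
}

// Constructed sample rates in basis points (1 bp = 0.01%). Not real tax tables.
const SAMPLE_RATES_BPS: Record<string, number> = { CA: 725, TX: 625, OR: 0 };

// Hypothetical rate lookup; throws for a jurisdiction it has no rate for.
function getTaxRate(address: Address): number {
  const bps = SAMPLE_RATES_BPS[address.state];
  if (bps === undefined) {
    throw new Error(`no tax rate configured for jurisdiction ${address.state}`);
  }
  return bps / 10000;
}

// Sum of item prices that are themselves taxable (item-level exemptions applied).
function taxableSubtotalCents(items: OrderItem[]): number {
  return items
    .filter(i => !i.is_tax_exempt)
    .reduce((sum, i) => sum + i.price * i.quantity, 0);
}

// Vulnerable form: the customer flag exists but is never consulted (the CWE-682
// pattern the page describes), so exempt customers are charged like anyone else.
function calculateTaxIgnoringCustomer(_customer: Customer, items: OrderItem[], address: Address): number {
  return Math.round(taxableSubtotalCents(items) * getTaxRate(address));
}

// Corrected form: the customer-level gate comes before the rate lookup, so an
// exempt customer gets 0 even for an address the rate table cannot resolve.
function calculateTax(customer: Customer, items: OrderItem[], address: Address): number {
  if (customer.is_tax_exempt) {
    return 0;
  }
  return Math.round(taxableSubtotalCents(items) * getTaxRate(address));
}

// Verification check: run one exempt customer through every cart and every
// jurisdiction; any non-zero tax is a failure, reported as "STATE/cartN:amount".
function exemptCustomerFailures(
  calc: (c: Customer, i: OrderItem[], a: Address) => number,
  customer: Customer,
  carts: OrderItem[][],
  states: string[]
): string[] {
  const failures: string[] = [];
  for (const state of states) {
    for (let idx = 0; idx < carts.length; idx++) {
      const tax = calc(customer, carts[idx], { state });
      if (tax !== 0) {
        failures.push(`${state}/cart${idx}:${tax}`);
      }
    }
  }
  return failures;
}

// Constructed sample data (certificate id is a placeholder, not a real number).
const RESELLER: Customer = { id: "c-1", is_tax_exempt: true, tax_exempt_certificate_id: "CERT-PLACEHOLDER" };
const RETAIL: Customer = { id: "c-2", is_tax_exempt: false, tax_exempt_certificate_id: null };
const SAMPLE_CARTS: OrderItem[][] = [
  [{ sku: "A", price: 1999, quantity: 2, is_tax_exempt: false }],
  [
    { sku: "B", price: 500, quantity: 1, is_tax_exempt: true },
    { sku: "C", price: 12000, quantity: 1, is_tax_exempt: false },
  ],
];
const SAMPLE_STATES = ["CA", "TX", "OR"];

// Usage: the corrected function yields no failures for the exempt customer,
// while the vulnerable one fails in every jurisdiction with a non-zero rate.
console.log("corrected:", exemptCustomerFailures(calculateTax, RESELLER, SAMPLE_CARTS, SAMPLE_STATES));
console.log("vulnerable:", exemptCustomerFailures(calculateTaxIgnoringCustomer, RESELLER, SAMPLE_CARTS, SAMPLE_STATES));
```

Note that the exemption check runs before getTaxRate is ever called: that ordering is what makes "regardless of jurisdiction" hold even when the address cannot be resolved to a rate, and it is also why the check iterates over states rather than a single address.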
ID: ecommerce-shipping-tax.tax-computation.exempt-customers
Severity: high
What to look for: Count the number of customer-level tax exemption layers: (1) is_tax_exempt boolean in customer/user schema, (2) tax_exempt_certificate_id or similar reference field, (3) conditional check in the tax calculation function that returns 0 for exempt customers, (4) UI indicator showing exempt status during checkout. Report: X of 4 layers present.
Pass criteria: At least 2 of 4 customer tax exemption layers are implemented: a flag in the customer schema and a conditional check in the tax calculation that returns $0.00 for exempt customers. The exemption must be applied during the checkout tax calculation step.
Fail criteria: Fewer than 2 of 4 layers exist, or tax is always applied regardless of customer status, or the exemption flag exists but the tax calculation never checks it.
Skip (N/A) when: The business is consumer-only with no B2B customers (search customer schema for tax exemption fields; if no exemption concept and no B2B indicators, skip).
Detail on fail: "1 of 4 customer exemption layers found (is_tax_exempt boolean in schema). Tax calculation at lib/tax.ts does not check customer.is_tax_exempt — tax applied to all customers." or "No customer tax exemption fields in user/customer schema."
Remediation: Add customer-level tax exemption in the customer schema and lib/tax.ts:
-- Schema
CREATE TABLE customers (
  id UUID PRIMARY KEY,
  email TEXT,
  is_tax_exempt BOOLEAN NOT NULL DEFAULT FALSE,
  tax_exempt_certificate_id TEXT -- optional: reseller ID or cert number
);

// Tax calculation with customer exemption (lib/tax.ts)
function calculateTax(customer: Customer, items: OrderItem[], address: Address): number {
  if (customer.is_tax_exempt) {
    return 0 // exempt customer: no tax, whatever the items or jurisdiction
  }
  // ... normal tax calculation
}