A tax exemption flag on the customer record that is granted without any certificate validation — no upload, no expiry check, no certificate number format validation — is an open door for fraudulent exemption claims. US state resale exemption certificate laws (and the Streamlined Sales Tax Agreement for member states) require sellers to retain a valid certificate to defend a tax-free sale during an audit. An expired 2019 resale certificate that still exempts a customer today invalidates the seller's audit defense: the state can assess tax plus penalties on every sale covered by an invalid certificate. CWE-682 applies when the exemption calculation returns $0 on the basis of unvalidated input.
Severity is low because fraudulent exemption abuse requires deliberate exploitation, but the audit liability from accepting expired certificates is a routine compliance risk that scales with B2B transaction volume.
Implement certificate validation in lib/tax-exemption.ts before granting exemption:
// lib/tax-exemption.ts
interface Customer {
  id: string
  is_tax_exempt: boolean // the flag alone must never grant exemption
}

interface TaxExemptCertificate {
  id: string
  customerId: string
  certificateNumber: string
  issuerState: string
  expiryDate: Date
  fileUrl: string // uploaded scan
}

// A certificate is usable only if it is unexpired, its number has a plausible
// format, and a scan was actually uploaded.
function isCertificateValid(cert: TaxExemptCertificate): boolean {
  const expired = new Date(cert.expiryDate) < new Date()
  const hasNumber = /^[A-Z0-9-]{5,20}$/.test(cert.certificateNumber)
  return !expired && hasNumber && Boolean(cert.fileUrl)
}

// Exemption requires both the customer flag and a currently valid certificate.
function getEffectiveTaxExempt(
  customer: Customer,
  cert: TaxExemptCertificate | null
): boolean {
  if (!customer.is_tax_exempt || !cert) return false
  return isCertificateValid(cert)
}
Add the certificate table migration and wire getEffectiveTaxExempt into the checkout tax calculation so exemption requires both a flag and a currently-valid certificate.
ID: ecommerce-shipping-tax.regional-compliance.cert-validation
Severity: low
What to look for: Count the number of certificate validation layers: (1) certificate upload/storage mechanism, (2) expiry date check, (3) certificate number format validation, (4) issuer verification. Enumerate which layers are present in the customer/tax exemption workflow.
Pass criteria: If B2B transactions are supported, at least 2 of 4 certificate validation layers exist: a certificate storage mechanism (file upload or ID field) and at least 1 validation check (expiry date, format, or issuer). Expired certificates must be flagged or rejected during checkout.
Fail criteria: B2B customers are supported (tax-exempt flag exists) but no certificate validation is implemented — exemptions are granted without any certificate proof or expiry checking.
Skip (N/A) when: The business is B2C only (no tax-exempt customer concept in the schema) or does not support B2B transactions.
Detail on fail: "Tax exemption flag on customers but 0 of 4 certificate validation layers. No upload, no expiry check, no format validation." or "Certificate upload exists but no expiry checking — expired certificates from 2019 still accepted."
Remediation: Implement certificate validation in lib/tax-exemption.ts:
interface TaxExemptCertificate {
  id: string
  customerId: string
  certificateNumber: string
  issuer: string
  expiryDate: Date
  isValid: boolean // set by the review/upload workflow, not by the customer
}

// Both the stored validity flag and an unexpired expiry date are required.
function validateCertificate(cert: TaxExemptCertificate): boolean {
  return cert.isValid && new Date(cert.expiryDate) > new Date()
}