UK businesses could find themselves locked out of secure payment websites if they don’t act to accommodate changes caused by a new and more sophisticated level of internet security.
SHA-256 SSL is soon to be introduced and it is essential that companies know about the new security and its impact, says Bacs Payment Schemes Limited (Bacs).
Currently, most secure internet sites are protected by Secure Hash Algorithm-1 SSL, or SHA-1 SSL. SHA-1 was first introduced in 1996 and is now classified as vulnerable to cyber attacks.
SHA–256 SSL, however, is the next level of sophisticated internet security. Designed by the National Institute of Standards and Technology (NIST), it’s being adopted by Microsoft and Google and the rest of the internet community as an improved means of protecting secure internet sites.
At the same time as this global change, Bacs is improving security further by withdrawing support for older connection protocols. From June 13, Bacs will only support TLS 1.1 and 1.2; this provides even more protection for the communication pipeline between Bacs services such as Bacstel-IP and the Payment Services Website and its service users.
Businesses that use Bacs to make or collect payments will be affected.
If your company uses Bacs for payroll, to settle invoices, or to collect Direct Debits, these changes will affect you, so you need to be prepared.
Any business that wants to access Bacs via Bacstel-IP will need to make sure they have the right IT in place to support these changes.
Firms will need to have a web browser, operating system, and a Bacs Approved Software Solution that support these changes. Companies that use the Payment Services Website to collect payments reports will also need to upgrade their IT appropriately.
Failure to update a company’s systems will mean it is unable to access secure services.
Access to Bacs, via Bacstel-IP and the Payment Services Website, will be affected by these changes. If companies don’t make the necessary changes they may not be able pay staff and suppliers, or to collect by Direct Debit, so it’s important that access is maintained.
Equally, many businesses use the Payment Services Website to download important actionable reports. If they cannot gain access; they cannot download reports and then may be in breach of Scheme rules, which could result in access to Bacs being removed.
Bacs is implementing these changes on June 13 2016. If companies do not upgrade their software and/or browser and operating system to make them SHA-256 SSL and TLS1.1/1.2 compliant, they will not be able to access Bacs on or after this date. Bacs has been informing the industry since 2015 and is continuing to let everyone know to make the necessary changes to ensure their access to Bacs payment services is not lost.
Bacs is key to the financial infrastructure of the UK so it’s vital that the company adopts new security measures as early as possible to ensure that all changes are in place well in advance of the global switch off of the old security measures in early 2017.
Businesses will need to check that their operating system and internet browser will work with the new security. The browser on the computer used to access Bacs services must be able to support SHA-256 SSL certificates and TLS 1.1/1.2 by 13 June 2016, whether this is to submit directly or to collect reports. Direct submitters should talk to their BacsApproved Software Solutions provider to make sure software that can accommodate these changes is in place.
Companies who use a bureau may be affected.
If companies collect their own reports from the Payment Services Website they will still need to have an up-to-date operating system and internet browser. It is known that the operating systems most at risk are Windows 2000, Windows XP and Windows Vista. Indirect submitters should check their bureau is aware of the changes and that they will be compliant by 13 June 2016.
Banks will support look after (remove) companies with smartcards and signing solutions.
Banks will send new versions of these out to businesses which use them. Existing smartcards and signing solutions will work until the new ones arrive, which may be after 13 June.
For more details on these changes and how they will affect you, go to www.bacs.co.uk/SHA-2.
Further reading on online security
See also: Internet Security for small businesses