
Are you prepared for the global internet-wide security upgrades next month?

For any business that sends and receives payments over the internet, which in today’s digital world will be near enough all of them, the security of those payments is a top priority. That’s why the majority will use the Bacs system or Direct Debits to send money to clients and employees and to receive payments, as it’s controlled and protected through strict levels of security.

However, it’s worth noting that the payments sector is undergoing major changes which all businesses should be aware of. In just four weeks’ time (13th June) payment security measures will be upgraded. The two big changes will be the upgrade to SHA-256 and TLS 1.1/TLS 1.2 security, which will be used to protect any payment files that you send and receive from external interference and malicious threats.

TLS 1.1 and TLS 1.2 (Transport Layer Security) are used to:

- Secure the connection between your payment software and Bacs
- Secure the connection between your browser and the Bacs Payment Services Website
- Replace SSL (Secure Sockets Layer), which is becoming more vulnerable.

Why is this change needed?

- SSL v3 is old – designed in 1996
- It's recently become vulnerable to having the connection broken
- Like many other industries, Bacs and the payments industry are stopping support of SSL v3.

What is SHA-256?

A new and more sophisticated level of internet security is being adopted (by Microsoft, Google and the rest of the internet community) and is called SHA-256.  

- It is a calculation used to give data files a single verifiable code (a digital signature)
- It's used to determine that data files have not been tampered with between being signed with the digital signature, sent over the internet and received
- SHA-256 replaces SHA-1, for which security experts believe it could soon be economical to create a “collision” (two data files that convert to the same code).

Why is the change needed?

- SHA-1 is old – designed in 1995
- Relies on it being computationally hard to create a collision
- Increasing computer power means it’s becoming economical to create a collision
- Moving to SHA-256 makes files and websites safer, as it should be uneconomical to create a collision for 20-30 years.

From 13th June 2016, if your computer browser, operating system or the Bacs Approved Software is not compatible, you will not be able to make payments (e.g. pay suppliers or staff) or collect Direct Debits.

Consequences and actions

If you are a direct submitter -

Speak to your IT Helpdesk to understand if you need to upgrade your IT infrastructure as TLS and SHA-2 are not supported on all computer operating systems and browsers. Also ensure your Bacs software is compliant with the new security protocols.

If you are an indirect submitter -

I'd strongly advise you to check that your bureau has implemented these new security protocols. If you are retrieving your Bacs messages from the Payment Services Website, you should check to see if your operating systems and browsers are compatible.
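A starting point for the compatibility check described above, as an added example that is not part of the original article: it reports whether the local Python/OpenSSL runtime supports TLS 1.1/1.2 and SHA-256, and builds a client context that refuses SSL v3. The function names and the `probe` host argument are assumptions made for illustration, and the result reflects only this runtime, not your browser or Bacs Approved Software.

```python
import hashlib
import socket
import ssl


def runtime_report():
    """Summarise what this Python/OpenSSL build supports."""
    report = {
        "openssl": ssl.OPENSSL_VERSION,
        "tls_1_1": ssl.HAS_TLSv1_1,
        "tls_1_2": ssl.HAS_TLSv1_2,
        "ssl_v3": ssl.HAS_SSLv3,
        "sha256": "sha256" in hashlib.algorithms_available,
    }
    # Requirement as stated in the article: SHA-256 plus TLS 1.1 or TLS 1.2.
    report["meets_requirement"] = report["sha256"] and (
        report["tls_1_1"] or report["tls_1_2"]
    )
    return report


def strict_context():
    """Client context that verifies certificates and refuses old protocols.

    Assumption: the floor is set to TLS 1.2, the stricter of the two
    versions the article names, so SSL v3, TLS 1.0 and TLS 1.1 are refused.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe(host, port=443, timeout=5.0):
    """Connect to host and return (negotiated protocol, cipher name).

    Raises ssl.SSLError if the server cannot negotiate TLS 1.2 or newer.
    """
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with strict_context().wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    for key, value in runtime_report().items():
        print(f"{key:18} {value}")
    # probe("<your-service-host>") needs network access; the host is a placeholder.
```
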

Download the latest browser and operating system requirements – here.

To learn more about SHA-2 & TLS, visit the Bacs website - here. 
