The global internet community is set to introduce a new and more sophisticated level of internet security - called SHA-256 SSL - and if UK businesses don't act now to accommodate the changes, they could find themselves locked out of secure payment websites.

This could have serious implications for UK businesses that use Bacs Payment Schemes Limited (Bacs) to make salary and supplier payments or to collect payments by Direct Debit.

But what is SHA-256 SSL and how could it affect companies? Here is the Bacs guide to the things all businesses should know about the new security and its impact.

Currently, most secure internet sites are protected by Secure Hash Algorithm-1 SSL, or SHA-1 SSL.

SHA-1 was first introduced in 1996 and is now classified as vulnerable to cyber-attacks. SHA-256 SSL, however, is the next level of sophisticated internet security. Designed by the National Institute of Standards and Technology (NIST), it's being adopted by Microsoft and Google and the rest of the internet community as an improved means of protecting secure internet sites.

Bacs is also making the internet more secure.

At the same time as this global change, Bacs is improving security further by withdrawing support for older connection protocols. From 13 June, Bacs will only support TLS 1.1 and 1.2 - this provides even more protection for the communication pipeline between Bacs services such as Bacstel-IP and the Payment Services Website and its service users.

Businesses that use Bacs to make or collect payments will be affected.

If your company uses Bacs for payroll, to settle invoices, or to collect Direct Debits, these changes will affect you, so you need to be prepared.

Any business that wants to access Bacs via Bacstel-IP will need to make sure they have the right IT in place to support these changes.

Firms will need to have a web browser, operating system, and a Bacs Approved Software Solution that support these changes. Companies that use the Payment Services Website to collect payment reports will also need to upgrade their IT appropriately.

Failure to update a company's systems will mean it is unable to access secure services.

Access to Bacs, via Bacstel-IP and the Payment Services Website, will be affected by these changes. If companies don't make the necessary changes they may not be able to pay staff and suppliers, or to collect by Direct Debit, so it's important that access is maintained.

Equally, many businesses use the Payment Services Website to download important actionable reports. If they cannot gain access, they cannot download reports and may then be in breach of Scheme rules, which could result in access to Bacs being removed.

Bacs is implementing these changes on 13 June 2016.

If companies do not upgrade their software and/or browser and operating system to make them SHA-256 SSL and TLS 1.1/1.2 compliant, they will not be able to access Bacs on or after this date. Bacs has been informing the industry since 2015 and continues to remind everyone to make the necessary changes so that their access to Bacs payment services is not lost.

Bacs is adopting the new measures before the internet community.

Bacs is key to the financial infrastructure of the UK so it's vital that the company adopts new security measures as early as possible to ensure that all changes are in place well in advance of the global switch off of the old security measures in early 2017.

Ask your IT department for assistance.

Businesses will need to check that their operating system and internet browser will work with the new security. The browser on the computer used to access Bacs services must be able to support SHA-256 SSL certificates and TLS 1.1/1.2 by 13 June 2016, whether this is to submit directly or to collect reports. Direct submitters should talk to their Bacs Approved Software Solutions provider to make sure software that can accommodate these changes is in place.

Companies who use a bureau may be affected.

If companies collect their own reports from the Payment Services Website they will still need to have an up-to-date operating system and internet browser. It is known that the operating systems most at risk are Windows 2000, Windows XP and Windows Vista. Indirect submitters should check their bureau is aware of the changes and that they will be compliant by 13 June 2016.

Banks will support companies with smartcards and signing solutions.

Banks will send new versions of these out to businesses which use them. Existing smartcards and signing solutions will work until the new ones arrive, which may be after 13 June.

For more details on these changes and how they will affect you, go to www.bacs.co.uk/SHA-2