Go full SHA-256 by June or get locked out, say payments bods Bacs
E-business told to shape up and implement modern crypto – or else
Online businesses in the UK will have to update their systems and adopt SHA-2 before June in order to avoid losing access to vital payment and money transfer services.
Failure to change before a 13 June deadline will leave merchants unable to use Bacs Payment Schemes Limited (Bacs) to make salary or supplier payments or to collect by direct debit. The UK banking payments service has given notice that it intends to lock out laggards from using secure websites by dropping support for obsolete crypto protocols, as explained below.
From 13 June 2016, Bacs is adopting the new security, called SHA-256 SSL. At the same time as this change is being made, Bacs will withdraw support for older connection protocols to provide even more protection for the communications pipeline between the internet-based service access points, Bacstel-IP and the Payment Services Website, and the service user. After 13 June 2016, only TLS 1.1 and 1.2 will be supported.
Any business which wants to access Bacs via Bacstel-IP or the Payment Services Website to make or collect payments will need to have a web browser, operating system, and – if used – a Bacs Approved Software Solution that support these changes.
More details on these changes and how they will affect e-businesses of all types and sizes can be found here. Bacs SHA-2 support was announced last year but they’ve only recently issued a reminder about the switch-over.
Crypto experts have been warning for some time that older crypto schemes are breakable and therefore need to be updated. Browser makers and other tech firms are pushing this change. Bacs' decision could serve as a useful spur to action, particularly if people stop getting paid unless changes are made.
Wolfgang Kandek, CTO at cloud security firm Qualys, told El Reg: “Bacs is critical to almost all businesses in the UK, and the organisation’s move to support only the latest versions of TLS and SSL makes a lot of sense. For companies that rely on Bacs, this shift should not have too much impact on them, but it is worth checking that your service provider or payment systems support SHA-2 SSL certificates and the TLS 1.1 / 1.2 standards. If they currently don’t support these standards, then ask about how they intend to support these standards before the Bacs cut-off date of 13th June 2016.”
“If you use the online services provided by Bacs, then your web browser and apps should also support SHA-2 – the most recent versions of IE, Chrome, Firefox and Safari all include this as default. For companies running older versions of IE, changes may be necessary in order to add support,” he added. ®