How To Navigate Changes In Internet Payments




Many businesses and consumers could find themselves locked out of secure payment websites if they don’t make changes to their Internet security in the next 2 weeks!


Internet security is changing. As a VPN user, you are already taking one of the most effective measures to protect yourself from a variety of Internet crimes, ranging from credit card fraud to full-on identity theft. But Internet security runs much deeper, into the very code and algorithms used to process payments or make direct deposits.


As of now, Secure Hash Algorithm-1 SSL, also commonly referred to as SHA-1, protects almost all secure Internet sites. First introduced in 1996, SHA-1 was considered the top end of Internet security for almost 20 years. Recently, however, SHA-1 has been reclassified as vulnerable to a variety of different types of advanced cyber attacks, putting all of your online or in-person transactions at risk.


What is SHA-256 SSL?


The next level of Internet security will be created by the evolutionary successor to SHA-1, SHA-256 SSL. SHA-256 SSL has been designed and tested by the National Institute of Standards and Technology (NIST) and has recently been adopted by both Microsoft and Google. This adoption by Microsoft and Google, 2 of the 3 most important technology companies on Earth (with Apple soon to follow), is being seen as a sign that the rest of the Internet community will adopt SHA-256 SSL as well.


The role of Bacs Payment Schemes Limited


At the same time, Bacs Payment Schemes Limited (Bacs), one of the world’s largest direct credit services, which allows organizations to make payments directly into another bank account, has publicly stated that it will be phasing out all sites and users who don’t upgrade to SHA-256.


The deadline


According to Bacs, starting June 13th 2016, they will no longer support older versions of Internet security and will only service sites and users who are using TLS 1.1 or 1.2.


This could affect millions of users in the United Kingdom alone who use Bacs for payroll, recurring charges or to make bank transfers.


This could affect you personally if your employer uses Bacs to pay direct deposits or if you have any charges that are set to direct debit. Beyond needing to upgrade the web browser and operating system and to use a Bacs-approved software solution designed to handle these upgrades, any company that uses Payment Services Websites to collect payments will also need to upgrade its IT to handle the new changes.


If a company decides not to upgrade its system, it will be unable to access ANY secure services. While it is unknown exactly how many companies and organizations use Bacs, it is estimated that there are over 150,000 in the UK alone, with many others being run on their Vocalink network. In 2014 alone, Bacs processed over 5.8 billion transactions worth more than 4.4 trillion pounds, including 3.6 billion direct debits.


To its credit, Bacs has been explaining the need for these changes, and letting users know that things will be changing, since 2015.


The UK will be going first, since Bacs is key to its entire financial infrastructure, but a global shakeup of Internet security technology, starting with the adoption of SHA-256, is expected to happen in early 2017.


Because businesses will need to check that their operating system and Internet browser will work with these improved security measures, businesses that utilize VPNs and other security measures may be left out in the cold. The hard deadline of June 13th 2016 means that, in order to access Bacs services, companies may have to move away from VPNs, and users making secure payments may have to as well. The changes will affect direct submission as well as collecting and reporting data.


The one sliver of good news is that Mac users may be OK, as the most at-risk operating systems have been revealed to be Windows 2000, Windows XP and Windows Vista.


Smartcards and signing solutions


The final aspect of security that will be affected by these SHA-256 SSL updates is smartcards and signing solutions.


While smartcards have been commonplace in Europe and Asia for almost 20 years, dating back to the initial version of SHA-1, they have only recently made their way to America. The upgrade to SHA-256 means that banks will now have to update their cards and signing solutions (those pads you electronically sign your name on, and e-signature programs). UK banks have already announced that your existing cards and signing solutions will work until at least June 13th, but there has not been any word as to when they will start sending out new cards or signing solutions. This could lead to the unfortunate situation of thousands of cards and signing solutions not working between June 13th and whenever the new cards and solutions are delivered.


Internet security is a deep and wide-ranging issue. While we mostly focus this blog on the VPN-related elements of security, it’s important to also understand the overall meta changes to Internet security that will affect your life. One example of these kinds of security upgrades was the widespread release of debit and credit cards with security chips. While that change may have been somewhat inconvenient, the switch to SHA-256 has the potential to have life-altering consequences if your business, employer or bank doesn’t make the required changes (or mail you the required cards or signing solutions in time). It’s important to remember that even if you don’t live in the UK, where the Bacs solutions will first be implemented starting in a little over two weeks, these changes are being adopted by the Internet community as a whole and will be the rule rather than the exception early next year. Overall, the switch to SHA-256 should lead to a more secure Internet with less credit card fraud overall. But it will probably be a bumpy ride, so expect these changes to happen and affect you, your employer and your bank in the next 6-12 months.