How to avoid getting caught out by the Bacs TLS switchover in June

Ed Adshead-Grant, General Manager, Payments at Bottomline Technologies

A new security protocol

With technology, regulation and compliance advancing at such a rapid pace, it's important that businesses keep abreast of any change that is likely to impact their business and, notably, their ability to process payments – both inbound and outbound.

One such imminent initiative, impacting the internet globally and with a rapidly approaching deadline, is the replacement of the Secure Sockets Layer (SSL) security protocol with Transport Layer Security (TLS). The switchover will go live from 07:00 BST on June 13th, and it will impact any business that uses the Bacstel-IP service, commonly known as ‘Bacs’, for its payments.

Whether directly or indirectly, over 150,000[i] businesses in the UK rely on Bacs to pay their employees and suppliers. It is also the payment method of choice for other applications such as pension payments, employee expenses, insurance settlements, dividends and refunds.

Businesses that have not checked with their supplier and switched over by the deadline risk not being able to make payments.

What’s the switchover all about?

The switchover is not unique to the payments industry, and other organisations that rely on secure internet connections will also need to upgrade. Across the internet and technology community, vendors are working together to migrate away from the earlier SHA-1 (Secure Hash Algorithm) standards and certificates of first-generation internet security.

SHA-1 is over 20 years old, and recent analysis has found it to be theoretically weaker than expected. With increasing computing power, there is tangible concern that third parties, such as criminal organisations, could exploit weaknesses in the next 5 – 10 years. To address this, the internet and technology communities are moving to internet security protocols that use the SHA-2 (also known as SHA256) standard.

For Bacstel-IP, this means supporting only the latest Transport Layer Security (TLS) standards and newer server digital certificates after the deadline. This is what secures the connection made between your payment software and Bacstel-IP.

SHA-2 is an exponentially more secure standard, making it uneconomical for criminals to compromise any data protected with this algorithm for the next 20 – 30 years. Therefore, this change is likely to last for some time.

If your business is currently using Bacstel-IP to process staff, supplier or customer payments or to collect Direct Debits, then you will need to take action.

What happens if I don’t take action?

If you use a Bacstel-IP approved software solution to submit your payments and you don't take action, your business will not be able to process a Bacs payment or collection after 13th June 2016. Bacs has been clear that the onus is on businesses to ensure they are up to date and compliant with the new security protocols.

In the past year, Bacs has communicated to its users and to the payments industry that 13th June is the absolute deadline, after which only TLS-compliant solutions will be able to send payments using the Bacs system. Most Bacs solution providers, including ourselves, have proactively contacted customers to inform them of the change. This has been done via regular webinars, events, newsletters, emails, social media and blogs, and all customers have been contacted by phone.

Due to the complexity of the systems behind Bacs, a same-day fix is not an option, and we advise businesses that have not yet upgraded to a Bacs solution that supports TLS to take action urgently.

How many businesses are impacted?

Over 20,000 organisations are thought to send their payments directly to Bacs for processing. Whilst Bacs solution providers and Bacs have sent communications to all of these users, those that have not updated their contact details, are using unsupported products to connect to Bacs, or have not acted on the advice could be at risk of not being able to make payments after the deadline.

How do I find out if I’m compliant?

For those that haven’t already taken action, the first thing to do is always to talk to your Bacs solution provider, who can confirm whether you are using a TLS-compliant solution to connect to the service. If you use a bureau to send files to Bacs on your behalf, for payroll for example, it is worth confirming with them that their solution is compliant.

Exactly what needs to be upgraded?

In many cases there will be an update or migration to a later product version that will be available to you to enable payments over TLS. Where this isn’t possible, or you wish to insulate yourself from further disruptive changes in the future, a popular option is to look at a cloud payments solution.

There are additional considerations in the migration, as TLS and SHA-2 are not supported on old operating systems and browsers, so organisations may need to upgrade these in order to continue submitting files to Bacstel-IP and to access the Bacs Payment Services Website.

For more information talk to your Bacs solution provider and view additional information at:

or

[i]