Managing Your Cash Flow
How to avoid getting caught out by the Bacs TLS switchover in June
7 min read
03 May 2016
With technology, regulation and compliance advancing at such a rapid pace, it's important that companies keep abreast of any change that is likely to impact business and, notably, the ability to process payments – both inbound and outbound.
One such imminent change, affecting the internet globally and with a rapidly approaching deadline, is the retirement of the Secure Sockets Layer (SSL) protocol in favour of Transport Layer Security (TLS). The switchover goes live at 07:00 BST on 13 June, and it will affect any business that uses the Bacstel-IP service, commonly known as ‘Bacs’, for payments.
Whether directly or indirectly over 150,000 businesses in the UK rely on Bacs to pay employees and suppliers. It is also the payment method of choice for other applications such as pension payments, employee expenses, insurance settlements, dividends and refunds. Businesses that have not checked with suppliers and switched over by the deadline risk not being able to make payments.
What’s the switchover all about?
The switchover is not unique to the payments industry: any organisation that relies on secure internet connections will need to make the same upgrade. Across the internet and technology community, vendors are working together to migrate away from SHA-1 (Secure Hash Algorithm 1), the hash function used to sign the first generation of internet security certificates.
SHA-1 is over 20 years old and cryptanalysis has shown it to be weaker than its 160-bit output suggests: a collision (two different inputs with the same hash) can be found with far less work than the 2^80 operations the design was meant to require. With increasing computing power, there is tangible concern that third parties, such as criminal organisations, could turn that weakness into a practical forgery within the next five to ten years. To address this, the internet and technology communities are moving to certificates signed with the SHA-2 family of hash functions (SHA-256 is the member used in practice). For Bacstel-IP this means two things after the deadline: the service will accept only current Transport Layer Security (TLS) protocol versions, and it will present server digital certificates signed with SHA-256. Together these secure the connection between your payment software and Bacstel-IP, so a client that cannot negotiate a current TLS version and validate a SHA-256 certificate will fail at the handshake.
SHA-2 has no known practical attack and a far larger security margin, so data protected with it is expected to remain uneconomical for criminals to compromise for the next 20–30 years; this change should therefore last for some time. If your business currently uses Bacstel-IP to process staff, supplier or customer payments or to collect Direct Debits, you will need to take action.
Read on to find out what will happen if you don’t take action.
What happens if I don’t take action?
If you use a Bacstel-IP approved software solution to submit your payments and you don’t take action, your business will not be able to process a Bacs payment or collection after 13 June 2016. Bacs has been clear that the onus is on businesses to ensure they are up to date and compliant with the new security protocols.
Over the past year, Bacs has told its users and the payments industry that 13 June is the absolute deadline, after which only TLS-compliant solutions will be able to send payments through the Bacs system. Most Bacs solution providers, including ourselves, have proactively contacted customers to inform them of the change. This has been done via regular webinars, events, newsletters, emails, social media and blogs, and all customers have been contacted by phone. Because of the complexity of the systems behind Bacs, a same-day fix is not an option, and we advise businesses that have not yet upgraded to a Bacs solution that supports TLS to take action urgently.
How many businesses are impacted?
Over 20,000 organisations are thought to send payments directly to Bacs for processing. Although Bacs solution providers and Bacs itself have sent communications to all of these users, those that have not updated their contact details, are using unsupported products to connect to Bacs, or have not acted on the advice could find themselves unable to make payments after the deadline.
How do I find out if I’m compliant?
For those that haven’t already taken action, the first step is to talk to your Bacs solution provider, who can confirm whether the version you are running negotiates TLS and validates SHA-256 server certificates when it connects to the service. If you use a bureau to send files to Bacs on your behalf, for payroll for example, it is worth confirming with them that their solution is compliant too.
Exactly what needs to be upgraded?
In many cases an update or migration to a later product version will be available to you to enable payments over TLS. Where this isn’t possible, or you wish to insulate yourself from further disruptive changes in the future, a popular option is to move to a cloud payments solution. There are additional considerations in the migration: the software does not do the TLS handshake on its own but relies on the operating system’s or browser’s TLS stack, and older operating systems and browsers do not support the newer TLS versions or SHA-2 certificate validation. Organisations may therefore need to upgrade those as well in order to keep submitting files to Bacstel-IP and to access the Bacs Payment Services Website.
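To see concretely what "not able to process a payment after the deadline" looks like at the protocol level, here is an added example (written for this page, not Bottomline’s or Bacs’s own code, and nothing here talks to the real Bacstel-IP service). It stands up a loopback server configured the way the article describes the post-switchover service: it accepts TLS 1.2 or later and presents a SHA-256-signed server certificate. A client pinned to TLS 1.0, standing in for an un-upgraded installation, is refused at the handshake; a TLS 1.2 client connects and can read the certificate’s signature algorithm. The hostname `bacstel-ip.test` and the self-signed certificate are constructed test material.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Result records what a legacy (TLS 1.0-only) client and a current (TLS 1.2)
// client each get from a server that only accepts TLS 1.2+ and presents a
// SHA-256-signed certificate, as Bacstel-IP does after the switchover.
type Result struct {
	LegacyErr  string // non-empty: the TLS 1.0 client was refused
	Negotiated string // protocol agreed with the TLS 1.2 client
	CertSigAlg string // signature algorithm on the server certificate
}

// newSHA256Cert builds a throwaway self-signed RSA certificate signed with
// SHA-256. Constructed test material for this example, not a Bacs certificate.
func newSHA256Cert(host string) (tls.Certificate, *x509.CertPool, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: host},
		DNSNames:           []string{host},
		NotBefore:          time.Now().Add(-time.Hour),
		NotAfter:           time.Now().Add(time.Hour),
		KeyUsage:           x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:        []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		SignatureAlgorithm: x509.SHA256WithRSA, // the SHA-2 signature the switchover requires
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // self-signed, so the leaf doubles as the trust anchor
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// probe connects with a client pinned to exactly one protocol version and
// reports the negotiated version and the server certificate's signature algorithm.
func probe(addr, host string, roots *x509.CertPool, version uint16) (string, string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		RootCAs: roots, ServerName: host, MinVersion: version, MaxVersion: version,
	})
	if err != nil {
		return "", "", err
	}
	defer conn.Close()
	st := conn.ConnectionState()
	return versionName(st.Version), st.PeerCertificates[0].SignatureAlgorithm.String(), nil
}

func versionName(v uint16) string {
	switch v {
	case tls.VersionTLS10:
		return "TLS 1.0"
	case tls.VersionTLS11:
		return "TLS 1.1"
	case tls.VersionTLS12:
		return "TLS 1.2"
	case tls.VersionTLS13:
		return "TLS 1.3"
	}
	return fmt.Sprintf("0x%04x", v)
}

// RunDemo starts a loopback server that accepts TLS 1.2+ only, then probes it
// first as a legacy TLS 1.0 client and then as a TLS 1.2 client.
func RunDemo() (Result, error) {
	const host = "bacstel-ip.test" // hypothetical name, not the real service endpoint
	cert, roots, err := newSHA256Cert(host)
	if err != nil {
		return Result{}, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12, // older clients are refused during the handshake
	})
	if err != nil {
		return Result{}, err
	}
	defer ln.Close()
	go func() { // serve handshakes until the listener is closed
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) { c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	var r Result
	if _, _, err := probe(ln.Addr().String(), host, roots, tls.VersionTLS10); err != nil {
		r.LegacyErr = err.Error()
	}
	r.Negotiated, r.CertSigAlg, err = probe(ln.Addr().String(), host, roots, tls.VersionTLS12)
	return r, err
}

func main() {
	r, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("TLS 1.0 client: refused (%s)\nTLS 1.2 client: %s, server cert signed with %s\n",
		r.LegacyErr, r.Negotiated, r.CertSigAlg)
}
```

The legacy client fails before any payment file is sent, which is why the article warns that a same-day fix is not possible: the failure is in the TLS stack the payment software runs on, not in the file format. Against a real endpoint the same check is what your solution provider is confirming when they say a version is "TLS compliant".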
Ed Adshead-Grant is general manager of payments at Bottomline Technologies.