Mandated Changes To Bacs – TLS And SHA-2 Updates
Richard Ransom – Payments Product Marketing Manager EMEA
Bacs, security, and mandated changes – a history lesson
• What is changing and why?
– SSL to TLS:
– SHA-1 to SHA-2:
• What is the impact on Bacs Service Users
• TLS and SHA mandated change timeline
• Capacity Crunch
What other changes should I be looking out for?
• Bacs Service User Compliance
• SEPA deadlines for the non-eurozone countries in the SEPA Area
• Revised Directive on Payment Services (PSD2)
Agenda
Bacs Timeline: 1968 to 2006
• 1968: BACS begins (as Interbank Computer Bureau)
• 1983: BACSTEL introduced: dial-up modem connections
• 1992: BACSTEL: start of mass take-up by corporates
• 1995: SHA-1 created
• 1996: SSLv3 created
• 1998: BACS stops accepting magnetic tape
• 2003: Bacstel-IP opens for business using PKI and SHA-1
• 31st December 2005: Bacstel ends
Bacs Timeline – 2007 to 2020
• April 2006: TLS 1.1 introduced
• 2007: BACS becomes Bacs
• 2008: Banks end use of HST and start using ETS and STS
• August 2008: TLS 1.2 introduced
• 2009: Faster Payments DCA introduced (Secure-IP)
• 2011: HMRC Real Time Information announced
• 2013: RTI migration planned completion
• 2014: Microsoft end of life for XP
• September 2015: HMRC ends SSL connections
• June 2016: Bacs ends SSL connections
• 2020: SHA-1 no longer accepted by Bacs
What’s TLS?
• TLS (Transport Layer Security) secures the connection between:
– Your software and Bacs
– Your browser and the Bacs Payment Services website
• It replaces Secure Sockets Layer currently used by Bacstel-IP
Why Is The Change Needed?
• SSL v3 is old – designed in 1996
• It has recently been shown to be vulnerable to attacks that break the protection of the connection (e.g. POODLE)
• Browser and operating system vendors are dropping default support for SSL because of this
What’s SHA?
• SHA-2 (Secure Hash Algorithm) replaces SHA-1 and is:
– A calculation used when data is verified and sent to Bacs
– Used to determine that data has not been tampered with
– Used to add security when you log in to the Payment Services Website
Why Is The Change Needed?
• SHA-1 is old – designed in 1995
• Its security relies on it being computationally hard to calculate a ‘collision’ (two different inputs with the same hash)
• With increasing computing power, calculating collisions is likely to become economical within the next 5-10 years
– Moving to SHA-2 makes it uneconomic for the next 20-30 years
How your communications to Bacs are impacted… What needs to be ready for June 2016?
• Your browser for accessing Bacs Payment Services, via a TLS 1.1/1.2 connection, to the Bacs Payment Services Website
– Requires a SHA-2 capable browser*: Internet Explorer 11, Chrome 26 onwards, Firefox 27 onwards, Safari 7 onwards
– * Supported without need for configuration
• Your Bacs software, via a TLS 1.1/1.2 connection, to Bacstel-IP
– SHA-1* certificate (* until your bank issues you a SHA-2 certificate – starting 2017)
– Server install: Windows 2008 R2; Desktop install: Windows 7
1. TLS and SHA-2 are not supported on all operating systems and browsers, so organisations will need to upgrade these to be able to continue to submit files to Bacs, and to access the Payment Services Website.
2. TLS will replace SSL for connecting to Bacs by June 2016, and the software you are using to connect to Bacs may not be compatible with the changes, so you will need to check with your supplier.
3. The banks will start to issue new smartcards and certificates for your Hardware Security Module (HSM) from June next year that will be compatible with SHA-2.
4. If you send files to Bacs via a bureau, it will be worth speaking to them about the compatibility of the solution they use.
What are the impacts for users of the Bacs service
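As an added example covering both the TLS and the SHA-2 points above (example code written for this transcript, not Bacs or Bottomline tooling): a Python readiness check that reads the text printed by `openssl s_client -connect host:port` and `openssl x509 -text -noout` and reports whether the connection negotiated TLS 1.1/1.2 rather than SSL and whether the certificate is signed with a SHA-2 hash rather than SHA-1. The OpenSSL outputs below are constructed samples in the shape OpenSSL prints, not captures from Bacs.

```python
"""Readiness check for the two Bacs changes in this deck: the connection must
negotiate TLS 1.1/1.2 rather than SSL, and the certificate must be signed with
a SHA-2 hash rather than SHA-1. Input is the text that `openssl s_client` and
`openssl x509 -text -noout` print (added example, not Bacs tooling)."""
import re

ACCEPTED_PROTOCOLS = {"TLSv1.1", "TLSv1.2"}  # what Bacs accepts from June 2016


def negotiated_protocol(s_client_output):
    """Return the value of the 'Protocol  : ...' line from s_client, or None."""
    m = re.search(r"^\s*Protocol\s*:\s*(\S+)", s_client_output, re.MULTILINE)
    return m.group(1) if m else None


def signature_hash_family(x509_text):
    """Classify the certificate's 'Signature Algorithm' as SHA-2, SHA-1 or unknown."""
    m = re.search(r"Signature Algorithm:\s*(\S+)", x509_text)
    if not m:
        return "unknown"
    alg = m.group(1).lower()  # e.g. sha256withrsaencryption, ecdsa-with-sha256
    if re.search(r"sha(224|256|384|512)", alg):
        return "SHA-2"
    if re.search(r"sha-?1(?!\d)", alg):
        return "SHA-1"
    return "unknown"


def readiness(s_client_output, x509_text):
    """Combine both checks; the connection is ready only when both pass."""
    proto = negotiated_protocol(s_client_output)
    family = signature_hash_family(x509_text)
    return {
        "protocol": proto,
        "protocol_ok": proto in ACCEPTED_PROTOCOLS,
        "signature": family,
        "signature_ok": family == "SHA-2",
        "ready": proto in ACCEPTED_PROTOCOLS and family == "SHA-2",
    }


# Constructed samples in the shape OpenSSL prints (not captured from Bacs).
LEGACY_SESSION = "SSL-Session:\n    Protocol  : SSLv3\n    Cipher    : AES256-SHA\n"
LEGACY_CERT = "    Signature Algorithm: sha1WithRSAEncryption\n"
UPDATED_SESSION = "SSL-Session:\n    Protocol  : TLSv1.2\n    Cipher    : ECDHE-RSA-AES128-GCM-SHA256\n"
UPDATED_CERT = "    Signature Algorithm: sha256WithRSAEncryption\n"

if __name__ == "__main__":
    for label, sess, cert in (("legacy", LEGACY_SESSION, LEGACY_CERT),
                              ("updated", UPDATED_SESSION, UPDATED_CERT)):
        print(label, readiness(sess, cert))
```

Pipe the real output of the two OpenSSL commands into `readiness()` to test a Bacs software host or the Payment Services Website before the June 2016 cut-off.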
Timelines for the changes
TLS v1.2:
• 1st – 12th June: Bacs communications to direct submitters
• July: Bacs communications to indirect submitters
• 1st June 2016: Bacs deadline for removal of SSL
SHA-2 and Bacs Smart Cards / HSMs:
• Jan 2017: Current browser versions stop accepting SSLv3 SHA1 certs
• Jan 2017: Banks begin issuing SHA-2 cards & HSM certificates
• TBC: Bacs accept SHA-2 digests
• TBC: Bacs SHA-2 digest test service availability
• 2020: All certificates SHA-2
10,000+ organisations need to update Bacs solutions
9 Months to go
Update now to ensure you can choose when you update
“Capacity Crunch” – Do Not Leave It Too Late
For More Information
Visit our website:
http://www.bottomline.eu.com/TLS-SHA-2-updates.html
What are my product update options?
http://bottomline.eu.com/upgrade-advisor/
Join our LinkedIn group:
https://www.linkedin.com/grp/home?gid=8340720&trk=my_groups-tile-grp
• SHA-2 and TLS changes to Bacs are happening by June 2016
• You will need to be using a TLS 1.1 or above compliant Bacs
solution to send your payments to Bacs before June 2016
• You will need to be using a SHA-1 / TLS 1.1 or above compliant
Browser to access Payment Services Website before June 2016
• Do not leave it until the last minute
Summary
Compliance Update – What Else Is Happening?
Richard Ransom – Payments Product Marketing Manager EMEA
Bacs Service User Compliance
• Current Account Switch Service (CASS)
– CASS relies on Bacs service users downloading and processing their Bacs ‘A’ reports.
– In July 2015: 18,000 Service User Numbers had a redirected payment that should have been pointed at a switched account
– 25% of the largest users of Bacs by volume are responsible for 30% of Non-compliance
• Ensure you collect and process your Bacs reports
• When calling non-compliant users, Bacs found large numbers of ‘Primary Security Contacts’ had moved on
• If the smart cards in your organisations are not used by the people they were issued to – change them
Bacs And Service User Compliance
SEPA Deadlines
Who Is Affected By SEPA And When?
Who’s affected – SEPA migration end date:
• Organisations (including UK groups) with accounts or operations in the eurozone making euro payments and/or DDs: 1 August 2014
• Organisations with accounts only in the UK and/or non-eurozone countries for making euro payments: 31 October 2016
• Organisations with accounts only in the UK and/or non-eurozone countries for making euro DD collections from eurozone accounts: 1 August 2014
SEPA Mandatory End Date: 1 August 2014
• EU Parliament Regulation 260/2012: mandatory migration to SEPA instruments in 19 eurozone and 15 non-eurozone countries by 1 Aug 2014
PSD2
The PSD2 is a new directive from the European Commission:
• Following the first PSD in 2007, which gave us SEPA
• To introduce more competition in the European financial services market
• Introduces the concept of organisations acting as Third Party Processors (TPP) to connect you to your European banks
• Through an Application Programming Interface the TPP will be able to offer:
– Payment Initiation Services (PIS): check your bank balance, launch a payment
– Account Information Services (AIS): provide balances and transactions
…without you having to log into your bank
What Is Payment Services Directive 2?
Questions?
Powering and Protecting your Payments
Customer Conference 2015
Thank You!
Learn More Online:
http://www.bottomline.co.uk
For more information,
please contact: