Mandated Changes To Bacs – TLS And SHA-2 Updates

Richard Ransom – Payments Product Marketing Manager EMEA

Agenda

Bacs, security, and mandated changes – a history lesson

• What is changing and why?
– SSL to TLS:
– SHA-1 to SHA-2:
• What is the impact on Bacs Service Users
• TLS and SHA mandated change timeline
• Capacity Crunch

What other changes should I be looking out for?

• Bacs Service User Compliance
• SEPA deadlines for the non-eurozone countries in the SEPA Area
• Revised Directive on Payment Services (PSD2)

Bacs Timeline: 1968 to 2006

• 1968: BACS begins (as Interbank Computer Bureau)
• 1983: BACSTEL introduced: Dial-up modem connections
• 1992: BACSTEL: start of mass take up by corporates
• 1995: SHA-1 created
• 1996: SSLv3 created
• 1998: BACS stops accepting Magnetic Tape
• 2003: Bacstel-IP opens for business using PKI and SHA-1
• 2005: 31st December 2005: Bacstel ends

Bacs Timeline – 2007 to 2020

• 2007: BACS becomes Bacs
• 2008: Banks end use of HST and start using ETS and STS
• 2011: HMRC Real Time Information announced
• 2013: RTI migration planned completion
• 2014: Microsoft End of Life XP
• 2015: HMRC ends SSL connections (September)
• 2016: Bacs ends SSL connections (June)
• 2020: SHA-1 no longer accepted by Bacs

Also marked on the timeline:

• 2006: April – TLS 1.1 introduced
• August – TLS 1.2 introduced
• 2009: Faster Payments DCA introduced (Secure-IP)

What’s TLS?

• TLS (Transport Layer Security) secures the connection between:
– Your software and Bacs
– Your browser and the Bacs Payment Services website
• It replaces Secure Sockets Layer (SSL), currently used by Bacstel-IP

Why Is The Change Needed?

• SSL v3 is old – designed in 1996
• It has recently become more vulnerable to having the connection broken (e.g. POODLE)
• Browser and operating system makers are ending support for SSL by default because of this

What’s SHA?

• SHA-2 (Secure Hashing Algorithm) replaces SHA-1 and is:
– A calculation used when data is verified and sent to Bacs
– Used to determine that data has not been tampered with
– Used to add security when you log in to the Payment Services Website

Why Is The Change Needed?

• SHA-1 is old – designed in 1995
• Its security relies on it being computationally hard to calculate a ‘collision’
• With increasing computing power, it is likely to become economical to calculate collisions in the next 5-10 years
– Moving to SHA-2 makes it uneconomic for the next 20-30 years

How your communications to Bacs are impacted… What needs to be ready for June 2016?

[Diagram: Your Browser for accessing Bacs Payment Services connects to the Bacs Payment Services Website, and Your Bacs Software connects to Bacstel-IP, each over a TLS 1.1/1.2 Connection. Diagram labels: SHA-2; SHA-1*]

Browser*
• Internet Explorer 11
• Chrome 26 onwards
• Firefox 27 onwards
• Safari 7 onwards

Server Install
• Windows 2008 R2

Desktop Install
• Windows 7

* Supported without need for configuration
* Until your bank issues you a SHA-2 certificate – starting 2017

What are the impacts for users of the Bacs service

1. TLS and SHA-2 are not supported on all operating systems and browsers, so organisations will need to upgrade these to be able to continue to submit files to Bacs, and to access the Payment Services Website.

2. TLS will replace SSL for connecting to Bacs by June 2016, and the software you are using to connect to Bacs may not be compatible with the changes, so you will need to check with your supplier.

3. The banks will start to issue new smartcards and certificates for your Hardware Secure Module or HSM from June next year that will be compatible with SHA-2.

4. If you send files to Bacs via a bureau, it will be worth speaking to them about the compatibility of the solution they use.
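
Added example (not part of the original slides and not Bacs or supplier code): one way to find which of your own machines would be cut off by the change is to audit outbound connection logs against the two requirements above, TLS 1.1 or above now and a SHA-2 certificate once your bank issues one. The log format, host names, field names and action labels below are assumptions constructed for illustration.

```python
import re

# Constructed sample: outbound proxy log in a hypothetical key=value format.
SAMPLE_LOG = """\
2016-03-01T09:00:02Z host=payroll-01 app=bacs-software proto=SSLv3 cert_sig=sha1WithRSAEncryption
2016-03-01T09:05:17Z host=finance-02 app=bacs-software proto=TLSv1.2 cert_sig=sha1WithRSAEncryption
2016-03-01T09:07:41Z host=finance-03 app=browser proto=TLSv1.1 cert_sig=sha256WithRSAEncryption
2016-03-01T09:09:10Z host=legacy-04 app=browser proto=TLSv1 cert_sig=sha1WithRSAEncryption
2016-03-01T09:12:55Z host=payroll-01 app=bacs-software proto=SSLv3 cert_sig=sha1WithRSAEncryption
truncated line with no fields
"""

# Protocol versions in ascending order; the slides require TLS 1.1 or above.
PROTO_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3, "TLSv1.2": 4}
MIN_PROTO = "TLSv1.1"
FIELD = re.compile(r"(\w+)=(\S+)")


def audit(log_text):
    """Return ({host: sorted actions}, number of unparseable lines)."""
    findings, skipped = {}, 0
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if not {"host", "proto", "cert_sig"} <= fields.keys():
            skipped += 1  # count bad lines rather than silently dropping them
            continue
        actions = findings.setdefault(fields["host"], set())
        rank = PROTO_RANK.get(fields["proto"])
        if rank is None:
            actions.add("unknown-protocol")
        elif rank < PROTO_RANK[MIN_PROTO]:
            actions.add("upgrade-tls-before-june-2016")
        # SHA-1 certificates remain in use until the bank issues a SHA-2 one,
        # so this is tracked separately from the TLS deadline.
        if fields["cert_sig"].lower().startswith("sha1"):
            actions.add("await-sha2-certificate")
    return {h: sorted(a) for h, a in findings.items()}, skipped


def blockers(report):
    """Hosts that would fail to connect once SSL is removed."""
    return sorted(h for h, a in report.items()
                  if "upgrade-tls-before-june-2016" in a or "unknown-protocol" in a)


if __name__ == "__main__":
    report, skipped = audit(SAMPLE_LOG)
    for host, actions in sorted(report.items()):
        print(host, actions or ["ready"])
    print("blockers:", blockers(report), "skipped lines:", skipped)
```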

Timelines for the changes

[Timeline with two tracks: TLS v1.2; SHA-2 and Bacs Smart Cards / HSMs]

• 1st – 12th June: Bacs communications to direct submitters
• July: Bacs communications to indirect submitters
• 1st June 2016: Bacs deadline for removal of SSL
• Jan 2017: Current browser versions stop accepting SSLv3 SHA1 certs
• Jan 2017: Banks begin issuing SHA-2 cards & HSM certificates
• 2020: All certificates SHA-2
• TBC: Bacs accept SHA-2 digests
• TBC: Bacs SHA-2 digest test service availability

“Capacity Crunch” – Do Not Leave It Too Late

• 10,000+ organisations need to update Bacs solutions
• 9 Months to go
• Update now to ensure you can choose when you update

For More Information

Visit our website:
http://www.bottomline.eu.com/TLS-SHA-2-updates.html

What are my product update options?
http://bottomline.eu.com/upgrade-advisor/

Join our LinkedIn group:
https://www.linkedin.com/grp/home?gid=8340720&trk=my_groups-tile-grp

Summary

• SHA-2 and TLS changes to Bacs are happening by June 2016
• You will need to be using a TLS 1.1 or above compliant Bacs solution to send your payments to Bacs before June 2016
• You will need to be using a SHA-1 / TLS 1.1 or above compliant Browser to access Payment Services Website before June 2016
• Do not leave it until the last minute

Compliance Update – What Else Is Happening?

Richard Ransom – Payments Product Marketing Manager EMEA

Bacs Service User Compliance

Bacs And Service User Compliance

• Current Account Switch Service (CASS)
– CASS relies on Bacs service users downloading and processing their Bacs ‘A’ reports.
– In July 2015: 18,000 Service User Numbers had a redirected payment that should have been pointed at a switched account
– 25% of the largest users of Bacs by volume are responsible for 30% of non-compliance
• Ensure you collect and process your Bacs reports
• When calling non-compliant users, Bacs found large numbers of ‘Primary Security Contacts’ had moved on
• If the smart cards in your organisations are not used by the people they were issued to – change them

SEPA Deadlines

Who Is Affected By SEPA And When?

Who’s affected? (Examples), with SEPA migration end date:

• Organisations (including UK groups) with accounts or operations in eurozone making euro payments and / or DDs: 1 August 2014
• Organisations with accounts only in UK and / or non-eurozone countries for making euro payments: 31 October 2016
• Organisations with accounts only in UK and / or non-eurozone countries for making euro DD collections from eurozone accounts: 1 August 2014

SEPA Mandatory End Date: 1 August 2014

EU Parliament Regulation 260/2012: Mandatory migration to SEPA instruments: 19 Eurozone and 15 non Eurozone countries

PSD2

What Is Payment Services Directive 2?

The PSD2 is a new directive from the European Commission,

• Following the first PSD in 2007 which gave us SEPA
• To introduce more competition in the European Financial Services market
• Introduces the concept of organisations acting as Third Party Processors (TPP) to connect you to your European banks
• Through an Application Programming Interface the TPP will be able to offer:
– Payment Initiation Services (PIS): Check your bank balance, launch a payment
– Account Information Services (AIS): Provide balances and transactions

…without you having to log into your bank

Questions?

Powering and Protecting your Payments

Customer Conference 2015

Thank You!

Learn More Online:

http://www.bottomline.co.uk

For more information, please contact: