A deadline for businesses to make sure they were compatible with new payment security measures has been extended after around 1,000 UK companies failed to take the necessary action.
These businesses risked being unable to pay staff and suppliers, forcing Bacs Payment Schemes Limited to extend the deadline by three months, from 13 June to 19 September 2016.
Bacs’ Mike Hutchinson said: “We have been telling businesses about these changes for well over a year, and we’re really disappointed that some haven’t taken us seriously. This is the last chance for them to do so – if they don’t make the necessary upgrades by the new deadline, they won’t be able to use Bacs to pay staff or their suppliers; they’ll have to make other arrangements.”
Organisations need to support the latest versions of TLS and SSL before Bacs drops support for obsolete crypto (such as SHA-1 certificates), or they will lose access to vital payment and money transfer services, as a statement by Bacs (extract below) explains.
The security changes – called SHA-256-SSL – are driven by the global internet community, which will adopt these improved security measures at the end of this year. At that stage, all organisations needing to communicate securely with users across the internet and via extranets will be impacted. Bacs is making the change early to avoid any last-minute issues when the existing SHA-1 certificates are switched off. At the same time, the company is withdrawing support for older connection protocols to provide even more protection, with only TLS 1.1 and 1.2 supported after the deadline.
Businesses that choose not to adopt compatible software upgrades, and an operating system that will support the changes, will have to make alternative arrangements to pay staff and suppliers after 19 September. Access to Bacs for security laggards will be blocked after that date. There will be no further deadline extension, Bacs warns.
Wolfgang Kandek, CTO at cloud security firm Qualys, previously told El Reg: “Bacs is critical to almost all businesses in the UK, and the organisation’s move to support only the latest versions of TLS and SSL makes a lot of sense. For companies that rely on Bacs, this shift should not have too much impact on them, but it is worth checking that your service provider or payment systems support SHA-2 SSL certificates and the TLS 1.1 / 1.2 standards.”