If you do, then this information will directly affect you sooner than you may think. A world-wide internet security upgrade is happening and for those operating websites and dealing with payments over the internet, who haven’t yet upgraded their security certificates, time is fast running out.
By early next year, it’s likely that a failure to upgrade will result in internet browsers not displaying information properly on your website. End-users will receive security warnings indicating that non-upgraded sites may no longer be secure.
Essentially, this translates to a statement that your site may not be trustworthy. If this happens to your business, you may lose trade, as many end-users will not continue to navigate through your site or proceed with a payment transaction. Visitors to your site may also ring up to talk to your helpdesk or customer service, which will cause an additional unnecessary business disruption.
Critically, there are also changes occurring to the Bacs system which mean that if you haven’t upgraded by 19 September 2016, you won’t be able to use the payment systems in your business.
What internet security changes am I talking about?
I’m talking about websites, browsers and operating systems having the right security certification, so that users know whether they are safe to enter and browse the site, or whether a site carries risks because the right certification is not in place.
Usually, the first that we as visitors know about whether a site has the right security certification is a pop-up warning from our web browser advising us not to proceed further, because the site does not hold up-to-date security certification.
Until recently for many websites, providing visitors to the site with confidence that they are safe to navigate through that site meant having what’s called a valid SHA-1 SSL/TLS 1.0 certification in place. This digital certification confirms (amongst other things) that the website holding it ensures secure or encrypted communications between that website’s server and the end user’s internet browser. It’s the way the site safely ‘talks’ to the end-user’s system, authenticating the identities of both parties to the communication, without anyone else being able to know what that communication contains. This is especially relevant where end-users are giving payment details or personal information to an online business during a transaction.
How does certification work?
These digital certificates are issued by entities generally called ‘certificate authorities’. Across the world, these are independent authorities whose role is to confirm/validate information about a website server. They can be governments or designated private companies.
There is no central body that administers certificate authorities in the UK. A number of different designated businesses are authorised to issue the certification in the UK. They must fulfil certain prescribed criteria, set by each browser and operating system, to be eligible to provide a certification service. Often the longer a certificate authority has been trading successfully, the more trust is given to the certificates it issues.
When a website applies for a basic SSL certificate, the relevant certificate authority will usually do a website domain name validation check. If this checks out as valid and confirms the applicant’s right to use the domain, the certificate authority will digitally “sign” the certificate, in essence creating a unique code. The browser then indicates this to visitors with a padlock icon in its status bar alongside the “https://” prefix.
There are different types of SSL certificates, with more advanced options available, providing end-users with even greater confidence in the site. For example, an advanced certificate, such as an EV SSL certificate, is subject to more extensive checks on the website and its owner by the certificate authority. This might be sought by a website owner who handles a lot of payment transactions and/or customer information, as part of its online business activities. EV SSL certificates are usually evident showing a green bar and a padlock in the browser’s address bar.
For a new website, the process to obtain a standard certificate usually takes 1 day, while an Extended Validation (EV) SSL certificate typically takes 1 – 7 days.
What’s caused the change?
Over recent years, the big players in the internet industry, including Microsoft and Google, have been pushing hard for a global security change from the old certification system to a new and improved one, called SHA-2 TLS (1.1/1.2).
The driver for this upgrade has been increasing industry and government concern that the existing standard of security has become vulnerable to ever more sophisticated methods of hacking and internet corruption. This upgrade initiative is actively supported by the publishers of SHA-2, the National Institute of Standards and Technology (NIST), the US government agency that sets the standards for internet security best practice in the States.
Interestingly, as far as I can determine this initiative appears to have no clear legislative force, even in the US.
As far as legislation in Europe is concerned, on 19 July 2016 the European Commission adopted a position mandating the harmonisation of the rules on cyber security across EU member states. These new rules are yet to be fleshed out in any detail, but they will set a minimum standard for network and information systems security on websites, browsers and online operating systems to help prevent cyber attacks. It is anticipated that this minimum level will include an SHA-2 certification standard.
EU member states (currently including the UK) are legally obliged within the next few months to appoint a designated authority, to adopt a national strategy to deal with cyber threats and to implement these new rules once they are finalised.
Some essential service suppliers including energy, transport, health and banking operators will be particularly affected by these new rules, as well as any digital service suppliers, for example online marketplaces and cloud computing operators. Keep an eye on our blog as we’ll regularly give updates on developments as they emerge.
How’s the change being brought into effect?
Long before any new EU or UK rules are fleshed out and given legal force, web browsers such as Google Chrome, Microsoft Edge and Mozilla Firefox are already effectively forcing through this upgrade to SHA-2 by systematically withdrawing support for SHA-1 certificates. Many of you may already have received pop-up notifications when you open your browsers, indicating that your browser will shortly require an upgrade if you haven’t already upgraded.
These key web browsers collectively communicated an intended timescale for phasing out the old SHA-1 certification, and most certificate authorities will stop issuing new SHA-1 certificates this year.
It appears, for the time being at least, that browser vendors such as Google, with Chrome, are sticking with their original published date of 1 January 2017, after which they will stop supporting SHA-1 certificates.
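The practical question behind the certification process described earlier and the browser phase-out described here is simply “which algorithm signed my certificate?” The Python below is an added example for this post (it is not code from the original, from Bacs, or from any browser or certificate authority): it reads the signatureAlgorithm field out of an X.509 certificate’s DER encoding and flags SHA-1. The `check_host` helper fetches a live server’s leaf certificate with the standard library; the `make_sample_cert` helper builds constructed, certificate-shaped skeletons (not real certificates) so the parser can be exercised offline. All function names are this example’s own.

```python
import ssl

# Signature-algorithm OIDs (from the PKIX RFCs) mapped to their usual names.
SIG_ALGS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Turn the content bytes of an OBJECT IDENTIFIER into dotted form."""
    parts = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # a clear high bit ends this arc
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)


def signature_algorithm(der):
    """Return the name (or raw OID) of the algorithm used to sign a DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue },
    so the algorithm is the second element of the outer SEQUENCE.
    """
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, start)            # skip tbsCertificate
    _, alg_start, _ = _read_tlv(der, tbs_end)        # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    oid = _decode_oid(der[oid_start:oid_end])
    return SIG_ALGS.get(oid, oid)


def is_sha1_signed(der):
    """True if the certificate's signature uses SHA-1 (the case browsers are retiring)."""
    return "SHA1" in signature_algorithm(der).upper()


def check_host(host, port=443):
    """Fetch a live server's leaf certificate and report its signature algorithm.

    Only the leaf is fetched; intermediates in the chain must be checked separately.
    """
    pem = ssl.get_server_certificate((host, port))
    return signature_algorithm(ssl.PEM_cert_to_DER_cert(pem))


# --- constructed test data: a certificate-shaped skeleton, not a real certificate ---

def _tlv(tag, body):
    """Encode a DER tag-length-value, using the long-form length when needed."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def _encode_oid(dotted):
    """Encode a dotted OID into its DER content bytes (base-128 arcs)."""
    parts = [int(p) for p in dotted.split(".")]
    out = [parts[0] * 40 + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out.extend(chunk)
    return bytes(out)


def make_sample_cert(sig_oid, tbs_padding=0):
    """Build a minimal Certificate-shaped SEQUENCE nominally signed with sig_oid.

    The tbsCertificate is a placeholder holding only a serial number, optionally padded
    so that long-form DER lengths get exercised; the signature bytes are dummy values.
    """
    tbs_body = _tlv(0x02, b"\x01")                   # serialNumber INTEGER 1
    if tbs_padding:
        tbs_body += _tlv(0x04, b"\x00" * tbs_padding)
    tbs = _tlv(0x30, tbs_body)
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # OID + NULL params
    sig = _tlv(0x03, b"\x00" + b"\xAA" * 16)         # BIT STRING holding a dummy signature
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        cert = make_sample_cert(oid)
        print(signature_algorithm(cert), "- SHA-1 signed:", is_sha1_signed(cert))
```

Run against a real site with `check_host("example.invalid")` (substitute your own domain); a result containing SHA1 means a replacement certificate is needed. Because the browser deprecation applies to every certificate in the chain below the trusted root, the intermediate certificate your authority supplied should be put through `signature_algorithm` as well, not just the leaf.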
Why should you care? Because your ability to use Bacs transactions is also affected
Well, aside from ensuring that your website is not alerting your visitors to a security risk if they continue to browse or conduct transactions on your site, there is another highly important reason to pay attention to this upgrade initiative – and this may involve a much more immediate course of action on your part.
If you use Bacs to make payments or to collect Direct Debit payments for your business, then unless your browser and operating system are upgraded to the new security standard, you won’t be able to use the Bacs system as part of your site functionality.
Bacs claim that this is an unavoidable decision for them: they have to react and adapt to new developments in cyber security in order to protect their users as much as their own company. Considering the vast number of transactions that they process every day, this can’t be a surprising position. To put this into context, on Thursday 28 April 2016, they processed a staggering 103.7 million payments during a 15.5 hour processing window.
Thousands of small businesses use the Bacs Direct Debit payment system to meet their payment commitments, not just to honour online sales but also, for example, to pay staff and suppliers and to collect Direct Debits, all of which are transactions they action via website, browser and operating systems.
Crucially also, change is literally just around the corner. So you have a very short time to get your systems upgraded before Bacs becomes inaccessible to you.
When will the Bacs changes happen?
The new deadline has been set by Bacs for 19 September 2016. If you haven’t updated your software system by then, you will be locked out of Bacs and unable to process any transactions.
Bacs has indicated (in no uncertain terms) that they will not allow any further extension for compliance after this date and they (quite lawfully) hold all the cards here.
Is your business ready? If not, then we’d suggest swift action to avoid having to deal with unhappy employees, customers or suppliers and other nasty problems down the line.
Full details on exactly what you need to do right now can be found here.
You're on our blog and updates site, which is hosted by elXtr. elXtr is a digital hub powered by the lawyers at LHS Solicitors LLP.
A deadline for businesses to make sure they were compatible with new payment security measures has been extended after around 1,000 companies failed to take the necessary action. These businesses risked being unable to pay staff and suppliers, forcing Bacs Payment Schemes Limited (Bacs) to step in and give them a grace period in order to make sure they can meet their payment commitments. The new deadline has been set as 19 September 2016.