2016 Payments Trends – Updates to internet security cause confusion and failures

The fourth item on the list of payments trends for 2016 is not specifically a payments industry issue although it could have a significant impact if not properly managed.

Internet security researchers investigating the strength and robustness of the protocols used to secure communications on the internet have recommended that older protocols, such as SSL (Secure Sockets Layer) and SHA-1 (Secure Hash Algorithm), be replaced by newer standards. This will require users to update operating systems, browsers and networked software on smartphones, tablets, PCs and servers. Already newer browsers are flagging up the old protocols and in some cases are refusing to connect to them. 2016 will be an important year rolling out these upgrades. As an example, Windows XP, already retired and out of support, cannot support these updated protocols and users are being advised to upgrade to more modern operating systems.

How does this affect the payments industry? Many communications rely on internet protocols to secure payment instructions. From consumer card payments using online merchants to corporate-to-bank connections in addition to the links used by automated clearinghouses and  payment networks, many of these rely on secure electronic signatures and encrypted communications. The payments industry has plans in place to ensure all their services use modern protocols. However, because both ends of the link need to support the same standards, any systems which connect to these services will also need to be upgraded. As an example, the latest PCI Data Security Standards have been updated – impacting all systems within the scope.


Another example is the Bacs clearing house in the UK, which operates a service for corporates called Bacstel-IP. Submissions into the Bacs system are protected by both encryption and digital signatures. The secure communication between a payments gateway and Bacs via the internet, currently SSL, will be upgraded to a minimum of TLS 1.1 (Transport Layer Security). Additionally files that are signed and submitted within Bacstel-Ip software are moving to an updated signing standard known as SHA-256 (Secure Hashing Algorithm). Businesses must therefore upgrade all software which connects by June 2016 or risk losing the ability to submit Direct Debit collections, salary and supplier payments. This may involve the installed software and any required components: for hosted or cloud-based services this may require upgrades to browsers and smartcard or “signing” software.

In addition to payment-specific connections, access to online banking systems, such as EBICS, and banking networks should also be considered as part of the upgrade. There is a risk that some businesses and consumers won’t upgrade some components of their systems in time to meet the industry deadlines; these deadlines are closer than for other typical industry migration timelines, such as the three-year timeline for Bacs between 2003 and 2005. Those who don’t update software and browsers as necessary are likely to be unable to access systems.

With hard deadlines and widespread use of Bacs for Direct Debit, Direct Credit and UK Faster Payments, it is likely that at least some payment system users will not be ready. Those who aren’t ready by applicable deadlines will not be able to access services and this will prevent them from making or receiving payments.