BACS and direct debits: Are UK treasurers ready for security changes?


For any UK business that sends and receives payments over the internet – which in today’s digital world will be near enough all of them – the security of those payments is always a top priority.

That’s why the majority will use the Bacs (formerly Bankers’ Automated Clearing Services) system to process payments such as payroll and collect direct debits, as it is a scheme that is controlled and protected through strict levels of security.

However, it’s a timely moment to mention that the UK payments sector is undergoing major changes which all businesses should be aware of. In just five months’ time, the payment industry and internet community will be upgrading their security – to SHA-256 and TLS 1.1/TLS 1.2 respectively – to protect payment files from potential outside interference and threats.

What is SHA-256?
SHA-256, an acronym for Secure Hash Algorithm, is a piece of software that is brand new to the payments scene. This extremely sophisticated method of internet security is now being adopted by the likes of Google, Microsoft, and the majority of the internet community. Replacing the old SHA-1 software, SHA-256 has several security benefits:
• SHA-256 ensures that data files have not been tampered with or changed by external sources.
• It does this by using a single line of verifiable code, which takes the form of a digital signature.
• It is much stronger than SHA-1 from a cryptographic point of view or, in layman’s terms, it uses a secret coded language to ensure no one can read it. This means that it can be attacked again and again and still puts up a much stronger defence than SHA-1.

What is TLS 1.1/TLS 1.2?
TLS stands for Transport Layer Security, and is used to create a secure connection both between the company’s internet browser and the Bacs Payment Services website, and between its payment software and Bacs.
UK treasurers may already be familiar with a piece of technology called Secure Sockets Layer, better known as SSL, which provides protection when payments are being made through the internet. Essentially TLS 1.1 and TLS 1.2 will replace SSL, which is becoming more vulnerable to external threats.

What does this mean for Bacs users?

In June 2016, the security updates outlined above will come into effect. Should the finance or treasury department’s computer operating system, internet browser or the software used to make payments no longer be compatible, then the company will not be able to collect direct debits or make payments to suppliers or staff.

So it is incredibly important that businesses take steps to ensure that they are still protected. For the majority of people, who will use operating systems such as Windows or browsers such as Google Chrome, the updates will be taken care of for them by Google or Microsoft.

However, some checks will need to be done on the part of all financial professionals to ensure that the company’s Bacs-approved software is compatible with the new updates. This can simply take the form of a check by the user with their provider; for users of a cloud-based direct debit system, for example, the update may take place automatically. However, this will not be the case for everyone.

What comes next?

Businesses have five months to ensure that they have everything in order and should take the following steps:

If you are a direct submitter into the Bacs system:
Speak to your IT Helpdesk to understand if you need to upgrade your IT infrastructure as TLS and SHA-2 are not supported on all computer operating systems and browsers. Also ensure your Bacs software is compliant with the new security protocols.

If you are an indirect submitter:
It is strongly advised that you check that your bureau has implemented these new security protocols. Anyone who retrieves their Bacs messages from the payment services website should check to see if their operating systems and browsers are compatible.
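
For the IT Helpdesk conversation above, here is one way to run a first compatibility check on a workstation. This is an added example, not code from Bacs or any software provider. It assumes Python 3 is installed and only tests the TLS and hashing library that Python itself uses, so the browser and the Bacs-approved software still need confirming with their suppliers. The function names and the placeholder hostname are illustrative.

```python
import hashlib
import socket
import ssl


def local_readiness():
    """Check what this machine's Python/OpenSSL build supports."""
    report = {
        "openssl": ssl.OPENSSL_VERSION,
        "tls_1_1": ssl.HAS_TLSv1_1,
        "tls_1_2": ssl.HAS_TLSv1_2,
        "sha256": "sha256" in hashlib.algorithms_available,
    }
    # TLS 1.2 is the stricter of the two versions named in the article.
    report["ready"] = report["tls_1_2"] and report["sha256"]
    return report


def strict_context():
    """Client context: certificate verified, nothing older than TLS 1.2 accepted."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe(host, port=443, timeout=5.0):
    """Handshake with host and report the negotiated protocol, or why it failed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict_context().wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "version": tls.version(), "cipher": tls.cipher()[0]}
    except OSError as exc:  # includes ssl.SSLError, refused and timed-out connections
        return {"ok": False, "error": f"{type(exc).__name__}: {exc}"}


if __name__ == "__main__":
    for key, value in local_readiness().items():
        print(f"{key:8} {value}")
    # Hypothetical usage: pass the hostname your software provider gives you.
    # print(probe("payments.example.invalid"))
```

A "ready" value of False, or a probe that fails with an SSL error against a server known to require TLS 1.2, points to an operating system or library that needs upgrading before the deadline.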

Given that cashflow is the lifeblood of every business across the world, being unprepared for a payments change like this could cause serious disruption.

