You need to be SHA-2 compliant

We’ve developed a decision tree to help you take the next steps in implementing required security upgrades. These are based on specific terminals, software and equipment in use. If you have any additional questions, please contact us to get specific answers on what’s required for your particular business. 

What is SHA-2 and TLS 1.2?

SHA-2 (Secure Hash Algorithm) is an improved and more secure means of protecting secure internet sites. It replaces SHA-1 and is being adopted by all Internet Service Providers from 1st January 2017. It’s part of what enables us to process card payments for you.

SHA-2 features a higher level of security than its predecessor, and was designed through the US National Institute of Standards and Technology (NIST) and the US National Security Agency (NSA).

TLS 1.2 (Transport Layer Security 1.2) is a newer and more advanced secure protocol. Like the SSL (Secure Sockets Layer) protocol that it’s replacing, TLS 1.2 is used to establish a secure communications channel between computer systems in order to protect the confidentiality and integrity of information that passes between them.

How Does This Affect Me?

This mandate applies to all IP terminals and internet activity, and is not limited to card payment processing.

The 1st January 2017 date is driven by Google, Microsoft, Mozilla and others, who have announced they will end trust for all SHA-1 SSL certificates on this date. 

What Do I Need To Do?

If you rent your terminals* from us, or use Global Iris to accept card payments on the internet, you won’t need to do anything as we’ll automatically update these over the coming months so that they’re compliant with this vital requirement.

If you own your own Point of Sale (PoS) equipment, rent card terminals from a supplier other than us or use a Payment Service Provider (PSP) to accept card payments on the internet, you’ll need to contact your supplier to check that your equipment meets the SHA-2 certification and the TLS 1.2 protocol. If it doesn’t, you’ll need to get your equipment updated with these protocols as soon as possible and by the industry deadlines, at the latest.

*You must keep your terminal plugged in and switched on overnight, and ensure that you complete your end of day, so that we can update the software to ensure it’s compliant. Failure to do this will result in your terminal not having the latest software installed and impact your ability to accept and process card payments.

Frequently Asked Questions

  • SHA-1 to SHA-2 Certification Migration – 31st December 2016
  • SSL3 to TLS 1.2 Protocol Migration – 30th June 2018

Your transactions could be declined if you don’t make these changes. You’ll be unable to accept card payments if your terminal or software can’t access the SHA-2 Certificate / TLS 1.2 protocol or use a dial up connection to connect to us if your IP (Internet Protocol) connection fails.

If you’re still utilizing SSL or an earlier version of TLS as an encryption protocol anywhere within your network, you’ll fail any vulnerability scan required to remain compliant with the Payment Card Industry Data Security Standard (PCI DSS). To pass a scan, you must migrate to a stronger level of cryptography, or justify why the older protocols are still in place with a ‘Risk Mitigation And Migration Plan’. You must work with your Approved Scanning Vendor (ASV) to resolve any highlighted vulnerabilities or ensure an effective plan is in place. If you’re enrolled within Global Fortress, and SecurityMetrics act as your ASV, they’ll help and guide you through the process.

As a leader in the card payments industry, we’re proactively assisting customers who need to make these changes, and helping guard against any potential disruption to their businesses, once the previously accepted security measures are “switched off.”

As with many security features, over time standards can become exploitable and need to be replaced by more robust and secure standards. SHA-1 certificates and the SSL protocol are no longer considered the preferred secure methods of cryptography. To ensure that robust security is maintained, the internet community is mandating broad changes by moving away from the existing SHA-1 security certificates and SSL protocol and replacing these with new SHA-2 certificates and the TLS 1.2 or higher protocol. These important changes feature higher levels of security than their predecessors.