What is SHA-2?
SHA (Secure Hash Algorithm) is a component of a security certificate used by a web browser to ensure the security of the data it is sending and receiving. The current SHA-1 hashing algorithm is used to sign digital certificates for an online exchange of information; it is part of what enables Global Payments to process “internet” payments for our merchant customers.
SHA-2 is a family of hashing algorithms that are mandated to replace the SHA-1 algorithm. SHA-2 features a higher level of security than its SHA-1 predecessor, and was designed through the U.S. National Institute of Standards and Technology (NIST) and the U.S. National Security Agency (NSA).
This mandate is required for all Internet activity; impacts millions of POS applications and websites of all types; and is not limited to payment processing. The November 2016 date is driven by Internet browser companies, including Google, Microsoft, Mozilla and others, who have announced they will end support for all SHA-1 security certificates on or before January 1, 2017. Therefore, Global Payments is encouraging all customers to make the necessary upgrades well in advance of this date.
How does this affect my business?
Merchants who utilize an IP (online) connection to accept payments must be SHA-2 ready prior to October 2016. Merchants who have not made this security upgrade will lose the ability to process IP transactions beginning in November 2016 if their software application cannot navigate the SHA-2 security certificate or dial backup capabilities are not available. This mandate is required for all Internet activity and is not limited to payment processing.
How is Global Payments helping ISOs with SHA-2 implementation?
Global Payments began running messages on this topic on all merchant-facing portals in April 2016, including Global Transport, BusinessView and our Developer’s Portal to alert merchants and VARs of the looming change to SHA-2.
In the coming weeks, Global Payments will host VAR-specific webinars that are more technical in nature, to further participants’ understanding of the SHA-2 mandate and the action required from them.
Global Payments also continues to distribute a statement message and stuffer template that can be used with your portfolio, in conjunction with Global Payments’ merchant outreach activities. For more information, please contact your assigned Relationship Manager.
What is the ISO’s role in SHA-2 implementation?
ISOs should reach out to all VARs that their merchants may be engaged with and encourage both parties to take action. ISOs should also reach out to all merchants who are using IP connectivity to ensure that those merchants are also reaching out to their software providers to determine if remediation of their application is needed well in advance of October 2016.
Additionally, ISOs should consider all forms of outreach to alert their merchants about the change, e.g. direct mailing, outbound call campaigns, etc. Please use your organization’s internal information tools and processes to communicate with merchants.
Why is this change happening?
The online security industry is evolving from the existing security certificates, called SHA-1, and replacing those with SHA-2. As a result, merchants must ensure their payment processing terminals, devices, software and equipment will be compatible with the new security requirements in order to accept payments through an online (IP) connection.
Where can I get more information on SHA-2 and TLS 1.2?
Further information on these required security upgrades can be found on the below websites: