What is SHA-2?
SHA (Secure Hash Algorithm) is a component of a security certificate used by a web browser to ensure the security of the data it is sending and receiving. The current SHA-1 hashing algorithm is used to sign digital certificates for an online exchange of information; it is part of what enables Global Payments to process “internet” payments for our merchant customers.
SHA-2 is a family of hashing algorithms that are mandated to replace the SHA-1 algorithm. SHA-2 features a higher level of security than its SHA-1 predecessor, and was designed through the U.S. National Institute of Standards and Technology (NIST) and the U.S. National Security Agency (NSA).
This mandate is required for all Internet activity; impacts millions of POS applications and websites of all types; and is not limited to payment processing.
How does this Affect Me?
Merchants who utilize an IP (online) connection to accept payments must be SHA-2 ready prior October 2016. Merchants who have not made this security upgrade will lose the ability to process IP transactions beginning in November 2016, if their software application cannot navigate the SHA-2 security certificate or dial backup capabilities are not available. This mandate is required for all Internet activity and is not limited to payment processing.The November 2016 date is driven by Internet browser companies, including Google, Microsoft, Mozilla and others who have announced they will end support for all SHA-1 security certificates on or before January 1, 2017. Therefore, Global Payments is encouraging all customers to make the necessary updates well in advance of this date.
Merchants’ Frequently Asked Questions
Why is this change happening?
As with many security features the standards can become exploitable and need to be replaced by more robust and secure standards. To ensure that security is maintained, this industry wide change is for the internet community, which is moving away from the existing security certificates SHA-1 and SSL protocol and replacing these with new SHA-2 certificates and TLS1.1 or higher protocol. This important change features higher levels of security than its predecessor.
I’m also hearing a lot about TLS – what is it?
Transport Layer Security 1.2 (TLS 1.2) is a newer and more advanced secure protocol that replaces the SSL (Secure Socket Layer) and early TLS (v1.0) protocols currently in place. TLS 1.2 is used to establish a secure communications channel system-to-system and to protect the confidentiality and integrity of information that passes between the systems.
What are the deadlines to make the changes for SHA-2 and TLS1.2?
The deadline for SHA-2 upgrades is December 31, 2016 per the NIST and NSA mandate. However, said changes must be made in Global Payments environment prior to the holidays, and changes are recommended well in advance of this date due to the possibility the browser providers will cease support of SHA-1 certificates prior to the mandate. Therefore, merchants must make modifications prior to October 2016. The deadline for TLS1.2 upgrade is prior to June 30, 2018.
What if I don’t want to make any changes?
Merchants who do not comply with the SHA-2 and TLS 1.2 security upgrades will not be able to accept payments through an online connection as of October 2016 and June 2018 respectively. Prevent potential negative impact to your business and upgrade now!
Where can I get more information on SHA-2 and TLS1.2?
Further information on these required security upgrades can be found on the below websites.
Why do I need to make changes now, if the industry has set deadlines in 2017?
As a leader in the payments technology industry, Global Payments is proactively assisting merchants who need to make this change to help guard against any potential disruption to their businesses once the previously accepted security measures are no longer compatible.