What is SHA-2?
SHA (Secure Hash Algorithm) is a component of a security certificate used by a web browser to ensure the security of the data it is sending and receiving. The current SHA-1 hashing algorithm is used to sign digital certificates for an online exchange of information; it is part of what enables Global Payments to process “internet” payments for our merchant customers.
SHA-2 is a family of hashing algorithms that are mandated to replace the SHA-1 algorithm. SHA-2 features a higher level of security than its SHA-1 predecessor, and was designed through
the U.S. National Institute of Standards and Technology (NIST) and the U.S. National Security Agency (NSA).
This mandate is required for all Internet activity; impacts millions of POS applications and websites of all types; and is not limited to payment processing.The November 2016 date is driven by Internet browser companies, including Google, Microsoft, Mozilla and others who have announced they will end support for all SHA-1 security certificates on or before January 1, 2017. Therefore, Global Payments is encouraging all customers to make the necessary well in advance of this date.
How does this Affect My Business?
Merchants who utilizing an IP (online) connection to accept payments must be SHA-2 ready prior October 2016. Merchants who have not made this security upgrade will lose the ability to process IP transactions beginning in November 2016, if their software application cannot navigate the SHA-2 security certificate or dial backup capabilities are not available. This mandate is required for all Internet activity and is not limited to payment processing.
Therefore, VARs need to review all prior and current software applications to determine if said application(s) are SHA-2 capable; then test application(s) against Global Payment’s Certification environment.
For applications which are not SHA-2 capable and will not be remediated to support SHA-2, VARs are to notify Global Payments and all merchants who are using the application(s) and are therefore impacted. Additionally, VARs are requested to provide Global Payments and all impacted merchants with the appropriate software version(s) merchants must implement to prevent IP processing failures in October 2016.
What assistance is Global Payments providing VARs and developers?
To continually offer the latest technology and to enable PCI DSS compliance for our customers, Global Payments will work proactively with VARs and developers in the coming months to ensure your merchant customers have the ability to receive the required update in encryption protocols and HTTPS security certificate handling.
Further, Global Payments is discontinuing support of SHA-1 Certifications in our environments and will:
- Discontinue support of SHA-1 Certificates in our partner integrator development sandbox (TEST gateway) as of May 2016.
- Require all applications currently in certification and all new or enhanced applications to support SHA-2 Certificates as of May 2016.
- Remove and discontinue support of SHA-1 Certificates and related processing from its Production environment as of October 2016.
- Discontinue support of SSL v3.0, TLS v1.0, TLS v1.1, and related cipher suites in our partner integrator sandbox (TEST gateway) at a future date to be communicated via separate bulletin in the coming months.
- Require all applications currently in certification and all new or enhanced applications to support TLS v1.2 and approved TLS 1.2 cipher suites at a future date to be communicated via separate bulletin in the coming months.
- Remove SSL v3.0, TLS v1.0, TLS v1.1, and related cipher suites from its Production environments prior to April 2018; official date will be communicated via separate bulletin at a future date in the coming months.
What is the VAR or developer’s role in SHA-2 implementation?
VARs should consider all forms of outreach to alert their merchants about the change, i.e. direct mailing, outbound call campaigns, messaging through distributers or software partners, etc. Please use your organization’s internal information tools and processes to communicate with the end merchants.
Note: If any software or code changes are needed to accommodate SHA-2, those updates must be made available to merchants for installation in their sites well in advance of October 2016.
What support is Global Payments giving our customers (merchants) for SHA-2?
Merchants have and will continue to receive communications about the migration from SHA-1 to SHA-2 certificates. In these communications, merchants are encouraged to contact their software providers / vendors to determine if their specific application version in use supports SHA-2 certificates; and where applicable, to obtain revised software from their VARs/Vendors well in advance in October 2016. As of Communications to merchants includes notices on merchant statements; statement stuffers and messaging on our merchant-facing portals.
Where can I get more information on SHA-2 and TLS 1.2?
Further information on these required security upgrades can be found on the below websites :