Skip to content
Open site navigation sidebar
Go to GoCardless homepage
LoginSign up

Bacs TLS and SHA-2 Security Updates

Written by

Last editedMay 20222 min read

With the recent high profile data breaches in the UK impacting millions of customers, from TalkTalk to British Gas amongst others, security is in the spotlight for many organisations - particularly those in the payments sector.

To ensure customer data is transferred and stored safely, and to counteract the increasingly sophisticated online threats, the internet community is adopting new, more secure protocols and standards to offer a more advanced level of security from January 2017.

Designed by the National Institute of Standards and Technology (NIST), secure internet sites will be moved from SHA-1 SSL to SHA-2 SSL certificates. As a result, over the next year, major browsers will stop supporting SHA-1 SSL certificates, meaning that all secure websites will need to upgrade to SHA-2 certificates to avoid being blocked. In turn, this means that anyone running outdated browsers and operating systems will need to upgrade in order to support the new SHA-2 certificate format that will soon be widespread.

Changes to Bacs payments and collections

Following on from the changes to all secure sites, Bacs has taken the decision to upgrade their security around the communications pipeline between Bacstel IP/the Payment Services Website and the service user. Bacs will be making this change on the 13th June 2016, 6 months before the general deadline to switch over. This is to avoid any interruption when the internet community switches off the old security measures on the 31st December and ensure a smooth migration.

Any software that communicates with Bacs will therefore need to be upgraded to meet these standards by the June 13th deadline.

What does this mean for you?

This depends on whether you are a direct submitter to Bacs, use the payment services website and/or submit via a bureau.

  • Direct submitters


    need to check with their Bacs Approved Software Solution (BASS) provider to see if their software needs to be upgraded. This may result in additional costs.

  • Payment services website users


    need to check with their IT provider that their browser and operating system support SHA-2 certificates and TLS 1.1/1.2 by June 13th 2016. A guide to browsers and operating systems supported



  • Bureau submitters


    will need to check that their bureau are aware of the 13th June 2016 deadline and ensure their Bacs Approved Software Solution (BASS) supports SHA-2 SSL certificates and TLS 1.1/1.2. A list of all the bureaus



How much will this cost you in fees and time?

In an age where technology is getting more powerful, cheaper and easier to access, it’s frustrating for businesses to have to worry about this level of technical detail. Particularly when this involves a significant cost to the organisation both in admin and in new software.

However, depending on the solution you use to submit your payments to Bacs, the time and cost to your business could be zero. There are Direct Debit solutions available which manage any upgrade requirements from Bacs in the background allowing you to focus your valuable resource on your business.

How does it impact GoCardless customers?

To put it simply - it doesn’t.

As well as already supporting SHA-2 SSL certificates and TLS 1.1/1.2, GoCardlesshandles all the communication with Bacs on behalf of their customers so they don’t even need to think about any connectivity changes. These Bacs changes will therefore have absolutely no impact on GoCardless customers and there will certainly be no additional charges or overhead costs.

We take pride in building the best Direct Debit solution for our customers to take the pain out of getting paid. Our mission is to enable you to focus on growing your business safe in the knowledge that your payments are being collected and reported on in the most secure, efficient and cost-effective way.

If you have concerns about how the above changes could impact your current way of collecting payments please get in touch. We’d love to share how easy it is for you to collect recurring payments in a secure, elegant and future-proofed way.

Talk to us about the TLS and SHA-2 upgrade

Our Direct Debit experts are on hand to talk - just call us on 020 8338 9537.

Request A Call Back

Over 85,000 businesses use GoCardless to get paid on time. Learn more about how you can improve payment processing at your business today.

Get StartedLearn More
Interested in automating the way you get paid? GoCardless can help
Interested in automating the way you get paid? GoCardless can help

Interested in automating the way you get paid? GoCardless can help

Contact sales

Try a better way to collect payments, with GoCardless. It's free to get started.

Try a better way to collect payments

Learn moreSign up