Bacs TLS and SHA-2 Security Updates

The deadline is getting ever closer... you'll need to upgrade unless your software supports the new security standard.

With the recent high-profile data breaches in the UK impacting millions of customers, from TalkTalk to British Gas amongst others, security is in the spotlight for many organisations - particularly those in the payments sector.

To ensure customer data is transferred and stored safely, and to counteract the increasingly sophisticated online threats, the internet community is adopting new, more secure protocols and standards to offer a more advanced level of security from January 2017.

Secure internet sites will be moved from SHA-1 SSL certificates to SHA-2 SSL certificates, a standard designed by the National Institute of Standards and Technology (NIST). As a result, over the next year, major browsers will stop supporting SHA-1 SSL certificates, meaning that all secure websites will need to upgrade to SHA-2 certificates to avoid being blocked. In turn, this means that anyone running outdated browsers and operating systems will need to upgrade in order to support the new SHA-2 certificate format that will soon be widespread.

Changes to Bacs payments and collections

Following on from the changes to all secure sites, Bacs has taken the decision to upgrade their security around the communications pipeline between Bacstel IP/the Payment Services Website and the service user. Bacs will be making this change on the 13th June 2016, 6 months before the general deadline to switch over. This is to avoid any interruption when the internet community switches off the old security measures on the 31st December, and to ensure a smooth migration.

Any software that communicates with Bacs will therefore need to be upgraded to meet these standards by the June 13th deadline.

What does this mean for you?

This depends on whether you are a direct submitter to Bacs, use the payment services website and/or submit via a bureau.

  • Direct submitters need to check with their Bacs Approved Software Solution (BASS) provider to see if their software needs to be upgraded. This may result in additional costs.
  • Payment services website users need to check with their IT provider that their browser and operating system support SHA-2 certificates and TLS 1.1/1.2 by June 13th 2016. A guide to browsers and operating systems supported can be found here.
  • Bureau submitters will need to check that their bureau are aware of the 13th June 2016 deadline and ensure their Bacs Approved Software Solution (BASS) supports SHA-2 SSL certificates and TLS 1.1/1.2. A list of all the bureaus can be found here.

How much will this cost you in fees and time?

In an age where technology is getting more powerful, cheaper and easier to access, it’s frustrating for businesses to have to worry about this level of technical detail, particularly when this involves a significant cost to the organisation both in admin and in new software.

However, depending on the solution you use to submit your payments to Bacs, the time and cost to your business could be zero. There are Direct Debit solutions available which manage any upgrade requirements from Bacs in the background, allowing you to focus your valuable resource on your business.

How does it impact GoCardless customers?

To put it simply - it doesn’t.

As well as already supporting SHA-2 SSL certificates and TLS 1.1/1.2, GoCardless handles all the communication with Bacs on behalf of their customers so they don’t even need to think about any connectivity changes. These Bacs changes will therefore have absolutely no impact on GoCardless customers and there will certainly be no additional charges or overhead costs.

We take pride in building the best Direct Debit solution for our customers to take the pain out of getting paid. Our mission is to enable you to focus on growing your business safe in the knowledge that your payments are being collected and reported on in the most secure, efficient and cost-effective way.

If you have concerns about how the above changes could impact your current way of collecting payments please get in touch. We’d love to share how easy it is for you to collect recurring payments in a secure, elegant and future-proofed way.
