BACS extends payments security deadline for small businesses
Payment panic over until September as BACS pushes back the deadline for compliance with new security requirements
BACS, the UK banking industry payments organisation, has pushed back its deadline for organisations to comply with new security standards.
The decision was taken as this Monday's deadline loomed, with potentially thousands of small and medium-sized businesses still not compliant. They now have until 19 September to comply.
Failure to comply would have meant that the organisations would not have been able to make payments to suppliers and staff - meaning that payrolls this month might not have been met for tens of thousands of people.
BACS uprated its security standards following the discovery of critical flaws in old SSL certificates going back to the 1990s, which until recently remained in widespread use. BACS had set a deadline of 13 June for organisations to adopt SHA-256 SSL certificates in order to secure the connections they use to make payments.
However, the organisation believes that "around 1,000" organisations "failed to take the necessary action". It has given them an extra three months to sort themselves out.
"We have been telling businesses about these changes for well over a year, and we're really disappointed that some haven't taken us seriously. This is the last chance for them to do so - if they don't make the necessary upgrades by the new deadline, they won't be able to use BACS to pay staff or their suppliers; they'll have to make other arrangements," said BACS' director of scheme support and development Mike Hutchinson.
The security upgrades demanded by BACS are part of a global shift to phase out the obsolete encryption technology and introduce SHA-256 SSL in its place by the end of the year.
"At that stage, all organisations needing to communicate securely with users across the internet and via extranets will be impacted. BACS is making the change early to avoid any last minute issues when the existing SHA-1 certificates are switched off," it warned.
At the same time, BACS is withdrawing support for older connection protocols to provide even more protection, with only TLS 1.1 and 1.2 supported after the deadline.
"Businesses choosing not to adopt compatible software upgrades, and an operating system that will support the changes, will have to make alternative arrangements to pay staff and suppliers after 19 September," it added.