In order to keep you up to date with the latest industry changes, here are a few FAQs about the recent security update.
In the coming months all payment providers are required to upgrade their systems to only allow SHA-2 in order to order to increase their security and keep pace with industry standards. Sage Pay will be making these changes along with other providers.
What is a security certificate?
All secure websites using SSL or TLS connections - pages displaying https or padlocks - need to be issued with a valid SSL security certificate. This allows an incoming browser or server to identify and validate the site's certificate before passing any secure information over the connection.
Browsers usually indicate to the user (shopper or website) that the certificate has been validated successfully (and in this instance issued by DigiCert).
What is SHA?
SHA is otherwise known as "Secure Hash Algorithm" and is the method used during the validation of a websites security certificate. Up until now SHA-1 has been the accepted method of doing this. Developed back in 1995 SHA-1 has been the preferred method of validation. This is also the method that is used by our current security certificate. Now due to the major web browsers withdrawing support for SHA-1 it is being phased out.
SHA-256 or SHA-2 as it is known is the newer more secure version of the algorithm and the preferred method for all security certificates. Over the coming months all browsers will phase out SHA-1 and replace this with SHA-2 (SHA-256). To address this issue, Sage Pay (along with the majority of other payment gateways and online banking web sites) are updating web certificates for all payment pages and forms.
What do I need to do?
Most new versions of the browsers are both SHA-1 and SHA-2 compatible so there isn't any action that is needed if you have an up to date browser. If a customer or website is using an older version of their browser you will need to upgrade to a newer version to avoid any problems.
If you have your own server you may need to speak with your technology teams to upgrade your server set-up and possibly your operating system to ensure you will be unaffected.
What will I see?
Browsers and servers that are not upgraded to SHA-2 run the risk of generating and displaying a security certificate error.
If you do not see these errors your browser or server will be in line with the SHA-2 requirement.