Update from SHA-1 to SHA-2
One of the biggest security updates occurring is the update from SHA-1 to SHA-2. Before we get into the details of the transition, first let’s understand what SHA* is and why the update is happening.

The first thing to cover is: DO YOU NEED TO DO THIS? This DOES NOT APPLY TO ANALOG DIAL UP TERMINALS. It is an update required ONLY if you send your data over the Internet. So, all websites and shopping carts have to meet this standard. ALSO, if you use Ethernet connections in your business or your point of sale system, or even if your terminal is connected to a high speed Internet Protocol (IP) connection where you do not have to dial out on every transaction, you DO need to be upgraded to SHA-2. This is something we can help you with, but the actual upgrade may also have to be done by your shopping cart or web hosting company, or your internet provider.
What is SHA?
SHA-1 is “Secure Hash Algorithm 1”. It is a security certificate protocol** used to verify you are who you say you are when you send internet communications. SHA-1 was designed by the United States National Security Agency (NSA) and published as a federal standard in 1995. Hashes are used for digitally signing content for integrity validation and are a part of any digital certificate. Without these hashes, authentication and integrity would be very hard to do, if not impossible.
Why is the update taking place?
SHA is a secure certificate attached to data going over the internet to certify the data sent hasn’t been altered. Due to security breaches in recent years, the way that certificate is generated has been upgraded from SHA-1 to SHA-2.
What is SHA-2?
It was published by the National Institute of Standards and Technology (NIST). SHA-2, like SHA-1, uses an encryption hash. The encryption hash used in SHA-2 is significantly stronger and not subject to the same vulnerabilities as SHA-1. The biggest difference between SHA-1 and SHA-2 is the number of rounds used; other than that, they are virtually identical. Although SHA-2 shares some similarities with SHA-1, it is far more secure and less vulnerable.
How do you update to SHA-2?
Take a look at our quick “How to” guide for SHA-2:

| How do you process your credit cards? | What do you need to do? |
|---|---|
| Using a wireless credit card machine | Call us. We need to update your machine. |
| Using a credit card machine & connecting via a router to the internet | Call us. We need to update your machine. |
| Using a shopping cart on my website | Call your shopping cart provider and/or gateway to ensure you are SHA-2 ready. |
| Using a payment application that runs on my PC | Call your application provider to ensure you are SHA-2 ready. |
| Using a virtual terminal that runs in a browser on my PC | Ensure your browser is updated to a version that is SHA-2 ready, and call the gateway you use to ensure you are SHA-2 ready. |
| Using a credit card machine & connecting via a phone land line – VOIP (Voice Over Internet Protocol) | Call your phone service provider to ensure service is SHA-2 ready. |
| Using a credit card machine & connecting via a phone land line – not Voice Over IP (VOIP) | No action needed. |
What happens if you do not update to SHA-2?
Starting in 2017, Microsoft (Internet Explorer), Google (Chrome) and Mozilla (Firefox) browsers that encounter a SHA-1 certificate will display a security warning, telling the user that the connection is untrusted. In some cases, like Firefox, users may get warnings during 2016.
Essentially anyone using the internet must use SHA-2 or their data will not go through. This is called “going dark”. This affects payments as well as many other applications.
Please take the necessary steps to ensure that you are up-to-date with all the required updates and changes and do not end up “in the dark”. (Internet terminology for not being able to connect to the Internet.)
* SHA stands for Secure Hash Algorithm. It is basically a formula (algorithm) that scrambles (encrypts) data sent from one place to another.
**A protocol is a set of rules between two communication points for the relay of digital information.