Never one to shy away from even the MOST ARCANE areas of payments… There is a firestorm in payments encryption right now. SHA-1 is a hashing function (securing data for a counterparty without the use of public/private keys) that has long since been sunsetted by Microsoft, Google and others as “too weak” and “easily cracked”. Unfortunately, hundreds of thousands of payment terminals rely on this technology, and these terminals rely on root servers to validate the certificates. Mozilla and others had planned to sunset support for SHA-1 within their root CA servers, but then had BANKS like Worldpay beg them for another extension, as thousands of merchant POS terminals would stop working instantly.
- Feb 2016 – Security Magazine
- Worldpay SHA-1 Feb 2015
- Google puts security first – will block SHA-1 in 2016
The sunsetting of SHA-1 is over 5 years old… and no one took action? My retailer friends have been on the receiving end of poor security press 99% of the time. This is the first time that banks (acquirers) have been caught with their “back door open” and the press is abuzz.