Highlights
- BACS processes 60 million transactions on peak days
- nCipher secures PKI keys critical to secure online transactions
"The nShield devices have been easy to integrate into the new PKI and provide the resilience and scalability that will be critical as users migrate to BACSTEL-IP over the next two years."

NewBACS will be one of the largest PKI networks in Europe
BACS, one of the world’s largest and most established automated clearing houses, is still at the heart of the UK payments industry. With over 100,000 UK business customers including all of the FTSE 100, most people's salaries that get paid directly into their bank accounts pass through the BACS payment submission network. With the growing number of direct debit and direct credit payments, BACS processes more than 3.7 billion financial transactions a year. On a peak day it will handle some 60 million payments.
Owned by the major UK clearing banks and building societies, BACS is one of the world's leading and most successful organisations providing secure electronic funds transfer.
BACS is now undertaking a major technology renewal programme called NewBACS that is designed to meet the rapidly growing demand for even more efficient electronic payment services. The NewBACS programme will be introduced in four phases, the first of which includes upgrading the existing BACSTEL telecoms network and replacing it with sophisticated and proven Internet-based technologies called BACSTEL-IP. The BACSTEL-IP system is based on Internet protocols and uses an advanced PKI (public key infrastructure) to provide the highest levels of security. This important upgrade will be not only more secure but also faster and more efficient. It will also give businesses greater control of the payment process, with the ability to track payments and update records online. For example, transaction reports, returned payment and payment message advice will be available within a few hours - instead of the next day.
This success is largely based on BACS’ ability to maximise technology for the benefit of banks, businesses and consumers. For the last 19 years, financial payments made through BACS have been processed through BACSTEL, a direct telecommunications link typically accessed from the paying business, bank or bureau via a stand-alone PC specifically configured with BACSTEL x.25-recognized software. With the upgrade to BACSTEL-IP, businesses can integrate this more standard technology with their other systems to allow integration of business processes and usability. As well, businesses connecting to BACS can either continue to use dialup modems or higher speed connections such as ISDN, from any PC.
With the move from a private telecoms network to shared IP networks, including the Internet, security becomes a critical issue. BACSTEL-IP, in providing an application for PKI-enabled businesses and in offering critical mass on deployment, represents a major endorsement for PKI security technology. In fact BACSTEL-IP will be one of the largest applications for PKI in Europe.
The BACSTEL-IP, at its core, is a trust network allowing secure exchange of information between banks, their customers and BACS. To prove identity and prevent fraud, banks will issue digital certificates on smart cards to their customers enabling them to digitally sign documents and transactions and to provide a mechanism for BACS to prove the identity of individual customers and establish their legitimacy to make transactions. The use of a digital signature proves the authenticity of the transaction from the sender and also guarantees that the data exchanged has not been modified or tampered with.
All of these functions and the entire trust infrastructure rely on the integrity and secrecy of the private cryptographic keys used to issue certificates and encrypt information. Therefore, the storage and management of these keys is critical to the system’s overall security. If the keys are compromised there is the potential for large-scale fraud and confidence in the system would be damaged. That is why BACS has selected nCipher nShield HSMs (hardware security modules) to provide a secure and tamper-resistant hardware environment to store and manage the keys used to secure the PKI application provided by BACSTEL-IP.
The nShield devices are validated to the Federal Information Processing Standard (FIPS) 140 Level 3 that is the de-facto security standard required by the online financial services industries. Unlike software-based solutions where the keys are stored and managed on the server and can be easily stolen, keys used to sign messages and encrypt private information never leave the hardware modules unencrypted and are not vulnerable to attack. In addition to providing high levels of security, the nShield devices are able to accelerate the process of validating digital certificates and signing outgoing data, a process that could otherwise be a system bottleneck.
Unlike most standard PKIs, the BACSTEL-IP infrastructure effectively integrates a number of separate PKIs run by the individual banks, which issue their own digital certificates from different Certification Authorities. BACSTEL-IP provides a unique, real-time validation process for cross-trust schemes by using OCSP (Online Certificate Status Protocol) request-responder technology. The OCSP validation server uses keys stored and managed in the nCipher HSM. Each device is capable of validating up to 400 transactions per second – that will be important as BACS users migrate to BACSTEL-IP and transaction volumes increase. When fully up and running the BACSTEL-IP system will be able to process in excess of 60 million financial transactions in any single day.
The flexibility provided by this approach also means that the BACSTEL-IP network integrates with the Identrus Trust Network, the digital identity authentication platform set up by leading international banks to secure B2B e-commerce for financial institutions and their customers. Because BACSTEL-IP recognizes both Identrus-issued certificates, as well as individual banks’ own certificates, BACS Member banks will be able to choose an appropriate trust services strategy without it impacting on how they or their customers access BACS.
“Protection of the keys underpins the integrity of the new BACSTEL-IP network and the nCipher HSMs provide the best combination of hardware security, key management capabilities and performance,” said Tim Lambertstock, Technology Strategy Manager at BACS. “The nShield devices have been easy to integrate into the new PKI and provide the resilience and scalability that will be critical as users migrate to BACSTEL-IP over the next two years.”
“BACS' decision to choose the nShield HSMs further reinforces nCipher’s position in the electronic payments and PKI markets,” said Colin Bastable, VP international sales at nCipher. “In addition to our long list of banking and financial services customers, nCipher is already an Identrus compliant solution provider and we are working closely with Visa and Mastercard to drive forward new secure online payment initiatives.”
“BACSTEL-IP provides major improvements for our business customers giving them greater security and control,” said Martin Wilson, NewBACS programme director. “Three quarters of BACS customers have already indicated that they plan to switch to BACSTEL-IP as soon as they are able to and we expect NewBACS to become the industry standard for secure financial transactions in the UK.”
Eight nCipher nShield devices have been deployed at two BACS centres to provide 100% failsafe facilities. Rollout and migration to the BACSTEL-IP service started in October 2002 and aims to have all BACS customers using the new Internet-based service by 2005.
About BACS
BACS Limited is one of the world's largest automated clearing houses. Established in 1968, BACS is owned by the UK’s major banks and building societies. BACS' business encompasses the Electronic Funds Transfer (EFT) processing of Direct Debit, Direct Credit, Standing Order, information advices and the management of inter-bank network services. Over 100,000 companies are currently registered users of the BACS service, including all of the FTSE 100.
BACS processes over 3.7 billion financial transactions annually with more than 60 million on a peak day. On an average day, more than 13 million Direct Debits and Direct Credits are processed. The use of BACS products and services has revolutionised the payments industry and enables more companies than ever to realise the benefits of making automated payments, including cost effectiveness, reliability, convenience and ease of use. For more information on BACS visit www.bacs.co.uk.
About nCipher
nCipher is redefining cryptographic security to protect points of risk across the enterprise – from network appliances to Web servers, to custom software applications and back-end databases. nCipher provides hardware and software solutions that enable organizations to implement best practice security by addressing the challenges of cryptographic key management and performance. Many of the world's leading organizations – from Microsoft and Barclays Bank to PricewaterhouseCoopers and the U.S. Navy – rely on nCipher to deliver a sound e-security infrastructure. nCipher's products are particularly well suited to organizations with high volumes of security-sensitive transactions, such as banking and financial institutions, government departments, e-retailers and online service providers. nCipher is listed on the London Stock Exchange as a TechMARK 100 company (LSE:NCH) with offices in Cambridge, UK; Boston, Seattle, Paris, Hamburg, Singapore and Tokyo. For more information on nCipher, visit www.ncipher.com.