[cabfpub] Posted on behalf of customer

Dean Coclin Dean_Coclin at symantec.com
Tue Dec 13 05:40:27 UTC 2016

I have been asked to post this request to the CA/B Forum, and specifically
the browsers, to expedite visibility on behalf of a customer. Responses
should be addressed to the author, cc'd on this note:


First Data is returning to the CA/B Forum to again request an extension of
our SHA-1 certificates.  Over the last year and a half First Data has been
working diligently with our Partners and Clients to convert more than a
million and a half Clients to be able to use SHA-256 certificates.  Our
business has coordinated with its many Bank Partners, Joint Ventures,
Software Vendors, Independent Sales Organizations and Direct Merchants and
we have made incredible progress. This has been accomplished by intense
email and print mail efforts, outbound calling campaigns, software
certifications, proactive delivery of new terminals at no cost to the
Clients and a series of upgrades to servers that have in some cases have
forced Clients to upgrade.  First Data has utilized some of the Forum's
suggestions such as the pulled root solution to alleviate impact and for
Clients that this option works, we are limiting the length of time that this
will apply.  With all of these efforts we have narrowed down the list of
impacted Clients and are making continued best efforts to concentrate on
those most impacted.


Despite these efforts, we are very concerned about the impact of the
December 31 expiration. We believe that approximately 10% of the merchants
utilizing these platforms would not be able to process once our certificates
expire. The December 31 expiration offers little opportunity for us to make
sure that they have upgraded. These next few weeks, Merchants in our
industry are in the busiest and most intense period of the year with the
Holiday season at its peak between now and December 31st.  Software vendors
and Bank Partners not to mention First Data itself is in a period of a
system's freeze that extends into mid-January and for some software changes
are locked down and cannot be made.  With the current expiration of December
31, 2016 there will be significant impact to both Merchants and consumers
alike as they will be unable to purchase goods and services and make returns
from prior purchases not to mention this will have an impact on New Year's
Eve and New Year's Day activities.  


We believe that the disparate approach to First Data's requested extension
compared to the extension through February 9, 2017 that was granted to a
competitor was inappropriate. There was no technical basis for the
distinction. Nonetheless, by granting us a shorter extension the CA/B Forum
is essentially prohibiting those merchants that for whatever reason cannot
readily update to software that can accommodate a SHA-256 certificate from
using the services of First Data or the many banks and other processors that
are clients of First Data, while permitting those merchants to utilize the
services of our competitors.  

By granting First Data less time than it has our competitors, the CA/B Forum
is singling us out, granting to our competitors a critical advantage that it
has denied to First Data. While we (and the Banks and others that utilize
our platforms) have been reaching out to advise those Merchants that rely on
our services as aggressively as we can for some time, the expiration of the
certificates during the peak sales season puts us at a distinct disadvantage
and harms our Merchants. The impact will primarily be on small,
"mom-and-pop" Merchants that are both technically not sophisticated and
which can least afford a disruption to the sales that they rely upon. These
Merchants are much less likely to be responsive to our continued letters and
calls that we make to them during the peak season as they are focusing on
making the sales that they need to carry them through the year. 


Our request is to obtain an extension through February 9, 2017 that will
allow us to complete the conversion with as little disruption to these
businesses, consumers and commerce in general as possible.  There are
processors who are using SHA-1 certificates through May 2017. Singling out
First Data for a December 31 expiration  seem unreasonable given the
incredible progress we have made to date and the progress we feel can be
made after this busiest time of year, we feel it not only fair but prudent.
We welcome the CA/B Forum's response.



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20161213/aaabd0d6/attachment-0002.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5723 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20161213/aaabd0d6/attachment.p7s>

More information about the Public mailing list