LankaPay gets recertified on PCI-DSS to further enhance trust

Thursday, 22 March 2018 00:00

From left: TechSERT Information Security Engineer Anuruddha Hewawasam, LankaClear Network Operation Manager Dhammika Guruge, LankaClear Head of IT Dilantha Samarasinghe, LankaClear DGM IT and Operations Dinuka Perera, SISA Deputy Sales Manager Abjijeet Singh, LankaClear GM/CEO Channa de Silva, SISA Business Development SAARC Balaji E.M., TechSERT Chief Executive Officer Dileepa Lathsara, TechSERT Lead Security Engineer Nalinda Herath, TechSERT Information Security Engineer Priyankara Bandara



LankaClear, the operator of the LankaPay National Payment Network, continued to build on the already established trust among the financial sector by successfully completing the recertification process for the Payment Card Industry Data Security Standard (PCI-DSS), version 3.2. Last year, LankaClear became the first entity in Sri Lanka to obtain this certification, which is an annual audit process adhering to stringent conditions and guidelines. For a payment network, certifying with PCI-DSS is to reach the zenith of international data security standards, and LankaPay has further demonstrated its commitment to adhering to the highest security standards by completing the process once again.

As a safeguard to the payment industry in the face of rising payment card data breaches the world over, the Payment Card Industry Security Standards Council (PCISSC), the governing body of PCI-DSS, was established in 2006 by the world’s leading international card schemes joining together for this effort. PCI-DSS applies to entities that process, store, transmit or access cardholder information for major debit, credit, prepaid, ATM and POS cards. The Standard consists of 12 high-level requirements across six categories. Some or all of the 12 may be applicable to an entity depending on the nature of its business as well as whether or not it stores card data. PCI-DSS certification involves a rigorous and exhaustive audit process that encompasses the entire operation of entities that store, process, or transmit cardholder data. However, any entity that shows consistent commitment to PCI-DSS will prove how seriously it takes the security of its customers’ cardholder data.

“Considering the alarming number of security incidents the world over, which is growing by the day, ensuring data security is of paramount importance to any organisation. Hence, obtaining an internationally acclaimed topmost security standard, such as PCI-DSS, certainly signifies the organisation’s commitment towards minimising security risks against the backdrop of the rising tide of data security breaches. The enormous cultural shift, in terms of people and processes, which our organisation went through to achieve this certification, is a clear testament to the brand promise of LankaPay as ‘The Trusted National Payment Network’. Maintaining this exhaustive international benchmark, by getting recertified, is an ongoing process and the organisation has to be continually vigilant and ready to face any security eventuality,” said LankaClear General Manager/CEO Channa de Silva.

PCI-DSS is not in any way a static standard, but an evolving one based on the continuously changing threat landscape worldwide. Hence, an organisation that achieves certification once cannot be complacent that its recertification is guaranteed at the next annual re-audit. Thus, obtaining the initial certification is only the beginning of a continuous journey and a stringent process where an organisation is subject to quarterly audits and an annual re-audit in order to confirm the recertification process. When an organisation continues to be certified, best security practices become embedded into its culture to maintain the highest level of standards throughout the organisation. Achieving PCI-DSS compliance may seem like an expensive, time-consuming process, but it encourages better security practices and thereby avoids the massive costs associated with major breaches.

Highlighting the importance of maintaining the highest level of security standards, Sri Lanka CERT|CC CEO Lal Dias said, “Cyber-attacks could come in many forms including Distributed Denial of Service (DDoS) attacks, website defacement and unauthorised access to systems etc. These unscrupulous acts are committed by a wide spectrum of individuals and organisations such as fraudsters, terrorist groups and even thrill seekers. As the single trusted source for providing guidance on the latest threats and vulnerabilities affecting computer systems and networks in the country, Sri Lanka CERT|CC understands the importance of adhering to international security standards. For organisations handling payment card related data, achieving such high standards is of paramount importance, and PCI-DSS is the highest available security standard in the payment card industry. Obtaining and getting the annual recertification for PCI-DSS is not an easy task, which requires commitment and dedication from the entire team. I would like to congratulate LankaClear for obtaining PCI-DSS recertification and would like to commend their tireless efforts to provide a secure online payment network in the country.”

LankaPay has been trailblazing and leading the way in driving the country towards a less-cash society by introducing many cutting-edge, technology-based payment services in Sri Lanka. Some of the inter-bank services it provides are Cheque Image and Truncation, inter-bank ATM network, same-day bulk payments, real-time payments, mobile payments and USD clearing etc. The financial sector and the entire banking population utilise its services and depend on the security and the reliability of the national payment network for their daily financial transactions. Therefore, obtaining the PCI-DSS certification provides further assurance on the stability, reliability and trust of the LankaPay national payment network, which serves as the backbone infrastructure of Sri Lanka’s entire banking and financial sector.