LankaClear, which operates the LankaPay Trusted National Payment Network, achieved another gigantic milestone by becoming the first entity in Sri Lanka to obtain Payment Card Industry Data Security Standard (PCI-DSS) version 3.2 certification. The trust that it has built over the years was further boosted by this certification, which is at the zenith of international data security standards in the payment card industry. The PCI-DSS standard is very effective in reducing payment card related breaches, and LankaClear understood the intent behind each requirement and implemented it smoothly with the help of a qualified security assessor (PCI-QSA) in good standing and the commitment of the LankaClear Board and Senior Corporate Management.
As a safeguard to the payment industry in the face of rising payment card data breaches the world over, the Payment Card Industry Security Standards Council (PCI SSC), the governing body of PCI-DSS, was established in 2006 by the world’s leading international card schemes, who joined together for this effort. Accordingly, the founding members of PCI SSC aligned and improved their internal information security mechanisms to come up with a unified information security programme for the payment card industry, which saw the debut of the Payment Card Industry Data Security Standard (PCI-DSS), along with some of the other supporting standards such as PA-DSS, PCI-PIN, P2PE, etc. PCI-DSS certification involves a rigorous and exhaustive audit that encompasses the entire operation of entities that store, process, and/or transmit cardholder data, including financial institutions, merchants and service providers, and the certified entities are subject to an annual audit. The PCI SSC Executive Committee consists of American Express, Discover, JCB International, MasterCard and Visa Inc., and hence the best practices and standards of these institutions are incorporated into the PCI-DSS standard. Further, when security threats are identified globally, PCI-DSS is updated as required in order to ensure that the standard is always relevant and up to date. All of these controls ensure that the best possible international security standard is available in PCI-DSS and is fully endorsed by the key international card schemes mentioned above.
Expressing his view on this remarkable achievement, Mr. Anil Amarasuriya, Chairman of LankaClear, stated, “With the growing number of security incidents the world over, today, data security is of paramount importance. Although no organization could be immune to the rising tide of data security risks and the fact that vulnerabilities can’t be totally eliminated, obtaining an internationally acclaimed security standard such as PCI-DSS certainly signifies the organization’s commitment towards security, being true to its brand promise of becoming the country’s trusted national payment network. LankaClear is indeed proud to be trailblazing Sri Lanka’s payment industry to come on par with international standards, thereby providing a robust payment infrastructure for the banking and financial sector. This is vital for the stability and public confidence placed on the entire banking system.”
Operating under the guidance and supervision of the Central Bank, LankaPay has been providing a vital national service by facilitating domestic interbank payments and settlements. Therefore, obtaining the PCI-DSS certification provides further assurance on the stability, reliability and trust of the LankaPay common payment network, which serves as the backbone infrastructure of Sri Lanka’s entire banking and financial sector.
“It is indeed a landmark achievement by LankaClear to obtain this world renowned certification, which is a testament to our commitment to maintain international standards for all our services. The rigorous process that the entire organization, people, process and culture, went through to achieve this envious status also encompasses a change in our DNA as to how the organization now views security as a whole. Maintaining such an exhaustive international benchmark is not a one-off activity, but an ongoing process and the organization has now laid an excellent foundation to be vigilant and ready to face any security eventuality. While acknowledging that no system in the world is 100 percent foolproof against all possible security threats, achieving this standard gets LankaPay several notches ahead in terms of maintaining the highest level of trust. True to its mission of being ‘The Trusted National Payment Network’, LankaPay is steadfast to this cause and would do its utmost to exceed expectations of all our stakeholders,” said Mr. Channa de Silva, General Manager/CEO of LankaClear.
PCI-DSS is not a static standard, but an evolving one based on the ever-changing threat landscape worldwide. Hence, an organization that achieves certification status cannot be complacent that it will be automatically recertified at the next annual re-audit. Thus, obtaining the initial certification is only the beginning of a continuous and stringent process in which an organization is subject to quarterly audits and an annual re-audit in order to confirm recertification while consistently adhering to the updated PCI-DSS standard. Once an organization obtains the initial certification, security has to become part and parcel of its culture in order to maintain the highest level of standards throughout the organization, with continuous enhancements made to the people, process and technology practices.
SISA Information Security was the PCI Qualified Security Assessor (QSA) responsible for carrying out the stringent pre- and post-audits to confer the PCI-DSS certification on LankaClear. SISA Worldwide CEO and Founder, Mr. Dharshan Shanthamurthy, expressing his views, said, “Maintaining the safety of card data and banking systems should be one of the top priorities in card acquiring and issuing companies. We are glad to know LankaClear holds the same belief and is working hard towards it.” Mr. Nitin Bhatnagar, Head - Business Development, SISA (Sri Lanka & SAARC Region), said, “PCI standard is very effective in reducing breaches, if we understand the intent behind each requirement and implement them smoothly with the support of a good standing QSA would help organizations to prevent themselves from such occurrence of similar breaches.”
Mr. Dileepa Lathsara, CEO of TechCERT, while applauding LankaClear, stated, "We at TechCERT congratulate LankaClear on successfully achieving PCI-DSS V3.2 certification and becoming the first Sri Lankan Organisation to achieve this significant milestone. TechCERT, as the lead project consultant and the solution implementation partner, is proud to be part of this tremendous achievement. The effort that the LankaClear team has put in to provide a secure online payment infrastructure should be highly appreciated since they set up the first national level certification authority for Sri Lanka in 2009, in collaboration with TechCERT. We hope that LankaClear will continue to play an important role in driving the Sri Lankan digital payment industry towards utilising top-of-the-line secure payment infrastructure by implementing payment security regulatory and compliance requirements. This great achievement by LankaClear will set an example for all other Sri Lankan financial organisations who are currently in the process of implementing PCI security standards, as it is vital to their long-term success."
“PCI DSS certification has the highest security standard for payment card related data. LankaClear being PCI DSS ver. 3.2 certified creates the highest security standards for payment card related data within LankaPay Infrastructure. In addition, LankaClear has gone the extra mile in adopting the same standard for bank customer account related data. It is noteworthy that the LankaPay National Payment Network uses a PA-DSS validated application. LankaPay from the inception adhered to the highest international security standards and this certification is a testament that we have our People, Process & Technology standards and practices fully geared to meeting the highest level of trust in payments for our participant banks, financial institutions and general public,” stated Mr. Harsha Wanigatunga, Deputy General Manager – IT and Operations of LankaClear.