LankaClear emerges as first Sri Lankan entity to be PCI-DSS certified

Wednesday, 15 February 2017 10:13


From left: LankaClear IT and Operations Deputy General Manager Harsha Wanigatunga; LankaClear General Manager/CEO Channa de Silva; LankaClear Chairman Anil Amarasuriya; SISA Business Development Head Nitin Bhatnagar; TechCERT CEO Dileepa Lathsara; TechCERT Lead Security Engineer Nalinda Herath and TechCERT Information Security Engineer Samoda Abeydeera

LankaClear, which operates the LankaPay Trusted National Payment Network, achieved another gigantic milestone by becoming the first entity in Sri Lanka to obtain Payment Card Industry Data Security Standard (PCI-DSS) version 3.2 certification.

The trust that it has built over the years was further boosted by this certification, which rests at the zenith of international data security standards in the payment card industry. The PCI DSS standard is very effective in reducing payment card-related breaches; LankaClear understood the intent behind each requirement and implemented it smoothly with the help of a qualified security assessor (PCI-QSA) and the commitment of the LankaClear Board and senior corporate management.

As a safeguard to the payment industry in the face of rising payment card data breaches the world over, the Payment Card Industry Security Standards Council (PCI SSC), the governing body of PCI-DSS, was established in 2006 by the world’s leading international card schemes, which joined together for this effort.

Accordingly, the founding members of PCI SSC aligned and improved their internal information security mechanisms to come up with a unified information security program for the payment card industry, which saw the debut of the Payment Card Industry Data Security Standard (PCI-DSS), along with some of the other supporting standards such as PA-DSS, PCI-PIN, P2PE, etc. PCI-DSS certification involves a rigorous and exhaustive audit that encompasses the entire operation of entities that store, process or transmit cardholder data, including financial institutions, merchants and service providers, and the certified entities are subject to an annual audit. The PCI SSC Executive Committee consists of American Express, Discover, JCB International, MasterCard and Visa Inc. and hence the best practices and standards of these institutions are incorporated in the PCI DSS standard.

Further, when security threats are identified globally, PCI-DSS is updated as required in order to ensure that the standard is always relevant and up to date. All of these controls ensure that the best possible international security standard is available in PCI-DSS and is fully endorsed by the key international card schemes mentioned above.

Expressing his view on this remarkable achievement, LankaClear Chairman Anil Amarasuriya stated: “With the growing number of security incidents the world over, today, data security is of paramount importance. Although no organisation can be immune to the rising tide of data security risks and the fact that vulnerabilities can’t be totally eliminated, obtaining an internationally acclaimed security standard such as PCI-DSS certainly signifies the organisation’s commitment towards security, being true to its brand promise of becoming the country’s trusted national payment network.

LankaClear revealed it was proud to be a trailblazer in Sri Lanka’s payment industry, emerging on par with international standards, thereby providing a robust payment infrastructure for the banking and financial sector. This is vital for the stability and public confidence placed in the entire banking system.”

Operating under the guidance and supervision of the Central Bank, LankaPay has been providing a vital national service by convening domestic interbank payments and settlements. Therefore, obtaining the PCI-DSS certification provides further assurance on the stability, reliability and trust of the LankaPay common payment network, which serves as the backbone infrastructure of Sri Lanka’s entire banking and financial sector.

“It is indeed a landmark achievement by LankaClear to obtain this world-renowned certification, which is a testament to our commitment to maintain international standards for all our services. The rigorous process that the entire organisation, people, process and culture went through to achieve this envious status also encompasses a change in our DNA as to how the organisation now views security as a whole. Maintaining such an exhaustive international benchmark is not a one-off activity, but an ongoing process and the organisation has now laid an excellent foundation to be vigilant and ready to face any security eventuality. While acknowledging that no system in the world is 100% foolproof against all possible security threats, achieving this standard gets LankaPay several notches ahead in terms of maintaining the highest level of trust. True to its mission of being ‘The trusted national payment network’, LankaPay is steadfast to this cause and would do its utmost to exceed expectations of all our stakeholders,” said LankaClear General Manager/CEO Channa de Silva.

PCI-DSS is not a static standard but an evolving one based on the ever-changing threat landscape worldwide. Hence, an organisation that achieves certification status cannot be complacent that it will be automatically recertified at the next annual re-audit. Thus, obtaining the initial certification is only the beginning of a continuous and stringent process where an organisation is subject to quarterly audits and an annual re-audit in order to confirm the recertification process while consistently adhering to the updated PCI-DSS standard.

Once an organisation obtains the initial certification, security has to become part and parcel of its culture in order to maintain the highest level of standards throughout the organisation, where continuous enhancements are made to its people, process and technology practices.

SISA Information Security was the PCI Qualified Security Assessor (QSA) responsible for carrying out the stringent pre- and post-audits to confer the PCI-DSS certification on LankaClear. SISA Worldwide CEO and Founder Dharshan Shanthamurthy said: “Maintaining the safety of card data and banking systems should be one of the top priorities in card acquiring and issuing companies. We are glad to know LankaClear holds the same belief and is working hard towards it.”

Meanwhile, SISA (Sri-Lanka & SAARC Region) Business Development Head Nitin Bhatnagar said: “The PCI standard is very effective in reducing breaches. If we understand the intent behind each requirement and implement them smoothly with the support of a good standing QSA it will help organisations to prevent themselves from the occurrence of similar breaches.”

TechCERT CEO Dileepa Lathsara, while applauding LankaClear, stated: “We at TechCERT congratulate LankaClear on successfully achieving PCI-DSS V3.2 certification and becoming the first Sri Lankan organisation to achieve this significant milestone. TechCERT, as the lead project consultant and the solution implementation partner, is proud to be part of this tremendous achievement. The effort that the LankaClear team has put in to provide a secure online payment infrastructure should be highly appreciated since they set up the first national level certification authority for Sri Lanka in 2009, in collaboration with TechCERT. We hope that LankaClear will continue to play an important role in driving the Sri Lankan digital payment industry towards utilising top-of-the-line secure payment infrastructure by implementing payment security regulatory and compliance requirements. This great achievement by LankaClear will set an example for all other Sri Lankan financial organisations which are currently in the process of implementing PCI security standards, as it is vital to their long-term success.”

“PCI DSS certification has the highest security standard for payment card-related data. LankaClear being PCI DSS ver. 3.2 certified creates the highest security standards for payment card related data within the LankaPay Infrastructure. In addition, LankaClear has gone the extra mile in adopting the same standard for bank customer account related data. It is noteworthy that the LankaPay National Payment Network uses a PA-DSS validated application. LankaPay from the inception adhered to the highest international security standards and this certification is a testament that we have our people, process and technology standards and practices fully geared to meeting the highest level of trust in payments for our participant banks, financial institutions and the general public,” stated LankaClear IT and Operations Deputy General Manager Harsha Wanigatunga.
