An Epic Encryption to protect card payments

Friday, 29 October 2010 15:04

Payment card transactions have become the most preferred, efficient and effective payment method among the majority, as shown by a staggering 1.77 billion cards in use globally and over 37 million acceptance devices installed worldwide.

Despite its growing popularity, the card industry is also recording an exponential growth in fraud. Unfortunately, Sri Lanka and the region are cited in international watch lists, which drastically reduces the usage of cards. At a time when the country is expecting rapid growth in tourism in this post-war era, the reluctance of foreigners to spend through the most popular payment mechanism hinders the true earning potential. Moreover, the losses incurred by both local card holders and banks, and the resources wasted, are substantial.

As a socially responsible organisation, Epic Lanka commenced a dialogue with the key stakeholders from scratch. The premier software solutions provider in the country now announces that it has been successful in its efforts: a timely policy guideline by the regulator is now in place mandating banks to take protective measures, and a world class solution developed by Epic is being installed at major banks at present. A journalist of our newspaper interviewed the architect of this solution. He is Viraj Mudalige, Director/General Manager of Epic Lanka, who is a chartered engineer and a member of the expert panel on electronic payments appointed by His Excellency the President. The excerpts of the discussion are as follows.

Q: You raised your voice for corrective measures before the key stakeholders do so. Any progress in this regard?

A: I am happy to say that we could start a very valuable dialogue with the key stakeholders. Sri Lanka Bank Association created awareness. The regulator, namely the Central Bank of Sri Lanka, came forward with a timely guideline. As a leading software solutions provider in the region, Epic Lanka came up with a world class solution which is far ahead with few other international solutions. We organised a symposium in February this year where key decision makers of banks and financial institutions were invited for a live demonstration. Moreover, we offered the solution for free trial runs with no commitments and obligations. Almost all the leading banks came forward for trial installations where they could thoroughly test the product. They are extremely happy with the solution that adheres to the guidelines of all major global card operators, its performance and value added features. And we are now in the process of installing Epic TLE at several major banks in the country.

Q: Are threats prevailing in the credit card industry unique?

A: Threats do exist in any industry. What matters is how we are addressing our vulnerabilities. For example, lightning outside is a threat and not having a proper earthing system can make your place vulnerable. The technology we use in the domestic card payment industry is 30 years old and that itself speaks about the vulnerabilities in the digital age.

Q: Do you mean to say that card information in transit is at a risk?

A: Obviously. Wire/Line tapping is the method hackers use to steal information from credit cards. It is a known fact that various wire tapping devices are now available in the market in this region. For the information of the readers some of the frauds related to wire tapping are eavesdropping, host spoofing, ghost terminals and replay attacks. As at present, your card information goes digitally from one place to the other in plain text format where the vulnerability is very high.

Q: How do you suggest protecting information?

A: We have developed locally a world class solution known as Epic Terminal Line Encryption which has been thoroughly tested by major banks. Here, the information is encrypted at the merchant terminal and it is decrypted at the bank. As you know, an encrypted message is totally rubbish for an unauthorised receiver. We use encryption, authentication and a key management process in securing the information in transit.

Q: What made you develop this solution?

A: Epic Lanka over the past 12 years has developed core competencies in the two major complementary domains of Secure Electronic Payments and Information Systems Security. We have developed award winning, internationally acclaimed ICT solutions which are being used by major local and international banks. As a responsible technology partner in the banking industry we started carrying out extensive research in the area of electronic payment frauds with the intention of developing an appropriate solution unique to our conditions. In the process we studied many models adopted in other countries and also interacted extensively with local banks and key stakeholders. So, we finally came up with a product co-created to suit the local conditions.

Q: How did you start developing this world class solution?

A: Well, we first identified the following ways through which frauds can take place. They are Card Skimming, Eavesdropping, Ghost Terminals, Host Spoofing, Line tapping and Replay attacks. This could happen by copying payment card information from a genuine card and stealing information while in transit from the merchant location to the processing center and back. We believe by migrating from magnetic stripe based cards to Smart Cards (EMV), the first issue can be addressed. A comprehensive channel encryption is the solution for the latter.

We thoroughly studied a few major solutions available globally and developed a better solution to suit the local conditions. Nobody knows our infrastructure and situations better than local firms like us. We benchmarked the best and ended up developing a more advanced, feature rich and cost effective solution that adheres to guidelines of all major global card operators.

Q: Why do you say your solution is appropriate for local conditions?

A: As discussed, resources, constraints, threats and vulnerabilities were studied in the local context. Therefore, with no major changes in the existing national and institutional technology infrastructure, banks can implement our solution. It is robust and user friendly. Unlike a foreign solution, Epic TLE is specifically developed to withstand the local contexts. It comes with many added features compared to latest international solutions yet at a fraction of the cost of an imported ICT solution. Moreover, our solution was given to local and international users to experiment. It was a unique offer where we did not ask for any commitments. All the users were happy with the solution. We further improved the product with end user suggestions. So, it is now a world class co-creation by Epic with major stakeholders.

Q: Does this solution conform to prevailing regulations?

A: Yes. Our TLE solution adheres to latest guidelines of major global credit card operators. Further, it complies with the highest international standards in electronic payments and security. The solution ranks at the highest level in terms of international guidelines published and banks and other stakeholders have total access to such evaluations and ratings.

Q: What is the way forward?

A: As a country, we have developed local talents and Sri Lankans are capable of addressing our own national requirements. Policy makers and corporate firms should rely on local expertise in implementing national solutions. This will help the country to save foreign currency, give value to local expertise, reduce brain drain and more importantly the over dependence of the economy on the remittances made by unskilled migrant workers. Neglecting local talents and continuing to buy foreign goods will take us nowhere near the planned development goals.
