Central Bank of Sri Lanka (CBSL)

As the apex regulatory institution in Sri Lanka's financial sector, the Central Bank of Sri Lanka (CBSL) played an instrumental role in regulating Terminal Line Encryption (TLE) as far back as 2012 for all financial institutions operating, facilitating or providing payment card acquiring services through Electronic Fund Transfer Point of Sale (EFTPOS) terminals.

Electronic transactions have evolved quickly over the last two decades with the rapid growth of telecommunication infrastructure and other information and communication technologies. Today, electronic payment cards have become popular and very convenient instruments for payment transactions almost everywhere in the world. However, the use of payment cards on a massive scale has exposed users to greater risks such as skimming, cloning of cards, and identity theft. With technological advancements, fraudsters have invented numerous methods to skim and clone payment cards. More often, in point of sale infrastructure, attackers tap the transmission medium, gain access to transaction data packets that are being transferred from the terminal to the back-end host and then direct the transaction data packets to a fraudulent host for unauthorized approvals (Host Spoofing). Furthermore, unauthorized POS terminals placed by fraudsters (Ghost Terminals) often skim data held in the magnetic stripe of a payment card each time the card is swiped and use such data to create counterfeits. Subsequently, they use the skimmed data to carry out unauthorized and fraudulent transactions, causing severe confusion and damage to cardholders, acquirers, and card issuers. Such frauds also create various risks while causing financial losses.

We kicked off the initial journey amongst the first four TLE Solution providers in the region during the year 2012. Yet, at the present stage, we have eventually turned out to be a Trend Setter in the region. The fact that Ingenico, the global leader in the EDC/POS industry, recently joined hands with EPIC to function as a distributor/reseller for the EPIC TLE Solution is an overwhelming testament to this. The latest version of the EPIC TLE Solution is now successfully implemented at a handful of banks in Sri Lanka, Maldives, and Malaysia.

We saw the threat, educated the regulators, designed the architecture, and co-created a world-class robust solution, which was offered for trial runs to banks with no commercial obligation, resulting in the majority of banks using it for several years since then. And the impact on the economy, banking industry, and individuals is immeasurable!

What were the reasons that prompted the development of the latest EPIC TLE Solution Version 5.0?

With the evolution of security technologies, timely and proactive system upgrades are essential to ensure durability and growth potential. Our prime focus on our partners and our constant pursuit of excellence drove us to upgrade the existing solution to adapt to future demands while improving stability and performance.

What’s new in EPIC TLE Solution Version 5.0?

The latest version is strategically positioned to deliver an immense value proposition to our clients with a differentiating level of security while meeting evolving technological needs and future business objectives. With the upgraded version, the TLE Server is also engineered to function as a Digital Receipt Repository and comes with an all-inclusive risk management service. It includes the most stable and up-to-date versions of the underlying technologies along with some disruptive features. From an administrative perspective, an all-new Web Application is provisioned, incorporating the latest UI/UX guidelines for simplicity and usability.

EPIC TLE Solution Version 5.0 is applauded as Asia’s first-ever TLE application to be certified with the latest Version 3.2 of the Payment Application Data Security Standard (PA-DSS) guidelines and specifications, which is the highest acclaimed security standard governed by the Payment Card Industry Security Standards Council (PCI SSC) for software vendors developing secure payment applications. Moreover, it also addresses the vulnerability findings of IT security auditors, so as to align more stringently with international as well as banks’ internal security policies.

Would SSL encryption mechanisms suffice for POS transaction ecosystems as an alternative to Terminal Line Encryption practices?

In our two decades of excellence demonstrated in the secure electronic payments and information systems security verticals, we firmly attest that SSL channel-level encryption seems to be inadequate to ensure comprehensive security and privacy for payment card transactions and would not be of any use, especially in confronting Ghost Terminals, Host Spoofing, and Replay Attacks. Importantly, POS transactions function on a dual messaging system, unlike the single messaging system operational in ATM-based transactions. Therefore, all sensitive transaction information resides in the POS Terminal up until the merchant performs the settlement, which clearly portrays the space available for fraud to take place even without the transmission of data packets to the back-end host.

Epic Lanka