
24th National Information Technology Conference - CSSL -2005, Colombo, Sri Lanka

Secure Electronic Payment Mechanisms

Priam Kasturiratna MBA (Sri J); AIB (Sri Lanka) PG Dip. in Bus.& Fin. Admin (ICASL); Dip. in Credit Mgt.(ICMSL)

ABSTRACT

Secure Electronic Payment Mechanisms provide a key foundation on which a cashless society and E-Commerce are built. Sri Lanka Inter-bank Payment System (SLIPS) implemented in 1988 can be regarded as the first Secure Electronic Payment Mechanism in the country. Similar Mechanisms operating today are Point of Sale Networks, ATM Networks, Phone Banking, Internet Banking, Credit Card Payment Gateways, GSM based Mechanisms to SWIFT and Real Time Gross Settlement Systems. Advancement of technology and internet penetration has helped to accelerate development of Secure Electronic Payment Mechanisms during the last decade. Secure Electronic Payment Mechanisms are used in almost all business domains for collecting payments and making payments. Banking, Billing, Sellers of Products/Services, Subscription Collections and Remittances rank among the most popular business applications. Secure Electronic Payment Mechanisms mainly rely on instruments such as Credit Cards, Debit Cards, Internet Banking Accounts and Virtual Cards for obtaining payments. Today, Secure Electronic Payment Mechanisms have grown so important that understanding them has become a core knowledge area, irrespective of whether someone is a Business Strategist or a Systems Architect. This paper will analyse and elaborate on employing Secure Electronic Payment Mechanisms for setting up and developing sustainable business frameworks that support Sri Lanka's economic growth.

Definition or the salient features of Secure Electronic Payment Mechanisms (SEPM) for the purpose of this paper will be,
i. Use of electronic equipment or methods
ii. Transfer of Value between two parties
iii. Implemented with security
iv. No involvement of hard currency

The key focus of this paper is present day business use of SEPM in Sri Lanka. The objective of the paper is promoting SEPM use within the country by understanding the features, implications and exploring ways to implement technically sound SEPM frameworks for the benefit of business ventures.

SEPM we use in Sri Lanka can be broadly divided into two categories.

SEPM operated by Authorised Institutions

The SEPM is accessible only to a Bank, Financial Institution or other Authorised Institution. All early SEPM belong to this category. The SEPM falling within this category are,
i. Point of Sale (POS) Systems
ii. Sri Lanka Interbank Payment System (SLIPS)
iii. Society for Worldwide Interbank Financial Telecommunications (SWIFT)
iv. Real Time Gross Settlement System (RTGS)

Self-Service Type SEPM

Success and stability of SEPM Operated by Authorised Institutions has led to the birth of Self-Service type SEPM Systems. Self-Service type SEPM systems popular in Sri Lanka are,
i. Phone Banking and SMS Banking
ii. Internet Banking
iii. Automated Teller Machines (ATM)
iv. Internet Payment Gateways



POS Network Terminal is the most common application of SEPM in Retail Business sector. The POS machine reads Data from the Magnetic Stripe in Credit/Debit card and then transmits data to the transaction acquirer. Data is encrypted before transmitting over a voice grade telephone line. Success or failure of the transaction is communicated back to the POS via the same method. Both Credit and Debit Cards can be used in POS networks. A single POS machine is capable of processing cards issued by different card issuers, and/or directing transaction requests to different acquirers according to business rules. Supermarkets, Shopping Malls, Tourism Industry, Billing/Utility Companies are heavy users of POS technology in their day-to-day business. According to the Annual Report of Central Bank of Sri Lanka 9,759,000 Credit Card Transactions amounting to Rs. 33.3 bn. have been recorded in Sri Lanka in 2004. Naturally, the majority of these transactions originate at a POS Terminal.

Sri Lanka Inter-Bank Payment System (SLIPS)

Sri Lanka Interbank Payment System (commonly known as SLIPS) facilitates Account-to-Account transfers between banks. Direct access to SLIPS is limited to Commercial Banks participating in the cheque clearing. A SLIPS transaction originates when a Bank Customer requests his/her banker for an Inter-Bank account-to-account transfer. A SLIPS request could be one-off or recurring in nature. Value is given to the Beneficiary Account within two days from presenting to Lanka Clear (Pvt) Ltd., the Clearing House. The system uses a proprietary encryption for data security. Applications of SLIPS range from Standing Orders, Salary Payments, Raw Material or other Supplier Payments, Interest/dividend Payments, Insurance Premiums and Loan Repayments. Transactions, which were traditionally handled by using Bank Drafts, are now handled more efficiently by SLIPS System. Annual Report of Central Bank of Sri Lanka (2004) reports 2,411,000 SLIPS transactions amounting to Rs. 60. bn during last year. Cost of a SLIPS Transaction is very low, and there is no limit to the value of a transaction. Considering its economic potential, SLIPS could be put to more and more commercial use than today.

Direct Debit, which is the reverse of SLIPS, is a less known and less used SEPM available within the same SLIPS framework. Direct Debit caters to requesting a Payment (Debit) from an account in another bank, in order to credit the originator's account held with the requesting bank. Direct Debit systems are widely used in some countries for Bill Presentment Services. Although some local utility providers are using Direct Debit for their collections, its usage is comparatively low in volumes. Similar to SLIPS, a lot of business use opportunities exist for Direct Debit.

Sri Lankan Banks are connected to banks in other countries via SWIFTNet FIN. Connection to SWIFTNet FIN is technically a Dial-up with Public Key Infrastructure. SWIFTNet FIN facilitates electronic exchanges of Financial Transaction/Data between Banks in the network. Primary use of SWIFT is for Country-to-Country Transactions. Commonly used SWIFT transactions are Payments under Letters of Credit, Document Collections, Investments, Remittances and Loan Repayments. SWIFT transactions are costly, but SWIFT remains the most secure and reliable method for country-to-country transactions.


RTGS / Lanka Settle

Real Time Gross Settlement System (RTGS, or Lanka Settle) also operates through SWIFTNet FIN infrastructure. RTGS is primarily meant for Real Time Payments between Local Banks, which are also members of SWIFT network. RTGS is extensively used for Same Day Value Transactions, high value commercial transactions, investments, Central Depository System Settlements, transactions between Commercial Banks and Central Bank, Bank-to-Bank Payments, and transactions between Primary Dealers. The Annual Report of Central Bank of Sri Lanka reports 138,119 RTGS transactions worth Rs 13,701 bn. in year 2004.


Internet Banking Systems

Internet Banking facilitates secure access and transactions on banking accounts over the Internet. Although Internet Banking attracted many doubts about security, it offers more features, user friendliness and user interaction compared to ATM and Phone Banking. Major limitation in Internet Banking is that it focuses only on clients with internet literacy and access. Despite security concerns and limited target group, Internet Banking has established itself well during the last few years. Concerns on security have more or less died down due to reliable operational history of Internet Banking Services. As a SEPM, Internet Banking facilitates Person-to-Person Payments, Utility Bill Payments, e-Commerce transactions, settling Credit Card dues, Share Brokers, Insurance Premiums, School Fees, donations and doctor Channelling over the Internet. Annual Report of Central Bank of Sri Lanka (2004) records 439,000 Internet Banking transactions worth Rs 110 bn. during 2004. According to these statistics, Internet Banking has recorded the highest value in transactions within the Self-Service Type SEPM.


Automated Teller Machines

Commonly known as ATM, cash-dispensing technology has been in Sri Lanka since mid 1980s. However, ATM was not used as a SEPM in Sri Lanka until a few years ago. Presently, more banks are positive on using ATM as a SEPM, where key focus is on facilitating Bill Payments and Credit Card Settlements. ATM Cardholders can use their own bank's ATM network for making payments.


Phone Banking and SMS Banking Systems

Phone Banking provides secure online access to Current or Savings Accounts of the customer. The service relies on voice grade phone lines, including mobiles. SMS banking uses SMS features available in mobile phone networks. Phone Banking became popular within a short period, main reasons being simplicity of operation and rapid expansion of fixed and mobile phone networks during mid 1990s. Phone Banking provides payment of Utility Bills, Settling Credit Card dues and making payments to pre-defined Third Party Accounts. As per the Annual Report of Central Bank of Sri Lanka, Phone Banking users have transacted 64,000 times in the year 2004, transactions totalling to Rs. 4.7 bn.


Internet Payment Gateways

Internet Payment Gateway is an Infrastructure Setup that links web sites with Credit Card and Banking Systems. Payment Gateway services are mandatory for today's e-commerce enabled web sites. A Gateway can process payment requests from Credit Cards, Bank Accounts (Debit) and Virtual Cards (a version of Credit/Debit card which can only be used on Internet Payment Gateways). The surfer does shopping on the seller's website and is taken to the Payment Gateway only for making the payment. Once the user is within the Gateway, Secure Socket Layer Encryption (SSL) gets activated between the user's browser and the Gateway. Sensitive data like Card Numbers, Account Numbers, Verification Codes, Names etc. are exchanged within the secure connection to ensure data security. None of the sensitive details are divulged to the web site, except the value of transaction, successful/unsuccessful status and a unique transaction reference code. Most common applications of Internet Payment Gateways are Bill Payments and Buying goods/services. Internet Payment Gateways in Sri Lanka are also used for Retail Sales of Home Appliances, Books, Magazines/Newspapers, Electronic Entertainment, Hotel Bookings, Airline Tickets, and Doctor Channelling etc. A unique application of Payment Gateways is facilitating donations to charities like Temple of Tooth-Kandy and Jaya Sri Maha Bodhi-Anuradhapura. Interestingly, a large volume of private donations for Tsunami assistance was received through Internet Payment Gateways.

This is a scenario where two SEPM systems are combined to provide enhanced service. One such application is initiating Inter-Bank transfers from Internet Banking and then linking up with SLIPS for directing the transfer to the recipient bank. This service is widely used for self service/customer initiated Bank-to-Bank transfers and Credit Card Settlements.

SLIPS and Phone Banking

Customer initiates a transaction via Phone or SMS Banking and transaction gets routed through SLIPS to reach the recipient's Bank. Popular uses of this service are self service/customer initiated Bank-to-Bank transfers and Credit Card Settlements.

Extending SLIPS to Corporate Customer Desktop

This facility accommodates one-to-many bulk payments directed to the credit of accounts spread over a number of banks. Transactions are created at the Corporate Customer's desktop and then electronically transmitted to the Bank. Encryption and other procedural mechanisms are used to ensure security. Credits to other bank accounts are forwarded to SLIPS by the Corporate Customer's Bank. This framework is successfully used for Salary Payments, Raw Material Supplier Payments and Interest/dividend payments.

Mobile POS

A POS unit connects to the Transaction acquirer via a mobile phone (GSM) connection. Traditional POS is enhanced with mobility. This technology helps field or other personalised sales situations where seller goes to the buyer. Mobile POS technology is relatively new and still operating as pilot implementations in Sri Lanka.

Technically speaking, SEPM is simply a collection of Hardware, software and processes. Integrating SEPM within a business environment needs firstly, understanding the basics of SEPM; secondly, comprehensive understanding of the business; and finally matching the two areas to create a business application. Recommended areas to consider when integrating a SEPM with a business need are,

Identification of the need and the Target Market

Identify and understand the needs of the Target Market. This activity is identical to the steps followed for planning a new product, or improving an existing product.

Business Strategy

Evaluate whether SEPM supports the Strategy of the Business. Where will the business and the industry be in five years? Ensure that the Senior Management of the business is committed to integrate SEPM into its processes.


Cost & Feasibility

Evaluate the business volumes, expected profits as a result of integrating with SEPM. Check whether the investment on SEPM integration is feasible. There could also be exceptions; sometimes the business may need a Strategic Investment, although it is not financially feasible in the short run.

Ease of Use

SEPM system should offer high level of operational convenience, ease of use and user friendliness when it interacts with clients as well as internal staff. Considering change management and training aspects, ease of use reduces costs and efforts needed for both.

Managing Risks

Risks can be internal, external or a combination of both. Find out ways to Mitigate Risk, costs applicable in doing so and viability of implementing risk mitigation measures. Seek ways of integrating risk mitigation actions within the business processes. Formal Business Continuity Planning should be considered in case of large organisations, or depending on the Business Impact.

Industry Standards & Global Trends

Look for standards adopted within the industry. Attempt to identify the Global Trends in the industry. For example, a tourist hotel may consider a POS service as a mandatory need in its industry, but a Newspaper Stand can survive well without one. At the same time, fuel stations in some countries use self service pumps integrated with SEPM. Today, Sri Lankan fuel stations can consider the same as a Global Trend to follow.

Off-line and Online Security Issues

Security incidents could occur online or off-line. Especially, Credit Card acceptance makes the business vulnerable to issues arising from fraudulent use of Credit Cards, Phishing and Skimming. Although E-Commerce websites should be more prepared for on-line issues, as a practical rule, more frauds or Credit Card related issues have been reported due to off-line vulnerabilities. For example, mishandling Credit Card Sales Slips could lead to misuse of credit card numbers etc.

Legal and Regulatory Framework

This is a fast developing area for Sri Lanka. Whenever changes are initiated, risks could increase due to changing rules and regulations. Therefore, thorough and continuous emphasis should be given to legal/regulatory aspects of SEPM operations. Legislative changes needed for RTGS have been implemented in 2002, as amendments to Monetary Law Act. Central Bank of Sri Lanka is presently working on Payments and Settlement Systems Law, which is expected to be completed by the end of year 2005. Laws that govern SEPM Transactions, their enforceability and validity could be different from jurisdiction to jurisdiction. Such implications may adversely affect transactions over the internet, by non-nationals or performed outside Sri Lanka.

As of today, ownership of core SEPM systems remains with Financial Institutions. Therefore, maintaining, developing and securing SEPM are responsibilities of Financial Institutions. However, in discharging these responsibilities, the Financial Institutions are justified in not forgetting their primary business objective, expecting a sufficient level of return on their investments in SEPM. Role of the Government is much broader. The Government acts as a regulator and promoter of SEPM. Government's role is instrumental in promoting SEPM in all sectors of the economy. In addition, the Government is also responsible for having Laws, Regulations and policies that foster, nurture and secure SEPM growth.


E-commerce will cease to exist if SEPM component is taken out. Majority of the supermarkets, if not all, would not make half of their daily sales without a POS Terminal alongside the cashier. Looking from a broader perspective, Business to Consumer transactions have shown a huge growth, while Business to Business and Business to Government sectors are comparatively slow in responding to SEPM. In the medium-term future, the planned E-Government initiatives will emulate use of SEPM in Government transactions during the next decade. If one would try to foresee ten years ahead, by 2015, utility companies would heavily depend on SEPM for collecting their receivables; thousands of Sri Lankan entrepreneurs will successfully engage in E-commerce and would sell to the global market. Government institutions will install SEPM for routine transactions and probably accept Credit Cards as well. Business to Business sector SEPM will complete its growth and become a vital payment mechanism in the economy. Finally, applying business sense, the facts, trends and technological capabilities discussed above should be sufficient to inspire a businessman, regulator, policy maker or a systems architect to start thinking of SEPM strategies.

As outlined above, SEPM is a convenient method for making and receiving payments in both commercial and personal transactions. In a SEPM transaction, the payment to the seller is guaranteed. Cash is not involved as transaction proceeds are directly credited to the seller's bank account. Cost of insurance/security against theft of cash is minimised. Consumers transact without hard cash and are also capable of obtaining credit from their card issuers/banks. This frees the consumer from the burden of carrying cash, while at the same time being less concerned about losing buying power. In certain social contexts, SEPM also acts as a status symbol of the buyer. The consumer feels economically safer and mentally more at ease, leading to better living atmosphere. During the last decade, Internet has bridged the gap between the vendors and buyers, encouraging them to transact without ever seeing each other, or the merchandise being sold. Today, sellers get more sales as a result of opening themselves up to global market, while the consumer gets a wider range of buying options with competitive pricing. Manufacturers have more raw material sourcing options with increased number of alternatives between the quality and the price. Fierce competition in Pricing allows only the fittest few to survive. In a nutshell, human behaviour, commerce, internet and SEPM have been merged to put together a commercial framework that facilitates transactions with convenience, trust and borderless in nature.


1. Bank for International Settlements, General guidance for payment systems development, Consultative Report, May 2005.
2. Central Bank of Sri Lanka, Annual Report 2004, Central Bank of Sri Lanka Publication, 2005.
3. Central Bank of Sri Lanka Website.
4. Information and Communication Technology Agency of Sri Lanka Website.
5. Society for Worldwide Interbank Financial Telecommunications Website.


SEPM have spread into most industries and organisations. Today, consumers, business organisations and governments have joined hands in sponsoring SEPM.