The Payment Industry in Sri Lanka has evolved towards greater efficiencies and customer centricities, which has resulted in high reliance on advance technology. The use of the Internet and electronic transactions has evolved rapidly in Sri Lanka facilitating greater customer convenience and attracting new customers, irrespective of their demographics. This is very evident by the high use of SLIPS (Sri Lanka Interbank Payment System) and other electronic payment systems and the growth in the use of Internet Banking.

Though advance technology brings about many advantages to financial institutions and its customers, it also brings in great risks of information security and electronic fraud. Therefore as the use of electronic payments (e-payments) increases, the need for advanced IT security infrastructure becomes critical in order to prevent the risks associated with information security and unauthorized access.

Authentication is a critical issue for users of electronic commerce. Banks must have confidence in the authenticity and the integrity of an electronic transaction received from another bank. This can be achieved through the use of Digital Signatures. Digital Signatures are aimed at achieving a higher level of trust where physical signatures are not possible. Digital signing helps the recipient of the electronic transaction to know with certainty that it was originated by the party who claims who they are and that no changes have been made after the transaction has been signed.

Recognizing this need the Central Bank of Sri Lanka requested LankaPay (Pvt.) Ltd. (LCPL) to be the financial sector Certification Service Provider (CSP). LCPL launched Sri Lanka's first Certification Authority under the brand name LankaSign in accordance with the Electronic Transaction Act, No.19 of 2006 on May-22-2009. A CSP is an authority on a network that issues and manages security credentials and public -private key pair's for message signing and encryption. As part of a public key infrastructure (PKI), a CSP checks with a Registration Authority (RA) to verify information provided by the requestor of a Digital Certificate. If the RA verifies the requestor's information, the CA can then issue a Digital Certificate that can be used for the purpose of signing and encrypting electronic transactions.

LankaSign in its first phase started providing digital certificates to Banks to be used in financial transaction clearing systems, such as SLIPS and CITS (Cheque Imaging and Truncation System), where the CSP and Public Key Infrastructure (PKI) was made available on LCPL's Virtual Private Network (VPN).

On 9th February 2011 LankaSign launched its second phase of providing digital certificates for all financial sector enterprise applications, SSL Certificates and end Users (E-mail/Document signing Certificates) on both private and public networks. This adds great value to the financial sector in Sri Lanka as using digital certificates of Lankasign will save the country its valuable foreign exchange where the other alternative is to procurer Certificates from foreign CSPs at a much higher cost. With LankaSign’s expansion it is now providing a customer focused local service and solutions to reduce document management overheads associated with managing physical documents, as well as promoting Green initiatives.

Currently LankaSign is widely used in almost all financial sector organizations as well as few other sectors for automating their documentation process by digitally signing electronic copies of documents and adding high security for electronic documentation exchange process. As the next phase in their expansion plan, with a major upgrade to their system, LankaSign is now capable of providing digital certificates in real-time for mobile based payment applications for digitally signing and authenticating electronic documents. This has been enabled by a common API developed by LankaSign, which can be easily integrated with such mobile payment applications via a Software Development Kit (SDK) that is freely distributed to such developers.

Aligning with the Electronic Transaction Act, No.19 of 2006, LankaSign follows a stringent process on validating the certificate users and their respective organizations before issuing a digital certificate. Due to its high security standards, LankaSign was able to obtain certification on ISO 27001:2013 for its Information Security Management System in the year 2015.

LankaSign is not only a significant milestone in the ICT industry of Sri Lanka, but also encourages more institutions in all sectors to adopt cost effective digital certificate based technology to achieve a greater level of information security for all their electronic communications and transactions.

• LankaSign Introduction Video 01
  
  
• LankaSign Introduction Video 02
  
  
• LankaSign for Sri Lanka Customs Introductory Video
  
  

• Document Signing Certificates
• Application Certificates
• Certificates for LankaSign Certified Apps
• HSM/API for System Integration Purposes

1. Is digital signature recognized by Sri Lankan court of law?
Yes, it’s recognized according to Electronic Transactions Act No.19 of 2006 amended by Act No.25 of 2017

2. If a printout of the digitally signed document is given, can we verify whether it is digitally signed?
No. The document must be in original soft form to verify the digital signature.

3. Can a scanned document/image be digitally signed?
Yes. Any document in soft form can be digitally signed.

4. What will happen if I change a digitally signed document?
The existing digital signature will not be valid anymore and it will be indicated that the document had been modified.

5. What will happen if someone else changes the content of a digitally signed document?
Original signature will not be valid anymore and it will be indicated that the document had been modified.

6. Can I remove the digital signature from a document?
Yes but then the document cannot be considered as valid.

7. What is an electronic signature?
It is only an image of a signature that can be added to any document. An electronic signature can be copied and pasted and attached to other documents by anyone. An electronic signature doesn’t provide any document security and it doesn’t have a document verification process, or any tracking for changes made to the documents content after signing.

8. How is digital signature different?
Digital Signature is based on cryptographic technology which offers greater document security and signer authenticity. Each digital signature is unique to the signer and the document, you cannot copy and paste the signature from one document to another. If any changes are made to the document or the signature after signing is complete, this will be indicated in the document rendering the document invalid..

9. Between electronic signature and digital signature, which one is recommended?
There is some confusion regarding the difference between electronic and digital signature technology with people thinking the two are the same thing. However, the two signature types are different and it is important to understand how, otherwise your business could be exposed to additional risks. Digital signatures provide the necessary security controls and hence is the recommended solution.

10. What are some use cases of LankaSign digital certificates?
LankaSign digital certificates has broad uses including document/email signing, systems/applications integrations, mobile integrations, etc.
LankaSign document/email signing certificates can be used to sign/approve any digital document.

11. What will happen if I give my USB token and disclose the PIN to a third person?
He or She can (fraudulently) affix your digital signature.

12. What shall I do if I lose my USB token?
Immediately notify your organization and CSP (LankaPay Helpdesk)

13. What shall I do if I forget my PIN?
Contact your CSP to re-set your PIN.

14. What will happen if I try a wrong PIN multiple times or try the Admin PIN?
Security token PIN is known only to the user. If the user forgets the PIN by any chance, they can only attempt an incorrect PIN a limited number of times. After that the token gets locked and can only be unlocked by using an admin PIN after sending to LankaPay. Admin PIN is only for use of LankaPay. If the user attempts the admin PIN incorrectly, the security token will be permanently locked and unusable. This is intended behavior to ensure the security of digital certificate, so that it cannot be misused.

15. What shall I do if someone else gets to know my PIN?
Change your PIN

16. Do I need to change my PIN after receiving it from CSP?
Yes, it is recommended.

17. Can I take printouts of digitally signed documents and store them?
Cannot verify the digital signature validity if it is stored in printed format.
It must be stored in electronic format to be able to validate same..

18. What is the benefit of storing the digitally signed document?
Saves paper, saves space, cannot do unauthorized changes, very convenient and saves time

19. How can I obtain a digital certificate?
It should be obtained from an authorized/licensed Certification Serviced Provider (CSP) in Sri Lanka.

20. Can I use your digital certificates to automate my document management system or other workflow system?
Yes, you can. We will provide the digital certificates and general guidelines.

21. What is the recommended use of digital certificates within an automated system?
The certificates can be used in anyway within the application the developer and product owners wishes at the discretion of developer and product owners as per product, compliance, legal and other requirements as long as such functions does not violate rules and regulations of LankaSign CSP. LankaSign provides only the certificates and related token driver software and does not provide any other software/application related services or support.

22. How is my digital certificate provided to me?
It is provided in a security token which can be plugged to the USB port.

23. What’s the cost to obtain a digital certificate?
The security token is a one-time purchase and the digital certificate needs to be annually renewed. The security token and digital certificate should be purchased per user.

24. Why should I choose LankaSign CSP?
LankaSign is Sri Lanka’s first and the only Certification Authority established in accordance with the Electronic Transaction Act, No.19 of 2006 on May-22-2009. LankaSign complies with all the international requirements for commercial Certification Service Provider facilities along with ISO 27001:2013 certification.

25. How should I proceed to obtain a digital certificate from you?
Please refer to our How to Obtain Digital Certificates section for all necessary instructions and reach out to our helpdesk on helpdesk@lankapay.net or 0112356999.

26. Should each new customer sign an Agreement with LankaPay in order to be eligible to apply for a digital signature?
Yes

27. Is the above mentioned Agreement a standard Agreement for all new customer who wish to apply for a digital certificate?
Yes

28. Is it possible to amend the above mentioned Agreement to suit each customer? who wish to apply for a digital certificate?
No, it is a standard Agreement. However, LankaPay reserves the right to update the Agreement from time to time.

29. Is there a different Agreement to be signed based on the purpose for which each customer may want to use the digital certificate?
No. There is one standard Agreement for all new customer who wish to apply for a digital certificate

30. Is the Agreement available as a download?
Yes.

• LankaSign – Summary Certification Practice Statement
• LankaSign – Summary Certificate Policy

1. Click here to download your Digital Certificate Revocation Form

1. Click here to download the user manual
2. Click here to watch the sinhala instructional video guide
3. Click here to watch the english instructional video guide
   

Please contact LankaPay through our hotlines 011 235 6900 / 011 235 6999 for any assistance

1. Click here to download email signing & encryption document

Pre-requisites for Support

LankaSign CSP provides LankaSign digital certificates, validation services for issued certificates and any support related to same. LankaSign CSP does not provide integration services, software development or coding support.

1. Investigate and ensure the issue or problem is certificate or token related.
2. Ensure the issue is not covered by provided guidelines
3. Ensure the request is not related to coding or software development

Additional Support Services (incur professional charges on per hour basis)

1. PC or non-related support services
2. On site support services
3. On site training
4. Consultancy
5. Other special support requests