Consumer uses get most of the attention, but smart cards have a big role to play inside banks.
The technology has shown promise in improving the security of buildings and other facilities as well as of communications and transactions.
BankAmerica Corp.'s interactive banking division is using chip cards for access security at its San Francisco offices. The cards are coded according to where each cardholder is authorized to go. The card also incorporates other types of identification such as a photo of the employee and a digital signature.
"This technology gives us flexibility that we didn't have before," said Bette A. Wasserman, vice president and manager of smart card development in the interactive banking division.
Though employees at Bank of America's Clock Tower building use the technology only for access, other applications will be added. They might include stored value or other functions appropriate to an internal corporate environment.
"There are a lot more options with these cards because of the higher computing power," Ms. Wasserman said.
Also in San Francisco, Wells Fargo & Co. is looking into the potential of bundling access capabilities with a stored value application. As part of the "lab year" of Mondex, the smart card payment system it has championed, the bank is looking to conduct a pilot in a closed environment like a corporate or college campus, said Wells spokeswoman Janet Otsuki.
Aside from building access, the card could control personal computer or network access, Ms. Otsuki said. "It would test the fact that Mondex is ubiquitous in both the physical and virtual worlds," she said.
Some of the more advanced smart cards are already able to generate the public and private encryption keys necessary for secure messaging and on-line commerce. Cards have the advantage of portability over software- based solutions - assuming the requisite reader locations are available.
Unlike software-only encryption and authentication, a card "can provide you with a high degree of certainty that it hasn't been tampered with," Ms. Wasserman said.
Smart cards also can replace the automated tokens that many banks use to generate one-time passwords in sensitive operations like money transfer. "The authentication string or key can be longer (with chip cards) because no one has to type it in," said Joel B. Jacobs, vice president at Concept Five Technologies Inc., an information systems engineering and technology company.
"I don't think you can overestimate the importance of having a secure encryption device that can be used whenever it is appropriate," said William Barr, vice president of the Smart Card Forum and executive director of information networking at the Morristown, N.J.-based Bellcore.
These cards could protect internal as well as external electronic communications. With digital signatures, it is possible "to make sure that the communication originated from the person who claims to have originated it," Mr. Barr said.
"The market for smart cards is in the communications environment," said Jerome Svigals, an electronic banking consultant in Redwood City, Calif.
Trading and wire transfer operations may benefit from the added security of smart cards. These are among the "higher-risk areas that are looking the hardest at smart cards for authentication," said Harriet G. Goldman, the Massachusetts-based director of electronic commerce at Concept Five Technologies of McLean, Va. "The risk to the bank is monetary, which is so great that the cost involved can clearly pay for itself."
Smart cards combined with public key cryptography can answer another corporate security challenge - protecting banks' computer networks.
Computer security companies are actively promoting smart cards as secure tokens. Security Dynamics Technologies Inc. and Vasco Data Security Inc. have added smart cards to their lines of tokens.
Part of the security threat arises from allowing employees to dial in to the corporate computer network while away from the office. "There has been an explosion in supporting remote-access users in the world of business," said Dave Power, senior vice president of marketing and corporate development at Security Dynamics Technologies Inc., Bedford, Mass.
"It becomes possible for corporations to just give an employee a smart card, have them stick it in their pocket, and that employee from any location can quickly and easily access even the most sensitive information securely," Mr. Barr said.
Another problem comes from the rise of intranets, corporate networks built on open - and inherently insecure - Internet technology, Mr. Power said. "In the long run, the only way to provide security over the Internet is to encrypt your messages."."
Netscape Communications Corp. sees the promise of smart cards as a security mechanism. The Mountain View, Calif.-based Internet software company plans to integrate public key cryptography protocols into all its products, said David M. Andrews, senior security product manager at Netscape.
Banks could use the cards to personalize access to different parts of computer systems and data bases, Mr. Andrews said. With a digital certificate on the card, "you can partition information based on who you want to view it and who you don't."
But these visions will take time to be realized. Large-scale implementations of smart card technology for security are not anticipated until 1998 at the earliest.
Many organizations find it hard to justify the expense of adding cards and reading devices to their infrastructures.
"In the corporate arena, smart cards may not be a very good solution because they require a higher degree of investment," said John C. Haggard, president of Lombard, Ill.-based Vasco Data Security. "You have to associate a smart card reader with every machine that a particular corporate user can access."
Beyond that, "the software needs to be able to understand and communicate back and forth securely with the card," said Kathy Lawton, vice president of consumer banking systems at Chase Manhattan Corp. and chairman of the Smart Card Forum financial services group's security subcommittee.
"Once the industry can start putting some smart card readers on PCs, then the world changes," said Gerald Hergenroeder, a senior consultant with Speer & Associates in Atlanta.
