The Web's pervasiveness makes a strong argument for the Internet becoming the de facto network for business transactions.
As e-commerce grows by leaps and bounds, the ability to exchange information securely over this open network is crucial. At the most basic level, secure communication over an open network requires trust in two things: integrity of the data and identity of the parties.
Public key infrastructure, or PKI, is the framework that has been offered to meet the demands of authenticating parties in an electronic transaction over an open network.
PKI relies on two basic sets of electronic data: a digital signature, computed with the signer's private key, which ties a particular signer to a particular transaction and shows that the signed data has not been altered since; and a digital certificate, in which a certificate authority binds that signer's public key to a verified identity - a sort of passport for the digital age.
Digital signatures, and the certificates that validate them, will be essential to the continued growth of Web-based commerce, particularly in the business-to-business market.
Before rushing to build a PKI - or to buy into one - financial institutions should examine certain factors from a business perspective. Aside from the costs of developing, installing, and managing the software and hardware required by PKI, the technical and business obstacles that companies face when adopting such an infrastructure include certificate issuance, certificate access, cross-certification, and liability issues.
The crucial point to remember in all this is that digital certificates are not really a form of authentication in themselves; they only attest that someone else - the issuing certificate authority - followed some process to check that the certificate holder is who he or she purports to be. A relying party inherits exactly as much assurance as that process provided, and no more.
PKI, as it exists today, hinges on the issues of certificate access and issuance. The cryptography itself is rarely the weak point; a properly implemented signature is not forged by breaking the mathematics. All this robust security still relies on the identity verification by which end users are issued certificates in the first place, and on the procedures by which they gain access to their certificates and keys in order to sign a document.
Without establishing trust in these two areas, PKI is relatively worthless; it is only as strong as its weakest element.
Many financial institutions are assessing the role of PKI in the marketplace and their own parts in building it. Considering the cost and security needed to build and manage an effective PKI, most institutions only plan to offer digital certificates to their corporate customers. This is one area in which retail bank customers will not be the testing ground for commercial clients.
Global Concepts questioned 20 financial institutions that are not using PKI technology today about their plans for it and their retail customer base. Though most agreed that certificates for corporate clients are plausible, fewer than half the banks in the study intend to offer their retail customers digital certificates, and only two had adopted timelines for doing so.
For all the worry behind PKI strategies, financial institutions are positioned as well as - if not better than - others to authenticate their customers, issue certificates, and grant access.
The issues of certificate issuance, user authentication, and end-user certificate access should not be taken lightly, though. It is nearly certain that some form of PKI will be used to accommodate the burgeoning realm of electronic commerce and secure data exchange over public networks.
But banks should consider the possibility of offering one or more of various degrees of "PKI robustness," based on the needs of the parties involved.
Financial institutions are faced with deciding which strategy is right for their customers. Some banks have built their own public key infrastructures. Others have banded together to form a global PKI in common, and many are still evaluating the possibilities and pitfalls. Each bank's customer focus and customer base are different, but the main goal of any PKI is the same: to enable secure e-commerce.
The degree of infrastructure required depends on the needs of the end users. The service appropriate for companies that are already comfortable doing business with one another and only want to move transactions and information exchanges to the Internet will be totally different from the level of assurance demanded for large-dollar transactions between two parties relatively unknown to one another.
The daunting task is deciding which services to offer and how to go about offering them.
Mr. Anderson is a director at Global Concepts Inc., an Atlanta banking and payment systems consulting firm.