Growing sentiment among Internet security experts is that the biggest issue facing banks and other proponents of electronic commerce is largely a perceptual one. Super-strong encryption has made typing a credit card number
on-line, via a secure encryption-enabled browser, safer than handing it over to sales agents on the telephone or waiters in restaurants.
And though the technology itself may secure financial data on the Web, banks' back-end systems that run encryption applications may fall short. And the systems that don't fall short may cost too much to justify their expense.
Banks today use standard NT or Unix servers to run encryption applications; and the processors within are certainly powerful enough to handle them. But as the number of transactions grows, the number of servers required for security may double or triple, forcing bank executives to spend a large chunk of their budgets on machines that may be used only for encryption. "The underlying technology to handle a digital signature involves a substantial amount of mathematical processing, for which typical processors are not really designed," says Stephen N. Cohn, president of U.S. operations at nCipher Inc., a security company headquartered in Cambridge, England.
To address the problem, security companies like nCipher and Atalla offer products that, through a combination of hardware and software, offload encryption to a separate component. Cohn says nCipher's recently launched line of nFast cryptographic accelerators, which contain between two and five processors, ranging in price from $3,000 to $10,000, can cut down the number of servers needed for on-line commerce. Atalla's WebSafe2 and PayMaster product, designed specifically for SET, work similarly.
When volume grows-and that's when, not if, according to Gary Lefkowitz, director of product marketing for San Jose-based Atalla-banks will need to get transaction processing capacity up somewhere comparable to the ATM network-which processes more than two trillion transactions every day-in or risk cryptographic overload.