Praise for Go-Ahead to Export Strong Encryption

Bankers expressed satisfaction with the Clinton administration's move to permit the export of financial software using the most advanced data security technology.

"It appears that all barriers to exploiting and supporting cryptography have been lifted" for financial institutions, said Stephen R. Katz, chief information security officer for Citicorp.

Visa International said it would be a boon to the Secure Electronic Transactions protocol it and MasterCard are promoting for Internet commerce.

The policy change, announced last week by the Commerce Department's Bureau of Export Administration, will permit banks to utilize encryption tools stronger than those previously permitted for export.

The export rules are important even for domestic purposes because they set a standard for what software companies offer and what multinational companies can implement across borders.

"This is a major step in making our lives a lot simpler," said Charles Blauner, vice president of J.P. Morgan & Co.

Currently, exportable encryption algorithms can have data-scrambling keys of no more than 56 computer digits, or bits. The longer the key, the harder it is for a high-speed computer to break the code. The U.S. government put limits on key lengths to preserve its ability to break in for law-enforcement or military reasons.

Mr. Blauner said that while 56 bits are considerably more secure than the historical 40-bit limit for nonfinancial purposes, 56 is still too risky for many financial transactions.

Longer keys "will allow us to communicate data over the Internet, which we would have done under no circumstances before," Mr. Blauner said.

The administration was sensitive to "the special nature of the financial industry" and the fact that it cooperates to help solve financial crimes, said William A. Reinsch, under secretary of the Bureau of Export Administration.

But many bankers had been wary of the administration's decision last fall to begin liberalizing encryption exports with a key recovery component, giving authorities a "back door" into secure messages when warranted.

Mr. Reinsch said banks will be able to use international versions of home banking and other financial software with unlimited key lengths and without key recovery.

"I am happy that there will not be mandatory key recovery," said Mr. Katz at Citicorp. "Banks will be able to export cryptography for all transaction-related exchanges with customers, other banks, and within our bank."

The regulations, which are not yet formally promulgated, will also permit banks to use high-powered general-purpose software, such as Netscape's Communicator, provided that the embedded encryption can support key recovery.

The devil could still be in the details, bankers said, but they were hopeful that the new regulations will promote commerce on the Internet. And if the Internet becomes a preferred "highway," then banks could eliminate many of the costs of their private networks.

"We have intentionally not made any direct movement on the Internet until we could meet or exceed customer expectations" about security, said Mr. Katz. "We will certainly look at it with a much better eye."

But the easing does not yet apply to Internet browsers, which could be necessary for a mass-market impact. "This is going to have more impact on the back office than the consumer," said Scott Schnell, vice president of RSA Data Security Inc., Redwood City, Calif.
