LloydsTSB to offer smartcard security

Lloyds TSB is set to offer smartcard technology to business customers as part of a major review of its security architecture for online services.

The bank is looking at integrating public key infrastructure (PKI) into existing legacy systems following the completion of a year-long 'Key Online' trial of 60 business customers using smart cards to digitally sign account transactions.

Talking exclusively to vnunet.com, Sam Rushton, head of channel management for business banking at Lloyds TSB, said that PKI will offer extra security for high-value transactions.

"We are particularly focused on creating a multi-level security architecture that allows users to move between applications which have different levels of risk attached to them," he explained.

"For example, high value payments would need a security token of some kind whereas information services could be made available with just user name and password. PKI will fit within that security hierarchy."

The bank's IT department is evaluating how the Key Online technology can be integrated into mainstream online channels such as Lloydslink, Success4Business and Online4Business.

During the pilot, business customers used a smartcard in conjunction with a password. The Lloyds TSB certificate authority then verified the customer's digital certificate and authorised access to the account.

Smartcards and readers were supplied by Schlumberger and the PKI software by Entrust, with Accenture working as consultants.

The main problem with the trial was a 10 per cent failure rate with the installation of the hardware and software at the customer's site, but Rushton insisted that this can be addressed with adequate support.

"It is naive to think that with current technologies no customers will have problems loading software onto their machine, so you do need to have cost effective support for them," he said.

Key Online was initially intended to launch as a standalone service after the pilot, but the bank decided that this was not practical.

"Migrating customers who are happy with their existing services to a whole new electronic banking platform is not an option," said Rushton.

The bank's own research found that about three quarters of its 700,000 business customers would like to use a service with that level of extra protection.

Ovum security analyst Graham Titterington maintained that banks are increasingly looking at PKI only for services specific to their own customers.

"This is indicative of the lowering of expectations for this technology, compared to a few years ago where it was thought of as a panacea for all security problems," he said.

Titterington explained that the main technology issues will be physically distributing the hardware - the smartcards and the readers - to customers.