LAS VEGAS — Credit unions will likely be facing higher IT security expenses late this year as they implement new NCUA e-commerce procedures affecting online banking, according to the CEO of the $2.3 billion Pennsylvania State Employees CU.
Greg Smith, president of the $2.3 billion Harrisburg-based PSECU, said his CU has already figured it is spending $1 million a year on IT security, which he calls "our own kind of milestone," adding that he suspects other CUs with similar operations will be sharing the prospect of higher costs.
Smith, who spoke at a breakout session at the annual National Directors' Convention here, said PSECU began preparing for the so-called "multi-factor authentication" rules in 2004, though the guidelines were first issued by bank and CU regulators in 2001.
Today, he said, many impacted CUs across the country have already done risk assessment studies in line with the regulation based on the scope of their online operations, but implementation and vendor selection need to be taken seriously.
"You can't do the implementation in less than three months and if you do, that's a recipe for disaster," warned Smith, recommending a minimum six-month window.
The NCUA rules deal with extra security procedures to verify home banking users and protect against fraud. His own CU had previously teamed up with Cyota, an anti-fraud firm, to handle the CU's authentication program.
Underscoring the newfound importance of IT security in a growing market, Cyota, said Smith, has since been "bought and sold several times" and was finally acquired last fall by RSA Security Inc. of Bedford, Mass., a firm which has Bank of America and other large banks as clients.
Multi-factor authentication, declared Smith, requires two independent ways for online users to establish identity and privileges, and these can include biometric applications, tokens and smart cards.
The PSECU CEO stressed the importance of marketing and educating members on what to expect as CUs come up with fraud protection programs.
Some CUs "with technologically savvy members may like the tokens" as well as the smart cards, but PSECU in its partnership with Cyota/RSA has ruled them out in addition to biometrics, favoring instead a system known as "e-sphinx."
That product, he said, scans members' usage patterns for a two- to three-month period to build a database.
Under the system, "high risk transactions or nonfamiliar access triggers a screen pop-up and phone call to the member for code verification," said Smith.
In turning aside smart cards, tokens and biometrics, PSECU sought to minimize members being redirected off the PSECU Web site, he said.
Cyota/RSA, he said, is providing the CU with anti-phishing services, as well as anti-pharming and ISP blocking of known phishing e-mails and Web sites, as part of the package at no additional cost.
PSECU, with 310,000 members, is also providing users an online "guarantee" of fund reimbursement if the CU system is compromised, with a stipulation, however, that members must follow all CU rules.