post-1.6: Online-Banking in Germany: HBCI

Christian Stimming
Fri, 25 May 2001 23:12:10 -0700


This is a post-1.6 (maybe even post-1.x) discussion.

The online banking world is far less globalized than one would believe. 
How many competing standards are there in the US? I read about OFX vs. SET 
vs. Gold vs. IFX ... Now how will the situation change if we go to another 
country? Right, each will have their own set of funky standards. 

Since I am going to live in Germany for the next years, I am interested in 
the German standard for online banking. It is called "HBCI" (Home Banking 
Computer Interface...?). The specifications are publicly available, as 
well as two reference API implementations for Windows in C, C++ and Java. 
Of course, none of them are GPL or comparable. 

HBCI uses a "delimiter syntax" (i.e. *not* XML) that's derived from 
another standard called UN/EDIFACT (maybe a European thing?). It uses 
TCP-Port 3000 for its communication (i.e. *not* http and/or SSL). It comes 
with RSA signatures/encryption algorithms. The user's secret key has to be 
saved on a "secure medium" which, in the long term, is a smartcard that 
requires the user to own the appropriate reader. As a migration path, the 
user can store the secret key on a floppy disk (no joke, works even under 
Linux). The documents are in German and there are some english documents 
available, but beware of horrible translations... is a 40-page overview but a 
bit outdated. is the hompage of the 
standarization commitee and it has the most horrible translation I've seen 
in quite some time :) 

There are some efforts on a European harmonization in terms of online 
banking standards, but it seems there's no standard 
coming up soon.

A search for hbci on sourceforge reveals two projects which try to create 
a Open Source API for HBCI. Both are still in the "planning" stage and 
haven't released any files yet. I've contacted the developers - if I hear 
anything back, I'll follow up here.

Version: GnuPG v1.0.4 (GNU/Linux)