post-1.6: Online-Banking in Germany: HBCI

Christian Stimming stimming@tuhh.de
Fri, 25 May 2001 23:12:10 -0700


-----BEGIN PGP SIGNED MESSAGE-----

This is a post-1.6 (maybe even post-1.x) discussion.

The online banking world is far less globalized than one would believe. 
How many competing standards are there in the US? I read about OFX vs. SET 
vs. Gold vs. IFX ... Now how will the situation change if we go to another 
country? Right, each will have their own set of funky standards. 

Since I am going to live in Germany for the next years, I am interested in 
the German standard for online banking. It is called "HBCI" (Home Banking 
Computer Interface...?). The specifications are publicly available, as 
well as two reference API implementations for Windows in C, C++ and Java. 
Of course, none of them are GPL or comparable. 

HBCI uses a "delimiter syntax" (i.e. *not* XML) that's derived from 
another standard called UN/EDIFACT (maybe a European thing?). It uses 
TCP-Port 3000 for its communication (i.e. *not* http and/or SSL). It comes 
with RSA signatures/encryption algorithms. The user's secret key has to be 
saved on a "secure medium" which, in the long term, is a smartcard that 
requires the user to own the appropriate reader. As a migration path, the 
user can store the secret key on a floppy disk (no joke, works even under 
Linux). The documents are in German and there are some English documents 
available, but beware of horrible translations... 
http://www.sixsigma.de/dokumente/hbcicomp.pdf is a 40-page overview but a 
bit outdated. http://www.hbci.de/english is the homepage of the 
standardization committee and it has the most horrible translation I've seen 
in quite some time :) 

There are some efforts on a European harmonization in terms of online 
banking standards, http://www.ecbs.org but it seems there's no standard 
coming up soon.

A search for hbci on sourceforge reveals two projects which try to create 
an Open Source API for HBCI. Both are still in the "planning" stage and 
haven't released any files yet. I've contacted the developers - if I hear 
anything back, I'll follow up here.

Christian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)

-----END PGP SIGNATURE-----