Q: Programming automated banking transactions ( Answered 5 out of 5 stars,   1 Comment )
Question  
Subject: Programming automated banking transactions
Category: Computers > Security
Asked by: gerbil-ga
List Price: $30.00
Posted: 22 Feb 2004 15:44 PST
Expires: 23 Mar 2004 15:44 PST
Question ID: 309608
I am a programmer.  I want to learn how to write programs to automate
banking transactions over the Internet.  The challenge is to make
these programs entirely secure even though they must operate without
any human supervision.  An important issue in this problem is that the
executable itself can be a security liability, should an intruder get
a hold of it.  How should these programs be written to minimize the
exposure from such an intrusion event?

OK, so I am looking for titles of books devoted to the topic of
writing secure computer programs to conduct *automated* banking
transactions over the Internet.  (By "automated" I mean that these
programs are supposed to run with no human supervision.)  I am
interested only in books aimed at programmers.

Clarification of Question by gerbil-ga on 23 Feb 2004 02:20 PST
Example #3 is closest to the type of transaction I'm most immediately
interested in: potentially large, requiring no direct human input or
supervision, and occurring between institutions.

At the moment I am definitely not interested in interactions like
those in Example #1.

Those represented by Example #2 are of secondary interest at this
time.  A book that discussed this sort of transaction, but not those
represented by Example #3 is of no interest to me at the moment, but
one that discussed both #3 and #2 would be better than one that
discusses #3 alone.

Request for Question Clarification by aht-ga on 23 Feb 2004 09:23 PST
gerbil-ga:

To get you started, here is a good overview of the entire process
described by #3. Incidentally, #2 is simply the manifestation for the
client of the capabilities delivered to the banks by #3.

http://www.affirmativeusa.com/electronic_funds_transfer.htm

What you may find of most interest is the product described here:

http://www.affirmativeusa.com/financia_institution_achhub.htm

I will see what books I can find for you on this topic; until then,
please give the above links a look so that you have some of the
background material even before you read any books.

Regards,

aht-ga
Google Answers Researcher

Request for Question Clarification by aht-ga on 23 Feb 2004 09:51 PST
gerbil-ga:

So far, I have not come across any books that specifically discuss how
to write programs to automate banking transactions over the Internet.
I *have* found several useful books on secure programming for online
transactions, a technical guide to using the protocol designed for
payment card transactions, and guides to programming for e-commerce
using APIs.

I have also found an off-the-shelf ACH-interface solution that
features documented APIs. However, the documentation is only available
as part of the purchase of a complete license, meaning that this is
priced well beyond a reasonable level for personal education.

Please advise if you would like the books listed as an Answer, even
though no single book addresses the entire topic. Please also advise
if you would like the information regarding the off-the-shelf
interface included in the Answer.

Regards,

aht-ga
Google Answers Researcher

Request for Question Clarification by aht-ga on 25 Feb 2004 13:27 PST
Hi gerbil-ga:

Just wondering if you are still looking for an Answer, and have had a
chance to consider my request for clarification above.

Regards,

aht-ga
Google Answers Researcher

Clarification of Question by gerbil-ga on 26 Feb 2004 07:41 PST
I was waiting in the hopes that someone would find something closer to
what I had in mind...  (I'm assuming here that it is OK for more than
one researcher to compete on a question at one time; this may not be a
correct assumption.)

Doesn't look like this will happen anytime soon, so I'll accept
everything you have as an adequate answer.

Thanks.

gerbil-ga

Request for Question Clarification by aht-ga on 26 Feb 2004 08:57 PST
gerbil-ga:

As long as we are still in the Question Clarification stage, the
question remains open to any Researcher; usually, though, if any one
particular Researcher is engaged in a dialogue with a client, the
other Researchers will leave the Question alone out of professional
courtesy (otherwise, you can picture in your mind yourself walking
into a room, asking your question, then being completely overwhelmed
as 500+ people start shouting out!).

By posting your Clarification asking if others have come across
anything more specific to your needs, and by my post here, it should
become clear to the other Researchers that their input is requested.

I will wait with you for a day or two to see if anyone comes across
something more specific to your needs. While the books I have found
collectively deal with the subject, that's a lot of reading and mental
integration to do for the reader. Let's see if someone else finds
something that is more concise.

Regards,

aht-ga
Google Answers Researcher

Clarification of Question by gerbil-ga on 26 Feb 2004 12:05 PST
I see.  OK, if no other researcher posts anything by noon (PST) this
coming Saturday (2004.02.28), go ahead and give me everything you
have.

Thanks,

gerbil-ga
Answer  
Subject: Re: Programming automated banking transactions
Answered By: aht-ga on 29 Feb 2004 23:08 PST
Rated:5 out of 5 stars
 
gerbil-ga:

I waited until today to post this Answer, to provide more time in case
any other Researchers wanted to tackle this topic. It appears that
they did not have any greater success than I did, so here are my
findings.

The topic you inquired about, namely information on writing software
for automated inter-bank banking transactions, is both broad and
specialized at the same time. It is broad, because it draws upon the
same methodologies and requirements as any form of secure transaction
processing, yet it is specific because the exact protocols and coding
are tightly controlled and mandated by the financial institutions.

Settlements between banks and other financial institutions are handled
primarily through automated clearing houses. So, no matter whether the
institution is a credit card issuer, or a large investment bank,
electronic funds movements must still match the requirements
established by the industry for automated clearing houses (ACH).

While the majority of ACH's in the US are operated by the Federal
Reserve Banks (see: http://www.federalreserve.gov/paymentsystems/fedach/default.htm
), there are also private operators. Each financial institution that
processes settlements electronically is a client of one or more ACH's.

-------------------
To start exploring this topic, it is necessary to start from two
separate yet related starting points. The first is secure transaction
processing, the general topic. Here are some resources that provide an
introduction into the techniques associated with this:

Secure Electronic Transactions: Introduction and Technical Reference
by Larry Loeb 
http://www.amazon.com/exec/obidos/ASIN/0890069921/

 - Secure Electronic Transaction (SET) protocol is the most recent
advancement in the development of standards for electronic financial
transactions, and is used for settlements involving Visa and
Mastercard's issuing banks.


Secure Coding: Principles and Practices
by Mark G. Graff, Kenneth R. Van Wyk 
http://www.amazon.com/exec/obidos/ASIN/0596002424/

 - many regard this as THE bible for developing good, secure code


Secure Programming Cookbook for C and C++
by John Viega, Matt Messier 
http://www.amazon.com/exec/obidos/ASIN/0596003943/

 - an equally useful book, focusing on the pitfalls and security risks
inherent in C and C++ languages


Java Web Services Architecture
by James McGovern, Sameer Tyagi, Michael Stevens, Sunil Mathew 
http://www.amazon.com/exec/obidos/ASIN/1558609008/

 - in case you prefer to develop in Java instead, this book will
provide you with a detailed look at using Java and XML for
network-based transactions


SSL and TLS: Designing and Building Secure Systems
by Eric Rescorla 
http://www.amazon.com/exec/obidos/ASIN/0201615983/

 - optionally, a useful text on using SSL and TLS (if your program
ends up having to work with remote systems through APIs)

-------------------
The second part of your personal education will have to centre on the
standards and requirements for transactional software, as required by
the banks themselves. A good place to start is to review the
information made available by the organizations representing the
banks.

NACHA, The Electronic Payments Association, represents the private
operators and users of automated clearing houses (ACH). Through their
website, they make available for purchase many specific books and
texts on using and developing software for use with ACH's.

NACHA - ACH101
http://pubs.nacha.org/ach101.html

 - a starter package containing all of the basic ACH texts and information

NACHA - Operations
http://pubs.nacha.org/operations.html

 - contains purchasing links for information on ACH's, as well as
books on developing your own originating transactions

NACHA - EDI
http://pubs.nacha.org/edi.html

 - links to books and guides to developing electronic data interchange
services for financial use


You may also wish to consider using a commercially available API that
makes it easy to get up and running. Here are some companies that
offer commercially available APIs for financial transactions:

WebtoCash powered by Ventanex
http://www.webtocash.com/

"Web to Cash is a hosted, browser-based secure application developed
by Ventanex that allows users to enter and track ACH transactions
using a web browser and an Internet connection.
With Web to Cash, companies can collect funds from customers and send
money to vendors."

 - WebtoCash, besides providing their web-based interface, also sells
'ACH Anywhere', an API that you can interface with programmatically:

  http://www.webtocash.com/sales/brochures/ACHAnywhere%20Brochure%20PDF.pdf


ClearCommerce
http://www.clearcommerce.com

"ClearCommerce is the leading provider of fraud prevention and payment
processing solutions for online retail, serving more than 65,000
businesses worldwide. Our highly reliable, scalable, and feature-rich
solutions enable merchants and service providers to reduce the risks
and costs of fraud, increase revenue, and improve profitability of
card-not-present sales channels."

 - ClearCommerce provides easy-to-integrate solutions for companies
that need to send a lot of transactions through online systems to
their financial institutions. A key offering from them is
ClearCommerce Payments:

  http://www.clearcommerce.com/solutions/payment.html


oPAYc (Open Payment Connectivity Drivers)
http://www.opayc.com/

"oPAYc is a standardized way to do payment processing to a large
number of different payment processing companies. oPAYc supports all
of the major processing companies and can be implemented into most web
sites using common programming languages. It has been built to be easy
to integrate into any web based application."

 - oPAYc is also geared towards payment processing; while its drivers
work with the ACH's, I am providing this link more for your reference
than as a direct resource.

-------------------

While no single one of these resources can completely fulfill your
stated desire to learn about electronic financial transactions between
financial institutions, the collection of books and online resources
should be able to provide you with the knowledge you seek.

I hope this information helps!

Regards,

aht-ga
Google Answers Researcher
gerbil-ga rated this answer:5 out of 5 stars and gave an additional tip of: $10.00
aht-ga not only did a great job on a difficult question, I very much
appreciate the fact that aht-ga did not post a not-quite-perfect
answer without making sure that it would be OK with me.

Comments  
Subject: Re: Programming automated banking transactions
From: aht-ga on 22 Feb 2004 20:29 PST
 
It may help if you can describe what you mean by "automated banking
transactions", by giving some examples of these transactions.

Several different types of banking transactions that come to mind right now, are:

1. Online banking through a web portal, where a client can transfer
funds between accounts, pay bills, check balances, and conduct simple
customer service requests;

2. Automatic transactions configured by, or for, a client for matters
such as pre-approved recurring bill payments, automatic paycheque
deposit, automatic fund transfers between accounts/account holders;

3. Electronic funds transfers between financial organizations for
inter-bank settlements;

So, if you can clarify which type of transactions you are thinking of,
that would help immensely!

Thanks,

aht-ga
Google Answers Researcher
