Monday, April 07, 2008

I stand corrected (again)

In comments a post of mine on Xero, Xero representatives correct my (mis)characterization of how Xero pulled bank data
Xero absolutely does NOT ask for customers' bank login. Xero customers must submit signed authorization to their banks.

We are working on secure host-to-host connections with the banks, similar to the model you describe. That means with Xero you get a great web 2.0 experience that's backed by uncompromising host-to-host security.
as you said, asking customers for their internet banking credentials is a bad model and this is not how Xero works.

Xero's bank feeds are setup by the customer giving authority directly to their bank, requesting their data to be provided to Xero.

Still curious as to the form the authorization takes. Does the bank account owner pick from a list of 'Authorized Requestors'? Is the actual data flow push or pull? If pull, does the bank log who initiated the request. Does 'host-to-host security' mean SSL?

Xero offers a free 30-day trial. I'd be tempted if not that it seems pretty Kiwi/UK centric. On that note, I wonder if Xero is aware of the New Zealand governments commitment to identity standards that would serve their use cases very well.

No comments: