All of these credit card payment APIs use some kind of HMAC signature to ensure the integrity of the messages exchanged with the bank server. SPPlus also uses DES encryption of the HMAC key, but the encryption key is hidden in the source code of the kit, which is stupid. ATOP/SIPS seems to use the DES symmetric cipher, but as the source code is not available we cannot tell whether it is used for the confidentiality of the messages.
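The HMAC integrity check described above, as an added Python example that is not code from any of the payment kits mentioned. The hash function (HMAC-SHA256), the field names, the length-prefixed serialization and the demo key are all assumptions made for illustration; each bank's API defines its own.

```python
import hashlib
import hmac

# Constructed demo key (assumption); a real key is issued by the bank
# and must not be embedded in source code.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def canonicalize(fields):
    """Serialize fields unambiguously: sorted by name, each part length-prefixed.

    Plain concatenation would let {"a": "bc"} and {"ab": "c"} produce the
    same bytes, so a valid tag for one message would also fit the other.
    """
    parts = []
    for name in sorted(fields):
        for item in (name, str(fields[name])):
            raw = item.encode("utf-8")
            parts.append(str(len(raw)).encode("ascii") + b":" + raw)
    return b"".join(parts)


def sign(fields, key=DEMO_KEY):
    """Return the hex HMAC-SHA256 tag over the canonical form of the fields."""
    return hmac.new(key, canonicalize(fields), hashlib.sha256).hexdigest()


def verify(fields, tag, key=DEMO_KEY):
    """Recompute the tag and compare in constant time; malformed tags fail."""
    try:
        return hmac.compare_digest(sign(fields, key), tag)
    except TypeError:  # tag is None, bytes, or a non-ASCII string
        return False


if __name__ == "__main__":
    # Constructed sample message (hypothetical field names).
    request = {"amount": "1000", "currency": "978", "transaction_id": "000042"}
    tag = sign(request)
    print("untouched message verifies:", verify(request, tag))
    print("altered amount verifies:   ", verify(dict(request, amount="1"), tag))
```

The tag only proves integrity and origin to holders of the key; it does nothing for confidentiality, which is why the role of DES in the kits above is a separate question.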
The transaction id is automatically generated to conform to the constraints of the different APIs (some accept 6 digits, others 20 alphanumeric characters). It is made to be unique for a given day.