November 17th, 2020
Now more than ever, security is a top priority for businesses. This holds especially true when it comes to EDI, as the business data exchanged between trading partners must be sent securely and reliably. That’s where communication protocols, also known as EDI messaging protocols or file transfer protocols, come into play, ensuring that critical data is sent and received through a secure communication channel.
Among others, the AS2 protocol reigns supreme in the retail space and is one of the most secure and widely used communication methods across many industries.
But what exactly is this communication protocol and why is it so popular?
What Is AS2?
AS2 (Applicability Statement 2) is a communication protocol designed to transmit business data securely from one system to another over the internet.
EDI via AS2 was introduced for the first time in 2002 as a direct extension of its predecessor AS1 (Applicability Statement 1), which was created in the early 1990s. The main difference between the two protocols lies in the transportation methods they use. While AS1 transfers data via email using the Simple Mail Transfer Protocol (SMTP), AS2 uses HTTP/S (Hypertext Transfer Protocol Secure), enabling real-time communication.
Back in the 2000s, the AS2 EDI standard gained immediate popularity in the retail sector. This is mainly because Walmart, followed by other major industry leaders, mandated the adoption of AS2 for all suppliers. In other words, if you are a supplier and want to send an order to Walmart, it must be an AS2 message.
This protocol soon became one of the most popular standards in industries outside of retail. This is due to the fact that an AS2 message combines the best aspects of all other communication protocols with the addition of some unique security features. For example, a trading partner can optionally request a Message Disposition Notification (MDN). AS2 MDNs help to enforce data integrity, ensuring that the documents are sent securely and reliably.
Some of the features that make AS2 stand out when compared to other protocols include:
- Encryption – By using public certificates and private keys, the sender encrypts the message to make sure the business data is transmitted securely. Digital certificates and encryption ensure that only the intended recipient will be able to decrypt the file. In this way, AS2 creates an envelope that is really, really hard for the wrong person to open.
- Digital Signatures – Typically used for authentication, message integrity, and non-repudiation, digital signatures ensure that both the sender and the receiver verify their identity before they can access the content of the file.
- Non-Repudiation – As mentioned earlier, receipts like the Message Disposition Notification (MDN) are used to indicate that a message was successfully received, decrypted, and verified by the intended recipient. It is possible for this to be a synchronous or an asynchronous MDN.
How Does AS2 Work?
First things first. In order to establish a connection, the sender and the receiver both need an internet connection and communication software (AS2 EDI software). Only then can the file be transferred from one system to the other (the client and the server). Here is an (over)simplified version of what the typical process looks like:
- The sender prepares the document. The document may be compressed to reduce the size of the file that needs to be transported.
- The sender signs the file with its private key and encrypts it using the receiver's public SSL (Secure Sockets Layer) certificate. The encrypted document also contains a request for the receipt that the receiver will need to send back.
- The file is sent through an HTTP/S connection and delivered to the intended recipient.
- The receiver decrypts the file using his private key and verifies the signature of the sender using the sender's public SSL certificate. If the document was compressed, it will be decompressed.
- The receiver creates a Message Disposition Notification (MDN) delivery receipt and signs it with his private key. The receipt also contains a cryptographic hash of the received file to prove that the recipient validated and decrypted the file and that it hasn’t been altered.
- The receiver sends the MDN to the sender. The receipt can be sent either using the same HTTP/S connection, using a new HTTP/S connection, or via email.
- The sender verifies the MDN signature using the receiver's public SSL certificate and checks the cryptographic hash.
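The hash check in the last step can be sketched as follows. This is an added example, not code from the original article or from any AS2 product. It assumes the MDN's signature has already been verified by an S/MIME library, uses the MDN field names from the AS2 specification (RFC 4130), and all function names and sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac
from email import message_from_string

def compute_mic(signed_bytes: bytes, alg: str = "sha-256") -> str:
    """Base64 digest of the exact MIME part (headers + body) that was signed."""
    digest = hashlib.new(alg.replace("-", ""), signed_bytes).digest()
    return base64.b64encode(digest).decode()

def check_mdn(mdn_text: str, sent_id: str, sent_mic: str, sent_alg: str = "sha-256"):
    """Sender-side checks on an MDN whose signature has ALREADY been verified."""
    msg = message_from_string(mdn_text)
    report = next((p for p in msg.walk()
                   if p.get_content_type() == "message/disposition-notification"), None)
    if report is None:
        return False, "no disposition-notification part"
    fields = report.get_payload(0)  # the MDN fields are parsed as headers
    if fields.get("Original-Message-ID", "").strip() != sent_id:
        return False, "MDN refers to a different message"
    status = fields.get("Disposition", "").partition(";")[2].strip().lower()
    if status != "processed":  # e.g. "failed/failure: ..." or "processed/error: ..."
        return False, f"receiver reported: {status or 'missing disposition'}"
    mic, _, alg = fields.get("Received-Content-MIC", "").partition(",")
    if alg.strip().lower() != sent_alg:
        return False, "MIC algorithm mismatch"
    if not hmac.compare_digest(mic.strip().encode(), sent_mic.encode()):
        return False, "MIC mismatch: receiver hashed different content"
    return True, "ok"

# Constructed sample data (not from a real exchange).
SENT_ID = "<po-1001@sender.example>"
SIGNED_PART = b"Content-Type: application/edi-x12\r\n\r\nISA*00*constructed-sample~\r\n"

def sample_mdn(mic: str, disposition: str = "processed") -> str:
    """Build a minimal multipart/report MDN as a receiver would return it."""
    return (
        'Content-Type: multipart/report; report-type=disposition-notification; boundary="b1"\n'
        "\n--b1\nContent-Type: text/plain\n\nThe message was received.\n"
        "--b1\nContent-Type: message/disposition-notification\n\n"
        f"Original-Message-ID: {SENT_ID}\n"
        f"Disposition: automatic-action/MDN-sent-automatically; {disposition}\n"
        f"Received-Content-MIC: {mic}, sha-256\n"
        "--b1--\n"
    )

if __name__ == "__main__":
    good = compute_mic(SIGNED_PART)
    print(check_mdn(sample_mdn(good), SENT_ID, good))
    print(check_mdn(sample_mdn(compute_mic(b"altered")), SENT_ID, good))
    print(check_mdn(sample_mdn(good, "processed/error: decryption-failed"), SENT_ID, good))
```

The sender stores the message ID and MIC at send time; an MDN that fails any of these checks should be treated as an undelivered message, not as a receipt.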
One thing to note is that AS2 can be used to transport any type of document, but EDI X12, EDIFACT, and XML are most common.
AS2 vs. AS4
New iterations of the AS2 protocol—AS3 (Applicability Statement 3) and AS4 (Applicability Statement 4)—emerged later, introducing some new features and benefits not available to AS2 users. AS2 and AS4 share some common characteristics like file compression, encryption, and non-repudiation, but AS4 is based on web services and, unlike AS2, it doesn’t always require online status. Instead, AS4 allows messages to be pulled by the recipient even if their system is offline because it is always active.
In short, AS4 is basically a better, improved version of its predecessors. So the question is, why do companies still tend to use AS2 over AS4? Well, that’s because some might not have an option—for example, Walmart suppliers. For those who can choose, however, the decision to stick with AS2 is simply dictated by its widespread adoption across all industries.
EDI VAN vs. AS2
Companies often question whether they should choose EDI via AS2 versus a Value-Added Network (VAN). The short answer is, it depends. Both methods provide a secure way of transferring data, but while EDI AS2 is a direct point-to-point connection, a VAN acts as a sort of postal service that can reach multiple recipients at once. At first glance, AS2 seems like the more cost-effective option, but it all depends on how big your trading partner community is, as each partner needs to be set up one by one. Plus, with direct, point-to-point EDI via AS2, you’ll have to support your own environment. In contrast, a VAN comes with a set of services and benefits. For those companies in search of peace of mind, AS2 via VAN is probably the right answer.