Want To Do Direct EDI Communications? Secure These First

Posted by John Carl Villanueva on Thu, Jan 21, 2016 @ 08:07 PM


There are two ways of exchanging EDI messages. You can do it directly or you can course it through a third party service provider like a VAN (Value Added Network). While the first option is generally more complicated, it's certainly very doable. In this post, we'll talk about some of the key components you'll have to secure before you can start sending EDI messages directly to your trading partners. 


1. A mechanism for automating processes

Automation is an essential piece in Electronic Data Interchange. In fact, the ability to automate B2B transactions was one of the key motivations for developing EDI.

Here's one simple task you will want to automate. Let's say your EDI document has already been processed internally and is ready for sending. Although you could send that file manually, it would be much more efficient if your EDI communications system had the capability to simply detect the presence of the document, grab it, and then send it to the intended recipient, all without any human intervention.



Of course, that's just a simple example. There are other things you might want to do. Perhaps you might want to combine the file with another file, or encrypt it, or generate a copy, or forward a copy to another server, and many others. How would you accomplish these tasks automatically?

Normally, you would write tiny programs known as scripts to do those little tasks for you. You could ask someone from IT with good programming skills to write the scripts or you could hire someone to do that. 

The problem with scripts is that they're highly customized. Or maybe the better term would be "personalized". Only the person who wrote them will likely be able to easily understand their inner workings. Once the person who wrote them leaves, you would have a problem auditing or, worse, modifying those scripts whenever you need to. 

A better option would be to use an EDI communications solution that has some built-in automation mechanism that's easy to understand, use, and modify. 
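As an added illustration of the pickup step described above (this is not code from the original post or from JSCAPE), here is a small Go collector that polls an outbox for finished documents and hands them to a transfer stage. It adds the check a practitioner will want that the text does not spell out: a file is only handed over once its size has stopped changing between two passes, so a document the translator is still writing is never sent half-written, and the claim itself is a rename so two workers cannot both pick up the same file. The directory layout, the `.edi` suffix and the stand-in `send` function are assumptions of the example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// OutboxCollector polls an outbox for finished EDI documents and claims them by
// moving them into a processing directory. Constructed example, not JSCAPE's
// Triggers; the directory layout and ".edi" suffix are assumptions.
type OutboxCollector struct {
	Outbox, Processing, Suffix string
	lastSize                   map[string]int64 // size of each candidate on the previous pass
}

func NewOutboxCollector(outbox, processing, suffix string) (*OutboxCollector, error) {
	for _, d := range []string{outbox, processing} {
		if err := os.MkdirAll(d, 0o750); err != nil {
			return nil, err
		}
	}
	return &OutboxCollector{outbox, processing, strings.ToLower(suffix), map[string]int64{}}, nil
}

// Scan runs one polling pass and returns the processing paths of the documents it
// claimed. A file is claimed only if it has the expected suffix, is non-empty and
// has the same size as on the previous pass, so a document the translator is still
// writing stays out of the send queue. The claim is an os.Rename, atomic on a local
// file system, so two collectors on the same outbox cannot both take one file.
func (c *OutboxCollector) Scan() ([]string, error) {
	entries, err := os.ReadDir(c.Outbox)
	if err != nil {
		return nil, err
	}
	present := map[string]bool{}
	var claimed []string
	for _, e := range entries {
		name := e.Name()
		info, err := e.Info()
		if err != nil || e.IsDir() || !strings.HasSuffix(strings.ToLower(name), c.Suffix) {
			continue
		}
		present[name] = true
		prev, seenBefore := c.lastSize[name]
		c.lastSize[name] = info.Size()
		if info.Size() == 0 || !seenBefore || prev != info.Size() {
			continue // first sighting or still growing: re-check next pass
		}
		dst := filepath.Join(c.Processing, name)
		if os.Rename(filepath.Join(c.Outbox, name), dst) != nil {
			continue // another worker claimed it first
		}
		delete(c.lastSize, name)
		claimed = append(claimed, dst)
	}
	for name := range c.lastSize { // forget candidates that vanished between passes
		if !present[name] {
			delete(c.lastSize, name)
		}
	}
	return claimed, nil
}

// Dispatch hands each claimed document to send and files it under sentDir or
// failedDir, so a failed transfer stays visible for retry instead of vanishing.
func Dispatch(paths []string, sentDir, failedDir string, send func(string) error) ([]string, []string, error) {
	var sent, failed []string
	for _, d := range []string{sentDir, failedDir} {
		if err := os.MkdirAll(d, 0o750); err != nil {
			return nil, nil, err
		}
	}
	for _, p := range paths {
		target, list := sentDir, &sent
		if send(p) != nil {
			target, list = failedDir, &failed
		}
		dst := filepath.Join(target, filepath.Base(p))
		if err := os.Rename(p, dst); err != nil {
			return sent, failed, err
		}
		*list = append(*list, dst)
	}
	return sent, failed, nil
}

func main() {
	root, err := os.MkdirTemp("", "edi-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	c, _ := NewOutboxCollector(filepath.Join(root, "outbox"), filepath.Join(root, "processing"), ".edi")
	// Constructed sample document, as an upstream translator might drop it.
	os.WriteFile(filepath.Join(c.Outbox, "po-850.edi"), []byte("ISA*00*          *00*          *ZZ*SENDERID~"), 0o640)
	for pass := 1; pass <= 2; pass++ { // pass 1 only records the size; pass 2 claims it
		claimed, _ := c.Scan()
		sent, failed, _ := Dispatch(claimed, filepath.Join(root, "sent"), filepath.Join(root, "failed"), func(p string) error {
			fmt.Println("transfer stand-in: would send", filepath.Base(p), "to the trading partner")
			return nil
		})
		fmt.Printf("pass %d: claimed=%d sent=%d failed=%d\n", pass, len(claimed), len(sent), len(failed))
		time.Sleep(200 * time.Millisecond)
	}
}
```

In a real deployment the `send` callback is where the AS2, SFTP or FTPS transfer happens; the point of the example is everything around it: the stable-size guard, the atomic claim, and the fact that a document whose transfer failed ends up in `failed/` where it can be audited and retried rather than silently disappearing.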


2. Support for common communications protocols

Unless you'll be transacting with just one trading partner, it's important to be able to support multiple communications protocols. Each trading partner will likely have its own preferred file transfer protocol. One trading partner might prefer to transact via FTPS, another might prefer doing it over AS2, still another might be capable of transacting only via SFTP.

So, at the very least, you should be able to support the most widely used ones like AS2, FTP, FTPS, SFTP, HTTP, OFTP, and HTTPS. This will allow you to cater to the communications requirements of a large majority of trading partners. 


This article offers a nice discussion on popular file transfer protocols used in EDI: EDI Transmission Options Every Trading Partner Should Know

Bear in mind though that setting up multiple file transfer services can be difficult, especially if you need to integrate them all into your EDI environment. You'll be needing more scripts and, because each protocol has its own commands/nuances, your script developer should be knowledgeable about those protocols as well. 

If you can find an EDI communications solution that already supports multiple protocols, that would greatly simplify things. 


3. Security and compliance

Security is another crucial component in EDI communications. Many EDI documents will contain sensitive information. Thus, you'll want to protect them against eavesdropping, fraudulent alterations, and other nefarious activities.

Some communications protocols (like FTP and HTTP) transmit messages in the clear, so you might want to avoid those. Better options would be FTPS, SFTP, HTTPS, or AS2 running on HTTPS.

In many cases, security is going to be mandated. In some industries and regions, EDI communications are subject to certain regulatory requirements. It's important to be aware of the requirements in order to avoid violations as well as the hefty fines and penalties that follow them. 

Two major regulations that have an impact on EDI transactions are the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS).

If you operate in the healthcare industry or transact with companies in that industry, then there's a good chance you'll need to comply with HIPAA requirements. The article Securing HIPAA EDI Transactions with AS2 provides a good introduction on the subject. 

Similarly, if you transmit cardholder data, then you'll probably have to comply with PCI DSS requirements.

In addition to industry-specific laws and regulations, you'll also have to be mindful of region-specific legislation. If you transact with companies in Europe, for instance, then it's important to be aware of their data protection laws, which are among the most stringent in the world.

It would help if you knew what legal options are available to allow the transfer of data from Europe to the US in case you need to do that. As of this writing, the most popular legal option - known as the Safe Harbor agreement - has been invalidated, so you need to explore alternatives. 

These laws and regulations have requirements that cover security principles like confidentiality, data integrity, availability, and authentication. You might want to consult a legal expert and/or an information security expert for guidance, particularly in achieving regulatory compliance. 

Because these laws and regulations usually dictate several requirements, you'll most likely need different solutions to address them. For example, confidentiality requirements are usually met through encryption solutions. Data integrity, on the other hand, can be satisfied by digital signatures. Authentication can be satisfied through passwords or digital certificates, and so on. So it's possible for you to end up with a hodgepodge of solutions. 
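To make that mapping concrete, here is an added Go example (not the post's own code and not JSCAPE's) showing the three requirements met in one envelope: the sender signs the document with its private key (integrity and origin authentication), then encrypts signature and document under a one-time AES-GCM key that is wrapped for the receiver's public key (confidentiality). The sign-then-encrypt layering is the same idea AS2 relies on, but the envelope format, the sample EDI fragment and the key names are constructed for this example; it is not S/MIME, and the exchange of partner certificates is assumed to have happened out of band.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the constructed wire format of this example: the AES content key
// wrapped for the receiver, the GCM nonce, and the ciphertext of
// (signature || payload). It is not AS2's S/MIME structure.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// Seal signs the payload with the sender's private key (integrity and origin
// authentication), then encrypts signature and payload under a fresh AES-256-GCM
// key that only the receiver's private key can unwrap (confidentiality).
func Seal(payload []byte, senderKey *rsa.PrivateKey, receiverPub *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, senderKey, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	contentKey := make([]byte, 32)
	if _, err := rand.Read(contentKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	body := append(append([]byte{}, sig...), payload...)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, contentKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, body, nil)}, nil
}

// Open reverses Seal. GCM rejects any altered ciphertext before the signature is
// even examined, and the signature check rejects a payload that was not signed by
// the holder of the expected partner's private key.
func Open(env *Envelope, receiverKey *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverKey, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("key unwrap failed: not encrypted for this receiver")
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	body, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext rejected: message altered in transit")
	}
	sigLen := senderPub.Size()
	if len(body) < sigLen {
		return nil, errors.New("malformed envelope")
	}
	sig, payload := body[:sigLen], body[sigLen:]
	digest := sha256.Sum256(payload)
	if err := rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature rejected: not signed by the expected trading partner")
	}
	return payload, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	sender, _ := rsa.GenerateKey(rand.Reader, 2048)
	receiver, _ := rsa.GenerateKey(rand.Reader, 2048)
	impostor, _ := rsa.GenerateKey(rand.Reader, 2048)
	doc := []byte("ISA*00*          *00*          *ZZ*SENDERID       *ZZ*RECEIVERID     ~") // constructed fragment

	env, _ := Seal(doc, sender, &receiver.PublicKey)
	got, err := Open(env, receiver, &sender.PublicKey)
	fmt.Printf("genuine message: %q err=%v\n", got, err)

	env.Ciphertext[len(env.Ciphertext)/2] ^= 0x01 // simulate alteration in transit
	_, err = Open(env, receiver, &sender.PublicKey)
	fmt.Println("altered message:", err)

	forged, _ := Seal(doc, impostor, &receiver.PublicKey)
	_, err = Open(forged, receiver, &sender.PublicKey)
	fmt.Println("message from unknown signer:", err)
}
```

Each failure surfaces as a distinct error, which is what an operator needs in the logs: an envelope meant for someone else, a message damaged or altered on the wire, and a document from a signer whose certificate is not on file are three different incidents with three different responses.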

If you can have an EDI communications solution that incorporates various solutions that can help you meet all or most of the security requirements, then you might want to go with that in order to simplify your compliance initiatives.


Related articles

How To Set Up An Automated AS2 File Transfer

You Know It’s Time To Implement Server To Server File Transfer When..

10 Essential Attributes of a Secure File Transfer


About JSCAPE MFT Server

JSCAPE MFT Server is a managed file transfer server that's fully capable of enabling direct EDI communications. It comes with:

  • A powerful GUI-based feature for automating a wide range of business/EDI processes. With this feature (known as Triggers), there's no need to write scripts.
  • A wide selection of EDI communications protocols, including: FTP, FTPS, SFTP, SCP, HTTP, HTTPS, AS2, and OFTP. 
  • A comprehensive set of security features that will enable you to meet regulatory requirements covering EDI communications.

Download a free, fully-functional evaluation edition of JSCAPE MFT Server now.





Topics: JSCAPE MFT Server, Managed File Transfer, Business Process Automation, AS2