What is AS2 protocol? How to use Applicability Statement 2


Sending files internally and externally isn’t as simple as dragging them into an email. There are too many cybersecurity concerns that can occur, including lost documents, unauthorized access and transfer delays. And when costs, contracts or orders are involved, even small issues can turn into bigger problems.

That’s why secure file transfer matters. Many enterprise organizations deal with electronic data interchange (EDI) documents on a regular basis, and they need to move business data from system to system without it being intercepted or mangled. Transferring files over the AS2 protocol can help with this process. The right AS2 setup keeps your organization’s data moving behind the scenes, without the back-and-forth.

What is AS2, and how does it work?

Applicability Statement 2 (AS2) is a file transfer protocol that enables organizations to conduct fully automated, server-to-server file transfers. AS2 was created by the Internet Engineering Task Force (IETF) in 2002 as a secure method for transferring EDI over the internet. For example, you can use AS2 to share digitized purchase orders, invoices, healthcare claims and other types of business documents. Thanks to AS2 validation, you can ensure message integrity, confidentiality and reliability.

AS2 is based on the Hypertext Transfer Protocol (HTTP) and incorporates Secure/Multipurpose Internet Mail Extensions (S/MIME) for business-grade messaging. AS2’s built-in electronic receipt functionality, known as message disposition notification (MDN), is a function of S/MIME. Since firewalls are normally configured to allow HTTP and HTTPS connections, you won’t have to apply any configuration changes to your firewall for AS2 to work.

Understanding AS2: Its history and why it matters to EDI

EDI is a standardized, scalable and efficient method for exchanging digitized business documents between organizations or within departments. It originated in the transportation sector during the 1960s and later expanded to industries such as retail, e-commerce, healthcare and manufacturing. EDI replaced paper-based workflows with automated exchanges to help enterprises move faster and with fewer human errors. Common EDI standards include ANSI X12, which is widely used in North America, and EDIFACT, which is used internationally. Others include TRADACOMS, HL7 for healthcare and XML-based formats.

When two organizations — or two departments in the same organization — work together, they typically exchange documents like purchase orders, invoices, shipping notices and RFQs. In healthcare, these might be insurance claims or eligibility checks. These documents were once paper-based, but manual processes are prone to mistakes and slow down business operations. Many enterprise organizations have since shifted to electronic formats, some using email and manual entry, while others turn to EDI systems that streamline and automate the entire process from end to end.

EDI transactions typically happen between computer systems without human input. Data is pulled directly from business applications such as inventory systems or ERP platforms, formatted into standardized EDI messages and sent automatically. Upon receipt, the data is extracted and fed into the recipient's systems. Automation scripts, integration tools and EDI translators help manage this flow to ensure consistency and speed even between partners that use entirely different platforms or formats.

To move EDI data between trading partners — especially those in different locations — organizations need a secure and reliable transmission method. Traditionally, this was handled by value-added networks (VANs), which acted as intermediaries much like postal services. Both parties had to subscribe to the same or connected VANs to exchange data. Over time, internet-based solutions like FTP, SFTP and AS2 began replacing VANs due to their lower cost and broader accessibility. These options allow organizations to use their existing internet infrastructure and simplify partner onboarding.

AS2 has since become the dominant protocol for EDI transmission. It enables secure, real-time exchange of EDI documents over the internet by using encryption, digital signatures and receipt acknowledgments. AS2 addresses the security challenge of internet-based EDI by ensuring that data remains private and tamper-proof during transit. However, AS2 is not limited to EDI file sharing. Because it offers strong security without requiring third-party intermediaries, AS2 is now a preferred choice for reliable and secure file sharing in many industries, including those governed by strict compliance standards like HIPAA in U.S. healthcare and PCI DSS in finance.

Key features and benefits of AS2

Rising cyber threats and increased pressure to achieve regulatory compliance are pushing business leaders to focus more on data security. These factors further strengthen the case for delivering EDI transactions through AS2. AS2 also offers various organizational benefits, including:

  • Compliance with regulatory requirements: Helps meet mandates like GDPR, HIPAA and PCI DSS
  • Cost savings: Allows internet-based data sharing and removes the need for expensive VANs
  • Enhanced efficiency: Real-time AS2 communication and MDNs minimize manual efforts
  • Greater reliability: Built-in features like AES encryption, digital signatures and MDNs improve trust and reliability between trading partners
  • Stronger security: Protects against cybersecurity attacks and unauthorized access thanks to its encryption and digital signature features
  • Universal solution: Widely adopted and tested by enterprise organizations across different industry sectors

Thanks to these features and benefits, organizations find that AS2 is a comprehensive protocol that allows them to exchange data internally and externally at minimal cost with maximized security.

How to set up AS2 file transfers

To ensure data security, AS2 file transfers are usually sent over HTTPS. HTTPS encrypts data in transit using SSL/TLS. It also enables trading partners to use digital certificates for mutual authentication. For added security, you can augment HTTPS with AS2’s built-in encryption functionality. Regardless of whether you use AS2’s built-in encryption or not, an AS2 transmission done over HTTPS is already secure and can be set up by following these steps:

  • Choose an AS2 software solution like JSCAPE MFT Server by Redwood
  • Get and exchange digital certificates for your organization and its trading partners
  • Adjust the AS2 protocol’s settings as necessary. This typically includes creating profiles, AS2 servers, connectors, data exchange agreements and directory monitors
  • Test your AS2 connection before pushing it into production. Check that the encryption and decryption features, digital signatures and MDNs are working properly
  • After you’ve successfully tested the connection, implement the AS2 protocol for live use

AS2 security

AS2 is equipped with security features that make it easy for your organization to safely transfer files internally and externally. These security features include:

  • Digital certificates: Enable trading partners to authenticate each other. Mutual authentication ensures that both parties only transact with legitimate trading partners and not impostors. To strengthen the reliability of your digital certificates, have a certificate authority digitally sign them.
  • Digital signatures: These can be used to enforce non-repudiation and help settle disputes. A digital signature affixed by a sending trading partner allows the receiving party to verify whether the EDI message it received came from a legitimate sender and not an impostor. Similarly, a digital signature affixed by a receiving trading partner allows the sending party to verify whether the intended recipient received the message.
  • Hashing algorithms: Hashing algorithms like SHA-1, MD5 and SHA-2 enable recipients to check received messages for data integrity. If the original message is tampered with along the way, the hash computed on receipt no longer matches and the change is detected.
  • MDN: This serves as an electronic confirmation that an AS2 transfer went through successfully, and it can be sent as a synchronous MDN or an asynchronous MDN. Once the EDI message arrives, the receiving server may issue an MDN, affix its digital signature to it and then send it back to the message sender.
  • Secure sockets layer/transport layer security (SSL/TLS) encryption: This prevents eavesdroppers from viewing the contents of your EDI messages. SSL/TLS combines asymmetric cryptography, which uses private keys and public keys for encryption and decryption, with a symmetric cryptographic algorithm like AES to preserve data confidentiality. You can take advantage of SSL/TLS security when you run your AS2 connections over HTTPS.

AS2’s built-in security features make it suitable for business-to-business (B2B) data exchanges. For this reason, large enterprises and retailers either require or recommend the use of AS2.
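The receipt check described in the hashing and MDN items above, as an added example (not JSCAPE code): the sender recomputes the message integrity check (MIC) of what it sent and compares it with the Received-Content-MIC field that an AS2 MDN carries. It assumes the MDN's signature was already verified by the S/MIME layer; the sample MDN, Message-ID and payload are constructed, and refusing MD5 and SHA-1 is a policy choice made for this example.

```python
import base64, email, hashlib, hmac

# Policy assumption: accept SHA-2 MICs only; MD5 and SHA-1 are collision-prone.
ALLOWED = {"sha-256": "sha256", "sha256": "sha256", "sha-384": "sha384", "sha-512": "sha512"}
SENT_ID = "<po-1001@sender.example>"  # constructed Message-ID
SENT_ENTITY = b"Content-Type: application/edi-x12\r\n\r\nST*850*0001~\r\n"  # constructed

def content_mic(entity: bytes, hash_name: str) -> str:
    """Base64 digest of the MIME entity exactly as it was sent."""
    return base64.b64encode(hashlib.new(hash_name, entity).digest()).decode()

def mdn_fields(raw_mdn: bytes):
    """Return the machine-readable disposition fields of an MDN, or None."""
    for part in email.message_from_bytes(raw_mdn).walk():
        if part.get_content_type() == "message/disposition-notification":
            body = part.get_payload()
            return body[0] if isinstance(body, list) else email.message_from_string(body)
    return None

def check_mdn(raw_mdn: bytes, sent_id: str, sent_entity: bytes) -> str:
    """Return 'ok' or the reason the receipt does not prove delivery."""
    f = mdn_fields(raw_mdn)
    if f is None:
        return "no disposition-notification part"
    if (f.get("Original-Message-ID") or "").strip() != sent_id:
        return "MDN refers to a different message"
    status = (f.get("Disposition") or "").split(";")[-1].strip().lower()
    if status != "processed":  # e.g. processed/error: ..., failed/failure: ...
        return f"partner reported: {status}"
    mic, _, alg = (f.get("Received-Content-MIC") or "").partition(",")
    alg = alg.strip().lower()
    if alg not in ALLOWED:
        return f"weak or unknown MIC algorithm: {alg or 'none'}"
    if not hmac.compare_digest(mic.strip(), content_mic(sent_entity, ALLOWED[alg])):
        return "MIC mismatch"
    return "ok"

def sample_mdn(status: str, mic: str, alg: str) -> bytes:
    """Constructed MDN (not captured traffic) for exercising check_mdn."""
    return "\r\n".join([
        'Content-Type: multipart/report; report-type=disposition-notification; boundary="b"',
        "", "--b", "Content-Type: text/plain", "", "Receipt for your AS2 message.",
        "--b", "Content-Type: message/disposition-notification", "",
        f"Original-Message-ID: {SENT_ID}",
        f"Disposition: automatic-action/MDN-sent-automatically; {status}",
        f"Received-Content-MIC: {mic}, {alg}",
        "", "--b--", ""]).encode()

if __name__ == "__main__":
    mic = content_mic(SENT_ENTITY, "sha256")
    print(check_mdn(sample_mdn("processed", mic, "sha-256"), SENT_ID, SENT_ENTITY))
```

A receipt that fails any of these checks should be treated as "not delivered" and fed into the same alerting as a missing MDN.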

Best practices for using AS2

AS2 works best when it’s maintained with care. Start by keeping track of each certificate — who owns it, when it expires and which trading partner it belongs to. Don’t wait until the last minute to renew it. If a certificate lapses, your data transfers will fail.

Logging matters too. Record every AS2 message that’s sent and received. Watch for errors. If a message stalls or fails, you need that data. Set up alerts for missing receipts or timeouts. If a file doesn’t go through, retries should be automatic, not manual.
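One way to turn that advice into a check, as an added example rather than JSCAPE functionality: scan a transfer log for messages whose MDN is missing, late or negative. The log format, partner names and 30-minute timeout are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed transfer log in a hypothetical format (not a real product's log layout).
LOG = """\
2024-05-01T10:00:00 SENT id=<po-1001@sender.example> partner=ACME
2024-05-01T10:00:04 MDN id=<po-1001@sender.example> disposition=processed
2024-05-01T10:05:00 SENT id=<po-1002@sender.example> partner=ACME
2024-05-01T10:06:00 SENT id=<inv-77@sender.example> partner=GLOBEX
2024-05-01T10:06:09 MDN id=<inv-77@sender.example> disposition=failed
2024-05-01T10:58:00 SENT id=<po-1003@sender.example> partner=ACME
""".splitlines()

def receipt_alerts(lines, now, timeout=timedelta(minutes=30)):
    """Return (message_id, partner, reason) for transfers lacking a good MDN."""
    pending, alerts = {}, []
    for line in lines:
        stamp, event, *pairs = line.split()
        kv = dict(p.split("=", 1) for p in pairs)
        when = datetime.fromisoformat(stamp)
        if event == "SENT":
            pending[kv["id"]] = (when, kv["partner"])
        elif event == "MDN":
            sent = pending.pop(kv["id"], None)
            if sent is None:  # receipt for something we never sent
                alerts.append((kv["id"], "?", "MDN for unknown message"))
            elif kv["disposition"] != "processed":
                alerts.append((kv["id"], sent[1], f"MDN disposition {kv['disposition']}"))
            elif when - sent[0] > timeout:
                alerts.append((kv["id"], sent[1], "MDN arrived after timeout"))
    for msg_id, (when, partner) in pending.items():
        if now - when > timeout:  # still waiting, past the deadline
            alerts.append((msg_id, partner, "no MDN received"))
    return alerts

if __name__ == "__main__":
    for alert in receipt_alerts(LOG, datetime(2024, 5, 1, 11, 0, 0)):
        print(alert)
```

Messages flagged "no MDN received" are the candidates for automatic retry; a negative disposition usually needs a person to look at the partner's error first.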

Make audits part of your organization’s routine. Check your security settings often. Look at who can access what, and how. Use strong encryption settings. Confirm that only authenticated users can send or receive files.

Stay in sync with your trading partners. Each one may use different AS2 IDs, certificates or URLs. Maintain a list that includes them all. When something changes, update your systems quickly.

These steps help keep your organization’s file transfers secure and smooth. With the right controls in place, AS2 can deliver both reliability and peace of mind.

Choosing an AS2-compatible MFT provider

The best way to implement AS2 is through a managed file transfer (MFT) server. An MFT server like JSCAPE MFT Server can augment AS2’s built-in security functions with complementary security features such as data-at-rest encryption, logging, access control, data loss prevention (DLP), strong authentication and many other essential attributes of a secure file transfer.

However, a robust AS2 solution doesn’t only support AS2. It also supports a wide range of other file transfer protocols such as FTP/S, HTTP/S, SFTP and Odette File Transfer Protocol (OFTP2). This will allow your organization to interoperate with any trading partner that prefers to exchange data through other file transfer protocols. JSCAPE MFT Server is Drummond-certified for AS2. The Drummond Group tests software applications to ensure reliability and interoperability between certified products.

Lastly, an AS2-supported MFT server like JSCAPE MFT Server is fully equipped with automation-enabling capabilities. These capabilities enable you to automate data exchange processes. To learn more about JSCAPE MFT Server’s automation features, view these videos:

Using trading partners in JSCAPE MFT Server - part one

Using trading partners in JSCAPE MFT Server - part two

or read these posts:

Using triggers to automate file deletion

Using regular expressions in triggers - part one

Indeed, JSCAPE MFT Server is built to accomplish a full range of file transfer workflows.

Get AS2 support without the EDI overhead costs

Want to test it in your own environment? JSCAPE MFT Server runs on Windows, Linux, Mac OS X and Solaris. It supports large files, batch transfers and a wide range of file types — including XML and binary data. You can also manage the platform through an API if you prefer to automate tasks or integrate it with other systems.

JSCAPE MFT Server gives you the flexibility to work with trading partners who require AS2. You don’t need to invest in a costly EDI-specific solution just to meet that one protocol requirement. With built-in support for AS2, you can securely exchange files of any type, apply encryption and digital signatures and get proof of delivery using MDNs. It’s a protocol built for more than EDI, and JSCAPE MFT Server lets you take full advantage of it. Request a demo or get a free trial to see JSCAPE MFT Server in action.