Transport Protocols & Security
Secure electronic invoice transmission requires robust protocols, encryption standards, and authentication mechanisms. Explore the technologies that protect your business documents in transit.
Secure Document Transport
Transport protocols define how electronic invoices move securely between systems, ensuring confidentiality, integrity, authentication, and non-repudiation.
While document standards define what data an invoice contains, transport protocols determine how that invoice travels safely from sender to recipient. These protocols must address multiple security concerns: preventing unauthorized access, detecting tampering, verifying sender identity, and confirming delivery.
Modern eInvoicing networks employ a range of transport mechanisms, from traditional file transfer protocols enhanced with security layers to sophisticated web services with built-in encryption and digital signatures.
Encryption
Protecting invoice data from unauthorized access during transmission using industry-standard encryption algorithms.
Authentication
Verifying the identity of senders and receivers through certificates, signatures, and secure credentials.
Delivery Confirmation
Providing proof that invoices were successfully received and can be processed by the recipient system.
AS2: Applicability Statement 2
AS2 is the most widely used protocol for EDI transmission, providing secure, reliable exchange over HTTP/HTTPS with built-in encryption and receipt confirmation.
How AS2 Works
AS2 transmits EDI messages over HTTPS using standard web protocols but adds comprehensive security features. Messages are encrypted, signed, and accompanied by Message Disposition Notifications (MDNs) that provide delivery confirmation.
The protocol establishes point-to-point connections between trading partners, with each party maintaining AS2 certificates for authentication and encryption. Setup requires certificate exchange, endpoint configuration, and agreement on security parameters.
Security Features
Encryption
- 3DES, AES-128, AES-256 encryption algorithms
- RSA key exchange for secure session establishment
- End-to-end message encryption protecting data in transit
Digital Signatures
- SHA-1, SHA-256, SHA-512 message digests
- RSA or DSA signature algorithms
- Tamper detection and sender authentication
Receipt Confirmation
- Synchronous or asynchronous MDN responses
- Signed receipts for non-repudiation
- Automated retry and error handling
Compression
- ZLIB compression reduces bandwidth usage
- Automatic compression/decompression
- Particularly beneficial for large documents
Implementation Considerations
- Certificate Management: Requires obtaining, distributing, and renewing X.509 certificates for each trading partner
- Firewall Configuration: Inbound/outbound HTTPS access must be permitted for AS2 endpoints
- AS2 Software: Dedicated AS2 server or gateway required; available as standalone or integrated solutions
- Partner Coordination: Both parties must agree on security settings, compression, and MDN requirements
- Monitoring: Logging of transmissions, MDNs, and errors essential for troubleshooting
When to Use AS2
AS2 is the de facto standard for traditional EDI implementations, particularly in automotive, retail, and manufacturing industries. Choose AS2 when trading partners require it, when you have existing EDI infrastructure, or when you need proven, mature technology with broad industry support.
AS4: The Next Generation
AS4 represents the evolution of secure B2B messaging, building on web services standards and serving as the foundation for modern networks like Peppol and e-SENS.
AS4 Architecture
AS4 is based on ebXML Message Service (ebMS) 3.0, utilizing SOAP and WS-Security standards. Unlike AS2's point-to-point approach, AS4 supports more complex routing and intermediary scenarios while maintaining strong security.
The protocol defines "profiles" tailored to specific use cases. The most prominent is the "AS4 Light Client Conformance Profile" used by Peppol, which simplifies implementation while retaining essential security features.
AS4 vs. AS2 Comparison
| Aspect | AS2 | AS4 |
|---|---|---|
| Foundation | HTTP/HTTPS with MIME | Web Services (SOAP) |
| Maturity | Established (since 2002) | Modern (since 2013) |
| Routing | Point-to-point only | Supports intermediaries |
| Security | S/MIME based | WS-Security based |
| Complexity | Moderate | Can be more complex |
| Adoption | Wide EDI community | Modern networks (Peppol, e-SENS) |
Peppol AS4 Profile
Peppol's AS4 implementation simplifies the full AS4 specification by defining a specific subset of features. This "light client" profile makes implementation more accessible while ensuring interoperability across the network.
Key Features of Peppol AS4
- TLS 1.2+ for transport layer security
- WS-Security for message-level protection
- X.509 certificates for access point authentication
- Synchronous messaging pattern with HTTP 200 acknowledgment
- Standardized error handling and receipt messages
When to Use AS4
AS4 is required for 4-corner networks like Peppol and mandated for many European public procurement systems. Choose AS4 when connecting to these networks, when building multi-party exchange infrastructure, or when modern web services integration is preferred over traditional EDI.
SFTP: Secure File Transfer Protocol
SFTP provides encrypted file transfer capabilities, commonly used for batch invoice processing and as a simpler alternative to message-oriented protocols.
SFTP for eInvoicing
SFTP (SSH File Transfer Protocol) encrypts both authentication credentials and file contents during transfer. Unlike AS2 or AS4, SFTP is a file-based protocol rather than message-oriented, making it straightforward to implement but lacking built-in features for delivery confirmation and structured receipts.
Organizations typically use SFTP for scheduled batch transfers of multiple invoices packaged in single files. The receiving system polls the SFTP directory, retrieves new files, and processes them according to agreed-upon naming conventions and formats.
Advantages & Limitations
Advantages
- Simple to implement and widely supported
- Strong encryption via SSH protocol
- Lower infrastructure requirements
- Familiar to IT teams
- Suitable for batch processing
- Can transfer any file type or format
Limitations
- No native delivery confirmation mechanism
- Requires custom solutions for receipts
- File-based rather than message-based
- Less suitable for real-time processing
- Manual error handling often required
- No standardized metadata structure
Common Implementation Patterns
Scheduled Polling
Automated jobs check for new files at regular intervals (e.g., every hour or daily), retrieve them, and trigger processing workflows.
Directory Structure
Organized folders for incoming, processing, processed, and error states help manage file lifecycle and prevent duplicate processing.
Acknowledgment Files
Recipient creates response files indicating success or failure, placed in designated directories for sender to retrieve.
Batch Packaging
Multiple invoices combined into single compressed archives with manifest files listing contents and metadata.
When to Use SFTP
SFTP works well for batch invoice processing, backup transfers, or when trading partners lack AS2/AS4 capabilities. It's particularly suitable for internal transfers within organizations or when real-time delivery confirmation isn't critical. Avoid SFTP when compliance requires documented proof of delivery or when immediate processing acknowledgment is necessary.
API-Based Transport
Contemporary eInvoicing increasingly leverages RESTful APIs and webhooks, offering real-time integration with cloud platforms and modern application architectures.
REST APIs for Invoice Exchange
RESTful APIs provide straightforward HTTPS-based endpoints for invoice submission and retrieval. This approach aligns well with modern cloud services, microservices architectures, and developer-friendly integration patterns.
Many access point providers, BSP platforms, and government clearance systems now offer API interfaces alongside traditional protocols. APIs typically use JSON or XML payloads, OAuth2 authentication, and standard HTTP status codes for error handling.
API Transport Characteristics
Authentication
- OAuth 2.0 for delegated authorization
- API keys for simpler scenarios
- JWT tokens for stateless authentication
Transport Security
- TLS 1.2+ encryption mandatory
- Certificate pinning for sensitive connections
- Rate limiting to prevent abuse
Delivery Patterns
- Synchronous POST for immediate submission
- Webhooks for asynchronous notifications
- Polling endpoints for status checks
Error Handling
- HTTP status codes (200, 400, 401, 500, etc.)
- Structured error responses with details
- Retry logic with exponential backoff
Webhooks for Event Notification
Webhooks enable push-based notifications when invoice-related events occur. Rather than repeatedly polling for status updates, systems register callback URLs that receive HTTP POST requests when invoices are delivered, validated, or rejected.
Typical Webhook Events
- invoice.received: New invoice arrived for processing
- invoice.validated: Invoice passed all validation rules
- invoice.rejected: Invoice failed validation with error details
- invoice.status_changed: Invoice workflow status updated
When to Use APIs
APIs excel for integrating eInvoicing with modern SaaS applications, building custom integrations, or when real-time interaction is valued. They're increasingly common in 3-corner BSP platforms and government clearance systems. Choose APIs when you want developer-friendly integration, webhook capabilities, or seamless cloud service connectivity.
Security Implementation Guidelines
Certificate & Key Management
- Use certificates from trusted Certificate Authorities (CAs)
- Implement automated certificate renewal processes
- Maintain certificate inventory with expiration tracking
- Protect private keys with hardware security modules (HSMs) for high-value scenarios
- Establish procedures for emergency certificate revocation
Encryption Standards
- Mandate TLS 1.2 or higher for all connections
- Disable deprecated protocols (SSL, TLS 1.0/1.1)
- Use AES-256 for data encryption when possible
- Implement forward secrecy (ECDHE cipher suites)
- Regularly update cipher suites based on security advisories
Authentication & Access Control
- Require mutual authentication (both parties verify each other)
- Implement role-based access control (RBAC) for API users
- Use separate credentials for different trading partners
- Enable multi-factor authentication (MFA) for administrative access
- Rotate API keys and passwords regularly
Monitoring & Incident Response
- Log all transmission attempts, successes, and failures
- Monitor for unusual patterns indicating security incidents
- Set up alerts for certificate expiration, failed authentication, and transmission errors
- Maintain audit trails for compliance and investigation
- Establish incident response procedures for security breaches
Secure Your eInvoicing Infrastructure
Implementing robust transport security requires expertise in protocols, certificates, and security best practices. Our specialists can help you design, implement, and maintain secure invoice exchange systems.
