
AS2 vs. SFTP: Which File Transfer Protocol Should You Use?

By AS2 Certify Team

Two Protocols, Very Different Design Goals

AS2 and SFTP both move files between organizations. That's roughly where the similarities end. They were designed for different problems, they operate differently at the protocol level, and they impose different operational burdens. Choosing between them is rarely a pure technical decision. It depends on your industry, your trading partners, and your compliance requirements.

This guide lays out the differences honestly. AS2 is not always better. SFTP is not always simpler. The right choice depends on your specific situation.

How AS2 Works

AS2 (Applicability Statement 2) sends files over HTTP/S using MIME formatting. Each message is encrypted with the recipient's public key, signed with the sender's private key, and transmitted as an HTTP POST to the recipient's AS2 endpoint URL.

The critical feature of AS2 is the MDN (Message Disposition Notification). After receiving and processing a message, the recipient sends back a signed receipt confirming what was received, whether decryption succeeded, and whether the signature was valid. This receipt is cryptographic proof that the specific message was delivered and processed correctly.

The MDN can be returned synchronously (on the same HTTP connection) or asynchronously (via a separate HTTP POST to a callback URL).

AS2 message flow

  1. Sender encrypts the payload with the recipient's public certificate.
  2. Sender signs the encrypted payload with their own private key.
  3. Sender POSTs the message to the recipient's AS2 URL over HTTPS.
  4. Recipient verifies the signature, decrypts the payload, processes it.
  5. Recipient generates and signs an MDN, returns it to the sender.
  6. Sender verifies the MDN signature and records the delivery confirmation.

How SFTP Works

SFTP (SSH File Transfer Protocol) runs over an SSH connection. The client authenticates to the server using a username/password or SSH key pair, then uploads or downloads files to designated directories on the server.

SFTP provides transport-level encryption (everything is encrypted in transit via SSH) and authentication (only authorized users can connect). It does not provide message-level encryption, digital signatures, or delivery receipts at the protocol level.

SFTP file transfer flow

  1. Client authenticates to the SFTP server (SSH key or password).
  2. Client uploads a file to a designated directory.
  3. Recipient polls the directory or receives a notification that a file arrived.
  4. Recipient downloads and processes the file.

There's no built-in confirmation that the file was received intact, processed successfully, or even picked up at all.

Security: Different Layers, Different Guarantees

Encryption

Both protocols encrypt data in transit. The difference is what happens at rest.

  • AS2: Messages are encrypted at the message level before transmission. Even if someone intercepts the HTTP traffic (unlikely with TLS, but possible in certain network configurations), the payload is still encrypted. The file is encrypted from the moment it leaves the sender until the recipient decrypts it with their private key.
  • SFTP: Encryption exists only during the SSH session. Once the file lands on the server's filesystem, it's in cleartext (unless the server has disk encryption, which is a separate concern). If the SFTP server is compromised, the files are readable.

Authentication

  • AS2: Digital signatures authenticate every message. The recipient can verify exactly who sent each message using the sender's public certificate. This is per-message authentication.
  • SFTP: Authentication happens at connection time. Once connected, the system trusts that all files uploaded during that session came from the authenticated user. If credentials are shared or compromised, there's no per-file proof of origin.

Non-repudiation

This is the biggest security difference and the reason AS2 exists.

  • AS2: The signed MDN provides cryptographic proof that a specific message was received and processed by the recipient. Neither party can deny the exchange happened. This is legally significant in regulated industries.
  • SFTP: No built-in non-repudiation. You have server logs showing a file was uploaded, but logs can be altered. There's no signed receipt from the recipient confirming they received and processed the data.
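The signed receipt that the AS2 message flow (steps 5 and 6) and the non-repudiation comparison above both turn on, as an added example written for this article and not taken from any AS2 product: the recipient issues an MDN over the body it actually received, and the sender accepts it only if it is the recipient's signature, it names the message and body that were sent, and it reports success. The MDN field names, the use of an RSA-PSS signature over a hash of the fields in place of an S/MIME signed MIME body, and the sample message ID and body are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// MDN models the signed receipt of step 5: which message it answers, a digest of the content
// as received, the outcome, and the recipient's signature over those three fields.
type MDN struct {
	MessageID   string
	Digest      []byte // SHA-256 of the message body as the recipient saw it
	Disposition string // "processed" or "processed/error: decryption-failed"
	Signature   []byte // recipient's RSA-PSS signature over signedFields()
}

func sha(parts ...[]byte) []byte { d := sha256.Sum256(bytes.Join(parts, nil)); return d[:] }
func newKey() *rsa.PrivateKey   { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

// signedFields is what the signature covers (a real MDN signs a MIME body; this is simplified).
func (m MDN) signedFields() []byte { return sha([]byte(m.MessageID), m.Digest, []byte(m.Disposition)) }

// IssueMDN is step 5: the recipient signs a receipt for the body it actually received.
func IssueMDN(recipient *rsa.PrivateKey, messageID string, body []byte, decryptOK bool) MDN {
	m := MDN{MessageID: messageID, Digest: sha(body), Disposition: "processed"}
	if !decryptOK {
		m.Disposition = "processed/error: decryption-failed"
	}
	m.Signature, _ = rsa.SignPSS(rand.Reader, recipient, crypto.SHA256, m.signedFields(), nil)
	return m
}

// VerifyMDN is step 6: the sender accepts the receipt only if the recipient signed it,
// it names the message and body the sender transmitted, and it reports success.
func VerifyMDN(recipient *rsa.PublicKey, sentID string, sentBody []byte, m MDN) bool {
	if m.MessageID != sentID || !bytes.Equal(m.Digest, sha(sentBody)) || m.Disposition != "processed" {
		return false
	}
	return rsa.VerifyPSS(recipient, crypto.SHA256, m.signedFields(), m.Signature, nil) == nil
}

func main() {
	recipient := newKey() // constructed recipient key pair; the sender holds only the public half
	id, body := "<msg-1@sender.example>", []byte("constructed encrypted body")
	mdn := IssueMDN(recipient, id, body, true)
	fmt.Println(VerifyMDN(&recipient.PublicKey, id, body, mdn), VerifyMDN(&recipient.PublicKey, id, []byte("other"), mdn)) // true false
}
```

A receipt copied from one exchange cannot be presented for another, and a receipt altered after signing (or signed by anyone but the recipient) fails the signature check, which is what gives the MDN its evidentiary value.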

When AS2 Is Required

In some industries and with some trading partners, the choice is already made for you.

Retail

Walmart mandates AS2 for all EDI communications with suppliers. This is the single biggest driver of AS2 adoption. If you sell to Walmart, you use AS2. Target, Home Depot, and other major retailers also prefer or require AS2 for EDI.

Pharmaceutical supply chain

DSCSA (Drug Supply Chain Security Act) compliance increasingly requires AS2 for exchanging transaction data between manufacturers, wholesalers, and dispensers. The non-repudiation guarantee of AS2 aligns with the regulatory requirement to prove chain of custody for pharmaceutical products.

Automotive

Major automotive OEMs and tier-one suppliers use AS2 for supply chain EDI. The industry standardized on AS2 years ago, and the ecosystem tooling reflects it.

Any partner that requires it

Sometimes AS2 is simply what your trading partner supports. If they only have an AS2 endpoint, you use AS2. This is the pragmatic reality for many small and mid-size businesses.

When SFTP Makes More Sense

SFTP is the right tool when you don't need the guarantees AS2 provides and you want simpler operations.

Internal transfers

Moving files between systems within your own organization? SFTP is simpler to set up, simpler to maintain, and provides adequate security. Non-repudiation between your own systems is rarely a requirement.

Low-volume, non-critical transfers

Sending a monthly report to a partner who doesn't require a specific protocol? SFTP is quick to configure and widely supported. Every cloud provider offers managed SFTP services.

Partners with limited technical capability

SFTP is conceptually simpler. Upload a file. Done. There are no certificates to exchange, no MDN configuration to negotiate, no AS2 IDs to match. For partners without dedicated integration teams, SFTP has a lower barrier to entry.

Bulk data transfers

SFTP handles large files efficiently. While AS2 can transfer large files, the overhead of encryption, signing, and MDN processing adds latency. For multi-gigabyte data dumps, SFTP's streaming model is more efficient.

Operational Complexity: The Honest Comparison

Setup effort

  • SFTP: Create an account, exchange SSH keys, configure directory permissions. A competent sysadmin sets this up in under an hour.
  • AS2: Exchange certificates, configure AS2 IDs, agree on MDN settings (sync vs. async, signing algorithm), configure encryption and signing algorithms, test the connection end to end. First-time setup typically takes 1 to 3 days, including the back-and-forth with the trading partner.

Ongoing maintenance

  • SFTP: Rotate SSH keys periodically. Monitor disk space. That's roughly it.
  • AS2: Monitor certificate expiration dates and rotate them before they expire. When certificates rotate, coordinate with every trading partner that uses them. A single expired certificate can take down multiple connections simultaneously.

Debugging

  • SFTP: Problems are usually obvious. Connection refused (firewall), permission denied (auth), no such file (wrong directory). Standard SSH debugging tools work.
  • AS2: Error messages are often cryptic. "Insufficient data for decryption" could mean a wrong certificate, a format mismatch, or a corrupted message. Debugging requires understanding the full AS2 protocol stack.

Cost Considerations

SFTP costs

  • AWS Transfer Family (managed SFTP): $0.30/hour for the endpoint (~$216/month) plus $0.04/GB transferred.
  • Self-hosted: A Linux VM with OpenSSH. Minimal cost beyond the server itself.
  • Commercial SFTP servers (Cerberus, Titan, etc.): $500 to $5,000 one-time license.

AS2 costs

  • Commercial AS2 platforms (IBM Sterling, OpenText, Cleo): $10,000 to $100,000+ per year, depending on volume and features.
  • Open-source (OpenAS2, Mendelson): Free software, but requires staff time for setup and maintenance.
  • AS2 VAN services (managed AS2): $200 to $2,000/month depending on trading partner count and message volume.

AS2 is significantly more expensive at every tier. This cost is justified when non-repudiation is a business or regulatory requirement. It is not justified when you're simply moving files.

Feature Comparison Table

Feature                    AS2                          SFTP
Transport encryption       TLS (HTTPS)                  SSH
Message-level encryption   Yes (S/MIME)                 No
Digital signatures         Yes (per message)            No
Delivery receipt           Yes (MDN)                    No
Non-repudiation            Yes                          No
Setup complexity           High                         Low
Operating cost             High                         Low
Large file handling        Adequate                     Excellent
Protocol standard          RFC 4130                     RFC 4253 (SSH)
Industry adoption          Retail, pharma, automotive   Universal

The Hybrid Reality

Most organizations end up using both: AS2 for the trading partners and industries that require it, SFTP for everything else. There's no rule that says you have to pick one.

The key is using each protocol where it provides genuine value:

  • Use AS2 when you need non-repudiation, when your trading partner requires it, or when regulatory compliance demands it.
  • Use SFTP when you need simple, reliable file transfer without the overhead of certificate management and MDN processing.

If You're Setting Up AS2

If you've determined that AS2 is the right protocol for your use case, the next challenge is making sure your configuration is correct before going live with a trading partner. Certificate errors, MDN misconfigurations, and encryption mismatches are common, and debugging them across organizational boundaries is slow.

AS2 Certify lets you test your AS2 setup against a known-good endpoint before involving your trading partner. It validates your certificates, tests encryption and signing, confirms MDN processing, and grades your configuration A through F. You find and fix problems on your side first, which means the actual partner onboarding goes faster.

If you're evaluating AS2 for the first time or setting up a new trading partner, test your configuration at as2certify.org.