Does Your Company Have an EDI System?

September 3, 2014 | Abe Babler

The entire country heard riveting stories near Christmas last year when it was revealed that Target had suffered a data breach and that its customers’ financial data had been stolen, sold across the black market and exploited for fraudulent charges. Investigations later found that the breach had occurred through a business-to-business portal with an HVAC company that exchanged business orders with Target.

You may not be aware of that information because it was not widely publicized in the media. Yet you may be using a similar electronic data interchange (EDI) environment to send and receive order information from your own customers, especially in manufacturing environments that provide direct branding or private label branding. If you have an EDI system within your business practices, you need to take steps to mitigate that risk for your consumers and the consumers that your business relationships touch.

Electronic data interchange (EDI) is an electronic communication system that provides standards for exchanging data via any electronic means. By adhering to the same standard, two different companies, even in two different countries, can electronically exchange documents (such as purchase orders, invoices, shipping notices, and many others). EDI has existed for more than 30 years, and there are many EDI standards (such as X12, EDIFACT and ODETTE), some of which address the needs of specific industries or regions.

The risk in an EDI environment varies based on the internal processes that are used to provide orders, billings and receiving between organizations. Some EDI transactions contain financial information. Some EDI forms are built internally on demand by the product provider, while others are outsourced to professional EDI service environments. Swapping ACH data transaction confirmations between your organization and your bank is an EDI process. The data that is exchanged matters, as does how well that data is secured. Investigate PCI-DSS compliance across your wide area network. With the Target breach, the EDI portal at the HVAC company was used to penetrate the rest of the Target systems (no pun intended) and extract customer financial data.

There are potential risks for both parties involved in any data communication process. In the Target case, both parties had errors in their setup and execution that allowed extensive penetration of both systems and access to the financial data of 40 million consumers. When you understand and recognize the potential risks, you can take normal, preventative measures that include regular risk assessments to identify threats.

The IT Risk Services and Technology professionals on Schenck’s Business Optimization team can help you put those measures in place. We provide SOC, ITGC and a host of other IT risk reduction strategies to help our clients, including building and maintaining secure EDI environments. To learn more, contact Abe Babler at abe.babler@schencksc.com or 800-236-2246.


Abe Babler is a Business Consultant at Schenck SC who has specialized in IT infrastructure and governance for over 16 years.