Security in PunchOut communication - what companies should know

PunchOut connections have become an integral part of many procurement processes. But what many companies don't realise is that if you don't secure your interfaces, you risk more than just technical problems - there is a risk of data loss and compliance violations. In this article, we will show you what you should pay attention to and how PunchCommerce can support you.

Reading time 3 minutes

A PunchOut is an elegant solution for digitising and simplifying procurement processes. Purchasing systems can communicate directly with suppliers' catalogues via standardised interfaces such as OCI or cXML. However, precisely because sensitive data is exchanged between different systems, the security of PunchOut communication should also play a central role in companies.

What happens during PunchOut communication?

A buyer clicks on a so-called PunchOut link in their own e-procurement system. From there, they are forwarded directly to the supplier's online shop. Once the shopping basket has been filled in the supplier's shop, it is transferred back to the company's own system.

To ensure that this process runs smoothly and securely, all transferred data must be protected and access must be clearly controlled. This is the only way to prevent technical incidents and unauthorised access from the outset.

What risks are associated with PunchOut connections?

PunchOut connections run over the Internet and are exposed to typical risks such as:

  • weak or missing authentication,
  • access by unauthorised third parties,
  • unencrypted communication,
  • outdated or poorly secured systems on either side,
  • and missing expiry dates or unlimited access rights for session links: these links act as access tokens and, in the worst case, remain permanently usable.

This can lead to real problems, especially in sensitive industries or with complex purchasing structures - for example, data loss, system failures and unwanted access by third parties.

How can I secure my PunchOut communication?

To ensure security, companies on both sides of the connection should observe a few standards:

  • Keep systems up to date: regular updates and security checks.
  • Consider protocol selection: cXML offers more options for control and validation than OCI, so it may be the better choice in some cases.
  • HTTPS as mandatory: all data should be transmitted in encrypted form.
  • Limit session validity: PunchOut links should only be valid for a short time.
  • Authenticated sessions: only authorised users should be granted access, for example via single sign-on. Access rights should be checked regularly, and outdated or unused user accounts should be deactivated.
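The three points that concern the session link itself (HTTPS only, short validity, access bound to an authenticated user) can be enforced in one place: the supplier side signs each PunchOut session link with a short expiry, and checks signature, expiry, transport and single use before letting the link open a shop session. The following is an added illustration of that check and is not PunchCommerce's or any e-procurement system's own code; the shared secret, the 5-minute validity window, the `session` query parameter and the token layout (base64 claims + HMAC-SHA256 signature) are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed: one shared secret per buyer/supplier pairing. Constructed sample value.
SECRET = b"constructed-sample-secret-do-not-reuse"
# Assumed policy: a PunchOut session link is valid for five minutes.
SESSION_TTL_SECONDS = 300


def _b64(raw: bytes) -> str:
    """URL-safe base64 without padding, so the token survives in a query string."""
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _sign(payload: str, secret: bytes) -> str:
    return _b64(hmac.new(secret, payload.encode(), hashlib.sha256).digest())


def issue_session_link(base_url, buyer_id, user_id, secret=SECRET, now=None, ttl=SESSION_TTL_SECONDS):
    """Build a PunchOut link whose session token carries who it is for and when it expires."""
    now = int(time.time()) if now is None else int(now)
    claims = {
        "buyer": buyer_id,        # the purchasing organisation the link was issued to
        "user": user_id,          # the authenticated user (e.g. from single sign-on)
        "iat": now,               # issued at
        "exp": now + ttl,         # hard expiry: the link is useless after this
        "nonce": secrets.token_hex(8),  # lets the supplier side enforce single use
    }
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    token = f"{payload}.{_sign(payload, secret)}"
    return f"{base_url}?{urlencode({'session': token})}"


def validate_session_link(url, secret=SECRET, now=None, seen_nonces=None):
    """Check a presented PunchOut link. Returns (ok, reason, claims).

    Rejects plain HTTP, missing or tampered tokens, expired tokens and,
    when a seen_nonces set is supplied, tokens that were already used once.
    """
    now = int(time.time()) if now is None else int(now)
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False, "plain http not allowed", None
    token = parse_qs(parsed.query).get("session", [None])[0]
    if not token or "." not in token:
        return False, "missing session token", None
    payload, sig = token.rsplit(".", 1)
    # Constant-time comparison so signature checks do not leak timing information.
    if not hmac.compare_digest(sig, _sign(payload, secret)):
        return False, "bad signature", None
    padded = payload + "=" * (-len(payload) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if now >= claims["exp"]:
        return False, "expired", claims
    if seen_nonces is not None:
        if claims["nonce"] in seen_nonces:
            return False, "already used", claims
        seen_nonces.add(claims["nonce"])
    return True, "ok", claims


if __name__ == "__main__":
    link = issue_session_link("https://shop.example/punchout", "buyer-42", "user-7")
    print(link)
    print(validate_session_link(link, seen_nonces=set()))
```

Binding the user and buyer into the signed claims means a leaked link cannot be repurposed for another account, the expiry removes the "permanently open" problem from the risk list, and the nonce set (which in production would live in a shared store rather than process memory) ensures a link opens at most one shop session.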

How does PunchCommerce support security in PunchOut communication?

PunchCommerce not only supports you in connecting online shops and supplier catalogues with e-procurement systems using PunchOut - it also ensures that your data remains secure. Thanks to firmly defined security standards, data loss or compliance violations are virtually impossible.

Among other things, PunchCommerce offers:

  • SSL encryption of all data transfers
  • Centralised access control via gateway mode, including session validation
  • Role and rights management
  • Support for the OCI and cXML protocols
  • Hosting in Germany, DSGVO (GDPR) compliant
  • Single sign-on (PunchCommerce One)
  • Two-factor authentication (PunchCommerce One)

If you have any questions or suggestions, just send us an email hallo@punchcommerce.de or call us at +49 6142 / 953 80 - 60. We appreciate your feedback!



PunchCommerce® is a product of Netzdirektion GmbH