How open standards support enhanced drug distribution security — Conference reflections

Georg Jürgens
Published in
6 min readDec 14, 2022


Compared to other countries, the regulation of U.S. drug distribution is highly decentralized. To enable secure communication and data exchange between trading partners in this decentralized set-up, interoperability is a key requirement of every solution.

DSCSA for Dispensers and their Trading Partners — Virtual Conference

Recently, the Open Credentialing Initiative (OCI) in partnership with the National Community Pharmacists Association (NCPA) ran a virtual conference on the U.S. Drug Supply Chain Security Act (DSCSA) geared towards Dispensers and their Trading Partners. As an OCI member, I participated in one of the panel discussions where my fellow panelists and I discussed key topics and concerns around credentialing for DSCSA compliance. Below are some of my highlights from each day’s closing panel.

How are Dispensers supported?

There is considerable concern amongst industry players and regulators about the lack of DSCSA awareness and preparedness by dispensers and other supply chain participants. With less than a year to go until full DSCSA enforcement on November 27, 2023, an industry-wide collaborative push is needed to get everyone from manufacturers all the way to dispensers ready on time.

A pharmacist himself, Max Peoples, RPh, explained why he believes dispensers are lagging behind and how they can get up to speed now. His key advice is to get informed now. There are plenty of resources available that strive to translate the inevitable legalese into easier-to-digest material, for example, NCPA information, DSCSAEdu, or checklists from the State of Ohio Board of Pharmacy. In addition, pharmacists should talk to their current suppliers and service providers or reach out to other ones that have DSCSA on their radar.

How can dispensers catch up on DSCSA? | Max Peoples (RxScan, Uptown & Essentra Pharmacies)

Dave Mason from Novartis/Sandoz explained how the manufacturer helps small dispensers and distributors in cross-departmental efforts with education and technical assistance.

How do manufacturers support small dispensers? | Dave Mason (Novartis)

Spherity’s integration partner SAP offers a Verification Router Service (VRS); think “Pharma Yellow Pages” but fully automated and invisible. This service facilitates product enquiries between supply chain actors regardless of prior business relationships between those interacting parties; be it internationally operating manufacturers, small wholesalers, dispenser retail chains, or the local pharmacy around the corner.

SAP’s Oliver Nürnberg highlighted the importance of collaboration between competing service providers in order to reach the entire market from large to small supply chain participants and make customer onboarding as pain-free as possible. In practice, this means that even though SAP’s target market are not small businesses, they coordinate their efforts with other service providers who cater for those market segments to enable a functional interoperable network across the whole pharmaceutical supply chain.

Competitors join forces to enable small community pharmacists | Oliver Nürnberg (SAP)

Trusting the credential issuer?

David Kessler from regulatory compliance expert, Legisym, explained the level of scrutiny that is applied before issuing an electronically verifiable credential. According to OCI’s requirements, a credential issuer must perform thorough due diligence that satisfies NIST Identity Assurance Level 2. This does not only involve checking such things as license numbers but also ensuring that the examined party does indeed own the license. To establish a foundational level of quality and, thus, trust within the industry, OCI mandates third party audits against its conformance criteria of credential issuers who participate in the ecosystem.

Why should I trust a credential? | David Kessler (Legisym, LLC)

Additional trust concerns revolve around business confidentiality. Ideally, you only want a credential issuer to be involved in the provision and maintenance of your credentials. Your supply chain transactions are quite literally none of their business. The OCI-defined credentialing framework has this separation of duties built in. As OCI member Alex Colgan put it, “Everyone is responsible for their piece.”

Lights out — Issuers don’t see your transactions | David Kessler (Legisym, LLC) and Alex Colgan (XATP)

What’s the big deal about open standards?

In general, industry standards establish minimum quality, performance, and/or design expectations and help various actors within an ecosystem align on a common denominator. New entrants instantly know the benchmarks and consumers or service users can expect a level of consistency across providers.

The aforementioned DSCSA VRS providers have agreed on using a certain messaging standard for product enquiries as defined by GS1, a widely respected standards setter. This has been topped up with the OCI-defined credentialing framework, which in turn leverages open W3C specifications. Because all these standards are accessible by anyone, any service provider can participate in this ecosystem. Consequently, the use of shared standards does not only create an open market, but also the foundation for true service interoperability, a key requirement in an ecosystem as decentralized as the U.S. pharmaceutical industry. Because a supply chain participant will need a bundle of different solutions to comply with DSCSA, adherence to the same open standards makes it possible for solution providers to integrate with each other, enhance each other’s services or products and offer one-stop shops to customers.

Oliver Nürnberg outlined the multi-year testing effort that VRS providers have already gone through to create an interoperable, stable industry-wide solution with more testing of system upgrades to come. Any aspiring DSCSA VRS providers should engage now in preparation for the full DSCSA enforcement in fall 2023.

Testing is complex and it’s happening NOW! | Oliver Nürnberg (SAP)

Oliver Nürnberg further elaborated on the need for competitors to work together. He voiced concerns about late market entrants trying to introduce solution approaches that do not comply with the open standards that the industry has already agreed upon. “The worst thing that can happen is that we’ll have 4 or 5 or 6 different ways of proving this [referring to DSCSA Authorized Trading Partner status]. That will make it extremely costly.” He also cautions that misalignment will counteract industry-wide interoperability but can be avoided by everyone following shared open standards.

Adoption of one open and standardized framework is key for industry-wide interoperability? | Oliver Nürnberg (SAP)

Does OCI’s framework also apply to product tracing?

Alex Colgan from LedgerDomain’s XATP digital wallet explained that OCI’s work on credentialing has already laid a resilient foundation for the tooling needed to develop a potentially semi-automated tracing solution. He emphasized the benefits of open standards as a basis for confidence in the legitimacy of tracing requests, especially those coming from industry participants without prior contact.

How can credentials support product tracing | Alex Colgan (XATP)

Is OCI-defined credentialing being adopted?

Whilst DSCSA calls for an interoperable electronic system, it does not specify the design of such a solution. This is a double-edged sword. On the one hand it allows the industry the freedom to find the most suitable solution; on the other hand there is a risk of multiple incompatible solutions emerging, eventually leaving some trading partners behind as pointed out by Oliver Nürnberg.

I explained in the panel discussion that, “Credentialing is mainly for those who don’t want to establish manual processes everytime they receive a [product identifier verification] request or response. Using credentials is a compliance decision by the individual trading partners.”

With solutions being based on the OCI-specified open credentialing framework, providers don’t need to worry about coming up with their own credentialing design. They can simply take what is there, integrate it in their service packages and, thus, focus on the needs of their specific customer base. As a result, trading partners can shop around to find the solution that fits their needs best and still be sure that their service provider can interact with others unhindered.

At Spherity, we are witnessing this with the integrators of our digital wallet solution. These leading VRS providers have aligned on OCI-defined credentialing and differentiate themselves through their wider service offerings to customers. Credentialing provides them with the backbone for interoperable communication between all trading partners. We see large manufacturers getting involved in testing as well as leading wholesalers. Slowly but surely dispensers are also getting engaged. The rising use of credentialing will result in increased competition between service providers. This will enhance value generation for customers and drive down costs. We expect interest to keep growing in the coming months. Our systems are in place. Everything is ready.

Are credentials being adopted by the industry? | Georg Jürgens (Spherity)

Together with our integration partner RxScan, a pharmacy solution provider, Spherity is onboarding the first community pharmacies to their credential-enabled DSCSA solution. Once onboarded, a pharmacy will be able to send product verifications in an electronic format to the respective manufacturers and receive a response within seconds.

How can Dispensers Acquire Credentials? | CARO

Many thanks to the OCI Messaging team for organizing a tremendous educational conference and publishing the recordings.

Find OCI conference hand-outs here:

To learn more about credentialing, OCI’s FAQs are a good starting point: