Preventing counterfeit e-pedigree data

Although many people may think of serialization and e-pedigree as the industry’s final checkmate in the counterfeit arms race, nothing could be further from the truth.

Counterfeiters—who are organized crime enterprises, not petty criminals—will attempt to counterfeit not only your packaging, but also your electronic pedigree data itself, along with authentication portals and websites.

GS1 is working globally and in the U.S. on the issue of product security, not only with regard to the physical product itself, but also the e-pedigree data as it flows through the supply chain.

Due to the complexity of the supply chain, GS1 uses simulation software to help expose security vulnerabilities that may exist in the supply chain, to allow new ideas to be tested to close them up, and to try to avoid creating new vulnerabilities or vectors of attack that criminals can leverage.

From a manufacturer’s standpoint, once a product ships from their loading dock, they essentially lose sight of it. From a data point of view, once they send an ASN or shipping event via EPCIS, it’s off their radar screen.

These transition points in the supply chain are essentially the vectors of attack. It is possible for someone to pose as the manufacturer and falsely pass EPCIS data to a wholesaler/distributor. (A secure communication mechanism such as AS2 is designed to prevent such hijacking of identity.)

The fundamental question is one of authentication: How do the trading partners across the supply chain know they have an electronic connection that’s secure and that the trading partner sending data to them is who they say they are?

One solution that’s being explored is the idea of having a manufacturer start what has become known as a Chain of Custody List (or CoO-List) for each item. This simplified list can act as a “proxy” for the full pedigree data. At the time of receipt, the next trading partner will know which other trading partners had held custody of the item and be provided a mechanism by which their pedigree system could verify the information directly with the trading partner who is represented as having asserted the original portion of the CoO-List. This mechanism simplifies the amount of data passed between trading partners, allows companies to leverage their Master Data Management efforts further, and provides a means for trading partners and inspectors to analyze, verify, and react to simple mistakes and nefarious activity appropriately.
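
One way the verification step described above could work, as an added example that is not part of the original article or of any GS1 specification: each partner's pedigree system remembers a digest of the list as it stood when that partner shipped, and the receiver asks every listed partner to confirm its portion. The `Partner` class, the digest scheme, the partner names, the serial number and the `directory` lookup (standing in for master data) are all assumptions made for illustration.

```python
import hashlib
import json

def prefix_digest(item_id, holders):
    """Digest of the custody list as it stood when holders[-1] asserted it."""
    return hashlib.sha256(json.dumps([item_id, *holders]).encode()).hexdigest()

class Partner:
    """Hypothetical pedigree system that remembers what it asserted per item."""
    def __init__(self, name):
        self.name = name
        self._asserted = {}  # item_id -> digest of the list ending with this partner

    def ship(self, item_id, custody_list):
        """Append this partner to the list and record the assertion locally."""
        extended = custody_list + [self.name]
        self._asserted[item_id] = prefix_digest(item_id, extended)
        return extended

    def confirm(self, item_id, digest):
        """Answer a downstream partner's verification query."""
        return self._asserted.get(item_id) == digest

def verify(item_id, custody_list, directory):
    """Ask each listed partner to confirm its portion; return the problems found.

    directory maps partner id -> Partner and stands in for master data, so the
    query reaches the real partner rather than whoever delivered the list.
    """
    problems = []
    for i, holder in enumerate(custody_list):
        partner = directory.get(holder)
        if partner is None:
            problems.append((i, holder, "unknown partner"))
        elif not partner.confirm(item_id, prefix_digest(item_id, custody_list[:i + 1])):
            problems.append((i, holder, "not confirmed"))
    return problems

def demo():
    """Constructed scenario: one genuine list, one with an inserted holder."""
    mfr, whl = Partner("MFR-A"), Partner("WHL-B")
    directory = {p.name: p for p in (mfr, whl)}
    item = "SN-000123"  # constructed serial number
    genuine = whl.ship(item, mfr.ship(item, []))
    tampered = [genuine[0], "GREY-X", genuine[1]]
    return verify(item, genuine, directory), verify(item, tampered, directory)

if __name__ == "__main__":
    print(demo())
```

Because each query goes to the partner's own system, found through master data, a list that merely names the manufacturer is rejected unless the manufacturer confirms it shipped that item.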
