When serializing packages for e-pedigree, go random

Pharmaceutical Commerce, Pharmaceutical Commerce - January/February 2013,

The looming California e-pedigree standards do not specify how to generate product codes, but random codes are easy to produce and essential for supply chain security

The US pharmaceutical industry is approaching a significant milestone in the upcoming months: 24 months until the first phase of California e-pedigree regulations go into effect. For many global pharmaceutical companies, serialization initiatives have been underway for a number of years. Counterfeit intrusions continue to occur both domestically and internationally, and various serialization schemes are becoming the standard around the world. Whatever the driver may be, the need for supply chain security and visibility remain at the forefront.

The debate over whether to serialize within the pharmaceutical industry is effectively being answered for companies—but that shouldn’t stop the industry and regulators from performing the due diligence required to ensure that serialization and traceability are implemented in ways that maximize supply chain security. One of these key decisions is whether or not to utilize random codes versus sequential serial numbers. Pharmaceutical companies have a number of factors to consider when determining serial number composition, from standards such as GS1 to possible technology limitations with RFID.

From a security standpoint, however, there is overwhelming and documented support for the use of random codes. Unfortunately, some companies have chosen to move forward with sequential serial numbers—most often because the implementation is perceived to be simpler, with little understanding as to the benefits of using random codes. In some cases, the serialization vendor can only effectively support consecutive or sequential numbers. While sequential serial numbers are better than nothing, one supposes, a much higher degree of protection is afforded by using random code generation.

Implementation

When a number of the track-and-trace solutions for the pharmaceutical industry were being developed in the mid to late 2000s, the support for random number generation and allocation was thin. Solutions were largely being built to meet the California e-pedigree requirements at that time, which did not specify random or sequential, and consequently did not address the larger question of security effectiveness. The challenge of printing random codes was also a hindrance. Thus some early adopters didn’t fully consider their options for code structure and composition.

Fast forward to today, and any sophisticated track-and-trace platform should offer support for both random and sequential codes, easing implementation. Additionally, printing solutions have matured, and the ability to support on-demand printing of random codes has become common.

The science of randomization comes out of cryptographic research, among other areas. Mathematically, the randomness of a code is dependent on the size of the character set (for example, alphanumerics) and the length of the code. A character set of 30 and a length of 12 has a 1-in-531-quadrillion chance of being guessed.

Verify Brand’s software platform uses a cryptographic-strength code generator, and checks code uniqueness against the set of previously generated codes. The unique codes are then included in the desired identifier, such as the GS1 Serialized Global Trade Item Number (SGTIN). By definition, the serial-number section of the SGTIN allows for an alphanumeric code up to 20 characters in length. Each explicit set of unique codes is then delivered via secure communications to a site-level serial-number manager or print system.

In short, if you’ve already aligned with serialization solution providers, ensure they can support random codes for future scalability. If you are currently in the process of identifying vendors, make sure support of random codes is on your checklist. Ultimately, the complexity and effort required to implement random codes is negligible when compared to sequential numbers, but the impact on supply chain security can be significant.

It’s also important to note that some solution providers, particularly those who approach serialization as a security device, have supported random codes for many years. In addition to offering mature technical solutions, these providers can give guidance regarding code composition and structure, taking into account factors such as a manufacturer’s product volume, adherence to standards, and desired security level (e.g., probability of guessing a code).

Specifically, the recommended best practice code structure for pharmaceutical manufacturers would include the following characteristics:

  • Random
  • Alphanumeric in non-RFID applications; otherwise numeric
  • Exact length is dependent on: GS1 standards Estimated number of serialized items Average lifespan in the market Label real estate (barcode size and human readable) Use of RFID currently or in the foreseeable future.

Benefits

The Los Alamos National Laboratory released a study in 2005,* describing an effective anti-counterfeiting serialization technique that utilizes unique codes on items and a method for verifying codes against a known “good” set. Among the outcomes of the study were the following key points:

  • This method is highly effective in detecting counterfeits and deterring counterfeiters.
  • Serialization with authentication is vastly more economically feasible than the average physical security feature.
  • The approach requires a “random, unpredictable, and nonsequential” code.

The simple argument: An item with a sequential serial number in the hands of a counterfeiter provides all the information needed to create a significant quantity of counterfeit items with serial numbers that will match valid serial numbers tracked by the manufacturer. Sequential numbers allow counterfeiters to create more product with “valid” codes that will pass authentication initially.

Now assume that same item has a random code. The most items a counterfeiter can produce with serial numbers that have a high probability of being valid is one. Random codes force counterfeiters to guess numbers with impossible odds, meaning all authentications will fail.

A common, but false, challenge to the random versus sequential argument is that it requires users to actively authenticate in order to gain value from the random code. This argument doesn’t pertain to random versus sequential, but rather to the effectiveness of serialization in general. While the mere presence of a code on a product may deter counterfeiters, authentication is required to realize the full value of any type of code.

This is a perfect example of the opening point that companies have taken on the bare minimum to meet regulations and miss the relatively easy, yet high-value, component of authentication. Additionally, authentication of a code has to be viewed in relation to the effort required to authenticate other types of security features, such as a hologram or invisible ink. Authentication of codes requires no education or training, and can be done in a rapid manner using widely available tools (Web, mobile, call center). Other physical security features often require proprietary tools or intimate knowledge of the feature itself.

Consider that the use of random codes actually decreases the amount of authentications required in order to be effective, because it’s guaranteed that every invalid code will provide an invalid response. With sequential numbers, the existence of counterfeit items with “valid” numbers is more likely, which means a greater amount of authentications are needed to identify real products from imitations. Additionally, at the far end of the supply chain, such as when the product reaches the consumer, authentication will be diffuse or occasional. Thus the best practice approach that requires the least authentications is preferred: random.

Put yourself in the counterfeiter’s shoes:

  • Counterfeiting is known to occur in bursts—large occurrences contained to a certain geography within a specific period of time.
  • Supplying product with invalid codes will absolutely result in failed authentications.
  • The more counterfeit product made, the chances of being detected go from minimal, to probable, to mathematically certain.
  • Failed authentications lead to measurable data of when and where the failures are occurring.
  • Isolation of location and time frame provide a substantial lead to investigators and authorities to track down counterfeiters.

If you could choose between counterfeiting a product with sequential numbers vs. a product with random numbers, which would you choose?

ABOUT THE AUTHOR

Scott Pugh is Verify Brand’s director of strategic development, where he is responsible for educating and supporting customers across industries on innovative ways to introduce, implement, and obtain value from serialization and traceability. Prior to Verify Brand, Scott was a senior manager within Accenture’s US Secure Supply Chain practice and helped lead numerous pharmaceutical