Guide
DSCSA: Serialized, Aggregated, EPCIS-Exchanged — Enhanced Distribution Security in Practice
The Drug Supply Chain Security Act (DSCSA) requires interoperable, electronic, package-level traceability for prescription drugs distributed in the United States. After multiple stabilisation periods, FDA's enforcement of the enhanced drug distribution security provisions is now squarely on the supply chain: manufacturers, repackagers, wholesale distributors, and dispensers all have to send, receive and store transaction information at the package level, verify saleable returns, and respond to suspect and illegitimate product investigations within tight clocks. This guide walks through what each trade partner has to do, the EPCIS data exchange shape that the industry has settled on, and a realistic readiness path for any link in the chain. It is written for serialization leads, supply chain managers, and QA directors at pharmaceutical manufacturers, repackagers, 3PLs, and wholesalers.
Start free trial Free trial, no credit card, onboard in days, not months.
What enhanced drug distribution security actually requires
Under enhanced DSCSA, every transaction involving a covered prescription drug must carry electronic Transaction Information (TI) and Transaction Statement (TS) at the package level — meaning each unique GTIN + serial number + lot + expiry must be traceable through every change of ownership. Trade partners must send, receive and store this data interoperably; they must verify product identifiers on saleable returns before reselling; and they must investigate suspect product within 24 hours and notify FDA of illegitimate product within 24 hours of determination. The shift from lot-level traceability to package-level traceability is the headline change — and the place most under-prepared organisations lose months of remediation.
Serialization and aggregation: the data foundation
Each saleable unit must carry a unique product identifier: GTIN, serial number, lot number, expiry date, encoded as a GS1 2D DataMatrix and in human-readable form. Aggregation links those units to their immediate parent (bundle, case) and onward to pallet — typically through GS1 SSCC codes — so that a downstream scan of the pallet returns every serial inside. The classic failure modes: serial numbers reused or not unique across SKUs, aggregation not validated (scanning the pallet returns the wrong serials), and lot/expiry data on the carton not matching the package serialization data. The system you ship has to be the system that proves itself in EPCIS later.
EPCIS event exchange
The industry has settled on GS1 EPCIS 1.2 (with movement to 2.0 underway) as the de facto data exchange standard for DSCSA TI/TS. Manufacturers send commissioning, aggregation and shipping events; wholesalers send receiving, aggregation and shipping events; dispensers send receiving events. Each EPCIS document carries the EPC codes for the products, the bizStep (commissioning, packing, shipping, receiving), the disposition (in_progress, in_transit, in_possession), and the source/destination identifiers. Connectivity is typically through AS2, SFTP, or a managed network (RxScan / TraceLink / Antares). Pre-DSCSA enforcement, many partners exchanged sample EPCIS files monthly; under enhanced security, exchange is per-shipment, automated, and validated by the receiving partner.
Verification and saleable returns
DSCSA requires verification of the product identifier on suspect product, on saleable returns before resale, and on randomised samples as part of the trade partner's verification system. Verification is typically run through the Verification Router Service (VRS) — a federated service that routes a verification request from any trade partner to the responsible manufacturer's database, returning a verified / not verified response. For wholesalers, saleable returns verification is the volume use case: a returned bottle must be verified against the manufacturer's commissioning record before it can be put back on the shelf. The most common gap is offline batches of returns piling up because the VRS connector failed silently — verification has to be a real-time, monitored workflow.
Suspect product and illegitimate product investigations
§582 requires trade partners to investigate suspect product within prescribed timeframes and to notify FDA of illegitimate product within 24 hours of determination, via Form FDA 3911. Suspect product is anything with reason to believe it is counterfeit, diverted, stolen, intentionally adulterated, or unfit for distribution. The investigation must be documented — what was the suspicion, what was investigated, what was the determination, and what action was taken — and the records held for the required retention period. Illegitimate product additionally triggers quarantine, disposition (typically destruction with documented evidence), and notification of immediate trading partners. The clock starts at suspicion, not at convenience.
Records retention and the six-year rule
All DSCSA transaction information, transaction statements, and verification records must be retained for at least six years from the date of the transaction or the verification event. The records must be retrievable in a reasonable time and format on request from FDA or state regulators. For high-volume distributors this is a non-trivial archival problem: tens of millions of events per year, multiplied across multiple partners and multiple EPCIS schemas as the industry transitions from 1.2 to 2.0. Build the archive as a queryable store keyed on EPC, GTIN, lot, and trade partner — not as a tarball you hope you never have to open.
A 9-month readiness path by role
Manufacturers (months 1 to 3): commissioning, aggregation, EPCIS shipping per partner, VRS responder integration. Wholesalers (months 1 to 5): receiving, aggregation, EPCIS shipping to dispensers, saleable returns verification at scale. Dispensers (months 1 to 2): receiving event capture from each manufacturer, retention, and the ability to respond to inspection. All partners (months 6 to 9): partner-by-partner conformance testing, illegitimate-product drill against a real-shape investigation, archive validation against a multi-year retrieval scenario. Don't underestimate the partner-conformance phase — even after the data formats are right, edge cases (returns, decommissioning, partial aggregation breaks) surface only under live volume.
Where this lives in V5 Ultimate
The clauses above aren't theoretical — every one maps to a shipped module and an industry profile. Jump to the parts of the product that turn this guide into evidence on a Monday morning.
Modules that do the work
Traceability
Package-level genealogy with parent-child aggregation through case and pallet.
Label & barcode design
GS1 2D DataMatrix with GTIN, serial, lot and expiry printed at the line.
eBMR with serialization
Batch records carrying the commissioning and aggregation events.
Recall & investigation
Suspect / illegitimate product investigation with FDA 3911 pre-populated.
Trade partner portal
EPCIS exchange with manufacturers, wholesalers and dispensers.
Industries this hits hardest
Frequently asked
Did the DSCSA enforcement deadline move again?
FDA issued multiple stabilisation periods through 2024 and 2025 to allow trade partners to mature their interoperable systems. As of mid-2026, enhanced drug distribution security is broadly enforced, with FDA prioritising warning letters for trade partners unable to demonstrate package-level traceability and EPCIS exchange. Plan as if enforcement is current — any further stabilisation is operating runway, not a strategy.
Does DSCSA apply to OTC drugs?
DSCSA covers prescription drugs in finished dosage form for human use. OTC drugs are out of scope, as are veterinary drugs, blood and blood components for transfusion, radioactive drugs, imaging drugs, IV solutions used for irrigation, and certain combination products. Some compounded products are also exempt under specified conditions. The scope determination should be documented per SKU, not assumed.
What's the difference between DSCSA and EU FMD?
Both regulations require serialization and verification of prescription drugs, but they differ structurally. EU FMD (Falsified Medicines Directive) verifies at the point of dispense against a national medicines verification system; DSCSA requires package-level traceability through every change of ownership in the US supply chain. A serialization line built for one rule can typically generate the data for the other, but the downstream verification and traceability infrastructures are separate.
How long does VRS verification take in production?
A well-implemented VRS round trip is typically under one second per query. Real-world latency depends on the manufacturer's responder service availability, the network path, and the request volume at peak. Plan for retry logic, an offline queue for VRS outages, and SLA monitoring on every responder you depend on — silent failures on returns verification are the most common cause of saleable-returns backlog.
See it on your shop floor.
Free trial, no credit card, onboard in days, not months.