FAQ

General FAQ

  • Whilst the theory of Verifiable Credentials can be overwhelming, their use is not. OCI offers solution providers a knowledge base to get up to speed. It is then down to them to create user-friendly apps. We understand that the aim is to provide credentialing fully integrated into existing solutions.

  • DSCSA requires product verifications on returned and suspicious products. The industry uses the Verification Router Service (VRS) infrastructure to exchange verification requests between wholesalers or dispensers and manufacturers. VRS also enables product verificatons for more scenarios than those required by law, e.g. status checks.

    Because most product verification requests must be sent directly to manufacturers, this leads to situations where, for example, a manufacturer interacts with a dispenser with whom the company has no prior business relationship.

    The challenge here is that pharmaceutical supply chain actors are only supposed to be transacting with authorized trading partners (ATP). If you have never dealt with the other side, how will you know whether they are an ATP as defined by DSCSA?

    That’s why all trading partners involved in product verifications must check the ATP status of their counterparty. To ensure that both sides comply with DSCSA requirements, OCI has developed an approach to credentialing that enables a fully automated, interoperable electronic check of the authorized status.

    Watch this short video for further information.

  • No. There is no membership requirement to use a solution supplied by an OCI-conformant provider. Nevertheless, we encourage trading partners and solution providers to actively participate in the development of the OCI architecture and governance.

  • Every full member must commit to the OCI Governance and sign our Membership Agreement. Please check our OCI community page. Once signed and accepted, you are a full member and can contribute to OCI in our meetings and work groups with members from across the industry.

    There are no membership fees for trading partners.

    For membership questions, please contact hello@oc-i.org.

  • Sure. Please send your feedback, suggestions and questions to hello@oc-i.org.

    For specific feedback on all resources published on the OCI GitHub, please use the standard “Issue” feature provided by GitHub.

  • The industry uses multiple solution providers, different routing services and implementations to fulfill DSCSA requirements. Hence, multiple providers and trading partners exchange data and interact with each other. To enable interoperability between all these parties, OCI has developed a neutral decentralized architecture that enables all interacting trading partners to verify their authorized trading partner (ATP) status in an electronic way.

    This is achieved by combining the usage of Verifiable Credentials that express the ATP status with unique Decentralized Identifiers. These components are defined by open standards from the World Wide Web Consortium (W3C). This is the same organization that has defined the standards for how the internet works today.

    Leveraging these W3C-defined tools avoids vendor lock-in, interoperability constraints, and data aggregation within a central entity.

    Watch a short video about DSCSA ATP Credentialing.

  • Verifiable Credentials are effectively electronic proofs similar to credentials we use in everyday life, such as your driving license giving assurance that you are able to drive properly.

    In the context of DSCSA, OCI has created guidance for the way Verifiable Credentials should look and function to attest to proper Authorized Trading Partner (ATP) status in electronic interactions.

    In technical terms, a Verifiable Credential is a digital assertion containing a set of claims (e.g., about a state license or FDA Establishment Identifier) made by an entity about itself or another entity. A subset of identity data, Verifiable Credentials are cryptographically signed and can be verified. Verifiable Credentials can be used to create selective disclosures of information (known as “verifiable presentations”) to limit data exposure. The entity described by the claims is called the subject of the credential.

    OCI uses Verifiable Credentials in accordance with the openly accessible W3C specification.

  • A Digital Wallet is the software used to manage the digital identity of an organization and its associated Verifiable Credentials.

    The Digital Wallet is the layer providing trading partners and credential issuers a peer-to-peer exchange of credential details. The issuer of credentials can send credentials into the Digital Wallet of the Trading Partner. The Trading Partner can use the Digital Wallet to acquire, store and present credentials.

    In the OCI ecosystem, integrators like Verification Router Service (VRS) providers are able to connect to their customers’ Digital Wallets.

    On a customer's behalf, the VRS provider can:

    • request the presentation of the ATP credential (and attach it to a product enquiry or response message) and

    • verify all incoming ATP credentials.

  • OCI has established multiple mechanisms to ensure that a credential is trustworthy. A central element is the usage of OCI-conformant, cryptographically verifiable credentials that are signed by the issuer and the presenter. Additionally, each presented credential is confined by an expiration period.

    1. Digital Signatures proof authenticity

    • Each issued Verifiable Credential is signed by the credential issuer. OCI-conformant issuers are listed in a public registry, which is automatically checked as part of the business interaction to ascertain the origin of the signature.

    • The issuer’s publicly accessible digital signature is derived from a private key (secret signing mechanism) in their digital wallet. OCI requires from digital wallet providers strong security mechanisms to protect the integrity of private keys.

    • The credential holder signs each presentation of a credential using a similar signing mechanism as the issuer.

    • The recipient of a credential (verifier) can challenge all signatures and scrutinize whether a credential and its presentation are trustworthy through automated mechanisms.

    2. Avoiding re-usage of credentials

    After five minutes, each OCI-conformant presentation of a Verifiable Credential expires. Enforcing this short timespan prevents re-usage of credentials for unintended purposes.

Operational FAQ

  • This should not be a heavy lift. OCI-compliant vendors’ onboarding processes are designed to make it as easy as possible for Trading Partners and VRS providers to get started and maintain credentialing as part of their business processes.

    For VRS providers, the integration with their customers’ digital wallets is fully API-based. Implementation of credentialing into existing processes should not cause any significant disruptions.

    Trading Partners should not need to involve IT specialists, as no IT system integration is required thanks to their VRS provider’s API-facilitated integration.

  • Setting up credentialing is often initiated by the DSCSA compliance or serialization team. For onboarding, staff with access to notarized corporate documents and held licenses or registrations also need to be involved. This may be your administrative or legal teams for information regarding the organization’s identity and your compliance or licensing registration teams for licensure information.

  • OCI is open for all service providers supporting the U.S. pharmaceutical supply chain with DSCSA solutions. OCI membership is not required to integrate with an OCI-conformant digital wallet provider or credential issuer.

    Find available service providers in the OCI Marketplace.

    Please reach out to us (hello@oc-i.org) if you are still unsure whether your service provider supports OCI.

  • Getting set up can be a quick process for Trading Partners. A crucial step is to have all the necessary information available for onboarding. See also “Who should I involve in setting up credentialing in my organization?” above.

  • No. All trading partners using OCI-conformant providers are interoperable.

    As a trading partner you need to sign up with only one digital wallet provider. Your VRS provider may offer the wallet service as part of their package, which avoids separate vendor assessments.

  • Service costs are set by the service providers within the OCI ecosystem. OCI has neither any influence on their pricing nor do we charge any mark-ups on such services.

    You are not required to join OCI to engage with OCI-conformant service providers. Should you choose to join OCI, there are no membership fees for Trading Partners.