Russia Compliance and Crypto Coding: Top 8 Questions Answered
Pharmaceutical manufacturers who produce medicines in the Russia market are gearing up for registration, serialization, and reporting requirements that will start as early as July 2019 (for medicines on the Nosologies list as described in government decree No. 1557) but our recent webinar shows that the industry still has a lot of questions about the regulations.
The topic that raises the most questions? Cryptography, as the regulations require the application of a crypto key and code to a product's unique identifier encoded in a barcode to be compliant. Here are the 8 most commonly asked questions, along with the answers:
What does the term "cryptographic" mean?
The word "cryptographic" in terms of Russia compliance means taking some information and combining it with other data that is randomly generated according to specific mathematical principles.
For Russia cryptography, the Global Trade Item Number (GTIN) and serial numbers are used as baseline information to generate a unique crypto key and code for that pairing of information. The crypto key and code are used in Russia serialization and verification processes to:
- Provide additional protection mechanisms to guard against potential counterfeiting or duplication of product identifiers for products in the market.
- Provide a secure "Offline" mode for pharmacy endpoints in their verification process that can be scanned locally during times of intermittent or disabled internet connections.
How does the crypto code strengthen the barcode data carrier?
The crypto code, which is generated using the GTIN and serial number, helps ensure that only one combination of the GTIN and a serial number can be created for a package by adding an encrypted cryptographic code to the barcode data carrier, which serves as the unique product identifier. Thus, the unique product identifier is a combination of not only the GTIN and serial number, but the cryptographic key and code as well. There are other optional fields, but these four elements make up the minimum data required for a given product pack.
Who provides crypto codes?
A public-private organization named CRPT provides the crypto codes through their cryptographic system. This system is available as either a cloud-based system or as physical equipment, depending on where the product is packaged. To somewhat simplify the process, a common application program interface (API) is used regardless of the specific cryptographic system.
Who has to send the GTIN and serial number combinations to obtain the crypto key and code from the Russian Government?
The GTIN and serial number are provided by the pharmaceutical Marketing Authorization Holder (MAH) or manufacturer to the crypto coding generation system, with the crypto key and code returned for application into the barcode. In addition to the crypto key and code being returned to the submitting company, the key and code are also automatically published by the cryptographic system to the government MDLP compliance system.
How many characters need to be captured in the crypto key and code?
In the current version of the cryptographic regulations, there are 4 characters needed for the crypto key and 88 characters needed for the crypto code.
Does the data that's part of the crypto key and code also have to be printed on the package as human readable data?
In government decree No. 1556, it states that the GTIN and the individual serial number must be included in a human readable format on the label. However, it does not specify that the crypto key and code are to be printed on the label in human readable text.
Is it possible that crypto codes will not be necessary for Russia compliance?
With the publication of government decrees No. 2963-p and No. 1556, both of which specify CRPT's role in reporting and cryptographic generation, and make crypto codes a firm legal and regulatory requirement, it is unlikely that crypto coding requirements will be removed. There is a slight possibility that the exact length or composition of the crypto codes might change based on continuing feedback from the industry.
Does the pharmaceutical MAH or manufacturer need to report a cryptographic key and code in the product identifier reports already required?
No. the pharmaceutical MAH or manufacturer is not responsible for adding the cryptographic key and code to their governmental reports. The cryptographic system self reports the crypto key and code associated with a given product identifier. In fact, pharma MAHs are guided to completely purge any generated crypto key and code information as soon as practical after the packaging operation has been completed.
If you are still planning for Russia compliance, watch the on-demand webinar to hear more about the requirements and see where your peers are in regards to readiness, or contact us through the form at right to understand how TraceLink can help you manage Russia compliance regulations and related cryptographic requirements.