Compliance

Published April 15, 2026 · Updated May 29, 2026

DSCSA compliance for pharmacies, in plain English.

The Drug Supply Chain Security Act (DSCSA) is a U.S. federal law passed in 2013 with a stair-step rollout. The final tier — small dispensers with 25 or fewer full-time employees — enters full enforcement on November 27, 2026. The law governs how prescription drugs are tracked through the supply chain — from manufacturer to wholesaler to dispenser — and it has direct implications for every pharmacy that holds inventory.

This guide covers what DSCSA actually requires of a dispenser, what a serialized barcode contains, and what DSCSA software needs to do in practice — including the gaps most general-purpose pharmacy management systems leave on the table.

What DSCSA actually requires of dispensers

If you're a pharmacy that buys, holds, and dispenses prescription drugs, the law treats you as a "dispenser" and you have four core obligations:

1. Buy only from authorized trading partners. Wholesalers must be licensed; manufacturers must be registered. You're responsible for confirming this.
2. Receive and retain transaction records. Every shipment comes with electronic transaction information (TI) and transaction statements (TS) you must keep for 6 years.
3. Verify product authenticity. If you suspect a drug is illegitimate, you must investigate, quarantine, and notify trading partners and the FDA. You also have to verify the product identifier on returned saleable drugs before reselling them.
4. Operate at the package level. By the November 27, 2026 small-dispenser enforcement deadline, every prescription drug package must carry a serialized 2D barcode (GS1 DataMatrix) containing GTIN, lot, serial number, and expiration date. Your systems must be able to capture and store all four.

What's in the serialized barcode

The DSCSA-compliant barcode encodes four GS1 application identifiers (AIs):

• AI 01 — GTIN-14: The 14-digit Global Trade Item Number identifying the manufacturer's product (drug + strength + package size).
• AI 17 — Expiration date: 6 digits, YYMMDD format. Some manufacturers use DD=00 to mean "last day of the month."
• AI 10 — Lot number: Up to 20 alphanumeric characters. Variable length, terminated by an FNC1 group separator (ASCII 0x1D) or end of string.
• AI 21 — Serial number: Up to 20 alphanumeric characters. Unique per package within a lot. This is the piece that's new under DSCSA — pre-DSCSA barcodes typically only had GTIN, lot, and expiration.

The presence of AI 21 (serial number) is what distinguishes a DSCSA-compliant barcode from a pre-DSCSA one. Most manufacturers have been shipping serialized stock for years; the November 2026 small-dispenser deadline closes the door on non-serialized drugs in the trading-partner chain.

Why FNC1 / GS character handling matters

Variable-length AIs (10, 21, 240) terminate when the scanner encounters the FNC1 character — ASCII byte 0x1D, also called Group Separator (GS). If your scanner is configured to strip this byte (the default on many HID-mode Bluetooth scanners), the parser sees a single concatenated mess instead of distinct lot and serial fields. Real DSCSA scans simply won't parse correctly.

If you're using a Zebra DS2278 or similar, the scanner needs "GS character transmission for HID Keyboard" enabled in its programming guide. Without it, your system records the lot but loses the serial — which means you're not actually capturing DSCSA-required data. RxRescue's setup guide walks operators through this configuration step-by-step.

What DSCSA software (and your inventory system) needs to do

Whatever software you use, it has to:

• Capture all four AIs from a serialized 2D barcode (GTIN, lot, serial, expiration).
• Store them as distinct fields, not concatenated text.
• Preserve raw scan data for audit purposes — if an FDA or wholesaler dispute arises about whether a specific package was authentic, you need to prove what was scanned.
• Detect and reject duplicate serial numbers — receiving the same serialized package twice almost always indicates a counterfeit or chain-of-custody issue.
• Track expiration dates at the package level. Lot-level tracking isn't sufficient when DSCSA-required serial-level data is available.

Most pharmacy management systems handle the purchasing and receiving side. Where they often fall short is on-shelf inventory: knowing exactly which serialized packages you currently hold, which are nearing expiration, and which have been pulled or returned. That gap is what RxRescue is built to fill.

How RxRescue handles DSCSA scans

RxRescue's GS1 parser is fixture-tested against the full set of DSCSA barcode patterns: standard serialized scans, pre-DSCSA lot-only scans, scans with AIM symbology prefixes (]d2, ]C1), scans with leading FNC1, last-day-of-month dates (DD=00), and dozens of edge cases. Each scan is stored with raw input preserved, parser version tagged, and timestamp logged for audit.

The product is built around a strict No-PHI boundary: it stores stock data (GTIN, lot, serial, expiration, drug name, quantity) and is designed not to collect PHI by blocking patient-identifying fields at the import layer. See our security & compliance posture for what this means for HIPAA scope and procurement-level review.

Start a 30-day free trial →

Frequently asked questions about DSCSA

How long must a dispenser maintain DSCSA transaction records?

DSCSA requires dispensers (pharmacies) to maintain transaction information and verification records for at least 6 years from the date of the transaction. Most pharmacies keep them 7 years to align with state-board retention requirements. Records must be electronically accessible within 48 hours of a regulatory request — paper-in-a-binder does not meet the standard.

When is the DSCSA enforcement deadline for small dispensers?

Small-dispenser DSCSA enforcement at the package level begins November 27, 2026. The FDA's stabilization period for small dispensers (under 25 full-time pharmacists) extended the original 2023 deadline to give independent and institutional pharmacies time to put serialized package-level systems in place.

What is the DSCSA serialization timeline?

DSCSA was enacted in 2013 with a roughly ten-year phase-in. The enhanced, package-level traceability requirements took effect November 27, 2023, but the FDA granted stabilization-period exemptions that staggered actual enforcement by trading-partner type: manufacturers and repackagers first, then wholesale distributors (through 2024), and finally small dispensers — pharmacies with 25 or fewer full-time employees — on November 27, 2026. A small pharmacy's serialized package-level obligation lands last in that sequence, which is why November 27, 2026 is the date that matters most for independent, correctional, and institutional pharmacies.

Does my pharmacy management system handle DSCSA compliance?

Most pharmacy management systems handle the purchasing and receiving side of DSCSA — capturing T3 transaction documents from the wholesaler. Where they typically fall short is on-shelf inventory: knowing which specific serialized packages you currently hold, which are nearing expiration, and which have been pulled or returned. That gap is what a dedicated physical-inventory tool covers. See how RxRescue fits alongside your PMS for the layer model.

Does DSCSA apply to correctional and detention pharmacies?

Yes. Correctional and detention pharmacies are dispensers under DSCSA and carry the same November 27, 2026 obligations as any community retail pharmacy. The dispenser-of-record question can be more complex when a healthcare contractor operates the pharmacy inside a facility owned by a county or state — we wrote about that gap in DSCSA in the correctional pharmacy.

What is the difference between DSCSA T3 documents and serialization?

T3 documents (Transaction Information, Transaction History, Transaction Statement) record the chain of custody — who shipped what to whom. Serialization adds a unique identifier to each package (GTIN, lot, serial number, expiration) so that an individual bottle can be tracked and verified, not just a transaction line. Both are required under DSCSA; serialization is the part that requires barcode-aware scanning at the package level.

What if a wholesaler ships me a non-DSCSA-compliant bottle?

Reject and return it. Under DSCSA, dispensers are required to verify that incoming product carries a compliant serialized barcode and matching transaction documentation. Accepting non-compliant product creates a chain-of-custody gap that surfaces in audits and can disqualify the bottle from future return-credit. Most wholesalers will accept the return without dispute when the rejection reason is DSCSA-non-compliance.

Related

• DSCSA self-assessment — five questions to ask your pharmacy team this week
• Correctional pharmacy inventory tracking
• Wholesaler returns and credit windows
• FEFO expiration tracking for pharmacies
• DSCSA & pharmacy inventory glossary
• The DSCSA 2026 deadline — what to do this week (blog)
• DSCSA in the correctional pharmacy (blog)
• What an FDA inspector actually asks a pharmacy (blog)
• Section-based pharmacy audits (blog)

Validated as of 2026-05-13. DSCSA regulatory references reviewed quarterly.