CVS's Web Authentication Goes Way Beyond PIN

Pharmacies today have to balance the need for more and faster data access for customers with the fact that the data being sought is not only highly sensitive but also much more strictly regulated. (Weary of infuriating PCI rules? Try working under HIPAA for a few months.) CVS has come up with an imaginative authentication method for its latest Web enhancements.

The chain last week announced enhancements such as deeper access to purchase history and promotions—which themselves telegraph specific types of drugs being prescribed. For authentication, the site is seeking the usual password and login for access. But it then requires a birthdate and—here's the good part—two pieces of information likely found only on an existing prescription bottle: a prescription number and the store number.

Although some pharmacies publish a customer's DOB on prescription labels, most don't. CVS publishes the month and date of the customer's birthday, not the year. And the site requires the year for authentication. The store number can theoretically be looked up on the public Web site, but that would require the thief to know which pharmacy the intended victim uses.

So it's a good system, in that the data doesn't exist in any one place and it requires access to something—a recent prescription label—that is difficult to access remotely.

If a thief is truly dedicated, prescription labels are often thrown away intact (they are often murder to remove from the bottles), so garbage searching is one way to get around much of this. But that's hardly likely with an identity thief hitting a Web site. Too messy and too dangerous.

CVS isn't alone in its pharmacy security quests. Both Rite-Aid and Walgreens recently tangled on how to secure pharmacist-led chat transcripts and Walgreens had to limit a prescription text service so much that it seemed to lose much of its raison d'être. And Winn-Dixie explored various ways of alerting shoppers to imminently expiring medications, only to run into security or legal obstacles.

CVS, though, seems to have figured out a way to make this idea really work. Nothing is ever breach-proof. But if the chain puts some effort and creativity into its security, both regulators and customers will notice.