STIR / SHAKEN Compliance 101 – The Deadline is Looming

 


Introduction

The plague of robocalls in the United States continues to be out of control, with PRNewswire reporting that Americans received over 3.9 billion robocalls in April 2022.

With robocall scams expected to bring fraudsters more than $40 billion in revenue in 2022, initiatives to curb robocalls continue to be implemented both in the USA and worldwide.

As service providers, we all need to comply with SHAKEN and STIR initiatives mandated by the FCC to reduce the number of robocalls and spoof calls. This is imperative to restore faith in the telephone system.

According to the FCC website:

"The STIR/SHAKEN framework, an industry-standard caller ID authentication technology, is a set of technical standards and protocols that allow for the authentication and verification of caller ID information for calls carried over Internet Protocol (IP) networks. As implementation progresses, it will give Americans more confidence that the caller ID information they receive is accurate and will allow voice service providers to provide helpful information to their consumers about which calls to answer".

STIR/SHAKEN has already been implemented by the large carriers, and the latest deadline for smaller carriers has been brought forward from the 30th June 2023 to the 30th June 2022.

Failure to comply fully will mean downstream providers will block your services. More importantly, providers that fail to comply face penalties of at least $10,000/day up to a maximum of $100,000/day.

The FCC is serious about implementation and about reducing robocalling and spoof calling.

In the words of the FCC Chairwoman Jessica Rosenworcel: "We are not going to stop until we get robocallers, spoofers, and scammers off the line."

The Mandated Solutions

The mandated FCC solution is a two-tiered approach; hence the James Bond-inspired acronyms SHAKEN/STIR.

Let’s take a closer look.

WHAT IS STIR?

STIR is an acronym for Secure Telephony Identity Revisited. As the name suggests, it has to do with improving telephony security.

It is a protocol that allows service providers to include the calling party's information within a digital signature. It allows for verification of the terminating service provider's signature and is concerned mainly with end devices.

WHAT IS SHAKEN?

SHAKEN is an acronym for Secure Handling of Asserted information using toKENs. Sounds complicated, right? It is not very easy.

SHAKEN outlines the standards and prescribes how service providers deploy STIR within their networks.

STIR focuses on the compliance of end devices, whereas SHAKEN is concerned with deployment within the network.

SPOILER ALERT – Peeringhub can provide you with all of the expertise needed around compliance, freeing you to focus on what you do best – providing excellent services to your customers.

We will outline the procedure for compliance, but if you need your compliance problem to go away so you can concentrate on your service, hit us up.

Why You Should Choose Peeringhub:

Approved Authority Status

Peeringhub is one of only eight approved STIR/SHAKEN Certificate Authorities in the United States.

Certificate Management

We fully adopt the ACME protocol for certificate management.

Peeringhub provides ACME server access to all its subscribers to order new certificates automatically as part of the offering.

The certificate management process is customer-driven.

Free CDN

Peeringhub provides a Certificate Repository hosted in the AWS cloud with CDN to all subscribers without any additional charge.

Choice of Implementation solutions

We offer different solutions for service providers to sign calls and verify inbound traffic. 

Free-To-Use VoIP Switch

In addition to a dipping engine for verifying and signing calls using a STIR/SHAKEN certificate, Peeringhub provides a free-to-use VoIP switch with built-in STIR/SHAKEN support.

With a switch that has integrated STIR/SHAKEN signing and verification services, there is no need to access an external dipping service, which can be a potential point of failure and introduce unnecessary additional latency.

Our integrated STIR/SHAKEN switching solution is free for up to 500 ports.

Support of Certificates

Peeringhub's STIR/SHAKEN solution supports service provider certificates and delegate certificates.

Compliance

We are fully compliant with ATIS-1000092, ATIS-1000074 and ATIS-1000080.

Issue certificates to end-users

As a number provider, we provide you with a free desktop client to download.

You can issue certificates to the end-users who buy your phone numbers.

Enable your clients to sign their calls using their own identities.

Long Term and Short Term Certificates


Peeringhub supports both long-term and short-term certificates.

You can choose the time frame for the needed certificates at the time of certificate generation.

Delegate Certificate

Service Providers can allocate Phone Numbers for each end-user.

End-users can use Peeringhub's ACME server to generate their VoIP user certificate.


The Five Steps to SHAKEN/STIR Compliance

Step 1 – You Need to Get an Operating Company Number

The National Extension Carrier Association (NECA) is responsible for distributing Operating Company Numbers (OCNs).

All information for applying for your OCN can be gleaned from their website.

In short, their application process requires you to submit the following:

1.    Your interconnection agreement with an upstream service provider

2.    A copy of an invoice with one of your customers

3.    A state sealed copy of your articles of association

4.    Other administrative information.

NECA charges a standard fee of $475 for each OCN application. An expedited service with a 3-day turnaround time costs $600.

To start this process, go to https://www.neca.org/. Click on the Contact Us page. Locate the helpdesk email and email the helpdesk requesting an application form.  Once you receive the form, you just need to fill it in and provide the requested information.   

Step 2 - You Need to Register with the Secure Telephony Industry Public Administrator (STI-PA)

Iconectiv is the STI Public Administrator.

You need to register with iconectiv as an authorized carrier, after which you will be provided with a service provider code token.

Registration is simple and can be found on the iconectiv policy administrator website.

You will be required to submit the following:

  • FCC Form 499A

  • Your OCN

  • Your billing contact details

You will be contacted via email for authorization and further information.  

It normally takes 1 - 2 days for iconectiv to respond to your online application. You will be provided with a test plan to fill out. This test plan helps you familiarize yourself with the UI and API provided by iconectiv.

If you need help in conducting and filling out the test plan, you can always contact Peeringhub to give you assistance. 

Once you submit your test plan, your service provider status should be approved very quickly.

Once approved, you will be added to the website, and service providers will be notified of your certification.  

In-depth documentation on how to register as a STIR/SHAKEN Service Provider from iconectiv is available here

Step 3 – You Need to Secure a Token

Peeringhub can help you secure a token from iconectiv.

Should you prefer to go it on your own, iconectiv does have a guideline which spells out what you need to do, in which case you will need to:

  • Upgrade your software to the necessary spec

  • Run performance tests with iconectiv

  • Complete the rest of the STI-PA application process.

Step 4 - Get Yourself a Certificate

Once you have received your token, you will be required to submit the token and a certificate signing request to the Certifying Authority (CA).

Assuming you have done enough to qualify, the CA will issue you a STIR/SHAKEN certificate. The certificate confirms that you are now fully compliant.

At Peeringhub, we would assist you throughout the process. You can contact Peeringhub to open an account via email at ca-request@peeringhub.io.

Step 5 – Declare That You Have Complied With STIR/SHAKEN Requirements

The final step is to change your status to being fully compliant.

You do this by logging into the FCC's Robocall Mitigation Database and setting your status to Full STIR/SHAKEN compliance.

What if You Are Too Late?

If you are too late to comply with the deadline, the only basis upon which you can apply to the FCC for an extension is that of “circumstances beyond your control” which you will have to allege and motivate.

What is Your Risk if You are not Compliant by the Deadline? 

Failure to comply by the deadline will result in your VoIP termination provider blocking your calls.

The FCC is empowered to go after non-compliant companies and has already taken action against some of them, even withdrawing some exemptions. For example, Vonage and Bandwidth have been referred to the agency's Enforcement Bureau for further investigation.

Even if you are a small VoIP service provider, you can't escape becoming STIR/SHAKEN compliant. The two-year extension for some categories of small voice service providers ("SVSPs," those with 100,000 or fewer voice service subscriber lines) to fully implement the STIR/SHAKEN caller ID authentication standards was shortened by the FCC's fourth report and order.  

The FCC also requires "bad actor" small VSPs to implement STIR/SHAKEN within 90 days of an Enforcement Bureau determination following notice that the bureau suspects or fails to meet the VSP's obligations.

Certain states have implemented heavy penalties for non-compliance. For example, two New York Bills signed into law on November 8, 2021, require telecommunications service providers to increase robocall protections by requiring STIR/SHAKEN implementation and blocking calls to specific numbers.

The first law effectively codifies the Federal Communications Commission's (FCC) regulations into state law and imposes significant penalties on non-compliant companies.

The second law requires all voice service providers that are interconnected with the public switched telephone network and provide voice communication services to end-users to implement, within 12 months, the STIR/SHAKEN authentication framework to verify and authenticate caller identification on the provider's internet protocol (IP) network. The civil penalties for non-compliance are steep and range from at least $10,000/day to a maximum of $100,000/day.

It is simple. Comply, or you may as well close your doors!

Conclusion

We need to restore the trust in our services, which unscrupulous and often fraudulent operators have hijacked.

More than 40% of the robocalls made in the USA are made for fraudulent purposes.

The result is that the public has opted not to answer their phones. This loses revenue for all of us and negatively affects commerce to an alarming degree.

It is time to comply with mandatory measures to fix the problem. The deadline is looming.

Peeringhub is here to assist.

