Federal Communications Commission
DA 13-34
Before the
Federal Communications Commission
Washington, D.C. 20554
In the Matter of)
)
Petition of STi Prepaid, LLC for Declaratory
)
CC Docket No. 96-115
Ruling, or in the Alternative, Petition for Waiver
)
)
IP-Enabled Services
)
WC Docket No. 04-36
ORDER
Adopted: January 11, 2013
Released: January 11, 2013
By the Chief, Wireline Competition Bureau:I.
INTRODUCTION
1. In this Order, we grant a petition for waiver of our customer proprietary network information(CPNI) rules filed by STi Prepaid, LLC (STi). The waiver will permit prepaid calling card providers,
which generally do not have an ongoing billing or service relationship with their customers, to
authenticate their customers’ identities to ensure that CPNI is disclosed only with the customers’ consent.
2. On August 4, 2009, STi, a provider of prepaid calling cards, filed a petition seeking
clarification or, alternatively, a limited waiver of certain of the Commission’s privacy rules that apply to
telecommunications service providers and interconnected VoIP providers.1 Specifically, STi requests a
declaratory ruling that prepaid calling card providers may satisfy the customer authentication
requirements in the Commission’s CPNI rules2 by having a customer provide the personal identification
number (PIN) associated with a prepaid calling card.3 In the alternative, STi seeks a waiver from the
Commission’s CPNI rules so that prepaid calling card providers may use the PIN associated with a
calling card to satisfy the customer authentication requirements in the CPNI rules.4 STi states that
1 Petition of STi Prepaid, LLC for Declaratory Ruling, or in the Alternative, Petition for Waiver (filed Aug. 4, 2009)
(STi Petition). On September 24, 2009, the Wireline Competition Bureau (WCB) sought comment on the STi
Petition. Pleading Cycle Established for STi Prepaid, LLC Petition Regarding Customer Authentication Provisions
of CPNI Rules, CC Docket No. 96-115, Public Notice, 24 FCC Rcd 12086 (WCB 2009). No comments were
received. On September 24, 2010, STi Prepaid, LLC (STi) and Vivaro Corporation (Vivaro) filed an application
pursuant to section 214 of the Communications Act, 47 U.S.C. § 214, to transfer control of STi to Vivaro. On May
20, 2011, WCB granted STi’s application for transfer of control. Domestic Section 214 Authorization Granted, WC
Docket No. 10-205, Public Notice, 26 FCC Rcd 7615 (WCB 2011).
2 47 C.F.R. § 64.2010. CPNI includes information derived from a customer’s relationship with a provider of
communications services. See 47 U.S.C. § 222(h)(1) (defining CPNI as “information that relates to the quantity,
technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to
by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by
virtue of the carrier-customer relationship; and information contained in the bills pertaining to telephone exchange
service or telephone toll service received by a customer of a carrier; except that such term does not include
subscriber list information”) (subsection denotations omitted).
3 STi Petition at 1.
4 Id.
Federal Communications Commission
DA 13-34
providers of prepaid calling cards typically do not have an ongoing relationship with their customers, andtherefore cannot authenticate their customers using the same tools as providers of other
telecommunications services.
3. As explained below, using only the PIN associated with a prepaid calling card to authenticate
the holder of the prepaid calling card would violate subsections (a)-(c) of section 64.2010 of the CPNI
rules. However, we find that it is in the public interest for purchasers of prepaid calling cards to have
access to the CPNI associated with their calling cards. We further find that allowing prepaid calling card
providers to rely on the PINs associated with prepaid calling cards in order to authenticate their customers
will not unduly risk the privacy of those customers’ CPNI. Therefore, we grant the waiver request.
II.
BACKGROUND
4. In 2007, the Commission strengthened the customer authentication requirements in its CPNIrules to address the burgeoning problem of data brokers gaining unauthorized access to consumers’ call
detail records and other CPNI, and selling that information.5 Under the Commission’s rules,
telecommunications carriers and interconnected VoIP providers are prohibited from providing call detail
information during a telephone call unless the customer initiating the call provides a password that is not
based on readily available biographical or account information.6 When establishing a customer’s
password, the carrier must authenticate the customer without reference to readily available biographical or
account information.7 If a carrier is unable to authenticate a customer over the phone or online, the carrier
may send call detail records to the customer’s address of record, or call the customer’s telephone number
of record.8 Similar protections apply to customers’ online queries for CPNI.9
5. Prepaid calling cards allow consumers to pay a fixed dollar amount in return for calling
capabilities. A consumer may receive access to the prepaid service in the form of a plastic card, a paper
receipt, or a virtual card on the Internet.10 In each case, the customer is provided a PIN to access the
services associated with the account. The customer’s use of the PIN also identifies, for the service
provider, the prepaid calling card account from which the service provider should deduct funds. Prepaid
calling card service providers assign PINs to customers in different ways. For example, purchasers of
plastic prepaid calling cards typically must remove a protective coating that covers the PIN prior to its
purchase. Purchasers of electronic prepaid calling cards typically receive the PIN electronically upon
confirmation of the transaction.11
5 See Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer
Proprietary Network Information and Other Customer Information; IP-Enabled Services, CC Docket No. 96-115;
WC Docket No. 04-36, Report and Order and Further Notice of Proposed Rulemaking, 22 FCC Rcd 6927, 6953
(2007) (EPIC CPNI Order), aff’d sub nom. Nat’l Cable & Telecom. Assoc. v. FCC, 555 F.3d 996 (D.C. Cir. 2009).
6 47 C.F.R. § 64.2010(b).
7 47 C.F.R. § 64.2010(e).
8 47 C.F.R. § 64.2010(b). “An ‘address of record,’ whether postal or electronic, is an address that the carrier has
associated with the customer’s account for at least 30 days.” 47 C.F.R. § 64.2003(b). A telephone number of record
is “[t]he telephone number associated with the underlying service, not the telephone number supplied as a
customer’s ‘contact information.’” 47 C.F.R. § 64.2003(q).
9 47 C.F.R. § 64.2010(c).
10 For purposes of this order, we refer to each of these services as a “prepaid calling card service,” irrespective of
whether the customer is given a physical calling card associated with the service. See infra at para. 12 (defining the
scope of this Order).
11 STi Petition at 1–2.
2
Federal Communications Commission
DA 13-34
6. Prepaid calling card providers typically do not know who their customers are or how tocontact them.12 Nevertheless, customers of such services sometimes want or need to access their CPNI.13
According to STi, it has received numerous requests from prepaid calling card customers for CPNI, often
from customers who must access their calling records for reasons related to court or other legal or
governmental proceedings.14 STi contends that it does not have enough information to authenticate those
customers in any of the ways provided for in the Commission’s rules.15 STi can confirm that the person
seeking access to CPNI has access to the PIN associated with the prepaid calling card. STi therefore
requests that the Commission issue either a declaratory ruling or a waiver that would allow prepaid
calling card providers to authenticate customers using the PINs provided with prepaid calling cards.
III.
DISCUSSION
7. We deny STi’s request for a declaratory ruling. A declaratory ruling is appropriate toterminate a controversy or remove uncertainty.16 No controversy or uncertainty exists here. STi has
acknowledged that it does not have enough information about its customers to authenticate them
according to the Commission’s rules.17 STi requests authority to authenticate its customers using the PIN
associated with a prepaid calling card. However, the CPNI rules require authentication that does not use
readily available biographical or account information. Because the calling card PIN may function as the
customer’s account number, the Commission’s rules preclude using the PIN to authenticate a customer.18
Therefore, we find a declaratory ruling is not appropriate in this case.
8. We find, however, that good cause exists to grant STi’s waiver request.19 A rule may be
waived where the particular facts make strict compliance inconsistent with the public interest.20 Waiver is
appropriate if deviation from the general rule would better serve the public interest than strict adherence
to the rule.21
9. In deciding whether to grant a waiver, it is appropriate to take into account considerations of
hardship, equity, or more effective implementation of overall policy on an individual basis.22 We find
that granting STi’s waiver will appropriately balance prepaid calling card customers’ privacy with their
12 Id. at 4–5.
13 Calling card services have been regulated by the Commission as telecommunications services because they
provide transmission of information, without a change in form or content, for a fee directly to the public. See, e.g.,
AT&T Corp. Petition for Declaratory Ruling Regarding Enhanced Prepaid Calling Card Services; Regulation of
Prepaid Calling Card Services, WC Docket Nos. 02-133, 05-68, Order and Notice of Proposed Rulemaking, 20
FCC Rcd 4826, 4827, para. 4 (2005).
14 Id. at 2.
15 Id.
16 47 C.F.R. § 1.2.
17 STi Petition at 2.
18 The PIN may be associated with the individual account – and is often the only way to identify a customer’s usage
and remaining value on a prepaid card – in the same way that an address, phone number, or account number is
associated with a subscriber that receives monthly bills at a fixed address.
19 The Commission’s rules may be waived for good cause shown. 47 C.F.R. § 1.3.
20 Northeast Cellular Telephone Co. v. FCC, 897 F.2d 1164, 1166 (D.C. Cir. 1990) (Northeast Cellular).
21 Northeast Cellular, 897 F.2d at 1166; accord NetworkIP, LLC v. FCC, 548 F.3d 116, 127 (D.C. Cir. 2008).
22 WAIT Radio v. FCC, 418 F.2d 1153, 1157 (D.C. Cir. 1969).
3
Federal Communications Commission
DA 13-34
interest in having access to their own CPNI. As the Commission has explained, “[s]ection 222 reflectsthe balance Congress sought to achieve between giving each customer ready access to his or her own
CPNI, and protecting customers from unauthorized use or disclosure of CPNI.”23 This balance is
reflected in section 222(c)(2), which requires telecommunications carriers to disclose CPNI “upon
affirmative written request by the customer, to any person designated by the customer,”24 and section
222(a), which imposes a duty on every telecommunications carrier to protect the confidentiality of
proprietary information of and relating to their customers.25
10. The Commission also recognized the need to balance “consumers’ interests in ready access to
their call detail record, and carriers’ interests in providing efficient customer service with the public
interest in maintaining the security and confidentiality of call detail information.”26 The Commission’s
CPNI authentication rules appropriately balance these interests when the carrier and customer have an
ongoing relationship because the carrier has information regarding the customer’s identity. However, in
the case of prepaid calling cards, where the provider does not have an ongoing relationship with its
customers, authenticating customers for purposes of providing CPNI is not feasible under the
Commission’s rules. The Commission’s rules instead have the effect of preventing purchasers of prepaid
calling cards from being able to access their CPNI.
11. Prepaid calling card customers should have a means to access the call detail records and other
CPNI associated with their use of prepaid calling cards. The public interest is not well served by failing
to provide a viable method for calling card customers to access their CPNI, which they may need for legal
or governmental proceedings or to verify that the number of calling minutes they have received from a
calling card are consistent with the number of minutes advertised.
12. While we are mindful of the importance of protecting CPNI records, there is no evidence in
the record to suggest that use of the PIN associated with a prepaid calling card to authenticate a customer
for purposes of providing the customer with CPNI will expose that CPNI to undue risk of unauthorized
access.27 The PINs associated with prepaid calling cards are randomly generated and are not widely
available. Moreover, the PINs are issued to the card purchaser and under the control of the purchaser,
similar to a password that is known only to the provider and customer. We limit the scope of this order to
customer authentication by prepaid calling card providers that do not have telephone numbers or
addresses of record for their customers, and do not have any other relationship with their customer that
could be used to authenticate the customer.
13. Accordingly, we grant STi’s request for a waiver of sections 64.2010(b) and (c) of the
Commission’s rules to allow the use of PINs issued with prepaid calling cards to be used to authenticate
prepaid calling card customers in satisfaction of the Commission’s CPNI rules. We emphasize that
prepaid calling card providers remain subject to all of the other provisions of the Commission’s CPNI
rules, including the requirement to take reasonable measures to discover and protect against attempts to
23 EPIC CPNI Order, 22 FCC Rcd at 6931, para. 6.
24 47 U.S.C. § 222(c)(2).
25 47 U.S.C. § 222(a).
26 EPIC CPNI Order, 22 FCC Rcd at 6939, para. 17.
27 We recognize, however, that in some cases, it is possible that CPNI will be exposed to persons other than the
customer who purchased the card or for whose use the card was purchased. For example, particularly in the case of
scratch-off PINs, if the card is lost or stolen, whoever is in possession of the card and its associated PIN will be able
to access the CPNI associated with the card. However, we believe that on balance the risk of such exposure is
outweighed by allowing customers to have access to their CPNI associated with prepaid calling cards.
4
Federal Communications Commission
DA 13-34
gain unauthorized access to CPNI.28IV.
ORDERING CLAUSES
14. Accordingly,IT IS ORDERED
, pursuant to sections 1, 4(i), 5(c), 201, 202, and 222 of theCommunications Act, as amended, 47 U.S.C. §§ 151, 154(i), 155(c), 201, 202, 222, and sections 0.91,
0.291, and 1.3 of the Commission’s rules, 47 C.F.R. §§ 0.91, 0.291, 1.3, that the requirements contained
in 47 C.F.R. § 64.2010(b), (c) that customers be authenticated without reference to account information
and that passwords be created without reference to account information are waived to allow prepaid
calling card providers that do not have telephone numbers or addresses of record for their customers, and
do not have any other relationship with their customer that could be used to authenticate the customer, as
described in this Order, to use the Personal Identification Number associated with a prepaid calling card
to satisfy the authentication requirements and password creation requirements contained in 47 C.F.R.
§ 64.2010.
15.
IT IS FURTHER ORDERED
that STi Prepaid, LLC’s Petition for WaiverIS GRANTED
to the extent indicated herein, and its accompanying Petition for Declaratory RulingIS DENIED
.FEDERAL COMMUNICATIONS COMMISSION
Julie A. Veach
Chief
Wireline Competition Bureau
28 47 C.F.R. § 64.2010.
5
Edoc Internal Id:
318350
Released On:
Thu, 2013-01-10 19:00
Published On:
January 11 2013
Adopted Date:
Thu, 2013-01-10 19:00
Edoc ID:
DA-13-34
