Skip to main content

What are the STIR/SHAKEN Requirements?

photo of planet earth showing connections

STIR/SHAKEN call authentication, an integral component of branded calling for businesses, promises to help protect consumers from call spoofing by enabling voice service providers to verify the caller ID name and number transmitted with a call matches the caller’s phone number. Several years ago, the Federal Communications Commission (FCC) mandated communications service providers (CSPs) implement STIR/SHAKEN in the IP portion of their networks, along with a robocall mitigation program.

Currently, STIR/SHAKEN is helping curtail call spoofing and fraud, but in certain instances, CSPs have difficulty distinguishing between legitimate and spoofed calls, allowing fraudulent calls to get through. Furthermore, many legitimate calls from businesses are being blocked or mislabeled as spam — which prevents customers from picking up the phone. This has caused some businesses to take matters into their own hands.

Businesses have a vested interest in protecting their customers, employees and assets from spoofed calls and resulting financial damages. One way they can take action is by signing their own calls — which ensures end-to-end call authentication and deterministic call treatment, helping stop spoofed calls. While enterprises don’t directly implement the STIR/SHAKEN protocols, they’re now able to sign their own calls. TransUnion Spoofed Call Protection make this possible.

In addition, there are branded communications solutions available that combine call branding with call authentication. Our suite of Trusted Call Solutions includes Branded Call Display (BCD) for businesses which leverages Rich Call Data (RCD) and an end-to-end call authentication solution.

Beyond providing more context around a call through business location, logo and reason for the call, call authentication verifies a call hasn’t been spoofed. Together, these solutions help ensure consumers can trust who’s calling again and answer the phone without fear of being defrauded.

The STIR/SHAKEN protocols and governance framework are designed to combat illegal call spoofing by verifying caller identities.

  • STIR (Secure Telephony Identity Revisited): is a set of technical standards developed by the Internet Engineering Task Force (IETF) which verify a calling party is authorized to use a specific telephone number.
  • SHAKEN (Signature-based Handling of Asserted information using toKENs): is a framework that introduces a governance model that designates the roles and responsibilities of the policy administrator (STI-PA) and certificate authority (STI-CA), and outlines who is eligible to receive certificates (US carriers with OCNs). It also enables traceback capabilities and a level of trust (attestation) based upon the carrier’s relationship to the telephone number.

What are the STIR/SHAKEN requirements?  

The STIR/SHAKEN requirements for CSPs are:

  • Have an up to date 499-A-Form on file with the FCC
  • Have a Valid Operating Company Number (OCN)
  • Register in the FCC Robocall Mitigation Database (RMDB) to certify what actions you've taken regarding STIR/SHAKEN and robocall mitigation 

To take part in the STIR/SHAKEN ecosystem, service providers must also:

  • Register with the Policy Administrator (STI-PA) which verifies the identity of the carrier to ensure their eligibility.
  • Select a Certification Authority (STI-CA) which ensures requestors of certificates are eligible and their credentials are validated with the STI-PA.
  • Obtain a SPC TOKEN from the STI-PA. The token enables CSPs to request a certificate.
  • Request a certificate from an approved STI-CA. The certificate is required to digitally sign and authenticate calls.

How do I get a STIR/SHAKEN certificate?

To be able to digitally sign and authenticate calls, a CSP must obtain STIR/SHAKEN registration from an approved Certification Authority (STI-CA). To request a certificate, the carrier sends a certificate signing request (CSR) to the Certificate Authority with its associated SPC Token. We are an STI-PA approved Certification Authority.

Under the current Governance Authority rules, a voice service provider must meet certain requirements to receive a STIR/SHAKEN certificate. Specifically, a voice service provider must have a current FCC Form 499A on file with the Commission, have been assigned an Operating Company Number (OCN), and have direct access to telephone numbers from the North American Numbering Plan Administrator (NANPA) and National Pooling Administrator. The Governance Authority reviews this policy on a quarterly basis at least or as needed.

How to Implement STIR/SHAKEN?

The FCC’s initial STIR/SHAKEN implementation date was June, 30 2021; however, service providers were able to apply for an extension. As of June 2022, only 12% of service providers completed their STIR/SHAKEN implementation, while 67% had yet to begin implementation.

To streamline the implementation of STIR/SHAKEN, service providers should select a software solution that performs all the core functions associated with STIR/SHAKEN, including STI-AS, STI-VS, SP-KMS, SKS, SI-CR. These core functions all need to interact with one another in an orchestrated manner to properly sign and verify calls made under the STIR/ SHAKEN framework. Since their interactions are complex and may require network upgrades, they need to be thoroughly tested:

  • Internally: to ensure hardware and software are configured properly
  • With other providers: to validate authentication and verification services are working correctly

How do you become STIR/SHAKEN compliant?

Businesses do not need to take any action to be STIR/SHAKEN compliant. However, all service providers were required to submit certification in the FCC Robocall Mitigation Database to declare what actions they had taken toward implementing STIR/SHAKEN.

The STIR/SHAKEN registration database tracks the compliance status of all carriers’ robocall mitigation efforts (STIR/SHAKEN, robocall mitigation, exemptions, etc.). To appear in this database, CSPs had to also agree to cooperate with the FCC, law enforcement and ITG to investigate and stop any illegal robocalls it learns are using its service to originate calls. Intermediate providers and terminating CSPs will be prohibited from not accepting voice traffic directly from any CSP not in this database. Additionally, carriers were required to block calls from other carriers that did not have a certification on file as of September 28, 2021.

STIR/SHAKEN is an evolving process that continues to be refined to address the dynamic needs of the marketplace, therefore it’s essential to stay up to date with the latest call authentication regulations and standards. The good news is carriers and enterprises alike are seeing value.

Discover how our award-winning Branded Call Display — part of the TruContact Trusted Call Solutions portfolio — leverages STIR/SHAKEN call authentication to help ensure legitimate calls get through and answered. You may also learn more about  Spoofed Call Protection.


Do you have questions? Our team is ready to help.