Back in 2007, in response to the pretexting controversy, the FCC strengthened its CPNI rules to require telecommunications carriers to authenticate a subscriber’s identity before providing call detail information. The FCC rules required carriers to authenticate customers with a password or some other information that does not rely upon "readily available biographical information" before providing telephonic, online or in-store access to CPNI, including call detail information.
These rules presented a particular difficulty for prepaid calling card providers, who typically do not have the same type of information available to them about the identity of their customers. In response to a prepaid card provider’s petition seeking relief from the authentication rules, the FCC’s Wireline Competition Bureau has issued a waiver to all prepaid calling card providers to allow them to authenticate users solely by virtue of the PIN assigned to the card if the prepaid card provider does not have other identifying information on the end user. Under the waiver, the prepaid card provider may provide call detail information to a caller if the caller provides the PIN as authentication.
However, it is important to note that this waiver does not apply if the prepaid card provider has telephone numbers or addresses of record for the customer. Moreover, the FCC ruling concludes, for the first time, that an email constitutes an address of record for this purpose (see fn. 8). Thus, for “no pin” customers, the prepaid card provider should authenticate the customer via the telephone number(s) registered with the account. For cards purchased online, which are then delivered to an email address, the prepaid card provider should authenticate the customer using the email address provided. It is only for prepaid cards sold through traditional retail store distribution channels that a provider will lack any identifying information other than a PIN.