EI3PA Compliance
Ensure Your Consumer Credit Information from Experian is Secure and Compliant With Industry Regulations
Meeting industry standards for the protection of consumer credit information is a critical security requirement if you store, process, transmit, or provide data from the credit bureau, Experian.
Is Your Organization Prepared?
In 2009, Experian created a set of requirements to promote stronger protection of consumer credit information. These requirements are known as the Experian Independent Third Party Assessment (EI3PA) standard. EI3PA is based on the Payment Card Industry Data Security Standard (PCI DSS) and establishes 12 requirements that organizations must meet to protect data supplied by Experian. It also mandates that every such organization have a Qualified Security Assessor (QSA) perform a third-party audit to demonstrate compliance.
Who is Affected?
The EI3PA came about because Experian wanted to make sure that credit history information shared with its partners was secured appropriately. Rather than create a new standard from scratch, Experian adopted the PCI Data Security Standard (PCI DSS). The PCI DSS outlines the controls that should be in place to protect cardholder data (credit card numbers); under EI3PA, each control applies to credit history information instead of credit card data. This means a third party handling Experian credit histories must comply with each of the 12 PCI DSS requirements. The requirement categories are listed below (read “cardholder data” as “credit history data”):
The 12 Experian Independent Third Party Assessment (EI3PA) requirements:
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need to know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for all personnel
Don't Wait Until the Last Minute to Meet New Compliance Standards!
Contact MDS today to receive expert guidance on how to get your security program up and running.
Our Pledge:
Building out and maintaining your IT ecosystem doesn’t have to be a do-it-yourself project. MDS can help identify network issues, configure devices, and optimize your infrastructure to maximize efficiency and performance. Our consultants are highly trained technology specialists who understand the complexities of multi-vendor environments and have the knowledge and skills to help your business become more agile, customer-focused, and operationally efficient.
Contacts:
NYC Headquarters:
307 West 38th Street, Suite 1801
New York, NY 10018
Tel: 646-744-1000
Miami Office: Tel: 786-899-2980
San Juan Office: Tel: 646-460-6229
Email: contactus@mdsny.com