EI3PA Compliance

Ensure Your Consumer Credit Information from Experian is Secure and Compliant With Industry Regulations

Meeting industry standards for the protection of consumer credit information is a critical security requirement if you store, process, transmit, or provide data from the credit bureau Experian.

Is Your Organization Prepared?

In 2009, Experian created a set of requirements to promote stronger protection of consumer credit information. These requirements are known as the Experian Independent Third Party Assessment (EI3PA) standard. EI3PA is based on the Payment Card Industry Data Security Standard (PCI DSS) and establishes 12 requirements for organizations to comply with to protect data supplied by Experian. It also mandates that all organizations have a qualified security assessor (QSA) perform a third-party audit to demonstrate compliance.

Who is Affected?

The EI3PA came about because Experian wanted to make sure that credit history information shared with its partners was secured appropriately. Rather than create its own standard from scratch, Experian simply adopted the PCI Data Security Standard (PCI DSS). The PCI DSS outlines controls that should be in place to protect cardholder data (credit card numbers). Under EI3PA, each control applies to credit history information instead of credit card data. This means a third party handling Experian credit histories will need to comply with each of the 12 PCI DSS requirements. The requirement categories are as follows (just replace “cardholder” with “credit history”):


The 12 Experian Independent Third Party Assessment (EI3PA) requirements:

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software or programs


Requirement 6: Develop and maintain secure systems and applications


Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need to know

Requirement 8: Assign a unique ID to each person with computer access

Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes


Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for all personnel


Don't Wait Until the Last Minute to Meet New Compliance Standards!

Contact MDS today to receive expert guidance on how to get your security program up and running.

Our Pledge:

Building out and maintaining your IT ecosystem doesn’t have to be a do-it-yourself project. MDS can help identify network issues, configure devices, and optimize your infrastructure to maximize efficiency and performance. Our consultants are highly trained technology specialists who understand the complexities of multi-vendor environments and have the knowledge and skills to help your business become more agile, customer-focused, and operationally efficient.

Contacts:

NYC Headquarters:
307 West 38th Street, Suite 1801
New York, NY 10018
Tel: 646-744-1000

Miami Office:
Tel: 786-899-2980

San Juan Office:
Tel: 646-460-6229

Email: contactus@mdsny.com