EI3PA Requirements - Build And Maintain A Secure Network

EI3PA, which is an acronym for “Experian Independent Third Party Assessment,” is a list of requirements that they enforce with third parties who have access to credit history information.

EI3PA is based entirely on PCI DSS – or PCI data security standard – and it demands that any business who handles credit histories complies with all twelve requirements.

This essentially means that any company seeking to do business utilizing credit histories must build and maintain a secure network in order to do so.

What Are The 12 EI3PA Requirements?

Although we are only going to deal with the first two in this article, there are twelve EI3PA requirements in total.

Each of these twelve requirements fall under six sub-categories, which you will find below.

Build & Maintain A Secure Network

Requirement 1: Install & maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain A Vulnerability Management Program

Requirement 5: Use and regularly update antivirus software

Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know

Requirement 8: Assign a unique ID to each person with computer access

Requirement 9: Restrict physical access to cardholder data

Regularly Monitor & Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

Maintain An Information Security Policy

Requirement 12: Maintain a policy that addresses information security


Each of the above is critical to your business achieving EI3PA compliance. In this article, we’ll talk about the first two.

So let’s start at the beginning.

Requirement 1: Install & maintain a firewall configuration to protect cardholder data

The first requirement covers installing and maintaining a firewall to protect the cardholder data – further, it needs to be configured for both inward and outward traffic, and is preferably configured within different wireless networks for security.

It makes recommendations regarding the configurations of firewalls and routers, mobile devices, and employee-owned devices that access the network.

It asks that you ensure untrusted networks are not gaining access to any of your system components in the cardholder data environment – direct public access from the internet to any system component in the cardholder data environment should be prohibited entirely.

When it comes to personal devices, they should have personal firewall software that remains running and cannot be altered by either the carrier or the employee.

To ensure tampering doesn’t happen, we recommend a periodic audit of a sample of employee-owned devices to ensure compliance with standards.

As well, the EI3PA requirements make the excellent point that all the security policies and operational procedures that a company implements regarding EI3PA be well documented, kept up to date, and is communicated properly to all stakeholders.

This point is particularly important, because once the setup is completed, businesses sometimes forget that use, customer needs, and vulnerabilities change over time, thus affecting the rules that need addressing to keep you up to date and compliant.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

While it may seem obvious, you’d be surprised how often people forget to update passwords.

Requirement number two requires all vendor-supplied defaults for system passwords and other security parameters be changed, because these are known to hackers and can be easily guessed.

Standards should be set in place for configuring system components, and should be consistent with industry standards.

Utilize strong cryptography for non-console administrative access, and appropriate technology for web-based management, or where called for.

Remember, as well, that any shared hosting providers must protect each hosted environment, especially the cardholder data.

Once again, documentation is important, because it allows a company to monitor the parts of the whole to ensure that no weak links are left untended.

When auditing this requirement, you should check to ensure that each system component has their functionality included.

If you wish to go the extra mile, and ensure the list of hardware and software components that you are verifying are being kept updated by personnel at all times, a survey or interview with employees is a best practice to ensure their commitment to the updates.

Contact 1st Secure IT

No matter whether you need help preparing for EI3PA or managing your business once you are in partnership, 1st Secure IT can help you achieve EI3PA compliance and stay that way.

Your job is to manage your business – we exist because experts are needed in this field, and we are dedicated to insuring that your network is both secure AND compliant with requirements.

Call 1st Secure IT now to schedule an audit and discussion about vulnerabilities and opportunities.

1st Secure IT

4613 N. University Drive #323
Coral Springs Florida
(866) 735-3369

Cyber Security Risk Management and Consulting Services | 1st Secure IT | When Compliance Is Not Enough

What Is EI3PA?


No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Wednesday, 16 October 2019

If you need help getting started... Contact Us!