What Is EI3PA?

Consumers today are becoming more and more savvy when it comes to their personal information.

Worries of credit card fraud and identity theft mean that companies have to be diligent with the information entrusted to them.

After seeing news of large data breaches at companies such as Facebook and Equifax, people want to know that the companies using their data are taking all reasonable measures to protect their information and to guard against identity theft.

If your company deals with credit information from Experian, you will need to ensure you meet EI3PA compliance guidelines.

What Is EI3PA?

EI3PA stands for Experian Independent 3rd Party Assessment.

It is an assessment of the ability of Experian resellers to protect the customer information they purchase from Experian.

This standard is closely related to the Payment Card Industry Data Security Standard (PCI-DSS).

The requirements of the EI3PA assessment follow the same goal-and-requirement layout as PCI-DSS and include the following:

  • Build and maintain a secure network
      • Install a firewall to protect customer data
      • Ensure system passwords are changed from the vendor defaults
  • Protect credit history information
      • Encrypt transmission of data when sending it over unsecured networks
  • Maintain a vulnerability management program
      • Keep anti-virus software up-to-date
  • Implement strong access control
      • Restrict access to customer data to those who have a need-to-know
      • Assign a unique ID to every person who has access to the systems where this information is stored
  • Monitor and test networks regularly
  • Maintain an Information Security Policy, and ensure all employees are familiar with this policy

These are the minimum standards for protecting Experian customer information.

It is important for Experian to ensure that all vendors and resellers with access to customer information are taking adequate measures to protect it from fraud and identity theft.

After all, a data breach can have wide-reaching consequences, both financially and for your company’s reputation.

Who Needs To Be EI3PA Compliant?

Any organization which transmits, stores, processes, or provides consumer credit data from Experian is considered a Level 1 reseller and must comply with this standard.

Essentially, if you have access in any form to consumer data from Experian, you need to comply.

Level 1 resellers of Experian information cannot self-assess; a third party must perform the assessment.

As the EI3PA is closely based on the Payment Card Industry Data Security Standard (PCI-DSS), any organization that already meets PCI-DSS is most likely already compliant, or close to it.

Resellers, as well as Experian themselves, face large risks if customer data is not adequately protected.

Who Can Do An EI3PA Assessment?

EI3PA assessments for Level 1 resellers must be performed by a 3rd party Qualified Security Assessor (QSA), such as 1st Secure IT.

Additionally, Experian will sometimes perform random security compliance audits to verify that providers are meeting all security policy requirements.

If you do not meet the conditions for being a Level 1 reseller, and you have approval from Experian Information Security, you may be able to perform a Level 3 Self-Assessment instead.

In addition to the EI3PA assessment, resellers' networks must be scanned for vulnerabilities every quarter.

These scans must be done by an Approved Scanning Vendor (ASV), which will often be the same firm as your QSA.

Note that quarterly scans are required for both Level 1 and Level 3 resellers.

Contact 1st Secure IT

Is EI3PA compliance a concern for you?

If you are dealing with consumer credit history information, it should be.

Do you need a level 1 assessment performed, or guidance for performing a self-assessment?

1st Secure IT can help.

Contact us today to help you become EI3PA compliant, or to prepare for an audit.

Acting as an Experian reseller without being EI3PA compliant can have a major impact on your business if it is discovered, and the consequences are worse still if you suffer a data breach while noncompliant.

Contact 1st Secure IT today, and take the steps you need to keep your business secure in an uncertain digital world.

1st Secure IT

4613 N. University Drive #323
Coral Springs Florida
(866) 735-3369

Cyber Security Risk Management and Consulting Services | 1st Secure IT | When Compliance Is Not Enough

Wednesday, 16 October 2019