In 2009 Experian established a requirement for its resellers to undergo an independent third-party security assessment. The Experian security standard is closely based on the Payment Card Industry Data Security Standard (PCI DSS), and as a PCI-approved QSA company we are authorized to determine how well you are protecting this information, both externally and internally, from unauthorized users. The Experian Independent 3rd Party Assessment (EI3PA) is an annual assessment of an Experian 3rd Party Processor's ability to protect Experian's data. If your company processes, stores, or transmits credit information provided by Experian, you may be required to have your systems assessed by a Qualified Security Assessor (QSA) company such as 1st Secure IT.
Experian chose to adapt the Payment Card Industry Data Security Standard (PCI DSS) processes to the credit industry in its own EI3PA compliance program, which differs from PCI DSS in two ways:
1. EI3PA assesses how a reseller protects the sensitive personal information Experian provides, rather than cardholder data.
2. The merchant level and its corresponding reporting requirements are approved solely by Experian, not by the card issuer or issuing bank.
If you are facing an EI3PA assessment for the first time, it can seem a daunting task. As a Payment Card Industry Qualified Security Assessor (PCI QSA), 1st Secure IT can provide your organization with a comprehensive security assessment against the Experian Data Security Standard, which will help determine how securely you are protecting Experian credit information. Please see our Frequently Asked Questions below. For additional information on Experian's Independent Third Party Assessment, you may call us at 866-735-3369 or fill out our "Contact" page, and an auditor will call you to arrange a detailed presentation.
Experian EI3PA Frequently Asked Questions
1. What is EI3PA?
• Experian’s Independent 3rd Party Assessment is an annual assessment of an Experian Reseller’s ability to protect the information they purchase from Experian.
2. What does EI3PA require?
• EI3PA requires an evaluation of a Reseller’s information security by an independent assessor, based on requirements provided by Experian.
• EI3PA also establishes quarterly scans of networks for vulnerabilities.
3. Why must Experian Resellers comply with it?
• Experian and its Resellers face significant risks if the consumer information we provide is not adequately protected. Experian would violate its principles of exercising due care and due diligence by selling its products and services to customers who cannot protect them at least as well as Experian does. Protecting the consumer data entrusted to both Experian and its resellers is the right thing to do.
4. What level of assessment do we need to have performed?
• If Experian data is received by, stored and maintained on, and/or delivered from the Reseller’s systems, Level 1 is required.
• Nearly all Experian Resellers will require a Level 1 assessment.
• The assessment level for EI3PA is not determined in the same way as under PCI DSS, since the number of credit card transactions a company conducts is not relevant to EI3PA.
5. Who must perform the assessment?
• Experian’s policy is that the same vendors who perform assessments for PCI compliance are qualified to perform assessments for EI3PA.
• The assessment must therefore be performed by a Qualified Security Assessor (QSA) as defined and listed by the PCI-SSC on their website.
6. Who must perform the quarterly scans?
• Experian’s policy is that the same vendors who perform scans for PCI compliance are qualified to perform scans for EI3PA.
• Scans must be performed by an Authorized Scanning Vendor (ASV) as defined and listed by the PCI-SSC on their website. In many cases, this may be the same vendor as your QSA.
7. Can we perform the assessment ourselves?
• If Level 1 conditions do not exist for a Reseller, and with the approval of Experian Information Security, you may perform a Level 3 Self-Assessment.
• Resellers may only qualify for this if they use a Technical Provider for all of their computer systems and do not store any Experian-provided data on their own systems.
• A Technical Provider is sometimes referred to as an ASP (Application System Provider) or SaaS (Software as a Service).
• All Technical Providers must be identified on Experian’s list of current certified technical providers, as set forth in the Reseller Security Certification Policy.
8. What other points about the level of assessment do we need to know?
• A Level 3 Self-Assessment Questionnaire (SAQ) may be performed if the Level 1 conditions do not exist for a Reseller, with the approval of Experian Information Security.
• Both Level 1 and Level 3 require quarterly scans.
9. What are Experian’s requirements when using IaaS (Infrastructure as a Service) or PaaS (Platform as a Service) cloud providers such as Amazon AWS?
• The EI3PA Level 1 certification requirements still apply, since the majority of the EI3PA security requirements are either the responsibility of the reseller or shared between the reseller and the cloud provider.
• Cloud providers must have undergone independent audits and be compliant with one or more of the following standards, or a current equivalent approved/recognized by Experian:
- ISO 27001
- PCI DSS
- SSAE 16 – SOC2 or SOC3
10. What form does the assessment report take?
• The expected deliverable at the end of EI3PA is the Report on Compliance (RoC).
• The form for this is provided with the EI3PA requirements documentation.
• Reports on Compliance and all results of EI3PA assessments as well as any other related artifacts are maintained as Confidential under Experian’s Information Security Policy.
11. Where can I get more information?
• The Experian Reseller Compliance Website contains details of the requirements for EI3PA.
• Updates, alerts, and changes are also posted as they become available.
• Your account executive can provide details regarding access to this resource.
• The EI3PA Mailbox.