Experian Independent Third Party Assessment (EI3PA) Certification & Audits

NDB provides Experian Independent Third Party Assessment (EI3PA) certification, audit, and compliance services for organizations involved in the processing, storage, or transmission of credit information obtained from Experian, which is deemed sensitive.  Additionally, NDB offers a complimentary EI3PA Policy Packet for every client we work with.  Generally speaking, the EI3PA certification is very similar to PCI DSS compliance, but with some differences, such as the following: (1) EI3PA is geared towards the protection of Experian-provided data, whereas PCI DSS focuses on cardholder data, and (2) EI3PA approval rests with Experian alone, unlike PCI DSS, where the major payment brands, the Payment Card Industry Security Standards Council (PCI SSC), and other interested parties all have a voice regarding PCI DSS compliance.

NDB - North America's Leading Provider of Fixed-Fee EI3PA Assessments

Much like PCI DSS compliance, EI3PA has defined levels, along with requirements for quarterly vulnerability scans.  In fact, you may often have heard that it is essentially identical to PCI DSS, with the requirements for "cardholder data" replaced by those for "Experian-provided data," which is a fairly accurate statement.  As for the process of becoming EI3PA certified, it generally begins with Experian itself (the Experian Information Security Department) notifying a reseller or other intended party that EI3PA certification is required.  And much like PCI DSS, a QSA can conduct the actual Level 1 assessment.  NDB's EI3PA certification, audit, and compliance services consist of the following:

• EI3PA Readiness Assessment and Gap Analysis
• Remediation (as necessary from the Gap Analysis findings)
• Scanning and Penetration Testing Services
• Onsite fieldwork along with additional remote-fieldwork activities
• Report preparation, closing meeting, followed by issuance of EI3PA Report on Compliance

EI3PA and PCI DSS Framework

Though Experian does not make the specific guidelines for its Independent Third Party Assessment (EI3PA) certification available to the general public, simply reviewing the PCI DSS standard will give you a thorough understanding of the EI3PA scope.  At a high level, the EI3PA scope is very similar to the following twelve (12) Requirements within PCI DSS:

Build and Maintain a Secure Network
• Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
• Requirement 3: Protect stored cardholder data
• Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
• Requirement 5: Use and regularly update anti-virus software
• Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
• Requirement 7: Restrict access to cardholder data by business need-to-know
• Requirement 8: Assign a unique ID to each person with computer access
• Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
• Requirement 10: Track and monitor all access to network resources and cardholder data
• Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
• Requirement 12: Maintain a policy that addresses information security

Please visit the PCI Security Standards Council site to learn more.  Additionally, please visit NDB's site dedicated specifically to the Payment Card Industry Data Security Standard, at pciassessment.org.  Because of the similarities between PCI DSS and EI3PA, organizations would also benefit greatly from reading PCI-QSA Charles Denyer's comprehensive white paper titled "PCI Remediation Plan | A 12 Step Process That Works," which explains in detail the steps organizations should undertake not only in remediating for PCI, but in planning for the assessment process itself.  The same approach can be applied directly to EI3PA.  Furthermore, contact NDB's lead PCI-QSA, Charles Denyer, at 1-800-277-5415, ext. 705, or email him directly, to learn more about NDB's Experian Independent Third Party Assessment (EI3PA) certification, audit, and compliance services.

From I.T. consultants to seasoned regulatory compliance auditors, our firm's expertise is wide, cross-functional, and deeply experienced across all of our service lines.