Last year, 56% of organizations were hit by a breach caused by one of their third party vendors. Let that sink in for a moment.
56%.
What has been the cause for the uptick in third party breaches lately? Supply chain attacks. These coordinated, front-line network assaults can be difficult for businesses to tackle internally. When you’re also working with third-party vendors that are utilizing your network, maintaining a high security posture during operating hours (which for some may end up being 24/7) can be near impossible. Unless these third-party vendors operate entirely under the same roof or network as your business, you won’t have the same level of control over credit-based compliance efforts as you would with your own internal operations. This lack of consistent control over credit-based compliance can leave your company in a tailspin after being hit by a devastating supply chain attack.
These supply chain attacks target companies of any size, but instead of trying to hack the company itself, the hackers opt to find kinks in the armor of that company’s third party vendors. These third-party vendors have either been responsible for storing the credit card information of customers that the company has done business with for legal purposes or for transactional purposes.
When the customer’s credit information is not appropriately handled, stored, and encrypted, it can cause widespread damage to potentially millions of people’s credit profiles. This is where Experian has stepped in recently to solve this quandary via the implementation of the Experian Independent Third Party Assessment (EI3PA). This article will discuss what EI3PA is and the benefits of hopping on the bandwagon to being EI3PA compliant.
Experian Independent Third Party Assessment (EI3PA) Overview
Experian has been a main provider of consumer credit information since its launch in 1996. For over 20 years since its launch, Experian has made it a point to configure their processes for the benefit of consumers. Experian isn’t perfect, as is apparent via the $3 million fine that they were issued by the Consumer Financial Protection Bureau (CFPB) in March 2017. The cause for the fine was due to lenders not using Experian scores to make their consumer credit decisions. This goes against Experian’s marketing that dictates that these lenders should be using the Experian consumer credit score to make the most appropriate credit decision. This type of deception is the reason for the $3 million fine. Thankfully, Experian is committed to transparency and security in their operations and processes, as is apparent via their efforts to offer free services that allow consumers to have more control over their Experian credit score.
To date, the only consumer data that has been breached via Experian has been via a shared database. The most recent breach was the public exposure of data from over 123 million U.S. households from marketing analytics firm, Alteryx in late 2017. This is an unfortunate breach of security that could have been easily deterred via the incorporation of Payment Card Industry Data Security Standards (PCI DSS) by the third-party provider. Long before this data breach, Experian developed the Experian Independent Third Party Assessment (EI3PA) in 2009 that is closely based on PCI DSS compliance standards.
At a high level, the EI3PA scope would be very similar to the following twelve (12) Requirements within PCI:
PCI Data Security Standard (DSS) Overview |
||
| # | Goals | PCI DSS Compliance Requirement |
| 1 | Build and Maintain a Secure Network | Install and maintain a firewall configuration to protect cardholder data. |
| 2 | Do not use vendor-supplied defaults for system passwords and other security parameters. | |
| 3 | Protect Cardholder Data | Protect stored cardholder data. |
| 4 | Encrypt transmission of cardholder data across open, public networks. | |
| 5 | Maintain a Vulnerability Management Program | Protect all systems against malware and regularly update anti-virus software or programs. |
| 6 | Develop and maintain secure systems and applications. | |
| 7 | Implement Strong Access Control Measures | Restrict access to cardholder data by business need-to-know. |
| 8 | Identify and authenticate access to system components. | |
| 9 | Restrict physical access to cardholder data. | |
| 10 | Regular Monitor and Test Networks | Track and monitor all access to network resources and cardholder data. |
| 11 | Regularly test security systems and processes. | |
| 12 | Maintain an Information Security Policy | Maintain a policy that addresses information security for all personnel. |
The 12 PCI DSS requirements outline the necessary controls that must be implemented by organizations to increase the amount of security is present for cardholder data.
In short, the EI3PA are requirements that Experian imposes on those independent third party companies that have access to Experian consumer credit information. EI3PA requires third party companies that handle Experian implement these 12 PCI DSS requirements as well as improve key areas of their organizational infrastructure surrounding the protection of consumer credit information. All in all, EI3PA compliance means that a third party must embody 12 primary requirements that act to assess their security measures in protecting consumer data.
The 12 EI3PA requirements include protecting stored data, physically restricting access to data, and encrypting data across public networks. Each of these 12 EI3PA requirements applies to credit history information instead of credit card data which is what PCI DSS focuses on. Any reseller that transmits, stores, processes, or provides consumer credit data from Experian is required to adhere to these EI3PA requirements.
Third party companies that provide these services with Experian consumer credit information are required to demonstrate compliance with EI3PA. They must showcase to a third party Qualified Security Assessor (QSA) that they can appropriately secure their database of consumer credit information that they receive from Experian.
The QSA must be on-site for the assessment which makes the process of compliance that much more intricate and difficult to adhere to for third party companies that deal with higher volumes of credit card transactions.
EI3PA/PCI DSS Compliance
As mentioned earlier, the EI3PA certification is heavily based on PCI Data Security Standards (DSS). Although both are incredibly similar to each other, there are some main differences of EI3PA and PCI DSS to achieve full compliance. The main difference is subtle, but important to remember; EI3PA is based on the protection of Experian-provided data, whereas PCI DSS focuses on sensitive cardholder data (SAD). Another difference is that PCI DSS compliance requires the sign off from major payment brands and the PCI Security Standards Council (SSC), whereas EI3PA compliance requires only the verification of compliance by Experian.
The process of becoming EI3PA certified begins with Experian requiring the company to adhere to EI3PA to continue performing transactions that contain Experian consumer credit information. Although not much of the EI3PA information is made publicly available, we will be happy to give you more information on how your organization might benefit from the certification. Below is a table of the top 10 benefits for becoming EI3PA compliant (in no particular order):
10 benefits for becoming EI3PA compliant: |
|
| 1 | Experian provided consumer Credit Data Environment Scope Identification and Reduction |
| 2 | Credit Data Security Risk Management |
| 3 | EI3PA Compliance |
| 4 | Increased Business Value |
| 5 | Increased Customer Trust and Organizational Reputation |
| 6 | Effective Information Security Program |
| 7 | Repeatable Compliance Processes and Compliance Activities as Business-As-Usual |
| 8 | Increased Credit Data Security Awareness |
| 9 | Effective Incident Response Planning |
| 10 | Quality Reporting on EI3PA Compliance |
The good thing about the EI3PA compliance process is that your organization can have your compliance assessment configured by the same vendors that perform assessments for PCI compliance. If the QSA is certified to carry out a PCI DSS compliance assessment, the same QSA will be able to carry out your EI3PA assessment. This can be incredibly convenient and cost-effective for scheduling purposes. Your organization might be better off in the long run to work with a QSA that can perform the necessary annual and quarterly assessments for EI3PA and PCI DSS at the same time.
EI3PA must be renewed within one-year from the date of current certification. This is since the requirements are updated regularly by Experian, thus ensuring that independent third parties have the most updated understanding of how to protect consumer credit information. To ensure compliance is adhered to always, independent third parties are required to consistently test their web applications, network, and onsite wireless access points. This should be done via performing a gap analysis, onsite compliance reporting, vulnerability scans, and much more.
Once the QSA submits the report for certification, Experian will review and confirm the details of the supporting documentation to ensure it meets EI3PA requirements. Once the requirements are verified, a certification letter is sent out to the organization in writing by Experian that will outline the effective dates of the EI3PA certification. If the organization wishes to proclaim that they are EI3PA Level 1 certified for marketing or branding purposes, their marketing materials must follow Experian’s branding guidelines.
Vulnerability Scanning
Vulnerability scanning is the inspection of your organization’s network to ensure that there are no gaps in its security for hackers to exploit. These scans focus on testing company computers, networks, and other equipment. If any vulnerabilities are present within the network by the Approved Scanning Vendor (ASV), the organization is then prompted with recommendations that allows them to configure the appropriate countermeasures to ensure that points of entry to the network can be remediated. To be EI3PA compliant, third parties must have a PCI-authorized ASV scan their external facing networks on a quarterly basis to ensure that no new vulnerabilities have been introduced to the network as changes are being implemented. These quarterly scans can be extremely beneficial both as a means of increasing network security and improve organizational processes. The more effort that the organization puts into planning for the scans, the more positives they will likely get out of the process.
Network Penetration Testing
Penetration testing is similar to vulnerability scanning, but requires more expertise to administer as it cannot be automated. In a penetration test, the main goal is to identify potentials sites for security breaches in your processes for storing, using, and encrypting data. To maintain EI3PA compliance, organizations are required to perform network-layer penetration testing at least annually per PCI DSS Requirement 11.3.1. The organization must also perform a penetration test after any significant infrastructure upgrade or modification. Penetration tests can provide you with a third-party expert opinion that will give you a unique solution that can increase your company’s network security.
Wireless Assessment
Third-party organizations that maintain wireless access points in their payment card network are required to test for the presence of all wireless access points via the use of a wireless analyzer on at least a quarterly basis to comply with EI3PA and PCI DSS requirement 11.1. These wireless assessments must be performed by an independent assessor based on Experian’s EI3PA requirements. These wireless assessments area extremely important as they can assist administrators in quickly identifying which wireless devices are connecting to their network via an unauthorized access point. If an unauthorized access point were to be breached by one of these devices, the organization’s entire consumer credit information database could be compromised.
EI3PA Legal Compliance
EI3PA compliance can give your organization the tools it needs to continue to safeguard your organization’s assets and the Experian consumer credit information that you are utilizing. Experian provided data is also legally binding as it is required by organization to comply with the following laws:
- GrammLeach-Bliley (GLB) Safeguards Rule
- Fair Credit Reporting Act (FCRA)
- Federal Trade Commission Act
Non-compliance with EI3PA can cause your organization to be blacklisted from Experian until you achieve compliance. Experian does this to protect its consumer credit information from being exposed to the possibility of internal legal risk.
Final Thoughts
Complying with EI3PA requires that third party organizations follow strict, yet beneficial requirements that ensure that Experian customer data is protected from the possibility of a data breach or a supply chain attack. As your organization becomes more adept at complying with PCI DSS and EI3PA requirements, you will find that your processes will be more secure. This added credit information protection is important to your customers.
An EI3PA certification will put your organization in the best position to succeed in securing the consumer data that Experian has called on you to protect. Having a valuable ally such as Experian on your company’s side as it progresses will help it grow more sustainably without the risk of a data breach in the future. For further questions regarding EI3PA compliance or other cybersecurity solutions, please contact RSI Security today.