Third-party vendors are becoming more involved in business operations as time progresses. One survey notes that 75% of businesses saw third-party access grow over the past two years. With this increased reliance on third-party vendors to streamline business processes comes an increase in the risk of a data breach if consumer information is mismanaged and then exploited by opportunistic attackers. When an organization handles consumer credit information, it must take extra precautions to ensure that the data does not fall into the wrong hands. This is a difficult task for a single organization; once a third-party vendor is involved, it is nearly impossible unless security controls are put in place to protect the consumer credit data.
The fact remains that only 52% of companies have security standards in place for their third-party vendors. There could be many reasons for this, but one is likely that organizations do not know where to begin when implementing security processes for their third-party vendors as they relate to credit-based data.
Experian, the largest credit-reporting agency in the world, heard this feedback, saw the writing on the wall, and structured its own certification program, the Experian Independent Third Party Assessment (EI3PA). EI3PA emulates the Payment Card Industry Data Security Standard (PCI DSS), which has 12 requirements and 4 levels of certification. This article addresses how often organizations must be audited if they wish to meet the EI3PA criteria for certification.
Experian Independent Third Party Assessment (EI3PA)
Experian has been operating since 1996 and reports over $4.6 billion in revenue while employing more than 17,000 people, making it the largest of the “Big Three” credit-reporting agencies (alongside TransUnion and Equifax). Experian, like the other credit-reporting agencies, had a rough start in establishing itself as a trustworthy entity in the first part of this century. Case in point: a Vietnamese man ran an online identity theft service by paying for access to Experian's database, and subsequently leaked over 200 million consumer credit profiles to the dark web. Once the dust settled, the U.S. Secret Service arrested the perpetrator, Hieu Minh Ngo. Ngo had succeeded in paying for access to Experian's database and then selling consumer information to identity thieves, totaling more than $1.9 million. All in all, 30 million consumers had their information stolen, which equated to over $65 million in fraudulent tax claims.
Roughly 4 years prior to this breach, in 2009, Experian developed the Experian Independent Third Party Assessment (EI3PA). EI3PA is closely based on the twelve (12) Payment Card Industry Data Security Standard (PCI DSS) requirements, but instead of focusing on the protection of consumer data in general, EI3PA focuses on how a third party protects Experian-provided data. With 63% of all cyber attacks traced either directly or indirectly to a third party, this certification is tremendously valuable to possess, both for the protection of Experian-provided data and for the third parties that use that data. EI3PA is similar to PCI DSS in that compliance with the requirements is mandatory for the organization to continue operating at its current level.
EI3PA applies to all businesses that store, process, or transmit sensitive Experian-provided data. These businesses are required by Experian to undergo an EI3PA assessment by a PCI-QSA on an annual basis. This annual assessment requires the organization to submit proof of a number of documented policies, procedures, and processes that demonstrate its commitment to keeping Experian data safe and secure. EI3PA certification requires an organization to be compliant with approximately 275 criteria that make up its twelve (12) mandated requirements. Although compliance with EI3PA can be challenging, it can also be extremely rewarding for your organization.
PCI DSS/EI3PA Level 1 Certification
The level of compliance that a third party must meet under EI3PA is determined by its annual volume of credit card transactions. To understand which level your organization must comply with and how often you need audits, refer to the PCI DSS 3.2 table below, which details the requirements for each level:
PCI DSS 3.2 Levels
| Level | Affected Businesses | Audit Frequency & Compliance Requirements |
| --- | --- | --- |
| 1 | More than 6 million transactions annually across all channels, including e-commerce | Annual on-site PCI security assessment and quarterly network scans |
| 2 | 1 million to 5,999,999 transactions annually | Annual security self-assessment and quarterly network scans |
| 3 | 20,000 to 1 million transactions annually | Annual security self-assessment and quarterly network scans |
| 4 | Fewer than 20,000 e-commerce transactions annually, and all merchants across channels with up to 1 million transactions annually | Annual security self-assessment and quarterly network scans |
As the table shows, regardless of the EI3PA level your business must comply with, annual audits must take place to assess the security of your systems and those of your third parties.
If a third party processes more than 6 million transactions in a calendar year, it is required to comply with Level 1 PCI DSS certification. Level 1 compliance requires an annual on-site assessment and quarterly network scans. It is extremely important that these assessments are performed by a Qualified Security Assessor (QSA). The good news about the EI3PA security assessments and network scans is that they can be performed by the same QSA at the same time as your PCI DSS assessments. Having the PCI DSS and EI3PA compliance assessments done together requires ample planning, but it can save your organization considerable time and resources if you can pull it off.
An EI3PA audit is an arduous process no matter your level, though. Even at Levels 2 through 4, there are still many requirements your organization must validate to become PCI DSS and EI3PA compliant. Although an on-site security assessment is not a requirement for Levels 2-4, Experian may direct a QSA to perform one if it wishes. If an on-site security assessment is not required for your organization, a QSA can instead review your company's Self-Assessment Questionnaire (SAQ) responses and your submitted documentation to validate your organization's PCI compliance. To ensure that your organization's SAQ is not rejected for being the wrong one for your organization's category, review the table below:
| SAQ | Appropriate For | Requirements | # of Questions |
| --- | --- | --- | --- |
| A | Card-not-present merchants (e-commerce or mail/telephone order) | No electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises | 22 |
| A-EP | e-commerce merchants | No electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises | 191 |
| B | Brick-and-mortar or mail/telephone-order merchants | No electronic cardholder data transmission, processing, or storage | 41 |
| B-IP | Brick-and-mortar or mail/telephone-order merchants | PTS-approved payment terminals with an IP connection to the payment processor, and no electronic cardholder data storage | 82 |
| C-VT | Brick-and-mortar or mail/telephone-order merchants | Virtual terminal on one computer dedicated solely to card processing; no electronic cardholder data storage | 79 |
| C | Brick-and-mortar or mail/telephone-order merchants | Payment application connected to the Internet, but with no electronic cardholder data storage | 160 |
| P2PE | Brick-and-mortar or mail/telephone-order merchants | Must use approved point-to-point encryption (P2PE) devices, with no electronic cardholder data storage | 33 |
| D | Merchants and service providers only | No outsourcing of credit card processing or use of a P2PE solution | 329 |
Report on Compliance (ROC)
One of the main assessments required by the PCI Security Standards Committee (SSC) for Level 1 Visa merchant certification is a Report on Compliance (RoC). The RoC is completed during the PCI DSS audit. Since EI3PA certification is based on an organization being PCI DSS compliant, the RoC is a pivotal document that must be submitted and verified for an organization to become EI3PA compliant. The RoC requires an organization to implement policies and procedures that ensure the continued protection of cardholder data from potential fraud or misuse. For PCI DSS compliance, this relates to Mastercard, Visa, American Express, and Discover, whereas EI3PA compliance pertains solely to Experian.
The RoC is another assessment that must be completed by the same QSA that performs the merchant's compliance audit. When preparing the assessment, the QSA reviews the merchant's processes to confirm that its security methodology is sound. Once all of the merchant's processes have been validated against each requirement, the QSA submits the RoC to the merchant's bank for acceptance. Upon acceptance of the RoC by the merchant's bank, Visa is notified of the merchant's compliance verification.
A Visa merchant must complete the RoC process annually to comply with PCI DSS and EI3PA. To ensure that your organization is not caught off guard by a failed compliance assessment, it is worth performing regular reviews of your compliance measures so that all requirements are implemented and kept up to date. A large focus of your PCI DSS and EI3PA audits should be verifying that appropriate records are kept to maintain compliance and to prove that your controls are correctly configured and working as they should.
Attestation of Compliance (AOC)
Since the number of data breaches attributed to third-party vendors has increased by 22% since 2015, Experian has put more emphasis on its third-party providers being compliant with EI3PA. Organizations at PCI DSS Level 1 (more than 6 million credit card transactions annually) must attest that they comply with the security requirements set forth by the PCI SSC (for PCI DSS compliance) and by Experian (for EI3PA compliance). To have your organization verified, it must submit the following documentation following an annual audit:
- The appropriate Self-Assessment Questionnaire (SAQ)
- A Report on Compliance (RoC) verified by a Qualified Security Assessor (QSA)
Once these documents have been verified after the audit is complete, the QSA sends the Attestation of Compliance (AOC) to the appropriate payment brand. Again, for PCI DSS compliance the AOC is sent to Mastercard, Visa, American Express, and Discover, while for EI3PA compliance the AOC is sent directly to Experian for validation. For Level 1 organizations, it may be beneficial to conduct an annual on-site assessment and periodic remote assessments to maintain network security that lets you manage the flow of consumer data and your compliance cost-effectively. This makes your organization more sustainable and ready to address vulnerabilities in your data infrastructure as they arise, rather than having them caught during an audit.
Closing Thoughts
EI3PA audits can be a difficult and long process to undertake, but in the long run they are a requirement for continuing to use Experian data. Recent studies have shown that out-of-compliance software accounted for 44% of data breaches in 2017, and that is one mistake Experian does not want its third-party vendors to make. Software mistakes of this kind by third-party service providers can serve as entry points for attackers and malware campaigns that ultimately lead to the exposure of sensitive customer data.
With third-party usage growing immensely in the past several years, the EI3PA certification comes at the perfect time to combat customer card data breaches that could tarnish the reputation of both Experian and the organization that experienced the breach.
In the modern age of credit reporting and data management, where your operation could be devastated by a data breach, sustainability and effective security management mean everything. Ensuring that your organization follows the correct avenues to submit your SAQ, RoC, and AOC to the appropriate payment brands is paramount to continued operational success. Planning and structuring your information security policies, processes, and procedures to ensure effective implementation of and compliance with Experian's EI3PA requirements will ensure the sustainability of your third-party service provider operation.
For further questions regarding our EI3PA compliance service or other cyber security solutions, contact RSI Security today.