In March of 2008, 134 million credit cards and the underlying data were stolen by spyware installed on the Heartland data systems via an SQL injection. Prior to the security breach, Heartland was processing over 100,000,000 card transactions a month for nearly 200,000 small to mid-sized retailers. This breach remained undiscovered until over six months later, in January of 2009, when MasterCard and Visa alerted Heartland to suspicious activity and transactions. It was soon discovered that Heartland was out of compliance with the Payment Card Industry Data Security Standard (PCI DSS). As a result, they were not allowed to process card payments until they were found in compliance, which took six months; they were required to pay over $145,000,000 in compensation for fraudulent payments; and they lost thousands of customers due to their negligence. Now, Heartland is a company capable of weathering such a storm, but if you are a smaller online business, such a breach could wreck your company, and being found out of compliance can carry hefty fines.
It should come as no surprise that access to credit card data carries substantial risk. In 2009, Experian, a consumer credit reporting agency that gathers and aggregates data on more than 235 million U.S. consumers and 25 million U.S. businesses, created the Experian Independent 3rd Party Assessment (EI3PA) compliance program. The purpose of this compliance program was to alleviate cyber threats by making sure third parties satisfactorily protect consumer data. As a result, platform providers, technical providers, and agents of end users must annually re-evaluate their compliance through the lens of the EI3PA standard. This data protection is also mandated by several laws including the Federal Trade Commission Act, the Fair Credit Reporting Act, and the Gramm-Leach-Bliley Act. Non-compliance with this Experian 3rd Party Assessment compliance program can prevent a business from accessing Experian data and leaves them liable. If you have an online business, it is essential that you acquire your level 1 EI3PA certification and achieve EI3PA compliance. Below, we will discuss the specific requirements for online businesses and teach you how to be EI3PA certified.
EI3PA Certification
Before the EI3PA was created, Experian and its resellers would face significant blowback if their consumer information was not safe and secure. In order to protect their customer data and prevent a data breach such as what occurred at Heartland, Experian created the EI3PA. This quickly became a requirement for any business that delivered, transmitted, saved or processed Experian data. Such companies were required to achieve compliance via a technical certification from an outside QSA (Qualified Security Assessor). This certification would have to be maintained and in compliance at all times.
If your company processes, stores or transmits credit information provided by Experian, you may be required to have your policies and procedures assessed to demonstrate the ability to protect Experian provided data both externally and internally, from unauthorized users.
EI3PA requires an evaluation of a Third Party’s information security program and controls by an independent assessor, based on requirements provided by Experian. An Experian Independent Third Party Assessment (EI3PA) consists of security controls and compliance requirements adapted from PCI-DSS payment card security standards. Experian’s policy is that the same vendors who perform assessments for PCI-DSS compliance are qualified to conduct evaluations for EI3PA.
Achieving EI3PA level one compliance offers your company a competitive edge; it signals that you are a business of repute, and it maintains, if not increases, the value of your company by protecting you from a data breach, customer loss, litigation, monetary loss, and brand attrition.
EI3PA Compliance allows you to prove an unflagging commitment to safeguarding Experian data by maintaining security standards meant to prevent consumer credit data security breaches.
Obtaining EI3PA Level 1 Certification
An EI3PA certification is not all that different from standard PCI DSS compliance; basically, you simply replace the requirements for “cardholder data” with those for “Experian-provided data.” Also, Experian alone must approve EI3PA certification, whereas with PCI DSS the Payment Card Industry Security Standards Council, the major payment brands, and other parties have some say in regard to PCI DSS compliance.
Similar to PCI DSS compliance, EI3PA has several levels of certification and requires regular vulnerability scans. To begin the process of achieving EI3PA level 1 certification, Experian's Information Security Department will notify a reseller or online business that EI3PA is necessary. Like PCI DSS, a qualified security assessor can handle the Level 1 assessment.
According to the PCI Security Standards Council, Qualified Security Assessor (QSA) companies are “independent security organizations that have been qualified by the PCI Security Standards Council to validate an entity's adherence to PCI DSS. QSA Employees are individuals who are employed by a QSA Company and have satisfied and continue to satisfy all QSA Requirements.” If you wish to find or verify a QSA employee, go to the PCI Assessors and Solutions page and scroll down. You can search by last name, first initial, or certificate number to verify their certification status.
Unfortunately, Experian does not give the general public the specific guidelines for achieving its EI3PA certification; however, the PCI DSS standards give us a good barometer of what is required by EI3PA and allow us to get a general scope of what a QSA is looking for. This scope is nearly identical to the 12 PCI requirements. According to PCI's website, these requirements include:
- Build and Maintain a Secure Network
  - Requirement 1: The business must install and maintain a firewall configuration created expressly to protect cardholder data.
  - Requirement 2: You should never use vendor-supplied defaults for system passwords and other security parameters.
- Protect Cardholder Data
  - Requirement 3: Protect stored cardholder data.
  - Requirement 4: Encrypt transmission of cardholder data across open, public networks.
- Maintain a Vulnerability Management Program
  - Requirement 5: Use and regularly update anti-virus software.
  - Requirement 6: Develop and maintain secure systems and applications.
- Implement Strong Access Control Measures
  - Requirement 7: Restrict access to cardholder data by business need-to-know.
  - Requirement 8: Assign a unique ID to each person with computer access.
  - Requirement 9: Restrict physical access to cardholder data.
- Regularly Monitor and Test Networks
  - Requirement 10: Track and monitor all access to network resources and cardholder data.
  - Requirement 11: Regularly test security systems and processes.
- Maintain an Information Security Policy
  - Requirement 12: Maintain a policy that addresses information security.
Once you have confirmed that you are compliant with these requirements, you may begin an audit with a QSA. This audit consists of the following steps:
- Step 1: EI3PA Readiness Assessment and Gap Analysis.
- Step 2: Remediation (as necessary from the Gap Analysis findings).
- Step 3: Scanning and Penetration Testing Services.
- Step 4: Onsite fieldwork along with additional remote-fieldwork activities.
- Step 5: Report preparation, closing meeting, followed by the issuance of EI3PA Report on Compliance.
Alternative Certifications or Assessments to Meet EI3PA Compliance
According to Experian, these standard certifications may be leveraged to meet EI3PA requirements: ISO 27001, PCI-DSS (Level 1), SOC2 Type II, FISMA, CAI/CCM Assessment.
For such certifications to be considered, Experian's EI3PA team will have to review the assessment report and obtain an attestation from the assessor who authored the report. That assessor will need to confirm the following information:
- The scope of the review included all systems that receive, store, process, or deliver Experian data.
- EI3PA certification requirements have been received, understood, and agreed to be met on an annual basis. The attestation that conditions are met includes, but is not limited to:
  - Experian's Multi-Factor Authentication (MFA) requirements are met.
  - An external vulnerability scan is performed on a quarterly basis by a PCI Approved Scanning Vendor (ASV).
Benefits of EI3PA
There are several reasons, besides it being required, why attaining level 1 EI3PA certification is important for your business success.
Reduces the cost of a future data breach: Data breaches are expensive, both monetarily and in the loss of customers, reputation, and customer confidence in your company. On top of that, you have to pay to replace credit cards, pay compensation for customer losses, pay fines, and pay for investigations and audits. Those figures add up very quickly. Below is a quick example of those costs:
- Breach notification costs: $1,000+
- Card brand compromise fees: $5,000-$500,000
- Card re-issuance penalties: $3-$10 per card
- Forensic investigation cost: $10,000-$100,000
- Forensic investigation: $12,000-$100,000
- Free credit monitoring for affected individuals: $10-$30 per card
- Lawyer fees: $5,000+
- Loss of customer confidence: businesses can lose nearly one out of every two customers in the case of a breach
- Merchant processor compromise fine: $5,000-$50,000
- Onsite QSA assessments following the breach: $20,000-$100,000
- Security updates: $15,000+
- Technology repairs: $2,000+
By achieving EI3PA compliance, you can reduce what these costs might look like in the case of a breach. If you show that you did everything in your power to prevent your Experian data from being stolen, you are far less vulnerable to serious blowback.
Increases consumer confidence in your company: Odds are, you would not use a business if the chances of having your data stolen or improperly used were high. Customer confidence is extremely important to a business's long-term success and can drastically affect a company's profitability during the fiscal year. Potential customers are less inclined to use your services if they do not believe you are capable of protecting their information. So, if you do have a breach, you will inevitably lose a significant portion of your customer base and thus lose out on a lot of business.
By having your EI3PA certification, you signal to your clients that you take the safeguarding of their information seriously, that you take pride in your company's security, and that you have taken all possible measures to prevent their payment data from being stolen.
Protects your clients: When a client inputs their payment data into your system, they are trusting you with their information; they are putting their faith in your business integrity and professionalism. If you do get breached and their information is stolen, both you and your clients suffer. EI3PA ensures that you have taken every step to protect your clients and signals that you are a responsible holder of their information. If you fail at that, you are vulnerable to lawsuits, fines, and damage to your brand. Further, if you practiced deception and promised security when you were not compliant, you can face even stiffer penalties.
Protects your company's business data: EI3PA compliance also protects your business data, especially that of your employees. Odds are, you pay plenty of attention to the security of the physical location of the business, such as locks, guards, employee background checks, security cameras, and a variety of other measures. In a similar manner, it behooves you to protect your business's digital valuables. Following EI3PA allows you to prevent thieves and hackers from using social engineering, malware threats, or remote-access attacks on your servers, computers, or networks.
Creates a security standard: Similarly to PCI DSS, EI3PA creates a standard criterion for what security measures and steps must be employed to protect a business and its customers from data breaches. These 12 baseline requirements create a firm and secure foundation on which to build a security program, and such measures will serve to prevent the vast majority of security breach attempts.
Helps you avoid being sued or fined: A breach not only leads to data loss and unhappy customers but often turns into lawsuits and major fines. Compliance helps you prevent or mitigate any potential fine or lawsuit.
Conclusion
Achieving level 1 EI3PA compliance is absolutely necessary for your business. Your customers trust you to protect their information. A data breach is not only expensive due to fines and lawsuits, but can cause an even larger burden because of the loss of consumer confidence in your brand. By protecting your customers’ data through EI3PA compliance, you protect your company. If you are looking for cybersecurity solutions for your company, contact RSI Security today for a consultation.