In 2018 certain industries are under the spotlight more than others and service providers are being watched much more closely. One of the industries that seem to be under fire every week is the security of consumer information. For example, patients in the health care industry are protected with patients rights under HIPAA laws. On the grander scheme, the world has gone futuristic and, unfortunately, that includes criminals. Whether its Macys, Sears or Saks Fifth Avenue, companies big and small have become targets for hackers. Regrettably, the data hacks of stores of any size affect all of us.
Thieves arent after the money of vendors necessarily but rather, the credit card information of consumers which they obtain from a data breach. The web of fraudulence becomes even more entangled if you are a vendor yourself. Regardless of what youre selling, be it t-shirts or industrial paint, the vast majority of purchases are made by credit card.
In 2016, only 27 percent of all point-of-sale purchases were made with cash, according to Javelin Strategy & Research. That number is only expected to drop over time. It sparks the question: what are the checks and balances in place that protects one as a seller or consumer? The answer: PCI DSS or EI3PA.
Run That By Me Again:
PCI DSS and EI3PA are two credit card security checks and standards that attempt to maintain the safety and security of personal information the world over. PCI DSS stands for Payment Card Industry Data Security Standard. EI3PA means Experian Independent Third Party Assessment. Heres a quick rundown on both before we get into the requirements of each.
PCI DSS: This security standard was formed in 2004 by the largest credit card companies in the world: American Express, Visa, MasterCard and Discover. The security standard was based on five principles of security.
- The security of the network: For consumers to make purchases in good faith, the network which conducts the transactions must be secure. That means firewalls, anti-malware, authentication and authorization services and other technical weaponry in the protection of vital information. The network must also work quickly. What good is a secure network if it takes 20 minutes to approve the transaction? Credit cards must be able to safely and conveniently operate within the network.
- The security of pertinent information: This pertains to PIN numbers, birthdays, email addresses and favorite color. Any and all information that credit card companies ask you in order to verify that is actually you. That data, just like the communication on the network, must be secure. When that information is sent, it must be encrypted to a degree that hackers cant pluck it out of the air.
- Maintenance of the system: Once these systems are in place, they then must be monitored for illicit activity. Hackers plant trojan horses, backdoors and all types of bugs in attempt to get into the systems. For the systems to remain safe, they must be watched closely.
- Access to systems: Since these systems are in place to allow vital information to flow easily from consumer to vendor, access must be limited. This encompasses everything from shredding spreadsheets to assigned access codes to anyone with security clearance. Checks upon checks.
- Proper Policy: Just like any large system, PCI DSS policy must be explicitly defined and enforced to ensure that everything works as planned.
EI3PA: We should start with the E, which stands for Experian. Experian is one of the three major credit reporting agencies in the world. Among other things, the company maintains information on over 235 million US Citizens and more than 25 million US businesses. EI3PA is Experians assessment of a vendors ability to protect the sensitive information that Experian provides. It works the same way that PCI DSS does, however, only using Experian provided data. EI3PA was designed with PCI DSS in mind but to the specifications of Experian.
Commonalities:
Now that we have defined what PCI DSS and EI3PA are, lets briefly mention what they have in common. PCI DSS has 12 requirements that must be met. It should be noted that EI3PA is based on policy and qualifications derived from PCI DSS. However, just because you have passed one doesnt mean you have met the demands of the other. Failure of a service provider to conform to all 12 PCI DSS requirements could end in a fine or removal of credit card services altogether. The same is true for EI3PA, although their requirements vary.
They both also continue to monitor the integrity of your system after you have passed inspection. Each requires an annual assessment to ensure that protocols and procedures are up to standard. These requirements are designed to meet tenets of the security standard outlined above. The consequences of not meeting at least one of these could be dire. Thankfully, there are companies whose purpose is guide you through either PCI DSS or EI3PA compliance.
PCI DSSRequirements:
- A firewall must be in place and monitored: This is the foundation for any business’s credit card service. Without a firewall, consumers information is there for the taking.
- System passwords and defaults cannot be provided by the vendor: Essentially you must change all passwords and security-related framework from when they were installed. Leaving everything as is from when it is installed is like putting a lock on your door but never actually locking it.
- Secure cardholder data: When someone swipes their card, their data is stored somewhere in the system. That information is sensitive and must be properly guaranteed not to fall into the wrong hands.
- Encrypt sensitive information when sending across networks: Similar to how customer data must be secure when stored, the same is true when said data is sent across networks. Without a secure encryption, data can be stolen while in transit.
- Regularly update and test anti-virus and other protection programs: Like any bank, the safeguards to maintain security must be checked and updated regularly.
- Maintain security and application systems: This is very similar to number 5, but rather in relation to applications and systems as opposed to patches and anti-virus programs.
- Limit access to cardholder information on a need to know basis: The fewer people that have access to a valuable property, the safer it is. That is why only trusted and properly trained employees should have access to cardholder data.
- All authorized users must have their own unique ID: Individual access codes promote accountability. Any changes or anomalies can be traced to the user that made them.
- Limit physical access to cardholder information: The same reasoning as above applies to physical access.
- Track any and all movement within the system: For the same reason everyone with access has their own unique codes, all log-ins and changes must be tracked. Without a monitoring system, its too complicated trace any malfeasance.
- Routinely test the efficacy of all security systems and mechanisms: Whats the point of a security system if you arent sure it works?
- Provide a strong policy that explicitly states expectations and responsibility in regards to security: Everyone must be on the same page as to the gravity of their roles.
NOTE: each of these requirements has sub-requirements that detail exact expectations. Here we have just outlined the overall points as this article is to highlight the differences between PCI DSS policy and EI3PA requirements. Click on the following link for more detailed information about PCI DSS.
EI3PA Requirements:
Because EI3PA is based on the same security protocols as PCI DSS, most of their general requirements are the same. We will list them here, however, its worth mentioning that specifics of meeting said requirements are not necessarily the same. We will cover in length the difference between EI3PA requirements and PCI DSS policy, but first, EI3PAs requirements.
- Put in place stringent control measures on access: Unique passwords to individuals, strong encryptions, auto log-outs, monitoring all movement within secure data stores, physical security controls are the abcs of cybersecurity access.
- Continually manage potential security gaps: All systems related to security must have up-to-date patches and proper updates. On a daily basis vulnerabilities must be monitored.
- Implement and update a strong security policy: Layout expectations, consequences and procedures are required to maintain a secure system.
- Safeguard Data: Any and all sensitive data must be protected securely.
- Build and protect a secure network: Using top security procedures maintain a secure network.
- Test and Monitor Networks: Maintain and test security and functionality of the network.
- Phone & Cloud Tech: Follow mobile and cloud protocols put forth by Experian.
- General: Follow and comply to audits and procedures set forth by Experian.
NOTE: As mentioned previously, these are the abbreviated EI3PA requirements. Click the following link for more detailed policy about EI3PA.
The $100,000 question: What Are the Differences Between PCI DSS and EI3PA Requirements?
Since EI3PA requirements are based on PCI DSS policy, the reality is that there are more similarities than a difference. Nevertheless, there are important distinctions between the two. The foremost difference is the formation of the policy. PCI DSS was formed by the four largest credit card companies in the world: Visa, Mastercard, American Express and Discovery. EI3PA was created by Experian, one of the three largest consumer credit reporting agency.
Origins:
PCI DSS policy and requirements are not made within a vacuum. They cannot unilaterally make changes without input from the Payment Card Industry Security Standards Council and other concerned parties. The same is true for approval. PCI DSS approval rests with a number of interested parties, while Experian has final say on all approvals. Experian, on the other hand, can make changes and alterations to their policy as they see fit. They also do not have the same data concerns that PCI DSS does.
Purview:
PCI DSS created its security requirements and oversight with all cardholder data in mind. Their intent is to protect, empower and direct the use of secure systems for proprietors and consumers alike. Consumers may never interact with policy directly, however, the directives are meant to ensure the security of sensitive data. When it comes to PCI DSS, banks also have a large say in regard to approval of compliance. That is because banks are the ones paying the majority of non-compliance fines from credit card companies. They essentially act as the middleman.
You could say that Experian works a very similar manner, but only with Experian provided data as their concern. Unlike PCI DSS, Experian is only concerned with the security of their own data. Experian also does not have a middle man. They have final say.
In Practice:
Both PCI DSS and EI3PA approval requires an assessment of your security protocols to ensure they are up to standard. But, the processes of each are divergent. Under PCI DSS policy, businesses have two ways to get approval. The first is a Self-Assessment Questionnaire, (SAQ) in which business self-assess their PCI DSS compliance. Not all businesses are eligible to do an SAQ. Companies that are not eligible must undergo a Qualified Security Assessor (QSA). Typically larger companies with complex IT not only require but benefit from QSAs. There are options for large companies to do self-assessment if certain concerned parties, like your bank, sign off.
EI3PA compliance always requires an on-site evaluation of a business’s security protocols by an independent third party assessor, which is based meeting Experian requirements. Thankfully, Experian is of the belief that assessors of PCI DSS policy are qualified to make assessments of EI3PA requirements. There are also other certifications and assessments that Experian has designated as up to Experian quality. They are as follows:
- ISO 27001
- FISMA
- CAI/CCM Assessment
- SOC2 Type II
- PCI DSS (level 1)
Those assessments must pass a number of Experian protocols but can be submitted to Experian for approval.
Monitoring:
PCI DSS has four levels of monitoring that are based on the number of card transactions per year. The more transactions the lower the level of your business and, therefore, the higher the necessary requirement for approval.
- Level one is companies with 6 million transactions annually
- Level two is 1-6 million transactions annually.
- Level three is 20,000-1 million annually
- Level four is less than 20,000 annually.
Experian only has approval or non-approval; they do not have multiple tier or merchant levels. Experian also has two unique requirements:
- External vulnerability scans, which must be submitted on a quarterly basis.
- Multi-factor authentication which relates to commercial and non-direct consumers with web portal access.
Closing Thoughts
PCI DSS policy and EI3PA compliance have more commonalities than differences, yet, when dealing with the complexity of cyber security solutions the differences are important to know. The overall goal of each is to protect vendors and consumers alike from the hundreds of thousands of cyber thefts that happen annually. Understanding and complying with the requirements are vital in avoiding damaging cyber thefts. Money is not the only commodity at stake. The trust of the consumer is an asset that if lost, may never be recovered.
Download Our PCI DSS Checklist
Assess where your organization currently stands with being PCI DSS compliant by completing this checklist. Upon filling out this brief form you will receive the checklist via email.