For a variety of financial service companies, dealing with the credit history of customers is part and parcel of doing business. Whether it's issuing a credit card or financing a small business, banks, lenders, and other service providers and institutions routinely use credit data from companies like Experian to make the most appropriate business decisions. But there's just one catch – financial institutions need to be careful (and compliant) in the way they handle the private credit history information that Experian shares with them.
More specifically, financial institutions need to be aware of what's called the Experian Independent Third Party Assessment, otherwise referred to as EI3PA. The EI3PA is an assessment requirement, aligned with applicable laws, that Experian imposes on any third party that accesses its proprietary credit history information. Experian has this requirement in place for one simple reason: to ensure the privacy and security of customers' credit history information as much as possible.
But what exactly is the Experian Independent 3rd Party Assessment, and what do financial institutions of all shapes and sizes need to know as they prepare to comply with EI3PA? Here we'll break down what the EI3PA is, the specific requirements that are likely to affect your financial services organization, and how a compliance partner can help you streamline EI3PA compliance.
What Exactly is EI3PA?
As mentioned, the EI3PA exists because Experian wants to ensure that credit history information shared with third party partners is appropriately protected and secured. Rather than building its own standards from the ground up, Experian borrowed much of its requirements from the PCI Data Security Standard, also known as PCI DSS. The PCI DSS is an existing security standard for a variety of consumer financial activities, requiring that financial institutions meet certain standards for things like protecting cardholder data. PCI DSS outlines controls that need to be put into place, and Experian has simply applied many of those same standards to credit history information.
So, in short, third parties handling consumer credit history data from Experian will need to comply with each of the 12 PCI DSS requirements, swapping out the term cardholder data for credit history data. Just remember that the basic premise of EI3PA is that Experian recognizes the significant risks it faces if its consumer data isn't adequately protected by third parties. Moreover, Experian would violate its internal principles of exercising due care and diligence if it shared data with partners that could not protect that data at least as well as Experian itself does.
EI3PA requires that any third party undergo an evaluation conducted by an independent assessor, focusing on security programs and controls. Along with the requirements adopted from PCI DSS, Experian has added unique security and reporting requirements that you'll also need to take into account. Below is a step-by-step list of the requirements you'll need to consider to reach EI3PA compliance.
1. Build and Maintain a Secure Network
Similar to PCI DSS, Experian partners need to protect credit history data with a secure network that keeps hackers, cyber criminals, and other malicious actors out of their systems. To be in compliance with the network security and maintenance portion of EI3PA, you'll need to focus on fulfilling two main requirements:
- Firewall Installation and Maintenance – Firewalls are devices that control computer traffic into (and out of) an organization's network. Firewalls also protect sensitive information on the internal network from unauthorized access. Routers are hardware or software that connects two or more networks, either internally or externally. You'll need to work with your compliance partner to do things like review configurations every six months, restrict traffic from untrusted networks, and properly install firewalls on all employee devices (even mobile ones).
- Avoid Vendor-Supplied Defaults – You want to completely avoid using system defaults for passwords and other critical security parameters, as these settings are unlikely to be EI3PA compliant. More importantly, these defaults often make it much easier for hackers to break into your systems, as settings like password strength requirements are not as strong as they can (and should) be. Remember to change these settings before installing any new system to save yourself time and hassle, and take advantage of any advanced encryption tools at your disposal.
Fact – EI3PA mandates that partners use multi-factor authentication when authorized users access credit history via browsers or web portals.
2. Protect Credit History Data
Private credit history data can take a variety of forms, printed or digital. Third party institutions also need to take precautions when credit history data is transmitted, whether it's via paper or email. You're expected to protect credit history information and prevent its unauthorized use, whether it is printed and stored locally or transmitted via a public network or remote server.
- Protecting Stored Data – In general, no credit history data should be stored unless it's necessary to meet the needs of your business. You'll also want to limit how long data is retained and purge sensitive information on a quarterly basis at the very least. Make sure to fully document the processes and procedures you follow, including the handling of authentication keys and user access requirements. Work with your compliance partner to audit your data storage practices to ensure they're in alignment with both PCI DSS and EI3PA standards.
- Transmission Encryption – Cyber criminals may be able to intercept transmissions of credit history data over open, public networks, so it is important to prevent their ability to do so. Therefore, you'll need to use strong encryption and cryptographic protocols to safeguard credit history data during transmission over open, public networks. This includes the internet, wireless networks, and the Global System for Mobile Communications (GSM). Also, never send unprotected data via end-user messaging technologies such as WhatsApp or Facebook Messenger.
Fact – EI3PA is an annual assessment and certification, and must be renewed within one year from the date of current certification.
3. Maintain a Vulnerability Management Program
Vulnerability management is the process of systematically and continuously finding weaknesses in your credit history storage and processing infrastructure. This includes security procedures, system design, implementation, and internal controls that could be exploited to violate system security policy.
- Antivirus Software – Email and other online activities provide a prime avenue for cyber criminals and hackers to enter your systems and gain access to confidential credit history data. So, not only do you want to employ strong antivirus software, you'll need to make sure it's patched and updated on a regular basis. Make sure that your antivirus software is running at all times and generating the necessary audit logs as well.
- Secure Systems & Applications – The development (and maintenance) of secure systems and software applications is critical to achieving EI3PA compliance. As with your antivirus software, all critical systems need to be patched and updated to the most recent versions possible. Less critical systems should have patches applied as soon as possible, based on a risk assessment with your compliance partner. Moreover, implement secure coding practices for application development and generally follow secure software development practices.
Fact – Experian's policy is that the same vendors who perform assessments for PCI compliance are qualified to perform assessments for EI3PA.
4. Implement Strong Access Control Measures
This requirement covers the ability of third parties to permit or deny access to credit history data. This access can be physical (as in paper files) or technical access via a computerized database. You'll need to carefully monitor all access points, whether it be who has the key to a file cabinet or which system administrators have password access to your systems.
- Limit Access – In general, access to Experian credit history data should be restricted on a need-to-know, business basis. And according to the standards, each user should be granted the least amount of data access needed, based solely on what they need to perform their job.
- Unique IDs – EI3PA requires that you assign a unique identifier to each person with computer access who could potentially access credit history data. This includes everyone within your organization, from sales and administrative staff to credit analysts. Also remember to use multi-factor authentication for remote access sessions, and use cryptography to render passwords unreadable during any transmission.
- Restrict Physical Access – Any physical access to data or systems that house credit history data provides an opportunity for malicious actors to access or remove devices, data, systems or hard copies. Therefore, physical access should be appropriately restricted based on job function. Also, take care to limit the physical access of part-time employees, contractors, visitors, or consultants who may enter your facility on a regular basis.
Fact – PCI DSS compliance certifications can be leveraged to help meet EI3PA standards, but Experian's team will need to review the certification in addition to validating its own unique compliance rules.
5. Regularly Monitor and Test Networks
Whether you're a big bank or a mid-sized credit union, you're going to be using physical and wireless networks to get the necessary Experian credit history information from Point A to Point B. Unfortunately, transmission over these networks does present an opportunity for cybercriminals to gain access to confidential credit history data. EI3PA mandates that you regularly monitor and test networks to spot vulnerabilities and take immediate steps to close the gaps before they can be exploited.
- Tracking & Monitoring – You need to constantly track and monitor all access to network resources that might allow access to credit history data. Make sure you have proper logging mechanisms in place to track any and all user activities, whether internal or external. Tracking and monitoring activity within your networks is critical because, should your systems be compromised, you'll be able to determine the cause and the proper course of remediation.
- Regular Testing – Just because your networks appear secure today doesn't mean they will be tomorrow. Experian and PCI DSS recognize this fact and therefore mandate regular testing of network security systems and processes. Network testing is where a compliance partner can be especially valuable, helping with things like penetration testing and vulnerability scans, some of which need to be conducted on a quarterly basis.
Fact – EI3PA assessments and reports are completely confidential, and access is restricted to the Experian Global Security Office (GSO) team that reviews them.
6. Maintain an Information Security Policy
The final EI3PA requirement relates to your information security policy. An effective security policy should cover all departments and roles within your organization and, more importantly, set the tone for how everyone is expected to approach and handle Experian credit history data. Your security policy should inform employees of their expected duties, as well as lay out accountability standards and consequences for violations.
- Policy Maintenance – You'll need to establish, publish, maintain, and disseminate a security policy that addresses all aspects of EI3PA compliance. Your policy must be reviewed at least once a year and updated to reflect any changes in your business practices or the cybersecurity environment at large. Your policy should cover day-to-day operating standards and best practices for each type of role, as well as each type of technology or device (i.e. PC, smartphone, tablet). A formal security awareness program is also required, and it's wise to work with your compliance partner to develop a regular training program to ensure compliance on an ongoing basis. Finally, make sure that all newly hired employees have been adequately screened, and that any employees who quit or are terminated have their access revoked immediately.
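As an added example (not code from the original article or from Experian), the Python helper below turns the time-bound controls stated in requirements 1, 2 and 6 into checks that can run against an inventory: the quarterly purge of stored credit history data, the six-month firewall configuration review, and the annual policy review and certification renewal. The 90-, 182- and 365-day readings of "quarterly", "six months" and "once a year", the record inventory, and the review dates are assumptions constructed for this example.

```python
from datetime import date, timedelta

# Constructed inventory of records holding Experian credit history data,
# keyed by the date each record was last needed for a business purpose.
# These are made-up sample values, not real data.
CREDIT_HISTORY_STORE = [
    {"id": "rec-001", "last_needed": date(2024, 1, 10)},
    {"id": "rec-002", "last_needed": date(2024, 5, 20)},
    {"id": "rec-003", "last_needed": date(2024, 6, 1)},
]

# Maximum retention for stored credit history data. The article calls for
# purging at least quarterly; 90 days is the assumed reading of "quarterly".
MAX_RETENTION = timedelta(days=90)

# Review intervals the article states, in days (assumed readings): firewall
# configuration review every six months, security policy review at least
# annually, EI3PA certification renewed within one year.
REVIEW_INTERVALS = {
    "firewall_config_review": 182,
    "security_policy_review": 365,
    "ei3pa_certification": 365,
}


def overdue_records(store, today, max_retention=MAX_RETENTION):
    """Return ids of records retained longer than max_retention as of today."""
    return [r["id"] for r in store if today - r["last_needed"] > max_retention]


def purge(store, today, max_retention=MAX_RETENTION):
    """Return (kept_records, purged_ids). The purged ids are returned so the
    purge can be written to an audit log, since the process must be documented."""
    overdue = set(overdue_records(store, today, max_retention))
    kept = [r for r in store if r["id"] not in overdue]
    return kept, sorted(overdue)


def overdue_reviews(last_done, today, intervals=REVIEW_INTERVALS):
    """Return names of reviews whose last completion date is older than the
    interval allowed for that review, sorted for stable reporting."""
    return sorted(name for name, days in intervals.items()
                  if today - last_done[name] > timedelta(days=days))


if __name__ == "__main__":
    today = date(2024, 6, 30)  # constructed "as of" date for the demo
    kept, purged = purge(CREDIT_HISTORY_STORE, today)
    print("purged:", purged, "kept:", [r["id"] for r in kept])
```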
Fact – Experian is available to assist in compliance efforts, and will confer to answer questions about EI3PA to assure proper understanding of each requirement.
Closing Thoughts
Keep in mind that Experian 3rd Party Assessment guidance changes periodically, but the changes are not made publicly available. This makes it even more beneficial to work with a compliance partner, so that you'll have somebody on your team if (and when) the Experian credit bureau decides to make changes. EI3PA is a comprehensive framework for any organization that deals with Experian credit history data, so make sure that both your internal teams – and your compliance partner – are pulling in the same direction to guarantee EI3PA compliance today, tomorrow, and well into the future. Beyond the framework itself, many different tools go into protecting data and securing applications, and you may need to seek out cyber security solutions to cover them.