The Experian Independent Third Party Assessment (EI3PA) is an annual assessment of a third party's ability to protect the consumer credit data Experian shares with it, covering both the processing and the storage of that data.
What does EI3PA require?
EI3PA requires an evaluation of a third party's information security program and controls by an independent assessor, against requirements provided by Experian. The core of EI3PA is a set of security control requirements adapted from PCI DSS. In addition, the following requirements specific to EI3PA must also be met:
External vulnerability scans - performed quarterly, with the results submitted to Experian each quarter
Multi-Factor Authentication - required for commercial (business-to-business, not direct-to-consumer) user access to web portals
What’s the Difference? EI3PA vs. PCI-DSS
Unlike PCI-DSS, EI3PA:
Mandates an on-site visit by a Qualified Security Assessor (QSA) to verify compliance, regardless of how large or small the organization is. There are also no tiers or merchant levels in EI3PA; the same requirements apply to every third party.
Requires annual web application and network penetration testing. This testing, which also satisfies PCI DSS requirement 11.3 (numbered 11.4 in PCI DSS v4.0), must be performed at least once a year and again after any significant change to the infrastructure or applications in scope.
MegaplanIT’s experienced consultants will walk you through the compliance process and provide you with the most up-to-date EI3PA guidance available from Experian.