Talk to a Security Expert Now: (800) 721-9177

Understanding the Experian Independent Third Party Assessment (EI3PA) Requirements

We frequently are asked about the Experian Independent Third Party Assessment (EI3PA).  The EI3PA is the Experian assessment requirements they impose on third parties that have access to credit history information. Not much of the documentation is publicly available so we thought we would share our insights based on our experience and reviewing the Experian guidance.

The EI3PA came about because Experian wanted to make sure that credit history information shared with their partners was secured appropriately.  Rather than create their own standard starting from scratch they just grabbed the PCI Data Security Standard (PCI DSS).  The PCI DSS outlines controls that should be in place to protect card holder data (credit card numbers).  In this case instead of applying to credit card data each control applies to credit history information.  This means a third party handling Experian credit histories will need to comply with each of the 12 PCI DSS Requirements.  The requirement categories are (just replace “cardholder” with “credit history”):


Build and Maintain a Secure Network

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  • Requirement 5: Use and regularly update anti-virus software or programs
  • Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  • Requirement 7: Restrict access to cardholder data by business need to know
  • Requirement 8: Assign a unique ID to each person with computer access
  • Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

  • Requirement 12: Maintain a policy that addresses information security for all personnel

Each organization will need to review the DSS and ensure the minimum controls described are in place. The friendly folks at Experian also want some evidence from a third party ensuring that you are actually complying.  So EI3PA requires all third parties to demonstrate their compliance by having a QSA perform an on-site engagement.  This is more strict than PCI which categorizes merchants into tiers based on credit card transaction volume. The PCI tiers are used to determine the type of reporting required to demonstrate compliance (on-site assessment by a QSA for large volume shops, but just a self assessment questionnaire for small volume firms).


In addition to an overall assessment of compliance with the DSS standard, web application and network penetration testing must be completed. Specifically:PCI DSS 11.3 penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). These penetration tests must include the following:


11.3.1 Network-layer penetration tests

11.3.2 Application-layer penetration tests


The EI3PA guidance changes periodically and is not publicly available.  Make sure to request the appropriate supporting documents from Experian including their up-to-date FAQ.  This will help make the process smooth and ensure that you are using the appropriate version of the DSS.  Being informed and making sure you have all the data in advance will help make the process smoother.

This Post Has One Comment

  1. Essentially replace PCI with EI3PA in the twelve core requirements, and there is your EI3PA mandate. Don’t forget that one of the most important – and time consuming aspects of EI3PA compliance – is developing all mandated policies and procedures. I’m constantly having to deal with my client’s challenges of having little or no documentation in place. If you look at the actual standards, there’s close to 50 or so policies and procedures that need to be in place, so finding a comprehensive policy packet is a must. EI3PA is not always about the technical aspects, there’s a lot of documentation that has to be in place, so just remember that! There are numerous providers online offering cost-effective templates, so now it’s easier and more affordable than ever to put in place all mandated EI3PA specific documents.

Leave a Reply

Your email address will not be published. Required fields are marked *