Compliance Services.

Experian Independent 3rd Party Assessment

What is EI3PA?

EI3PA stands for Experian Independent 3rd Party Assessment.  Developed by Experian in 2009, EI3PA utilizes the PCI DSS Audit Framework (Currently Version 1.2).  Experian and its Resellers face significant risks if the consumer information that is provided is not protected. As a result of Experian’s obligation to protect Customer Data, Experian created the EI3PA

  • EI3PA is an Annual Assessment of an Experian Resellers ability to protect the information they purchase from Experian
  • EI3PA requires an evaluation of a Reseller’s Information Security by an independent assessor, based on requirements provided by Experian
  • EIP3A also requires performing Quarterly External Scans of networks for vulnerabilities

Who Needs to be compliant?

Any company that stores, processes, transmits or delivers Experian Data must maintain a technical certification from a Qualified Security Assessor and must be certified and maintained in good standing at all times.

NetWorks Group's EI3PA Service Offerings

NetWorks Group, as a Qualified Security Assessor Company (QSAC) in good standing with the PCI Security Standards Council, is authorized  to perform these services. 

EI3PA Gap Analysis

The NWG EI3PA GAP Analysis follows the same process as an audit to generate a gap analysis and a set of recommendations to be used as an action plan to compliance. NWG's remediation services support our clients in implementing standards based security programs that will secure their businesses and meet the Experian EI3PA Requirements.

Your EI3PA Gap Analysis will verify and assess the effectiveness of several security measures, such as:

• Integrity of firewalls used to protect affected data systems
• Adequate protection of stored data
• Verification of encryption controls
• Access controls and identity management
• Policies and supporting documentation
• Processes and system security (i.e., patch management, virus controls, etc.)
• Physical security.
• At the conclusion of the assessment, NWG will provide a set of recommendations for each area of the EI3PA Standard. 

A major advantage of NetWorks Group’s GAP Analysis Service is that it is not a “Check the Box” solution  which leaves you with a list of Gaps with little to no recommendations to remediate those findings. Our process identifies gaps and creates a prioritized remediation plan to allow your organization to concentrate on meeting compliance time lines and budgetary constraints.

Deliverables include:

  • Gap Analysis Report
  • Prioritized Remediation Roadmap
  • Executive Summary
  • Detailed Findings

Remediation Services

  • NetWorks Group utilizes a separate dedicated team of security professionals for remediation work
  • We act as an extension of your team to quickly and efficiently plug any gaps identified during the Gap Analysis

EI3PA Onsite Report on Compliance (ROC)

As a PCI QSAC in good standing, NetWorks Group provides comprehensive security assessments of the Data Security Standard, which results in a documented Report on Compliance (ROC). The ROC provides independent validation of compliance required by Experian.

Our ROC assessments are led by senior security consultants who maintain CISA, CISSP, and QSA certifications. Our auditors intimately understand the retail -and service-provider processing models and the business drivers that make your business unique. We help our clients understand compliance risk, control options and compensating control strategies as they work toward achieving and maintaining EI3PA compliance.

Our auditors validate all 232+ controls within the PCI-DSS standard are in place or maintain the appropriate compensating controls to properly mitigate risks to your organizations credit data and submits the ROC directly to Experian.
 

Quarterly Scanning

  • Must be performed on all external facing networks
  • Quarterly scanning by an approved ASV is required as a periodic test that new vulnerabilities have not been introduced as changes are made to your systems.

Additional Services

Web Application Testing

  • If Customer has a website that collects, stores, or transmits credit information, PCI Requirement 11.3.2 may apply.
  • 11.3.2 states that a company should perform application-layer penetration testing once a year or after any significant application upgrade or modification

Annual Network Vulnerability and Penetration Testing

  • Required Annually or after any significant change for both internal and external networks
  • Fulfills requirement 11.3.1

Wireless Assessment

  • If Wireless Networks are present in the network, Wireless Assessment is required
  • Fulfills Requirement 11.1