With Experian EI3PA Security Program In Effect, How Soon Will Equifax and Transunion Follow Suit?
In the world of credit bureaus, we all know who the big 3 players are: Experian, Equifax, and Transunion. When Experian decided to implement its own security program for its resellers to follow, I was quite interested to see what it would come up with and how it intended to enforce it. When Experian adopted the PCI-DSS standard as the basis for its EI3PA (Experian Independent Third Party Assessment) program and required all of its resellers to undergo annual onsite assessments, with a Report on Compliance (ROC) submitted directly to Experian, my thoughts shifted to the other two major credit bureaus, and I wondered how long it would be before each of them came out with a program of its own, or whether they would mirror Experian and adopt the PCI-DSS standard as well.
For those who have no idea what the PCI-DSS looks like, it is a framework of roughly 232 controls that need to be in place. The standard, currently at version 1.2, is organized into 12 general requirements covering areas such as security policy and procedures, physical security, and a range of technology-based controls (firewalls and network segmentation, protection of stored cardholder data, encryption of data in transit, access control, logging and monitoring, and regular security testing). Unlike regulations such as HIPAA, which leave a great deal of room for interpretation of what the requirements mean, the PCI-DSS is black and white about what is expected to be in place. In fact, many organizations that have no obligation to comply with PCI are adopting the PCI-DSS as a security framework within their own organization.
As yet, neither Equifax nor Transunion has announced any plans to introduce a security program similar to Experian's EI3PA program. However, I believe they both will, before the end of 2010. They will need to demonstrate to consumers that they take the security of credit data seriously, and that they expect their resellers to implement the proper security controls as well, to ensure the confidentiality, integrity, and availability of all that data. They also do not want to lose ground to Experian, which many consider the third-ranked of the big 3.
In closing, current Equifax and Transunion credit resellers should strongly consider downloading a copy of the PCI-DSS 1.2 standard from the PCI Security Standards Council website at http://www.pcisecuritystandards.org and familiarizing themselves with the standard. I have a feeling you will be next in line to comply.
Christopher L. Hartley
July 12, 2010
