Experian Independent 3rd Party Assessment

What is EI3PA?

EI3PA stands for Experian Independent 3rd Party Assessment.  Developed by Experian in 2009, EI3PA utilizes the PCI DSS Audit Framework (Currently Version 1.2).  Experian and its Resellers face significant risks if the consumer information that is provided is not protected. As a result of Experian’s obligation to protect Customer Data, Experian created the EI3PA

  • EI3PA is an Annual Assessment of an Experian Resellers ability to protect the information they purchase from Experian
  • EI3PA requires an evaluation of a Reseller’s Information Security by an independent assessor, based on requirements provided by Experian
  • EIP3A also requires performing Quarterly External Scans of networks for vulnerabilities

Who Needs to be compliant?

Any company that stores, processes, transmits or delivers Experian Data must maintain a technical certification from a Qualified Security Assessor and must be certified and maintained in good standing at all times.

NetWorks Group's EI3PA Service Offerings

NetWorks Group, as a Qualified Security Assessor Company (QSAC) in good standing with the PCI Security Standards Council, is authorized  to perform these services. 

EI3PA Gap Analysis (Pre-Audit)

If your company is facing an EI3PA for the first time, the assessment can be a daunting task. The first-year Report on Compliance ( ROC) almost always reveals significant gaps in operations, security processes, and controls, leaving your organization with many unanswered questions and an unclear road map to compliance.

NetWorks Group’s EI3PA Gap Analysis/Remediation Plan helps avoid the drain of both time and capital that are associated with a first-time ROC. Our QSA’s perform a review of your security processes and controls against the full PCI DSS but without the exhaustive operational testing required by the ROC testing procedures.

A major advantage of NetWorks Group’s GAP Analysis Service is that it is not a “Check the Box” solution  which leaves you with a list of Gaps with little to no recommendations to remediate those findings. Our process identifies gaps and creates a prioritized remediation plan to allow your organization to concentrate on meeting compliance time lines and budgetary constraints.

Deliverables include:

  • Gap Analysis Report
  • Prioritized Remediation Roadmap
  • Executive Summary
  • Detailed Findings

Remediation Services

  • NetWorks Group utilizes a separate dedicated team of security professionals for remediation work
  • We act as an extension of your team to quickly and efficiently plug any gaps identified during the Gap Analysis

EI3PA Onsite Report on Compliance (ROC)

As a PCI QSAC in good standing, NetWorks Group provides comprehensive security assessments of the Data Security Standard, which results in a documented Report on Compliance (ROC). The ROC provides independent validation of compliance required by Experian.

Our ROC assessments are led by senior security consultants who maintain CISA, CISSP, and QSA certifications. Our auditors intimately understand the retail -and service-provider processing models and the business drivers that make your business unique. We help our clients understand compliance risk, control options and compensating control strategies as they work toward achieving and maintaining EI3PA compliance.

Our auditors validate all 232+ controls within the PCI-DSS standard are in place or maintain the appropriate compensating controls to properly mitigate risks to your organizations credit data and submits the ROC directly to Experian.
 

Quarterly Scanning

  • Must be performed on all external facing networks
  • Quarterly scanning by an approved ASV is required as a periodic test that new vulnerabilities have not been introduced as changes are made to your systems.

Additional Services

Web Application Testing

  • If Customer has a website that collects, stores, or transmits credit information, PCI Requirement 11.3.2 may apply.
  • 11.3.2 states that a company should perform application-layer penetration testing once a year or after any significant application upgrade or modification

Annual Network Vulnerability and Penetration Testing

  • Required Annually or after any significant change for both internal and external networks
  • Fulfills requirement 11.3.1

Wireless Assessment

  • If Wireless Networks are present in the network, Wireless Assessment is required
  • Fulfills Requirement 11.1