3rd Party Assessment done right.
EI3PA stands for Experian Independent 3rd Party Assessment. Developed by Experian in 2009, EI3PA uses the PCI DSS audit framework (currently version 3.1). Experian and its resellers face significant risk if the consumer information they are provided is not protected. Experian created the EI3PA to meet its obligation to protect that customer data.
Any company that stores, processes, transmits, or delivers Experian data must obtain a technical certification from a Qualified Security Assessor and must remain certified and in good standing at all times.
What else does EI3PA require over PCI?
NetWorks Group, as a Qualified Security Assessor Company (QSAC) in good standing with the PCI Security Standards Council, is authorized to perform your third party assessments for EI3PA compliance. Due to its specialized nature, EI3PA requires companies to go beyond the already stringent PCI DSS 3.1 standards and prove more areas of their infrastructure are secure for full compliance.
EI3PA Gap Analysis
Our EI3PA Gap Analysis follows the same process as an audit to generate a gap analysis and a set of recommendations to be used as an action plan to achieve compliance. Additional remediation services support our clients in implementing standards-based security programs that will secure their businesses and meet the Experian EI3PA requirements. The EI3PA Gap Analysis verifies and assesses the effectiveness of several security measures:
- Integrity of firewalls used to protect affected data systems
- Adequate protection of stored data
- Verification of encryption controls
- Access controls and identity management
- Policies and supporting documentation
- Processes and system security, such as patch management
- Physical security
A major advantage of the NetWorks Group EI3PA Gap Analysis is that it is not a “check the box” exercise that leaves you with a list of issues and few or no recommendations for remediating them. Our process identifies gaps and produces a prioritized remediation plan so your organization can concentrate on meeting compliance timelines within its budget. At the conclusion of the assessment, you receive a set of recommendations for each area of the EI3PA standard. We act as an extension of your team to quickly and efficiently close any gaps identified during the analysis of your infrastructure.
EI3PA Onsite Report on Compliance
As a PCI QSAC in good standing, NetWorks Group provides comprehensive security assessments against the Data Security Standard, resulting in a documented Report on Compliance (ROC). The ROC provides the independent validation of compliance that Experian requires.
Our ROC assessments are led by senior security consultants who maintain CISA, CISSP, and QSA certifications. Our auditors intimately understand the retail and service-provider processing models and the business drivers that make your business unique. We help our clients understand compliance risk, control options, and compensating control strategies as they work toward achieving and maintaining EI3PA compliance.
Our auditors validate that all 232+ controls within the PCI DSS standard are in place, or that appropriate compensating controls are maintained to properly mitigate risks to your organization's credit data, and submit the ROC directly to Experian.
EI3PA also requires a quarterly scan of all of your external-facing networks by an Approved Scanning Vendor such as NetWorks Group, to confirm that new vulnerabilities have not been introduced as your systems change through day-to-day work.
Additional EI3PA needs for compliance.
Gap analysis, onsite compliance reporting, and quarterly scans of external-facing networks are not all that is required to make sure you are covered. To be protected as well as compliant, you should also test your web applications, your network as a whole, and your onsite wireless access.
- Web application penetration testing: if the Customer has a website that collects, stores, or transmits credit information, PCI Requirement 11.3.2 may apply.
  - 11.3.2 — Perform application-layer penetration testing once a year or after any significant application upgrade or modification.
- Network penetration testing: required annually or after any significant change, for both internal and external networks.
  - 11.3.1 — Verify that the penetration test includes network-layer penetration tests covering the components that support network functions as well as operating systems.
- Wireless assessment: required if wireless networks are present in the network.
  - PCI 11.1 — Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis.