If your company processes, stores or transmits credit information provided by Experian, you may be required to have your systems assessed to demonstrate the ability to protect Experian provided data both externally and internally, from unauthorized users.

EI3PA requires an evaluation of a Third Party’s information security program and controls by an independent assessor, based on requirements provided by Experian. EI3PA consists of security control requirements adapted from the PCI DSS payment card security standard. Experian’s policy is that the same vendors who perform assessments for PCI compliance are qualified to perform assessments for EI3PA.

Why do you need to be EI3PA Compliant?

The Credit Reporting Agencies such as Experian face significant risks if sensitive consumer information is not adequately protected by all parties. To address this, Experian created EI3PA credit data security requirements.

Any entity that transmits, stores, processes, or provides consumer credit data from Experian is subject to EI3PA and must comply with its requirements and attest to compliance through an assessment performed by a third-party Qualified Security Assessor (QSA).

EI3PA compliance is a competitive advantage for any business. It increases the business value and reputation of an organization by protecting consumer credit data and reducing the risks of a data breach, loss of customers, brand erosion, litigation and large monetary losses. EI3PA compliance helps you demonstrate an ongoing commitment to protecting Experian provided data by preventing consumer credit data security breaches.

Our EI3PA Services

Because RSI Security is a Qualified Security Assessor Company (QSAC) for PCI compliance, RSI Security is also qualified and authorized to perform formal EI3PAs. RSI Security’s extensive experience with PCI DSS qualifies us to help you with the following tasks common to EI3PA compliance:

EI3PA GAP Analysis (Pre-Assessment)

Our qualified PCI DSS security advisors can help you identify significant gaps in operations, security processes, and controls, and advise on corrective actions to be taken prior to an EI3PA audit or compliance review. RSI Security will deliver a Roadmap to Compliance, our unique approach to remediation, to assist your organization in meeting the required compliance objectives.

EI3PA Experian Security Assessment Report on Compliance (ESAR)

Our PCI QSA professionals provide comprehensive EI3PA assessments, which result in a documented Experian Security Assessment Report on Compliance (ESAR). The ESAR provides the independent validation of compliance required by Experian.

Quarterly Scans

RSI Security is an Approved Scanning Vendor (ASV). Quarterly scanning by an approved ASV is required as a periodic test to ensure that new vulnerabilities have not been introduced as changes are made to your systems.

Web Application Test

If you have a website that collects, stores or transmits credit information, PCI DSS requires you to perform application-layer penetration testing at least once per year and after any significant application upgrade or modification. RSI Security provides Web Application Security Testing.

Annual Network Vulnerability and Penetration Test

PCI DSS requires network penetration testing at least once a year and after any significant infrastructure upgrade or modification. RSI Security provides penetration testing and vulnerability assessments.

Wireless Assessment

If you have wireless access points in your payment card network, PCI DSS requires you to test for the presence of wireless access points by using a wireless analyzer at least once a quarter. RSI Security provides wireless security testing.

Why work with RSI Security for your EI3PA Compliance needs?

  • RSI Security’s skilled, experienced and qualified security assessment, advisory, engineering and testing teams use a risk-based, strategic-value approach to achieving your organization’s EI3PA compliance.
  • Our advisory services help you identify and reduce the scope of your Experian data environment, ensuring effective data security and minimizing the cost of compliance.
  • Our qualified security assessors possess the information security assessment, administrative and technical skills, knowledge and experience to help organizations achieve secure Experian provided data environments.
  • RSI Security is a full-service security provider with many years of experience delivering data security compliance, information security program implementation and testing services.
  • EI3PA compliance should be built into business-as-usual (BAU) activities as part of an entity’s overall security strategy. This enables an entity to monitor the effectiveness of its security controls on an ongoing basis and maintain its EI3PA compliant environment between EI3PA assessments. RSI Security advisory, assessment and testing services can help your organization integrate EI3PA compliance into business-as-usual activities.

Specific EI3PA Compliance Requirements

EI3PA requires an evaluation of a Third Party’s information security program and controls by an independent assessor, based on requirements provided by Experian. EI3PA is based on the PCI DSS card data security standard, in order to protect Experian provided consumer credit data. Experian requires third party providers to demonstrate EI3PA compliance by way of a security assessment performed by a PCI DSS QSA.

EI3PA differs from PCI-DSS in that it assesses how a Third Party provides protection of Experian provided data rather than cardholder data. It also differs in that it is approved solely by Experian, not by the card issuer, issuing bank or the assessor.

EI3PA is an annual assessment and certification. It must be renewed within one year from the date of the current certification.

Additionally, the following are EI3PA unique requirements that must also be met:

  • External vulnerability scans - to be submitted to EI3PA on a quarterly basis
  • Multi-Factor Authentication - for commercial users and other non-direct-to-consumer access to web portals

Learn more by visiting the Experian website.

Value and Benefits of Being EI3PA Compliant

  • Experian provided consumer Credit Data Environment Scope Identification and Reduction
  • Credit Data Security Risk Management
  • EI3PA Compliance
  • Increased Business Value
  • Increased Customer Trust and Organizational Reputation
  • Effective Information Security Program
  • Repeatable Compliance Processes and Compliance Activities as Business-As-Usual
  • Increased Credit Data Security Awareness
  • Effective Incident Response Planning
  • Quality Reporting on EI3PA Compliance