The Credit Reporting Agencies face significant risks if sensitive consumer information is not adequately protected by all parties. To address this, Experian created a security standard referred to as EI3PA.
EI3PA is closely based on the Payment Card Industry Data Security Standard (PCI-DSS) and utilizes the current PCI-DSS Audit Framework as the standard for the data handling and security requirements that we must comply with. EI3PA establishes 12 primary requirements for organizations to assess their security measures in protecting consumer data. Any entity that transmits, stores, processes, or provides consumer credit data from Experian is subject to EI3PA and must comply with it and attest to compliance as assessed by a third-party Qualified Security Assessor (QSA).
TransUnion and Equifax, as well as Experian, also perform annual and random security and compliance audits in which they request information from CBC and subscribers to verify CBC and its subscribers are meeting security, policy, and procedure requirements. This is a very thorough process and may involve information we must obtain from our subscribers as well. This is noted in CBC’s subscriber agreement and is strictly enforced.