Equifax Internet Security Requirements
Equifax has a duty to protect the confidentiality and security of any consumer report information or other nonpublic consumer information (“Consumer Information”) it provides to its customers (the “Customers”). In addition, Equifax seeks to protect its proprietary information including subscriber codes, account information, and all other nonpublic business information (“Proprietary Information”) (Consumer Information and Proprietary Information being referred to cumulatively as “Equifax Information”). In order to discharge these responsibilities, Equifax must obtain from its Customers complete information on systems, applications, processes, and entities involved in the transmission of Equifax Information. Equifax requires a complete description of the intended use, resale, or transmission of the Consumer Information by a Customer. This document sets forth the policies and requirements of Equifax for Customers to access, obtain, repackage, and distribute Equifax Information over the Internet. These requirements are in addition to standard Equifax contractual terms and conditions, which must be fulfilled by any prospective Customer.
- Terms of Delivery:
  - The terms of this agreement are as follows:
    - Governs only the access of Equifax information through MicroBilt
    - Governs only the access of information through MicroBilt's authorized website
    - Covers only access via a browser. Access of Equifax information by screen-scraping or other automated system is not covered by this agreement. A separate agreement must be executed if access is through other than a browser.
- Data Security
- All Equifax Information and consumer End-User identifying information must be encrypted as it is transmitted over the Internet. 128-bit SSL/TLS or higher strength encryption is required.
- Equifax Information must also be protected when stored on servers, subject to at least the following requirements:
  - Servers storing Equifax Information must be separated by firewall or other comparable method from publicly accessible web-servers;
  - Equifax Information must not be on a server that can be accessed by TCP services directly from the Internet and should not be referenced in domain name services (DNS) tables;
  - All security access to these servers, both physical and network, must include authentication and, in the case of network security, passwords that are changed at least every 90 days; and
  - All servers must be kept current with all operating system patches, as they are available.
- Consumer Information shall not be shared with, or accessed by, any person other than an End-User or permitted Intermediary, and all transmission and/or storage of Consumer Information shall be subject to all of the terms and conditions stated in these Internet Security Requirements.
- All Proprietary Information, including Equifax subscriber codes and security digits must be protected from unauthorized use. If Proprietary Information must be communicated by Customer to an Intermediary for purposes of the transmission of Consumer Information to an End-User, the Intermediary must safeguard this Information and observe these Internet Security requirements.
- When displaying non-public information in HTML, no Equifax Information can be stored on the presentation server(s). Customer shall use the presentation server(s) only to provide the HTTP services. All HTML shall be dynamically created or interpreted by the application server. The presentation server(s) should only transmit/receive the data, and process it back and forth to the application server. Data transmitted between the End-User’s browser and the application server must not be cached, in any form, on the presentation server(s).
- Only those employees and agents of Customer who have reason to access the Equifax Information pursuant to the purposes permitted under Customer’s agreement with Equifax shall at any time access or use the Equifax Information. Computer network or terminal access shall be restricted to those employees/agents who have been properly trained and instructed as to all FCRA and other obligations with respect to the access and use of Equifax Information. In order to prevent use or access of the Equifax Information by any person other than the trained operators for authorized purposes, security measures shall be implemented, including, (i) limiting knowledge of the number(s), access codes, and telephone access number(s) Equifax provides, and any user passwords, to trained operators and other employees/agents with a need to know, (ii) changing the user passwords at least every one-hundred eighty (180) days, or sooner if a specific trained operator is no longer responsible for accessing credit reports, or if there is cause for belief that an unauthorized person has learned the password, and (iii) using all security features in the software and hardware utilized to access Equifax’s system. No hardware or software shall be transferred between locations without deletion of all Equifax subscriber number(s), access codes, telephone access number(s) and user passwords. If unauthorized access to Equifax Information is discovered or suspected, Customer shall immediately inform Equifax and shall further undertake all remedial efforts within its power and control to cure such unauthorized access or use. Customer shall inform its employees and agents that unauthorized access to consumer reports may subject them to civil and criminal liability under the FCRA, or other applicable laws or regulations, punishable by fines and imprisonment. The terms of this paragraph shall apply equally to a permitted Intermediary or business End-User and their respective employees/agents.
- Network Topology
- Customer’s Internet connection must be protected with dedicated, industry-recognized firewalls that are configured and managed to adhere to industry best practices.
- Equifax Information may only be held on a secure application server which can only be accessed by a secure presentation server, through one of the following:
  - Dual or multiple firewall method (preferred) – This method consists of a firewall between the Internet and the presentation server(s) and another firewall between the presentation server(s) and the application server holding Equifax Information. The network firewall should ensure that only the presentation server(s) is/are allowed to access the application server holding Equifax Information.
  - Single firewall method (acceptable) – When a dual firewall method is not feasible, a single firewall will provide acceptable levels of protection. The firewall should be installed between the Internet and the presentation server(s). Multiple interfaces to separate the presentation server(s) and the application server holding Equifax Information are required. The firewall should be configured to allow only the presentation server(s) access to the application server holding Equifax Information.
- All administrative access to the firewalls and servers should be through a secure internal network. Remote access must be configured so that the administrator dials into a LAN, is authenticated and verified, and then is granted access to the firewalls and servers from inside the network. No direct modem access should be available to the firewalls or servers.
- No internal Internet Protocol (IP) addresses should be publicly available or natively routed to the Internet.
- The network should not provide any access to any firewall or servers without proper strong authentication or through the firewalls.
- Any exceptions or alerts must be logged and reviewed by the Customer and maintained for at least one (1) year for review by Equifax.
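As an added illustration of the dual-firewall method described above (this ruleset is not part of the Equifax requirements and is not Equifax's or MicroBilt's configuration), the following nftables policy shows what the inner firewall between the presentation tier and the application server might enforce. The addresses, port numbers and table name are assumptions chosen for the example.

```nft
#!/usr/sbin/nft -f
# Constructed example: inner firewall of the dual-firewall method.
# Every address, port and name below is an assumption for illustration only.
flush ruleset

define PRESENTATION = { 10.0.1.10, 10.0.1.11 }   # presentation (HTTP) servers, DMZ side
define APP_SERVER   = 10.0.2.20                   # application server holding Equifax Information
define APP_PORT     = 8443                        # TLS-only service port offered to the presentation tier
define ADMIN_NET    = 10.0.100.0/24               # internal administration network

table inet inner_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;   # deny by default

        ct state established,related accept                 # return traffic for accepted sessions only
        ct state invalid drop

        # Only the presentation servers may open connections to the application
        # server, and only to its TLS service port. No Internet host is listed
        # here at all: the outer firewall already confines inbound traffic to
        # the DMZ, so the application server is never reachable from outside.
        ip saddr $PRESENTATION ip daddr $APP_SERVER tcp dport $APP_PORT ct state new accept

        # Administrative access (SSH) originates from the internal admin network
        # only, matching the "secure internal network" rule for administration.
        ip saddr $ADMIN_NET ip daddr $APP_SERVER tcp dport 22 ct state new accept

        # Anything that reaches this point is an exception: log it so it can be
        # reviewed and retained, then let the chain policy drop it.
        log prefix "inner_fw drop: " level warn
    }
}
```

Loaded with `nft -f`, the ruleset applies the same "presentation server only" restriction to a single-firewall deployment if the DMZ and application interfaces are separate interfaces on that one firewall.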
- End-User Authentication
- [B2B] All Equifax Information, including Proprietary Information and Consumer Information, shall only be shared by Customer with an End-User who has been authenticated by strong authentication methodology.
- [B2B] When Consumer Information is accessed by an End-User, the specific individual with access to the Information must be identified, each access shall be logged, and a record of this access shall be maintained for at least one (1) year.
- [B2C] For access by a Consumer End-User, the Customer shall ensure that Consumer Information is only released to the Consumer to whom it relates, by establishing that the person who is the End-User is the actual Consumer.
  - The Consumer must be authenticated through a high-assurance model that includes the use of at least three “shared-secrets”, which is information that should only be known by the Consumer and the Customer (via Equifax).
  - At least one of the three “shared-secrets” should not normally be found in the End-User’s wallet. Examples include social security number, mortgage payment information, auto payment information, etc. (Equifax must approve all “shared-secret” applications).
- End-User Verification
- Once an End-User has been authenticated as described above, the Customer shall employ a verification scheme that identifies the End-User and no other person, and provides an acceptable measure of security for access to Consumer Information.
Acceptable forms of verification are:
- The issuance and use of X.509 V3 digital certificates issued to the End-User by, or on behalf of, the Customer and/or Equifax. With regard to End-User access of Consumer Information through the Customer, the Customer will be responsible for:
  - Ensuring that each End-User’s private key is stored securely and protected by a password or pass phrase.
  - Managing timely revocation of each End-User’s digital certificate to ensure that only valid and current End-Users access Consumer Information.

  Note: This method of verification is preferred.
- If approved by Equifax, the Customer may utilize an alternative method of End-User verification, in the form of issuance by the Customer, and use by the End-User, of a User ID and password. Equifax requires that the Customer securely protect each End-User’s user ID and password. Password security procedures must offer appropriate protections against random access and provide for regular password changes. Normally, the initial password must be issued by the Customer and not created by the End-User.
  - Strong password policies must be in place (minimum length of 6 characters in a combination of alpha and numeric);
  - Passwords should be changed at least every 90 days; and
  - Passwords and user IDs should be encrypted with 128-bit encryption.
- For Consumer End-Users, the digital certificate method described above is the only acceptable End-User verification.
- The user IDs / passwords and digital certificate information should be stored on a server protected by the security measures applicable to Equifax Information.
- The Customer must ensure that IDs or certificates of End-Users who are no longer authorized to obtain Equifax Information are disabled or revoked immediately.
- The Customer must have procedures in place that create appropriate audit trails for all transactions.
- The Customer must take steps to protect End-User access by timing out the End-User after a period of inactivity not to exceed 30 minutes.
- Network Security Certification
- Equifax endorses, and in certain cases requires, a third-party network security certification and review on a periodic basis. This is in addition to, and does not supplant, the obligation to comply with these Internet Security Requirements. The certification and review should include the following:
  - A scan of all external IP addresses to determine if vulnerabilities exist in the Customer’s infrastructure.
  - Intrusion testing on at least a calendar quarter basis.
  - Review of security policies and procedures and incident management.
- The third-party network security certification is required of the Customer and any Intermediary, if the Customer or Intermediary will transmit to any other person Consumer Information for any purpose.
- If the Customer will not transmit to any other person Consumer Information, but instead is only using the Internet to receive Consumer Information for its own Permissible Purposes, then the third-party network security certification is recommended. If approved by Equifax, in lieu of a third-party security certification, the Customer may conduct its own periodic review with industry standard network and systems security software.
- The Customer agrees to comply with these Internet Security Requirements at all times.
- A breach of security or other circumstance which causes, or may have caused or allowed, access to Equifax Information by unauthorized persons or systems, whether intentional, fraudulent, or accidental, must be reported to Equifax as soon as possible and, in any case, not later than one (1) business day after discovery.
The Customer shall assume all liability for the use and/or resale of Consumer Information and its delivery via the Internet, and shall hold Equifax harmless from all such liability.
- Approval of Exceptions
Equifax must approve, in writing, any variance from these Internet Security Requirements.
Equifax retains the right to update or modify, from time to time, these Internet Security Requirements. If Equifax updates or modifies these Internet Security Requirements, Equifax will require that the Customer conform its systems, applications, processes or procedures to comply with the update or modification within a reasonable time period, having regard to all relevant security and legal concerns, as may be determined in the discretion of the Equifax Group Executive, reasonably exercised.
Compliance by the Customer with these Internet Security Requirements shall not relieve the Customer of the obligation to observe any other or further contractual, legal, or regulatory requirements, rules or terms, nor shall Equifax’s review or approval of any of Customer’s systems, applications, processes, or procedures constitute or be deemed to constitute the assumption by Equifax of any responsibility or liability for compliance by the Customer with any contractual, legal, or regulatory requirements, rules, or terms. Customer shall remain solely responsible for the security of its system, the security of all Equifax Information received by it from Equifax, and for any breach of that security. Equifax retains the right, in its sole discretion, to withhold approval of Internet access to Equifax Information for any reason. Equifax may suspend or terminate access to the Equifax Information at any time if Equifax has reason to believe that Customer, an Intermediary, or a business End-User has violated any of these Internet Security Requirements or any contractual, legal, or regulatory requirements, rules or terms.