PCI DSS Terminology and Concepts, Exams of Data Communication Systems and Computer Networks

An overview of various terms and concepts related to the payment card industry data security standard (PCI DSS). It covers authentication, authorization, access control, malware, encryption, payment processing, and compliance requirements. The document defines and explains key terms such as AAA, acquirer, adware, AES, ANSI, anti-virus, AOC, AOV, ASV, audit log, backup, BAU, Bluetooth, compensating controls, egress filtering, file integrity monitoring, index token, ingress filtering, injection flaws, issuer, LDAP, masking, memory scraping attacks, merchant, NAC, NAT, network segmentation, NMAP, non-console access, NTP, NVD, OCTAVE, organizational independence, OWASP, PAN, payment application, payment cards, payment processor, PIN block, POI, PTS, PVV, QIR, RADIUS, rainbow table attack, re-keying, RFC 1918, risk analysis/assessment, risk ranking, SDLC, secure coding, service provider, SSH, truncation, and various SAQ types.

Typology: Exams

2024/2025

Available from 10/18/2024

Holygrams
AAA ✔✔Acronym for "authentication, authorization, and accounting." Protocol for authenticating a user based on their verifiable identity, authorizing a user based on their user rights, and accounting for a user's consumption of network resources
Access Control ✔✔Mechanisms that limit availability of information or information-processing resources only to authorized persons or applications
Account Data ✔✔Consists of cardholder data and/or sensitive authentication data
Acquirer ✔✔Also referred to as "merchant bank," "acquiring bank," or "acquiring financial institution." Entity, typically a financial institution, that processes payment card transactions for merchants and is defined by a payment brand as an acquirer. Acquirers are subject to payment brand rules and procedures regarding merchant compliance
Administrative Access ✔✔Elevated or increased privileges granted to an account in order for that account to manage systems, networks and/or applications.
PCI ISA with verified questions & answers / Latest update 2025 (Graded A+)

Adware ✔✔Type of malicious software that, when installed, forces a computer to automatically display or download advertisements
AES ✔✔Abbreviation for "Advanced Encryption Standard." Block cipher used in symmetric cryptography, adopted by NIST in November 2001
ANSI ✔✔Acronym for "American National Standards Institute." Private, non-profit organization that administers and coordinates the US voluntary standardization and conformity assessment system
Anti-Virus ✔✔Program or software capable of detecting, removing, and protecting against various forms of malicious software, including viruses, worms, and Trojans
AOC ✔✔Acronym for "attestation of compliance." The AOC is a form for merchants and service providers to attest to the results of a PCI DSS assessment, as documented in the Self-Assessment Questionnaire or Report on Compliance
AOV ✔✔Acronym for "attestation of validation." The AOV is a form for PA-QSAs to attest to the results of a PA-DSS assessment, as documented in the PA-DSS Report on Validation.

In the context of a payment card transaction, authorization occurs when a merchant receives transaction approval after the acquirer validates the transaction with the issuer/processor.
Backup ✔✔A copy of data that is made in case the original data is lost or damaged. The backup can be used to restore the original data.
BAU ✔✔An acronym for "business as usual."
Bluetooth ✔✔A wireless protocol designed for transmitting data over short distances, replacing cables.
Buffer Overflow ✔✔This attack occurs when an attacker leverages a vulnerability in an application, causing data to be written to a memory area (that is, a buffer) that is being used by a different application.
Card Skimmer ✔✔A physical device, often attached to a legitimate card-reading device, designed to illegitimately capture and/or store the information from a payment card.

Compensating Controls ✔✔May be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls.
Cross-Site Scripting (XSS) ✔✔Vulnerability that is created from insecure coding techniques, resulting in improper input validation.
Egress Filtering ✔✔Method of filtering outbound network traffic such that only explicitly allowed traffic is permitted to leave the network.
File Integrity Monitoring ✔✔Technique or technology under which certain files or logs are monitored to detect if they are modified.
Index Token ✔✔A cryptographic token that replaces the PAN, based on a given index for an unpredictable value.
Ingress Filtering ✔✔Method of filtering inbound network traffic such that only explicitly allowed traffic is permitted to enter the network

Masking ✔✔A method of concealing a segment of data when displayed or printed
Memory Scraping Attacks ✔✔Malware activity that examines and extracts data that resides in memory as it is being processed, or which has not been properly flushed or overwritten
Merchant ✔✔Defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC as payment for goods or services.
Network Access Control (NAC) ✔✔A method of implementing security at the network layer by restricting the availability of network resources to endpoint devices according to a defined security policy
Network Address Translation (NAT) ✔✔Also known as masquerading or IP masquerading. Change of an IP address used within one network to a different IP address known within another network, allowing an organization to have internal addresses that are visible internally, and external addresses that are only visible externally

Network Segmentation ✔✔Isolates system components that store, process, or transmit cardholder data from systems that do not.
Network Security Scan ✔✔Process by which the entity's systems are remotely checked for vulnerabilities through use of manual or automated tools
Network Sniffing ✔✔A technique that passively monitors or collects network communications, decodes protocols, and examines contents for information of interest.
NMAP ✔✔Security scanning software that maps networks and identifies open ports in network resources
Non-Console Access ✔✔Refers to logical access to a system component that occurs over a network interface rather than via a direct, physical connection to the system component
Network Time Protocol (NTP) ✔✔Protocol for synchronizing the clocks of computer systems, network devices and other system components

Payment Application ✔✔A software application that stores, processes, or transmits cardholder data as part of authorization or settlement, where the payment application is sold, distributed, or licensed to third parties.
Payment Cards ✔✔Any card that bears the logo of a founding member of PCI SSC
Payment Processor ✔✔Entity engaged by a merchant or other entity to handle payment card transactions on their behalf.
PIN Block ✔✔A block of data used to encapsulate a PIN during processing. Its format defines the content of the PIN block and how it is processed to retrieve the PIN
POI (Point of Interaction) ✔✔Also POS; an electronic transaction-acceptance product.
PTS (PIN Transaction Security) ✔✔A set of modular evaluation requirements managed by PCI SSC for PIN acceptance POI terminals
PVV (PIN Verification Value) ✔✔Discretionary value encoded in the magnetic stripe of a payment card

QIR ✔✔Qualified Integrator or Reseller
RADIUS ✔✔Acronym for "remote authentication dial-in user service"
Rainbow Table Attack ✔✔Method of data attack using a pre-computed table of hash strings to identify the original data source, usually for cracking password or cardholder data hashes
Re-Keying ✔✔Process of changing cryptographic keys.
RFC 1918 ✔✔The standard identified by the Internet Engineering Task Force that defines the usage and appropriate address ranges for private networks
Risk Analysis/Risk Assessment ✔✔Process that identifies valuable system resources and threats; quantifies loss exposures based on estimated frequencies and costs of occurrence; and recommends how to allocate resources to countermeasures so as to minimize total exposure
Risk Ranking ✔✔A defined criterion of measurement based upon the risk assessment

SAQ A-EP ✔✔Applies to e-commerce merchants who partially outsource all payment processing to PCI DSS compliant service providers
SAQ B ✔✔Applies to merchants with no electronic cardholder data storage and who process payments either by standalone terminals or imprint-only machines.
SAQ B-IP ✔✔Used for merchants who process payments via standalone PTS-approved point-of-interaction (POI) devices with an IP connection to the payment processor.
SAQ C-VT ✔✔Developed for a specific environment and contains some subtle differences to SAQ C. The VT stands for virtual terminals and applies to externally hosted web payment solutions for merchants with no electronic cardholder data storage.
SAQ C ✔✔Applies to merchants with a payment application connected to the Internet and no electronic storage of cardholder data. It normally applies to small merchants who have deployed out-of-the-box software to a standalone machine for taking individual payments.
SAQ P2PE ✔✔This new SAQ type has been introduced for merchants who process card data only via payment terminals included in a validated and PCI SSC-listed Point-to-Point Encryption (P2PE) solution.

SAQ D ✔✔Applies to any merchants who do not meet the criteria for other SAQs, as well as all service providers.