AND VERIFIED CORRECT ANSWERS (GET ALL 100% RIGHT) STUDY GUIDE GRADE A+
Administrative Access
Elevated or increased privileges granted to an account in order for that account to
manage systems, networks and/or applications.
Adware
Type of malicious software that, when installed, forces a computer to automatically
display or download advertisements
Authentication
Process of verifying identity of an individual, device, or process.
Authentication Credentials
Combination of the user ID or account ID plus the authentication factors used to
authenticate an individual, device, or process.
Authorization
In the context of access controls, authorization is the granting of access or other rights
to a user, program, or process.
In the context of a payment card transaction, authorization occurs when a merchant
receives transaction approval after the acquirer validates the transaction with the
issuer/processor.
AES
Abbreviation for "Advanced Encryption Standard." Block cipher used in symmetric
cryptography adopted by NIST in November 2001
ANSI
Acronym for "American National Standards Institute." Private, non-profit organization
that administers and coordinates the US voluntary standardization and conformity
assessment system.
Anti-Virus
Program or software capable of detecting, removing, and protecting against various
forms of malicious software including viruses, worms, Trojans
AAA
Acronym for "authentication, authorization, and accounting." Protocol for authenticating
a user based on their verifiable identity, authorizing a user based on their user rights,
and accounting for a user's consumption of network resources
Access Control
Mechanisms that limit availability of information or information-processing resources
only to authorized persons or applications
Account Data
consists of cardholder data and/or sensitive authentication data
Acquirer
Also referred to as "merchant bank," "acquiring bank," or "acquiring financial institution".
Entity, typically a financial institution, that processes payment card transactions for
merchants and is defined by a payment brand as an acquirer. Acquirers are subject to
payment brand rules and procedures regarding merchant compliance
AOC
Acronym for "attestation of compliance". The AOC is a form for merchants and service
providers to attest to the results of a PCI DSS assessment, as documented in the Self-
Assessment Questionnaire or Report on Compliance
AOV
Acronym for "attestation of validation". The AOV is a form for PA-QSAs to attest to the
results of a PA-DSS assessment, as documented in the PA-DSS Report on Validation.
Application
Includes all purchased and custom software programs or groups of programs, including
both internal and external applications.
ASV
Acronym for "Approved Scanning Vendor". Company approved by the PCI SSC to
conduct external vulnerability scanning services.
Audit Log
Also referred to as audit trail. Chronological record of system activities. Provides an
independently verifiable trail sufficient to permit reconstruction, review, and examination
of sequence of environments and activities surrounding or leading to operation,
procedure, or event in a transaction from inception to final results.
Backup
A copy of data that is made in case the original data is lost or damaged. The backup
can be used to restore the original data.
BAU
An acronym for "business as usual".
Bluetooth
_____ is a wireless protocol designed for transmitting data over short distances,
replacing cables.
Buffer Overflow
This attack occurs when an attacker leverages a vulnerability in an application, causing
data to be written to a memory area (that is, a buffer) that's being used by a different
application.
Card Skimmer
A physical device, often attached to a legitimate card-reading device, designed to
illegitimately capture and/or store the information from a payment card.
Compensating Controls
may be considered when an entity cannot meet a requirement explicitly as stated, due
to legitimate technical or documented business constraints, but has sufficiently
mitigated the risk associated with the requirement through implementation of other
controls.
Cross-Site Scripting (XSS)
Vulnerability that is created from insecure coding techniques, resulting in improper input
validation.
Egress Filtering