PCI ISA Latest 2023 Graded A
AAA ✔✔Acronym for "authentication, authorization, and accounting." Protocol for
authenticating a user based on their verifiable identity, authorizing a user based on their user
rights, and accounting for a user's consumption of network resources
Access Control ✔✔Mechanisms that limit availability of information or information-processing
resources only to authorized persons or applications
Account Data ✔✔consists of cardholder data and/or sensitive authentication data
Acquirer ✔✔Also referred to as "merchant bank," "acquiring bank," or "acquiring financial
institution." Entity, typically a financial institution, that processes payment card transactions for
merchants and is defined by a payment brand as an acquirer. Acquirers are subject to payment
brand rules and procedures regarding merchant compliance
Administrative Access ✔✔Elevated or increased privileges granted to an account in order for
that account to manage systems, networks and/or applications.
Adware ✔✔Type of malicious software that, when installed, forces a computer to automatically
display or download advertisements
AES ✔✔Abbreviation for "Advanced Encryption Standard." Block cipher used in symmetric
cryptography adopted by NIST in November 2001
ANSI ✔✔Acronym for "American National Standards Institute." Private, non-profit organization
that administers and coordinates the US voluntary standardization and conformity assessment
system
Anti-Virus ✔✔Program or software capable of detecting, removing, and protecting against
various forms of malicious software including viruses, worms, Trojans
AOC ✔✔Acronym for "attestation of compliance". The AOC is a form for merchants and
service providers to attest to the results of a PCI DSS assessment, as documented in the Self-Assessment Questionnaire or Report on Compliance
AOV ✔✔Acronym for "attestation of validation". The AOV is a form for PA-QSAs to attest to
the results of a PA-DSS assessment, as documented in the PA-DSS Report on Validation.
Application ✔✔Includes all purchased and custom software programs or groups of programs,
including both internal and external applications.
ASV ✔✔Acronym for "Approved Scanning Vendor". Company approved by the PCI SSC to
conduct external vulnerability scanning services.
Audit Log ✔✔Also referred to as audit trail. Chronological record of system activities. Provides
an independently verifiable trail sufficient to permit reconstruction, review, and examination of
sequence of environments and activities surrounding or leading to operation, procedure, or event
in a transaction from inception to final results.
Authentication ✔✔Process of verifying identity of an individual, device, or process.
Authentication Credentials ✔✔Combination of the user ID or account ID plus the authentication
factors used to authenticate an individual, device, or process
Authorization ✔✔In the context of access controls, authorization is the granting of access or
other rights to a user, program, or process.
In the context of a payment card transaction, authorization occurs when a merchant receives
transaction approval after the acquirer validates the transaction with the issuer/processor.
Backup ✔✔A copy of data that is made in case the original data is lost or damaged. The backup
can be used to restore the original data.
BAU ✔✔An acronym for "business as usual".
Bluetooth ✔✔_____ is a wireless protocol designed for transmitting data over short distances,
replacing cables.
Buffer Overflow ✔✔This attack occurs when an attacker leverages a vulnerability in an
application, causing data to be written to a memory area (that is, a buffer) that's being used by a
different application.
Card Skimmer ✔✔A physical device, often attached to legitimate card-reading device, designed
to illegitimately capture and/or store the information from a payment card.
Compensating Controls ✔✔may be considered when an entity cannot meet a requirement
explicitly as stated, due to legitimate technical or documented business constraints, but has
sufficiently mitigated the risk associated with the requirement through implementation of other
controls.
Cross-Site Scripting (XSS) ✔✔Vulnerability that is created from insecure coding techniques,
resulting in improper input validation.
Egress Filtering ✔✔Method of filtering outbound network traffic such that only explicitly
allowed traffic is permitted to leave the network.
File Integrity Monitoring ✔✔Technique or technology under which certain files or logs are
monitored to detect if they are modified.
Index Token ✔✔A cryptographic token that replaces the PAN, based on a given index for an
unpredictable value.
Ingress Filtering ✔✔Method of filtering inbound network traffic such that only explicitly
allowed traffic is permitted to enter the network
Injection Flaws ✔✔Vulnerability that is created from insecure coding techniques resulting in
improper input validation, which allows attackers to relay malicious code through a web
application to the underlying system.
Issuer ✔✔Entity that issues payment cards or performs, facilitates, or supports issuing services
including but not limited to issuing banks and issuing processors.
Issuing Services ✔✔may include but are not limited to authorization and card personalization.
Lightweight Directory Access Protocol (LDAP) ✔✔Authentication and authorization data
repository utilized for querying and modifying user permissions and granting access to protected
resources.
Message Authentication Code (MAC) ✔✔a small piece of information used to authenticate a
message
MAC Address ✔✔Unique identifying value assigned by manufacturers to network adapters and
network interface cards.
Masking ✔✔a method of concealing a segment of data when displayed or printed
Memory Scraping Attacks ✔✔Malware activity that examines and extracts data that resides in
memory as it is being processed or which has not been properly flushed or overwritten
Merchant ✔✔defined as any entity that accepts payment cards bearing the logos of any of the
five members of PCI SSC as payment for goods or services.
Network access control (NAC) ✔✔A method of implementing security at the network layer by
restricting the availability of network resources to endpoint devices according to a defined
security policy
Network Address Translation (NAT) ✔✔also known as masquerading or IP masquerading.
Change of an IP address used within one network to a different IP address known within another
network, allowing an organization to have internal addresses that are visible internally, and
external addresses that are only visible externally
Network Segmentation ✔✔isolates system components that store, process, or transmit cardholder
data from systems that do not.
Network Security Scan ✔✔Process by which the entity's systems are remotely checked for
vulnerabilities through use of manual or automated tools
Network Sniffing ✔✔a technique that passively monitors or collects network communications,
decodes protocols, and examines contents for information of interest.
NMAP ✔✔Security scanning software that maps networks and identifies open ports in network
resources
Non-Console Access ✔✔Refers to logical access to a system component that occurs over a
network interface rather than via a direct, physical connection to the system component
Network Time Protocol (NTP) ✔✔Protocol for synchronizing the clocks of computer systems,
network devices and other system components
National Vulnerability Database (NVD) ✔✔the US government repository of standards-based
vulnerability management data
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) ✔✔a suite of
tools, techniques and methods for risk-based information security strategic assessment and
planning
Organizational Independence ✔✔organizational structure that ensures there is no conflict of
interest between the person or department performing the activity and the person or department
assessing the activity
OWASP (Open Web Application Security Project) ✔✔a non-profit organization focused on
improving the security of application software
Pad ✔✔an encryption algorithm with text combined with a random key or "pad" that is as long
as the plain-text and used only once
PAN (primary account number) ✔✔unique payment card number that identifies the issuer and the
particular cardholder account
Payment Application ✔✔a software application that stores, processes, or transmits cardholder
data as part of the authorization or settlement, where the payment application is sold, distributed,
or licensed to third parties.
Payment Cards ✔✔any card that bears the logo of a founding member of PCI SSC
Payment Processor ✔✔Entity engaged by a merchant or other entity to handle payment card
transactions on their behalf.
PIN Block ✔✔a block of data used to encapsulate a PIN during processing. Defines the content
of the PIN block and how it is processed to retrieve the PIN
POI (point of interaction) ✔✔also POS; an electronic transaction-acceptance product.
PTS (PIN Transaction Security) ✔✔a set of modular evaluation requirements managed by PCI
SSC for PIN acceptance POI terminals
PVV (PIN verification value) ✔✔Discretionary value encoded in magnetic stripe of payment card
QIR ✔✔Qualified Integrator or Reseller
RADIUS ✔✔Remote Authentication Dial-In User Service
Rainbow Table Attack ✔✔Method of data attack using a pre-computed table of hash strings to
identify the original data source, usually for cracking password or cardholder data hashes
Re-Keying ✔✔Process of changing cryptographic keys.
RFC 1918 ✔✔the standard identified by the Internet Engineering Task Force that defines the
usage and appropriate address ranges for private networks
Risk Analysis/Risk Assessment ✔✔process that identifies valuable system resources and threats;
quantifies loss exposures based on estimated frequencies and costs of occurrence; and
recommends how to allocate resources to countermeasures so as to minimize total exposure
Risk Ranking ✔✔a defined criterion of measurement based upon the risk assessment
SDLC ✔✔phases of the development of software or computer system that includes planning,
analysis, design, testing, and implementation
Secure Coding ✔✔The process of creating and implementing applications that are resistant to
tampering and/or compromise
Service Provider ✔✔Business entity that is not a payment brand, directly involved in the
processing, storage, or transmission of cardholder data on behalf of another entity.
SSH ✔✔Protocol suite providing encryption for network services like remote login or remote
file transfer
Truncation ✔✔method of rendering the full PAN unreadable by permanently removing a
segment of PAN data
SAQ A ✔✔applies to card not present merchants who have completely outsourced all cardholder
data processing functions
SAQ A-EP ✔✔applies to e-commerce merchants who partially outsource all payment
processing to PCI DSS compliant service providers
SAQ B ✔✔applies to merchants with no electronic cardholder data storage and who process
payments either by standalone terminals or imprint-only machines.
SAQ B-IP ✔✔used for merchants who process payments via standalone PTS-approved point-of-interaction (POI) devices with an IP connection to the payment processor.
SAQ C-VT ✔✔developed for a specific environment and contains some subtle differences
to SAQ C. The VT stands for virtual terminals and applies to externally hosted web payment
solutions for merchants with no electronic cardholder data storage.
SAQ C ✔✔applies to merchants with a payment application connected to the Internet and no
electronic storage of cardholder data. It normally applies to small merchants who have deployed
out-of-the box software to a standalone machine for taking individual payments.
SAQ P2PE ✔✔This new SAQ type has been introduced for merchants who process card data
only via payment terminals included in a validated and PCI SSC-listed Point-to-Point Encryption
(P2PE) solution.
SAQ D ✔✔applies to any merchants who do not meet the criteria for other SAQs, as well as all
service providers.