
PCI ISA Latest 2023 Graded A


AAA ✔✔Acronym for "authentication, authorization, and accounting." Protocol for authenticating a user based on their verifiable identity, authorizing a user based on their user rights, and accounting for a user's consumption of network resources.
Access Control ✔✔Mechanisms that limit availability of information or information-processing resources only to authorized persons or applications.
Account Data ✔✔Consists of cardholder data and/or sensitive authentication data.
Acquirer ✔✔Also referred to as "merchant bank," "acquiring bank," or "acquiring financial institution." Entity, typically a financial institution, that processes payment card transactions for merchants and is defined by a payment brand as an acquirer. Acquirers are subject to payment brand rules and procedures regarding merchant compliance.
Administrative Access ✔✔Elevated or increased privileges granted to an account in order for that account to manage systems, networks and/or applications.
Adware ✔✔Type of malicious software that, when installed, forces a computer to automatically display or download advertisements.
AES ✔✔Abbreviation for "Advanced Encryption Standard." Block cipher used in symmetric cryptography, adopted by NIST in November 2001 (FIPS 197).
ANSI ✔✔Acronym for "American National Standards Institute." Private, non-profit organization that administers and coordinates the US voluntary standardization and conformity assessment system.
Anti-Virus ✔✔Program or software capable of detecting, removing, and protecting against various forms of malicious software, including viruses, worms and Trojans.
AOC ✔✔Acronym for "Attestation of Compliance." The AOC is a form for merchants and service providers to attest to the results of a PCI DSS assessment, as documented in the Self-Assessment Questionnaire or Report on Compliance.
AOV ✔✔Acronym for "Attestation of Validation." The AOV is a form for PA-QSAs to attest to the results of a PA-DSS assessment, as documented in the PA-DSS Report on Validation.
Application ✔✔Includes all purchased and custom software programs or groups of programs, including both internal and external applications.
ASV ✔✔Acronym for "Approved Scanning Vendor." Company approved by the PCI SSC to conduct external vulnerability scanning services.
Audit Log ✔✔Also referred to as "audit trail." Chronological record of system activities. Provides an independently verifiable trail sufficient to permit reconstruction, review, and examination of the sequence of environments and activities surrounding or leading to an operation, procedure, or event in a transaction from inception to final results.
Authentication ✔✔Process of verifying the identity of an individual, device, or process.
Authentication Credentials ✔✔Combination of the user ID or account ID plus the authentication factor(s) used to authenticate an individual, device, or process.
Authorization ✔✔In the context of access controls, the granting of access or other rights to a user, program, or process. In the context of a payment card transaction, authorization occurs when a merchant receives transaction approval after the acquirer validates the transaction with the issuer/processor.
Backup ✔✔A copy of data made in case the original data is lost or damaged. The backup can be used to restore the original data.
BAU ✔✔Acronym for "business as usual."
Bluetooth ✔✔Wireless protocol designed for transmitting data over short distances, replacing cables.
Buffer Overflow ✔✔Vulnerability created by insecure coding, where a program writes more data into a buffer than the buffer can hold and overruns its boundary into adjacent memory of the same process. An attacker who controls the overflowing data can corrupt neighbouring variables or control-flow data and may take control of the program.
Card Skimmer ✔✔A physical device, often attached to a legitimate card-reading device, designed to illegitimately capture and/or store the information from a payment card.
Compensating Controls ✔✔May be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls.
Cross-Site Scripting (XSS) ✔✔Vulnerability created by insecure coding techniques resulting in improper input validation or output encoding, which allows attacker-supplied script to be relayed through a web application and executed in other users' browsers.
Egress Filtering ✔✔Method of filtering outbound network traffic such that only explicitly allowed traffic is permitted to leave the network.
File Integrity Monitoring ✔✔Technique or technology under which certain files or logs are monitored to detect if they are modified.
Index Token ✔✔A cryptographic token that replaces the PAN, based on a given index for an unpredictable value.
Ingress Filtering ✔✔Method of filtering inbound network traffic such that only explicitly allowed traffic is permitted to enter the network.
Injection Flaws ✔✔Vulnerability created by insecure coding techniques resulting in improper input validation, which allows attackers to relay malicious code (for example SQL statements or OS commands) through a web application to the underlying system or interpreter.
Issuer ✔✔Entity that issues payment cards or performs, facilitates, or supports issuing services, including but not limited to issuing banks and issuing processors.
Issuing Services ✔✔May include but are not limited to authorization and card personalization.
Lightweight Directory Access Protocol (LDAP) ✔✔Protocol for querying and modifying a directory that holds authentication and authorization data; used to look up user permissions and grant access to protected resources.
Message Authentication Code (MAC) ✔✔A short piece of information, computed from the message and a secret key, used to authenticate a message and detect tampering.
MAC Address ✔✔Unique identifying value assigned by manufacturers to network adapters and network interface cards.
Masking ✔✔A method of concealing a segment of data when it is displayed or printed. Masking protects the PAN on screens and receipts; it does not change what is stored.
Memory Scraping Attacks ✔✔Malware activity that examines and extracts data that resides in memory as it is being processed, or which has not been properly flushed or overwritten.
Merchant ✔✔Any entity that accepts payment cards bearing the logos of any of the five founding members of PCI SSC as payment for goods or services.
Network Access Control (NAC) ✔✔A method of implementing security at the network layer by restricting the availability of network resources to endpoint devices according to a defined security policy.
Network Address Translation (NAT) ✔✔Also known as masquerading or IP masquerading. Change of an IP address used within one network to a different IP address known within another network, allowing an organization to have internal addresses that are visible only internally and external addresses that are visible only externally.
Network Segmentation ✔✔Isolates system components that store, process, or transmit cardholder data from systems that do not. Segmentation is not a PCI DSS requirement, but it can reduce the scope of the cardholder data environment and therefore of the assessment.
Network Security Scan ✔✔Process by which the entity's systems are remotely checked for vulnerabilities through the use of manual or automated tools.
Network Sniffing ✔✔A technique that passively monitors or collects network communications, decodes protocols, and examines contents for information of interest.
NMAP ✔✔Security scanning software that maps networks and identifies open ports on network resources.
Non-Console Access ✔✔Logical access to a system component that occurs over a network interface rather than via a direct, physical connection to the system component.
Network Time Protocol (NTP) ✔✔Protocol for synchronizing the clocks of computer systems, network devices and other system components.
National Vulnerability Database (NVD) ✔✔The US government repository of standards-based vulnerability management data.
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) ✔✔A suite of tools, techniques and methods for risk-based information security strategic assessment and planning.
Organizational Independence ✔✔Organizational structure that ensures there is no conflict of interest between the person or department performing an activity and the person or department assessing that activity.
OWASP (Open Web Application Security Project) ✔✔A non-profit organization focused on improving the security of application software.
Pad ✔✔One-time pad: an encryption scheme in which the plaintext is combined with a random key, or "pad," that is as long as the plaintext and is used only once.
PAN (Primary Account Number) ✔✔Unique payment card number that identifies the issuer and the particular cardholder account.
Payment Application ✔✔A software application that stores, processes, or transmits cardholder data as part of authorization or settlement, where the payment application is sold, distributed, or licensed to third parties.
Payment Cards ✔✔Any card that bears the logo of a founding member of PCI SSC.
Payment Processor ✔✔Entity engaged by a merchant or other entity to handle payment card transactions on their behalf.
PIN Block ✔✔A block of data used to encapsulate a PIN during processing. The PIN block format defines the content of the block and how it is processed to retrieve the PIN.
POI (Point of Interaction) ✔✔The initial point where data is read from a card; an electronic transaction-acceptance product (for example a POS terminal).
PTS (PIN Transaction Security) ✔✔A set of modular evaluation requirements managed by PCI SSC for PIN-acceptance POI terminals.
PVV (PIN Verification Value) ✔✔Discretionary value encoded in the magnetic stripe of a payment card.
QIR ✔✔Acronym for "Qualified Integrator or Reseller": an integrator or reseller qualified by PCI SSC to securely install and maintain payment applications and systems.
RADIUS ✔✔Acronym for "Remote Authentication Dial-In User Service." Authentication and accounting system that checks whether credentials such as a username and password passed to the RADIUS server are correct and then authorizes access.
Rainbow Table Attack ✔✔Method of attack using a pre-computed table of hashes to identify the original data, usually for cracking password or cardholder data hashes. Unkeyed hashes of short, structured values such as PANs are especially exposed because the candidate space is small.
Re-Keying ✔✔Process of changing cryptographic keys.
RFC 1918 ✔✔The IETF standard that defines the usage and address ranges for private networks (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16).
Risk Analysis/Risk Assessment ✔✔Process that identifies valuable system resources and threats; quantifies loss exposures based on estimated frequencies and costs of occurrence; and recommends how to allocate resources to countermeasures so as to minimize total exposure.
Risk Ranking ✔✔A defined criterion of measurement based upon the risk assessment.
SDLC ✔✔Phases of the development of software or a computer system, including planning, analysis, design, testing, and implementation.
Secure Coding ✔✔The process of creating and implementing applications that are resistant to tampering and/or compromise.
Service Provider ✔✔Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity.
SSH ✔✔Protocol suite providing encryption for network services such as remote login or remote file transfer.
Truncation ✔✔Method of rendering the full PAN unreadable by permanently removing a segment of PAN data. Truncation applies to stored PAN, whereas masking applies to PAN that is displayed or printed.
SAQ A ✔✔Applies to card-not-present merchants who have completely outsourced all cardholder data functions to PCI DSS compliant third-party service providers.
SAQ A-EP ✔✔Applies to e-commerce merchants that outsource payment processing to PCI DSS compliant third parties but whose website(s) can affect the security of the payment transaction (for example by delivering or redirecting to the payment page), so the outsourcing is only partial.
SAQ B ✔✔Applies to merchants with no electronic cardholder data storage who process payments only via imprint machines or standalone dial-out terminals.
SAQ B-IP ✔✔Used for merchants who process payments via standalone PTS-approved point-of-interaction (POI) devices with an IP connection to the payment processor and no electronic cardholder data storage.
SAQ C-VT ✔✔Developed for a specific environment and contains some subtle differences from SAQ C. The "VT" stands for "virtual terminal"; it applies to merchants that manually enter one transaction at a time via a keyboard into an Internet-based virtual terminal hosted by a PCI DSS compliant third party, with no electronic cardholder data storage.
SAQ C ✔✔Applies to merchants with payment application systems connected to the Internet and no electronic storage of cardholder data. It normally applies to small merchants who have deployed out-of-the-box software on a standalone machine for taking individual payments.
SAQ P2PE ✔✔Applies to merchants who process card data only via payment terminals included in a validated and PCI SSC-listed Point-to-Point Encryption (P2PE) solution.
SAQ D ✔✔Applies to merchants who do not meet the criteria for any other SAQ, and to all service providers eligible to complete an SAQ.
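The Masking, Truncation and Rainbow Table Attack entries above are related in practice: a masked PAN is only hidden at display time, a truncated PAN is stored without its middle digits, and an unkeyed hash of the same PAN can be reversed by precomputation precisely because the truncated copy reveals most of the digits. The following worked example is added here and is not part of the original glossary. It assumes a constructed test PAN (4111111111111111), a randomly generated key that would in practice live in an HSM or key management service, and the first-8/last-4 truncation option so that the enumerated candidate space stays small (10,000 strings, 1,000 of them Luhn-valid); with first-6/last-4 truncation the space is 100,000 Luhn-valid PANs, which is still trivial to precompute.

```python
"""Added example: mask, truncate and hash a PAN, then show that an unkeyed
hash is reversible by a precomputed table when a truncated copy of the same
PAN is available, while a keyed hash (HMAC) is not.  All PANs, keys and the
first-8/last-4 truncation choice below are constructed for the demo."""
import hashlib
import hmac
import itertools
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check over a 13-19 digit string; False for anything else."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, first: int = 6, last: int = 4) -> str:
    """Masking: hide the middle digits for display/printing only.
    The full PAN still exists behind the mask, so storage scope is unchanged."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return pan[:first] + "*" * (len(pan) - first - last) + pan[-last:]


def truncate_pan(pan: str, first: int = 6, last: int = 4) -> str:
    """Truncation: permanently drop the middle digits before storage.
    Only the retained digits are ever written to disk."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return pan[:first] + pan[-last:]


def unkeyed_hash(pan: str) -> str:
    """Plain SHA-256 of the PAN: deterministic, so reversible by precomputation."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: without the key no table can be built."""
    return hmac.new(key, pan.encode(), "sha256").hexdigest()


def candidate_pans(prefix: str, suffix: str, length: int = 16):
    """Enumerate every Luhn-valid PAN consistent with a truncated copy."""
    free = length - len(prefix) - len(suffix)
    for middle in itertools.product("0123456789", repeat=free):
        pan = prefix + "".join(middle) + suffix
        if luhn_valid(pan):
            yield pan


def build_lookup_table(prefix: str, suffix: str, length: int = 16) -> dict:
    """Precomputed hash -> PAN table (the rainbow-table idea without chain
    compression, which is unnecessary for a candidate space this small)."""
    return {unkeyed_hash(p): p for p in candidate_pans(prefix, suffix, length)}


def recover_pan(stored_hash: str, table: dict):
    """Reverse a stored hash by table lookup; None if it is not in the table."""
    return table.get(stored_hash)


def demo(pan: str = "4111111111111111") -> dict:
    """Run the whole scenario on a constructed test PAN and return the results."""
    key = secrets.token_bytes(32)            # hypothetical: would be held in an HSM/KMS
    truncated = truncate_pan(pan, first=8)   # assumed first-8/last-4 truncation
    # The attacker reads prefix and suffix from the truncated record.
    table = build_lookup_table(truncated[:8], truncated[-4:], len(pan))
    return {
        "masked": mask_pan(pan),
        "truncated": truncated,
        "table_size": len(table),
        "unkeyed_recovered": recover_pan(unkeyed_hash(pan), table),
        "keyed_recovered": recover_pan(keyed_hash(pan, key), table),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the table size makes is that once the truncated copy fixes twelve of sixteen digits and the Luhn check digit fixes one more, an attacker only needs to hash about a thousand candidates to reverse the unkeyed hash; this is why PCI DSS requires that hashed and truncated versions of the same PAN not be correlatable and why hashes of PAN must be keyed.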

By Nutmegs
Uploaded Apr 03, 2023
Number of pages: 14