PCI ISA EXAM QUESTIONS WITH SOLUTIONS
AAA - -Acronym for "authentication, authorization, and accounting." Protocol for
authenticating a user based on their verifiable identity, authorizing a user based on their
user rights, and accounting for a user's consumption of network resources
-Access Control - -Mechanisms that limit availability of information or information-
processing resources only to authorized persons or applications
-Account Data - -consists of cardholder data and/or sensitive authentication data
-Acquirer - -Also referred to as "merchant bank," "acquiring bank," or "acquiring financial
institution". Entity, typically a financial institution, that processes payment card
transactions for merchants and is defined by a payment brand as an acquirer. Acquirers are
subject to payment brand rules and procedures regarding merchant compliance
-Administrative Access - -Elevated or increased privileges granted to an account in order
for that account ot manage systems, networks and/or applications.
-Adware - -Type of malicious software that, when installed, forces a computer to
automatically display or download advertisements
-AES - -Abbreviation for "Advanced Encryption Standard." Block cipher used in symmetric
cryptography adopted by NIST in November 2001
-ANSI - -Acronym for "American National Standards Institute" Private, non-profit
organization that administers and coordinates the US voluntary standardization and
conformity assessment system
-Anti-Virus - -Program or software capable of detecting, removing, and protecting against
various forms of malicious software including viruses, worms, Trojans
-AOC - -Acronym for "attestation of compliance". The AOC is a form for merchants and
service providers to attest to the results of a PCI DSS assessment, as documented in the
Self-Assessment Questionnaire or Report on Compliance
-AOV - -Acronym for "attestation of validation". The AOV is a form for PA_QSAs to attest to
the results of a PA_DSS assessment, as documented in the PA-DSS Report on Validation.
-Application - -Includes all purchased and custom software programs or groups of
programs, including both internal and external applications.
-ASV - -Acronym for "approved Scanning Vendor". Company approved by the PCI SSC to
conduct external vulnerability scanning services.
, -Audit Log - -Also referred to as audit trail. Chronological record of system activities.
Provides an independently verifiable trail sufficient to permit reconstruction, review, and
examination of sequence of environments and activities surrounding or leading to
operation, procedure, or event in a transaction from inception to final results.
-Authentication - -Process of verifying identity of an individual, device, or process.
-Authentication Credentials - -Combination of the user ID or account ID plus the
authentication factors used to authenticate and individual, device, or process
-Authorization - -In the context of access controls, authorization is the granting of access
or other rights to a user, program, or process.
In the context of a a payment card transaction, authorization occurs when a merchant
receives transaction approval after the acquirer to validates the transaction with the
issuer/processor.
-Backup - -A copy of data that is made in case the original data is lost or damaged. The
backup can be used to restore the original data.
-BAU - -An acronym for "business as usual".
-Bluetoot - -_____ is a wireless protocol designed for transmitting data over short distances,
replacing cables.
-Buffer Overflow - -This attack occurs when an attacker leverages a vulnerability in an
application, causing data to be written to a memory area (that is, a buffer) that's being used
by a different application.
-Card Skimmer - -A physical device, often attached to legitimate card-reading device,
designed to illegitimately capture and/or store the information from a payment card.
-Compensating Controls - -may be considered when an entity cannot meet a requirement
explicitly as stated, due to legitimate technical or documented business constraints, but has
sufficiently mitigated the risk associated with the requirement through implementation of
other controls.
-Cross-Site Scripting (XSS) - -Vulnerability that is created from insecure coding
techniques, resulting in improper input validation.
-Egress Filtering - -Method of filtering outbound network traffic such that only explicitly
allowed traffic is permitted to leave the network.
-File Integrity Monitoring - -Technique or technology under which certain files or logs are
monitored to detect if they are modified.
AAA - -Acronym for "authentication, authorization, and accounting." Protocol for
authenticating a user based on their verifiable identity, authorizing a user based on their
user rights, and accounting for a user's consumption of network resources
-Access Control - -Mechanisms that limit availability of information or information-
processing resources only to authorized persons or applications
-Account Data - -consists of cardholder data and/or sensitive authentication data
-Acquirer - -Also referred to as "merchant bank," "acquiring bank," or "acquiring financial
institution". Entity, typically a financial institution, that processes payment card
transactions for merchants and is defined by a payment brand as an acquirer. Acquirers are
subject to payment brand rules and procedures regarding merchant compliance
-Administrative Access - -Elevated or increased privileges granted to an account in order
for that account ot manage systems, networks and/or applications.
-Adware - -Type of malicious software that, when installed, forces a computer to
automatically display or download advertisements
-AES - -Abbreviation for "Advanced Encryption Standard." Block cipher used in symmetric
cryptography adopted by NIST in November 2001
-ANSI - -Acronym for "American National Standards Institute" Private, non-profit
organization that administers and coordinates the US voluntary standardization and
conformity assessment system
-Anti-Virus - -Program or software capable of detecting, removing, and protecting against
various forms of malicious software including viruses, worms, Trojans
-AOC - -Acronym for "attestation of compliance". The AOC is a form for merchants and
service providers to attest to the results of a PCI DSS assessment, as documented in the
Self-Assessment Questionnaire or Report on Compliance
-AOV - -Acronym for "attestation of validation". The AOV is a form for PA_QSAs to attest to
the results of a PA_DSS assessment, as documented in the PA-DSS Report on Validation.
-Application - -Includes all purchased and custom software programs or groups of
programs, including both internal and external applications.
-ASV - -Acronym for "approved Scanning Vendor". Company approved by the PCI SSC to
conduct external vulnerability scanning services.
, -Audit Log - -Also referred to as audit trail. Chronological record of system activities.
Provides an independently verifiable trail sufficient to permit reconstruction, review, and
examination of sequence of environments and activities surrounding or leading to
operation, procedure, or event in a transaction from inception to final results.
-Authentication - -Process of verifying identity of an individual, device, or process.
-Authentication Credentials - -Combination of the user ID or account ID plus the
authentication factors used to authenticate and individual, device, or process
-Authorization - -In the context of access controls, authorization is the granting of access
or other rights to a user, program, or process.
In the context of a a payment card transaction, authorization occurs when a merchant
receives transaction approval after the acquirer to validates the transaction with the
issuer/processor.
-Backup - -A copy of data that is made in case the original data is lost or damaged. The
backup can be used to restore the original data.
-BAU - -An acronym for "business as usual".
-Bluetoot - -_____ is a wireless protocol designed for transmitting data over short distances,
replacing cables.
-Buffer Overflow - -This attack occurs when an attacker leverages a vulnerability in an
application, causing data to be written to a memory area (that is, a buffer) that's being used
by a different application.
-Card Skimmer - -A physical device, often attached to legitimate card-reading device,
designed to illegitimately capture and/or store the information from a payment card.
-Compensating Controls - -may be considered when an entity cannot meet a requirement
explicitly as stated, due to legitimate technical or documented business constraints, but has
sufficiently mitigated the risk associated with the requirement through implementation of
other controls.
-Cross-Site Scripting (XSS) - -Vulnerability that is created from insecure coding
techniques, resulting in improper input validation.
-Egress Filtering - -Method of filtering outbound network traffic such that only explicitly
allowed traffic is permitted to leave the network.
-File Integrity Monitoring - -Technique or technology under which certain files or logs are
monitored to detect if they are modified.
