QSA Glosary

Question 1

AAA

Answer 1

Authentication, Authorization, and accounting

Question 2

Account Data

Answer 2

Cardholder sensitive data to include account # and identifying data

Question 3

Acquirer

Answer 3

The Merchant Bank, acquiring bank, or acquiring financial institution. Runs the payment acceptance

Question 4

AOC

Answer 4

Attestation of compliance. A form that attests results of a self-assessment or Report on Compliance

Question 5

AOV

Answer 5

attestation of validation

Question 6

ASV

Answer 6

approved scanning vendor

Question 7

Audit Log

Answer 7

the record of system activities. same as audit trail

Question 8

BAU

Answer 8

business as usual. an organization’s normal routine

Question 9

Card Skimmer

Answer 9

an physical swiper data capture device

Question 10

CVV

Answer 10

Card verification code or value.
CAV = JCB
CVC = Mastercard
CVV = Visa and Discover
CSC = AmExp

Question 11

CDE

Answer 11

cardholder data environment. People, processes, and technology that store, process, or transmit cardholder data or sensitive cardholder Au data

Question 12

CERT

Answer 12

Carnegie-Mellon’s Computer Emergency Response Team

Question 13

CIS

Answer 13

center for internet security. NFP enterprise w mission to help organizations reduce risk of business and e-commerce disruptions resulting from inadequate technical security controls

Question 14

Compensation controls

Answer 14

Used to mitigate a risk that cannot be eliminated. Must: - Meet intent and rigor of original PCI DSS req

• Provide similar level of defense as original req
• be “above and beyond” other reqs
• be commensurate with the additional risk imposed by not adhering to original req

Question 15

CVSS

Answer 15

Common Vulnerability Scoring System. an open standard used to convey severity of computer security and vulnerability

Question 16

Dependency

Answer 16

in PA DSS world, hardware or software necessary for the payment application to meet PA DSS Reqs

Question 17

DSS

Answer 17

Data Security Standard

Question 18

Dual control

Answer 18

two or more separate entities working in conjunction to secure system function or information

Question 19

Egress Filtering

Answer 19

method of filtering outbound web traffic

Question 20

Entity

Answer 20

legal-eese for the organization going through the audit

Question 21

FIPS

Answer 21

federal info processing standards

Question 22

HSM

Answer 22

hosting security module or hardware security module. physically or logically controlled hardware that provides secure set of crypto devices and or key management

Question 23

IETF

Answer 23

internet engineering task force

Question 24

Masking

Answer 24

security data by displaying place values rather than actual numerical values

Question 25

MPLS

Answer 25

multi-protocol label switching

Question 26

NIST

Answer 26

National institute of standards and technology

Question 27

National Vulnerability DB

Answer 27

NVD

Question 28

OCTAVE

Answer 28

operationaly ciritcial threat, asset, and vul eval. A suite of tools, techs, and methods for risk-based info sect strategic assessment

Question 29

OWASP

Answer 29

open web application secuirty project. OWASP.org

Question 30

PED

Answer 30

Pin entry device

Question 31

PVV

Answer 31

PIN verification Value

Question 32

QIR

Answer 32

Qualified Integrator or Reseller

Question 33

RFC 1918

Answer 33

standard ID’d by the internet engineering TF that defines the usage and appropriate address ranges for private networks

Question 34

ROC

Answer 34

Report on compliance; our assessment of their compliance report

Question 35

SANS

Answer 35

SysAdmin, Audit, Networking, and Security. SANS.org

Question 36

SAQ

Answer 36

Self assessment questionnaire

Question 37

Split Knowledge

Answer 37

when two or more entities hold components of a cryptographic key; when separate, provide no indication of the key

Question 38

Wildcard

Answer 38

just what it sounds like however, in this case also can represent a non-security impacting change.

Question 39

What is PCI DSS?

Answer 39

Payment Card Industry Data Security Standard

Question 40

What is PCI PA-DSS

Answer 40

Payment Card Industry Payment Application Data Security Standard

Question 41

What does P2PE stand for?

Answer 41

Point-to-point encryption

Question 42

What is the PTS - POI acronym stand for?

Answer 42

PIN Transaction Security - point of interaction

Question 43

PTS - PIN

Answer 43

PIN Transaction Security PIN Standards

Question 44

PTS - HSM

Answer 44

PIN transaction Security - Hardware Security Modules