APRP Cheat Sheet 2026
The 30 highest-yield APRP facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
120 questions
210 min time limit
70.00% to pass
- Which of the following is a key component of a risk assessment process for payment systems? → Identifying potential threats and vulnerabilities
- What is real-time payments (RTP) and how does it differ from traditional payment processing? → Payments that are initiated, cleared, and settled within seconds, available 24/7/365
- Mastercard's 'Consumer Clarity' program is analogous to which Visa service designed to reduce friendly fraud chargebacks? → Visa Order Insight
- The Office of Foreign Assets Control (OFAC) is responsible for: → Administering and enforcing economic and trade sanctions.
- What is the primary purpose of the Dodd-Frank Wall Street Reform and Consumer Protection Act? → To increase oversight and prevent excessive risk-taking in the financial industry.
- What does 'compelling evidence' refer to in the context of a chargeback representment? → Documentation that disproves the cardholder's claim or confirms transaction legitimacy
- In Mastercard's chargeback process, what is the typical timeframe for an acquirer to respond to a chargeback with representment documentation? → 30 calendar days
- Which PCI DSS requirement specifically addresses the need to regularly test security systems and processes? → Requirement 11: Test security of systems and networks regularly
- Which metric is used to describe the maximum acceptable amount of time a payment system can be offline before causing serious business impact? → Recovery Time Objective (RTO)
- In payment risk management, what is a 'fat finger' error? → A human data entry mistake resulting in an incorrect transaction amount or routing
- Which of the following is the best example of a preventive control in payment operational risk? → Requiring dual approval before processing large-value wire transfers
- Which principle ensure that users only have access to the information and resources necessary for their job functions? → Least privilege
- Which of the following is a control measure to mitigate risks in ACH payment processing? → Implementing encryption for data in transit
- Which of the following best defines operational risk in the context of payment processing? → Risk of loss from inadequate internal processes, people, systems, or external events
- Which of the following describes a 'skimming' attack in the context of payment data security? → The theft of card data by attaching a covert device to a payment terminal or ATM
- Which metric is calculated by dividing the total number of chargebacks in a month by the total number of transactions processed in that same month? → Chargeback-to-transaction ratio
- Which Visa dispute reason code applies when a cardholder claims they did not receive the goods or services they paid for? → 13.1 - Merchandise/Services Not Received
- Which term describes the fee levied on a merchant's acquirer (and passed to the merchant) for each chargeback received? → Chargeback fee
- Which chargeback reason code category covers 'Cardholder Does Not Recognize' a transaction under Mastercard's reason code framework? → Fraud
- Which of the following is a common physical security measure to protect against unauthorized access to a data center? → Biometric access control
- Which of the following is a primary risk associated with card-not-present (CNP) transactions? → Data breaches leading to unauthorized transactions
- Which of the following operational risk tools helps quantify the frequency and severity of potential payment loss events using statistical distributions? → Loss Distribution Approach (LDA)
- What is the primary function of an incident response plan in payment risk management? → To ensure business continuity during a disruption
- A payment firm identifies that a key third-party processor has no documented disaster recovery plan. What risk management action should be taken first? → Issue a formal finding and require the vendor to remediate within a defined timeframe
- Which of the following is a key characteristics of the Automated Clearing House (ACH) network? → Batch processing of transactions
- What is the primary purpose of an arbitration chargeback in the card network dispute process? → To escalate an unresolved dispute to the card network for a binding decision
- What is the primary purpose of implementing a comprehensive security police in an organization? → To protect the organization's assets
- Which type of attack involves intercepting and potentially altering communication between two parties without their knowledge? → Man-in-the-middle attack
- A merchant stores customer PANs in a database. Under PCI DSS, which method is acceptable for protecting stored PANs? → Encrypting PANs using strong cryptography with proper key management
- Which payment system is most commonly used for recurring payments such as payroll and utility bills? → ACH
Turn these facts into recall: