What Is Sampling in PCI DSS Assessment?

A significant part of any security framework is the assessment. Different frameworks require different types of assessments, from self-managed diagnostics to extensive and annual third-party audits. PCI DSS is no different, requiring annual compliance validation for all relevant systems. 

The nature of these assessments may vary depending on the company and is beyond the scope of this article. If your business undergoes full third-party audits, however, you may find your assessor performing a unique practice known as “sampling.” 

You may never even have to consider this practice if you’re not an auditor. But it does help to understand what assessors are looking at. 


What Are the Goals of PCI DSS Assessment?

A PCI DSS assessment aims to validate your company’s controls as to their capacity to handle cardholder information. Only IT systems that touch cardholder information (primary account numbers, customer information, verification codes, etc.) will be evaluated for compliance. 

Each system must adhere to one of the 12 requirements for compliance, each with relatively well-defined expectations outlined in the PCI DSS 4.0 documentation:

  1. Install and maintain network security controls
  2. Apply security configurations to all system components
  3. Protect stored account data
  4. Protect cardholder data with strong cryptography during transmission over open, public networks
  5. Protect all systems and networks from malicious software
  6. Develop and maintain secure systems and software
  7. Restrict access to system components and cardholder data by business need to know
  8. Identify users and authenticate access to system components
  9. Restrict physical access to cardholder data
  10. Log and monitor all access to system components and cardholder data
  11. Test security of systems and networks regularly
  12. Support information security with organizational policies and programs

The goal of securing information along these requirements is to ensure that the controls work as part of your organization's operations, not as a supplement to them, which leads to the concept of business-as-usual processes. 


Business-as-Usual Processes

Business-as-usual (BAU) processes are a program introduced in PCI DSS version 3.0 in 2013 to help businesses see compliance as an integral part of their business operations rather than as an external requirement. 

This is important for two reasons: First, because it provides these organizations with the ability to readily integrate new and upgraded security and confidentiality standards into businesses without too many issues. Second, it allows a more streamlined approach to assessment that doesn’t just rely on yearly audits. 

BAU recommendations from the PCI Council include:

  • Responsibility: Relevant controls for necessary PCI DSS compliance should fall under the jurisdiction of a manager or a team, spelled out in company documentation. 
  • Metrics: Security and privacy systems should include ways to measure performance and success/failure, embedded into existing business operations.
  • Review and Monitoring: Auditing and logging tools should also be integrated into security and business processes to gain insights beyond manual metrics collection.
  • Failure Response: Each department or line of business (LOB) associated with specific controls should have access to failure detection, response and mitigation procedures tied into larger mitigation processes managed by security and compliance leadership. 
  • Change Management: Changes in relevant systems should be planned, documented, and regularly updated. 
  • Risk Assessment: Risk assessment should be a normal part of business operations at all levels to address new threats and vulnerabilities and changes to the PCI DSS standard. 
  • Vendor Relationships: Any division or LOB should be able to provide information related to third-party vendor assessments for potential risks. This includes using cloud software, data storage, or API connections. 


What Is PCI DSS Sampling for Assessments?


BAU is important because it helps organizations integrate PCI controls into their operations. This, in turn, aids in the practice of “sampling” used by assessors as part of their audits. 

Sampling is the process by which an assessor can test a selection of systems and controls, rather than the entire infrastructure, to determine that a company has met their PCI DSS requirements. While not required, sampling is a useful way to speed audits without sacrificing rigor.

Note that sampling doesn’t forgo the assessment of any specific requirement, nor does it mean that the assessor only has to test a handful of systems over others. Rather, the assessor can test minor system “populations” that represent the larger whole, understanding that the smaller parts are indicative of the functioning of all related systems. 

When and how to sample is up to assessor judgment, but PCI DSS defines specific considerations that assessors must weigh when sampling systems for testing:

  • Population: Selection of tested systems must be independent of the judgment of the assessed organizations. 
  • Standardization: Assessors may use smaller population samples if the company can demonstrate a standardized control or process that manages the entire population. The sample must still be large enough to ensure an accurate assessment, and the assessor must also verify the effectiveness of the standardization processes. Conversely, a lack of standardization will lead to larger sample sizes. 
  • Process Heterogeneity: If the company uses more than one standardization process, then the assessor must test samples across each process as they would for a single sample population.
  • Combinations: When systems use similar components, combinations of components, or components with different versions, the assessor must have sample populations representing all of these combinations.
  • Automation and Size: Sample sizes must be greater than one component unless there is only a single component in the population or if automation controls are used to manage a larger population and that control is assessed by the auditor. 

As is clear here, the goal is to ensure sample populations indicate compliance across an entire infrastructure. To ensure that this is true, each sample must be assessed with the following actions:

  • Document: The assessor must document their rationale for the how and why of their sampling techniques and size decisions. 
  • Validate: If the assessor based their sampling on automated controls or standard processes, the assessor must validate that these are effective and compliant. 
  • Explain: Explain why the specific sample size is representative of the population it stands for. 
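
The sketch below is an added example, not part of the original article or of any PCI Council tooling. It turns the considerations above into a sampling plan: one stratum per standardization process and component combination, a random draw made by the assessor, more than one component unless the population has only one, and a recorded rationale for each sample. The inventory, the process names, the 25% fraction and the doubling for unstandardized systems are all assumptions for illustration; PCI DSS does not prescribe sample sizes.

```python
import math
import random
from collections import defaultdict

# Constructed inventory: (host, standardization process, component combination).
# "none" marks systems not covered by any standardized process.
GROUPS = [
    ("web", 8, "golden-image", "nginx-1.24/ubuntu-22.04"),
    ("web-old", 3, "golden-image", "nginx-1.18/ubuntu-20.04"),
    ("db", 4, "config-mgmt", "postgres-15/rhel-9"),
    ("gw", 1, "config-mgmt", "gateway-2/rhel-9"),
    ("pos", 5, "none", "pos-app-3/windows-10"),
]
INVENTORY = [(f"{name}-{i:02d}", proc, combo)
             for name, count, proc, combo in GROUPS for i in range(1, count + 1)]


def build_sampling_plan(inventory, seed, fraction=0.25):
    """Return one documented sample per (process, combination) stratum."""
    rng = random.Random(seed)  # seed chosen and recorded by the assessor
    strata = defaultdict(list)
    for host, process, combo in inventory:
        strata[(process, combo)].append(host)

    plan = []
    for (process, combo), hosts in sorted(strata.items()):
        # Assumption: no standardized process doubles the sampling fraction.
        frac = fraction if process != "none" else min(1.0, fraction * 2)
        # More than one component unless the population has only one.
        size = min(len(hosts), max(2, math.ceil(len(hosts) * frac)))
        plan.append({
            "process": process,
            "combination": combo,
            "population": len(hosts),
            "sample": sorted(rng.sample(hosts, size)),
            "rationale": f"{size}/{len(hosts)} drawn at random, seed={seed}, "
                         f"fraction={frac:.2f}",
        })
    return plan


if __name__ == "__main__":
    for row in build_sampling_plan(INVENTORY, seed=20240501):
        print(row["process"], row["combination"], row["sample"], row["rationale"])
```

Recording the seed alongside the rationale lets a reviewer reproduce the exact draw and confirm that the assessed organization did not choose the hosts.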


Automate Regular PCI DSS Assessment with Continuum GRC

The most important part of maintaining a streamlined system for PCI DSS compliance is ensuring that controls follow BAU principles. This will make managing these systems much easier and support better sampling opportunities during the assessment. 

If you’re ready to make PCI DSS part of your business, use the cloud-based Continuum GRC compliance and risk platform.

Continuum GRC is cloud-based, always available and plugged into our team of experts. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

  • FedRAMP
  • StateRAMP
  • NIST 800-53
  • FARS NIST 800-171
  • CMMC
  • SOC 1, SOC 2, SOC 3
  • IRS 1075
  • ISO 27000 Series

And more. We are also the only FedRAMP and StateRAMP authorized compliance and risk management solution in the world.

Continuum GRC is a proactive cyber security®, and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform in the world. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.
