
What Is Sampling in PCI DSS Assessment?


A significant part of any security framework is the assessment. Different frameworks require different types of assessments, from self-managed diagnostics to extensive and annual third-party audits. PCI DSS is no different, requiring annual compliance validation for all relevant systems. 

The nature of these assessments varies depending on the company and is beyond the scope of this article. For businesses that undergo full third-party audits, however, you may find your assessor performing a particular practice known as “sampling.”

You may never even have to consider this practice if you’re not an auditor. But it does help to understand what assessors are looking at. 

 

What Are the Goals of PCI DSS Assessment?

A PCI DSS assessment aims to validate that your company’s controls are adequate for handling cardholder information. Only IT systems that touch cardholder information (primary account numbers, customer information, verification codes, etc.) will be evaluated for compliance.

Each in-scope system must adhere to the 12 requirements for compliance, each with relatively well-defined expectations outlined in the PCI DSS 4.0 documentation:

  1. Install and maintain network security controls
  2. Apply security configurations to all system components
  3. Protect stored account data
  4. Protect cardholder data with strong cryptography during transmission over open, public networks
  5. Protect all systems and networks from malicious software
  6. Develop and maintain secure systems and software
  7. Restrict access to system components and cardholder data by business need to know
  8. Identify users and authenticate access to system components
  9. Restrict physical access to cardholder data
  10. Log and monitor all access to system components and cardholder data
  11. Test security of systems and networks regularly
  12. Support information security with organizational policies and programs

The goal is for these requirements to operate as part of your organization’s normal operations rather than as a supplement to them, which leads to the concept of business-as-usual processes.

 

Business-as-Usual Processes

Business-as-usual (BAU) processes are a program introduced in PCI DSS version 3.0 in 2013 to help businesses see compliance as an integral part of their business operations rather than as an external requirement.

This is important for two reasons. First, it lets organizations readily integrate new and upgraded security and confidentiality standards into their business operations without too many issues. Second, it allows a more streamlined approach to assessment that doesn’t rely solely on yearly audits.

BAU recommendations from the PCI Council include:

 

What Is PCI DSS Sampling for Assessments?

BAU is important because it helps organizations integrate PCI controls into their operations. This, in turn, aids in the practice of “sampling” used by assessors as part of their audits. 

Sampling is the process by which an assessor tests a selection of systems and controls, rather than the entire infrastructure, to determine that a company has met its PCI DSS requirements. While not required, sampling is a useful way to speed up audits without sacrificing rigor.

Note that sampling doesn’t forgo the assessment of any specific requirement, nor does it mean that the assessor only has to test a handful of systems and ignore the rest. Rather, the assessor can test smaller system “populations” that represent the larger whole, on the understanding that the smaller parts are indicative of how all related systems function.
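As an added illustration (not from the original article and not Continuum GRC’s code), the following Python sketch groups a constructed system inventory into populations by role, platform and site, draws a reproducible sample from each population, and checks that no population is left untested. The grouping keys and the sample fraction are assumptions for the example, not PCI DSS rules.

```python
import random
from collections import defaultdict

# Constructed inventory of in-scope systems (hypothetical; not from any real assessment).
INVENTORY = [
    {"host": "pos-ny-01", "role": "pos", "platform": "windows", "site": "ny"},
    {"host": "pos-ny-02", "role": "pos", "platform": "windows", "site": "ny"},
    {"host": "pos-ny-03", "role": "pos", "platform": "windows", "site": "ny"},
    {"host": "pos-tx-01", "role": "pos", "platform": "windows", "site": "tx"},
    {"host": "pos-tx-02", "role": "pos", "platform": "windows", "site": "tx"},
    {"host": "db-ny-01", "role": "database", "platform": "linux", "site": "ny"},
    {"host": "db-ny-02", "role": "database", "platform": "linux", "site": "ny"},
    {"host": "fw-ny-01", "role": "firewall", "platform": "appliance", "site": "ny"},
    {"host": "fw-tx-01", "role": "firewall", "platform": "appliance", "site": "tx"},
]

# Assumed attributes that make two systems "similar enough" to share a population.
STRATA_KEYS = ("role", "platform", "site")


def build_populations(inventory, keys=STRATA_KEYS):
    """Group systems into populations that share the same role, platform and site."""
    populations = defaultdict(list)
    for system in inventory:
        populations[tuple(system[k] for k in keys)].append(system["host"])
    return dict(populations)


def select_sample(populations, fraction=0.5, minimum=1, seed=0):
    """Draw a sample from every population so none is skipped.

    A fixed seed keeps the selection reproducible for the audit record;
    `fraction` and `minimum` are assumed example parameters.
    """
    rng = random.Random(seed)
    sample = {}
    for key, hosts in populations.items():
        n = max(minimum, round(len(hosts) * fraction))
        sample[key] = sorted(rng.sample(hosts, min(n, len(hosts))))
    return sample


def covers_every_population(populations, sample):
    """True only if each population contributed at least one tested host."""
    return all(sample.get(key) for key in populations)


def sampling_record(populations, sample):
    """Per-population (population size, sample size) pairs for the assessor's notes."""
    return {key: (len(hosts), len(sample[key])) for key, hosts in populations.items()}
```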

When and how to sample is up to assessor judgment, but PCI DSS defines specific considerations that assessors must weigh when sampling systems for testing:

As is clear here, the goal is to ensure sample populations indicate compliance across an entire infrastructure. To ensure that this is true, each sample must be assessed with the following actions:

 

Automate Regular PCI DSS Assessment with Continuum GRC

The most important part of maintaining a streamlined system for PCI DSS compliance is ensuring that controls follow BAU principles. This will make managing these systems much easier and support better sampling opportunities during the assessment. 

If you’re ready to make PCI DSS part of your business, use the cloud-based Continuum GRC compliance and risk platform.

Continuum GRC is cloud-based, always available and plugged into our team of experts. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

And more. We are also the only FedRAMP and StateRAMP authorized compliance and risk management solution in the world.

Continuum GRC is proactive cyber security®, and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform in the world. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.

