
In PCI DSS, “sampling” refers to the practice of examining a smaller, representative subset of system components (a sample) to confirm that controls are applied consistently, rather than inspecting every single component during an assessment. To check that a pot of soup is cooked through, you taste a spoonful instead of finishing the whole pot.
Sampling therefore lets an organization demonstrate that it meets PCI DSS requirements without having every transaction, system, or piece of data examined individually. It is an efficient way of verifying the state of the environment and gaining assurance that cardholder data is being handled with the required care, provided the sample is genuinely representative of the whole.
Example
Let’s assume an organization runs multiple virtual machines, say 50. As an auditor, if you want to inspect each system for the existence of identification and authentication mechanisms, it would take many hours to finish testing all 50 virtual machines. This in turn increases the person-hours needed to complete the assessment, reducing efficiency and inflating the budget. To avoid this, auditors are allowed to sample a few systems, say 5, which are treated as a representative sample set for this testing requirement, based on the sampling rationale chosen and documented by the auditor.
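The selection step described above, as an added illustration that is not part of the original post: a constructed inventory of 50 VMs is stratified by role and OS family (an assumed notion of “representative”, since the post does not define one), one host from each stratum is chosen first, the remaining slots are filled at random with a fixed seed, and the resulting rationale text is returned so it can be kept with the assessment workpapers.

```python
import random
from collections import defaultdict

# Constructed inventory of 50 virtual machines (sample data, not a real environment).
# Roles cycle through four values and the OS family alternates, giving four
# distinct (role, os) strata.
VM_INVENTORY = [
    {"name": f"vm-{i:02d}",
     "role": ("web", "app", "db", "jump")[i % 4],
     "os": ("linux", "windows")[i % 2]}
    for i in range(50)
]

def group_key(vm):
    """Stratum used for the sampling rationale: (role, OS family)."""
    return (vm["role"], vm["os"])

def select_sample(inventory, sample_size, seed=0):
    """Pick `sample_size` hosts so that every stratum is covered at least once,
    then fill the remaining slots at random. Returns (sample, rationale)."""
    rng = random.Random(seed)          # fixed seed makes the selection reproducible
    strata = defaultdict(list)
    for vm in inventory:
        strata[group_key(vm)].append(vm)
    if sample_size < len(strata):
        # Too few slots to cover every stratum: the sample would not be representative.
        raise ValueError(f"sample of {sample_size} cannot cover {len(strata)} strata")
    chosen = []
    for key in sorted(strata):         # one host from each stratum first
        chosen.append(rng.choice(strata[key]))
    remaining = [vm for vm in inventory if vm not in chosen]
    chosen.extend(rng.sample(remaining, sample_size - len(chosen)))
    rationale = (
        f"{sample_size} of {len(inventory)} VMs selected: one per stratum "
        f"({len(strata)} role/OS combinations) plus {sample_size - len(strata)} "
        f"random picks, seed={seed}, for testing identification and authentication controls."
    )
    return chosen, rationale

if __name__ == "__main__":
    sample, why = select_sample(VM_INVENTORY, 5, seed=1)
    print([vm["name"] for vm in sample])
    print(why)
```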
Published By: Ankit K J
