What is sampling?


Multiple Choice

What is sampling?

Explanation:
Sampling is the process of selecting a cross-section of a group that is representative of the entire group. In PCI DSS assessments, an assessor does not typically test every single system or control, because environments can be large and complex. Instead, evidence is gathered from a subset that reflects the whole population, covering different system types, locations, and risk levels, so that the assessor can infer with reasonable confidence that controls are functioning across the entire environment. A defined, documented sampling method sets out what to sample, how many items to include, and how to ensure that critical controls and high-risk areas are represented. This approach provides sufficient confidence in compliance while remaining practical. Sampling is not testing every control, nor randomly testing only high-risk systems, nor performing an annual full-scope penetration test.

