A significant part of any security framework is the assessment. Different frameworks require different types of assessments, from self-managed diagnostics to extensive and annual third-party audits. PCI DSS is no different, requiring annual compliance validation for all relevant systems.
The nature of these assessments may vary depending on the company and are beyond the scope of this article. For businesses that undergo full third-party audits, however, you may find your assessor performing a unique practice known as “sampling.”
You may never even have to consider this practice if you’re not an auditor. But it does help to understand what assessors are looking at.