Understanding Your SOC 1 Report: How Does Sampling Work?

by Joseph Kirkpatrick / December 20, 2022

Sampling During a SOC 1 Audit When an auditor performs a test of control during a SOC 1 audit, it may be appropriate to apply sampling. Sampling is applying audit procedures to less than 100% of a population. The types of populations that could need to be tested include new hire training forms, employee acknowledgements of policies and procedures, antivirus reports, or access control logs. The PCAOB states that sampling…

PCI Requirement 9.10 – Ensure Policies and Procedures for Restricting Physical Access to Cardholder Data are Documented, In Use, and Known to All Affected Parties

by Randy Bartels / December 20, 2022

 Implementing PCI Requirement 9.10 PCI Requirement 9 states, “Restrict physical access to cardholder data.” Complying with PCI Requirement 9 is critical to ensuring that cardholder data is physically accessed only by authorized personnel. For this requirement, we’ve discussed aspects of physical security such as facility entry controls, visitor identification and access controls, how to physically secure media, controlling the distribution of media, how to destroy media, and more. But,…

PCI Requirement 9.9.3 – Provide Training for Personnel to Be Aware of Attempted Tampering or Replacement of Devices

by Randy Bartels / December 20, 2022

 Training on Tampering Your organization must protect the integrity of devices that physically interact with cardholder data. PCI Requirement 9.9.3 requires that your organization provide training for personnel to be aware of attempted tampering or replacement of devices. This training needs to include: Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. Criminals often…

PCI Requirement 9.9.2 – Periodically Inspect Device Surfaces to Detect Tampering or Substitution

by Randy Bartels / December 20, 2022

 Inspect for Tampering or Substitution PCI Requirement 9.9.2 is focused specifically on the physical inspection of devices that physically interact with payment card information. It states, “Periodically inspect device surfaces to detect tampering or substitution.” Complying with PCI Requirement 9.9.2 minimizes the potential use of fraudulent card-reading devices because periodic inspections will help you more quickly detect tampering and substitution. Examples of Tampering Tampering could be detected in many…

PCI Requirement 9.9.1 – Maintain an Up-To-Date List of Devices

by Randy Bartels / February 7, 2023

 Keeping a List of Card-Reading Devices If your organization utilizes devices that physically interact with cardholder data (card-reading devices), PCI Requirement 9.9.1 requires that you maintain an up-to-date list of devices. This list should be updated whenever devices are added, relocated, decommissioned, etc. This list should include: Make and model of a device Location of a device Serial number of a device or other unique identification The maintenance of…