Sampling is a legitimate method under PCI DSS for assessing a representative subset of system components and locations. Section 6 – Sampling for PCI DSS Assessments outlines that sampling of business facilities and system components is allowed, as long as it is justified, consistent, and documented.
Option A: Incorrect. PCI DSS requirements themselves cannot be sampled.
Option B: Incorrect. Compensating controls must be assessed in full, not sampled.
Option C: Correct. Sampling may apply to business facilities and system components to make the assessment more efficient.
Option D: Incorrect. Policies and procedures must be evaluated in full.
[Reference: PCI DSS v4.0.1 – Section 6: Sampling for PCI DSS Assessments.]