The Testing Methods for PCI DSS Requirements identified in the Testing Procedures for each requirement describe the assessor’s expected activities to determine whether the entity has met the requirement. The intent behind each testing method is described as follows:
Examine: The assessor critically evaluates data evidence. Common examples include documents (electronic or physical), screenshots, configuration files, audit logs, and data files.
Observe: The assessor watches an action or views something in the environment. Examples of observation subjects include personnel performing a task or process, system components performing a function or responding to input, environmental conditions, and physical controls.
Interview: The assessor converses with individual personnel. Interview objectives may include confirmation of whether an activity is performed, descriptions of how an activity is performed, and whether personnel have particular knowledge or understanding.
The Testing Methods for PCI DSS Requirements are intended to allow the assessed entity to demonstrate how they have met a requirement. They also provide the assessed entity and the assessor with a common understanding of the assessment activities to be performed. The specific items to be examined or observed and personnel to be interviewed should be appropriate for both the requirement being assessed and each entity’s particular implementation. When documenting the assessment results, the assessor identifies the testing activities performed and the result of each activity
