Review of remote locations


Auditor999
01-15-2008, 06:47 AM
We are trying to understand the number of remote locations which need to be visited in order to provide a global certification for a company. Typically within the ROC, the QSA would specify the locations which were included in the assessment.

If a company has 15 remote locations (outside of the two data centers) in which 13 locations are not considered in scope for PCI (e.g., Req 3 & 8 etc. do not apply to the locations) but all locations are in scope for global controls (e.g., physical security, awareness programs, security patching etc.), is it possible to represent in the ROC that the entire company is certified based on the onsite review of a % of locations which includes all PCI in-scope locations? If yes, what % of the non-PCI in-scope locations would need to be visited? Or is it just black & white, in which the specific locations within a company are specified in the ROC?

jbhall56
01-15-2008, 05:51 PM
I'm guessing the reason for your question is that your 15 locations are scattered all over the world and you are trying to avoid travel to each one.

That said, as an auditor that faces this issue a lot in our financial audits, you need to assess the sameness of these locations. If they are ALL 'cookie cutters' of each other with the same, common and consistent controls enforced at each location, then I would say that a sampling approach could be constructed and used. If you cannot ensure the sameness at ALL locations, then I would say that sampling is out of the question because of the inconsistencies.

Assuming that you can sample, based on your comment that two locations have to meet more requirements and critical requirements, I would say that you MUST visit those two sites regardless. Of the 13 other sites, I would say that if you visited 25% to 35% of these sites per year and a different group each year, you should be able to justify your sampling approach.

One wrinkle in sampling is how to handle any compliance issues that may come up at a location. To handle locations that have a compliance issue, I would recommend that you automatically include them in the next year's sample so that you ensure that any issues have been appropriately addressed. So, your sample size may be larger than expected in years after which issues were discovered at one or more locations.

Auditor999
01-16-2008, 05:48 AM
I agree regarding the sampling of locations which have common processes and controls, but if the remote location sampling approach is to be taken, how will the QSA represent this in the ROC?

Would they still list the locations sampled? Or could they also add a line to the ROC indicating that the sample locations provide assurance that all locations operate under the same control structure, which would provide the global PCI certification we are looking for?

jbhall56
01-16-2008, 04:38 PM
You should always provide documentation that supports your reason(s) for using sampling. You need to document the environment so that you show that there really is commonality in the operations of all locations, therefore showing that because of the commonality, you can test a sample of locations and draw conclusions about all of the locations from your testing of a sample.

Then you need to document the methodology of how you selected the sample. You need to include documentation that shows that previous year issues are re-tested to ensure that the issues have been resolved.

Once you have documented your approach, then you need to document those locations that were tested.

If you identified a 'systemic' problem, i.e., a problem that occurs in a majority of locations, you need to document that the problem likely exists in almost all locations.

The objective of all of this is to make sure that another QSA can step in and re-perform your testing and achieve the same results as long as the control environment is the same.