312-50V10 · Question #8
When does the Payment Card Industry Data Security Standard (PCI-DSS) require organizations to perform external and internal penetration testing?
The correct answer is B. At least once a year and after any significant upgrade or modification. PCI-DSS mandates penetration testing at least once per year and after any significant infrastructure or application change. This ensures continuous validation of the cardholder data environment's security posture.
Question
When does the Payment Card Industry Data Security Standard (PCI-DSS) require organizations to perform external and internal penetration testing?
Options
- AAt least twice a year or after any significant upgrade or modification
- BAt least once a year and after any significant upgrade or modification
- CAt least once every two years and after any significant upgrade or modification
- DAt least once every three years or after any significant upgrade or modification
How the community answered
(38 responses)- A3% (1)
- B89% (34)
- C5% (2)
- D3% (1)
Why each option
PCI-DSS mandates penetration testing at least once per year and after any significant infrastructure or application change. This ensures continuous validation of the cardholder data environment's security posture.
PCI-DSS requires penetration testing at minimum annually, not twice a year - the twice-yearly frequency is not a PCI-DSS requirement for penetration testing.
PCI-DSS Requirement 11.3 specifies that organizations must perform external and internal penetration testing at least once every 12 months and after any significant upgrade or modification to the network infrastructure or applications. This annual cadence, combined with change-triggered testing, ensures that new vulnerabilities introduced by changes are identified before they can be exploited.
A two-year cycle would violate PCI-DSS Requirement 11.3, which explicitly mandates at least annual penetration testing to maintain compliance.
A three-year cycle is far outside the PCI-DSS requirement and would leave cardholder data environments unvalidated for unacceptably long periods between assessments.
Concept tested: PCI-DSS penetration testing frequency requirements
Source: https://www.pcisecuritystandards.org/document_library/?category=pcidss&document=pci_dss
Topics
Community Discussion
No community discussion yet for this question.