nerdexam
EC-Council

312-50V10 · Question #8

When does the Payment Card Industry Data Security Standard (PCI-DSS) require organizations to perform external and internal penetration testing?

The correct answer is B. At least once a year and after any significant upgrade or modification. PCI-DSS mandates penetration testing at least once per year and after any significant infrastructure or application change. This ensures continuous validation of the cardholder data environment's security posture.

Information Security and Ethical Hacking Fundamentals

Question

When does the Payment Card Industry Data Security Standard (PCI-DSS) require organizations to perform external and internal penetration testing?

Options

  • AAt least twice a year or after any significant upgrade or modification
  • BAt least once a year and after any significant upgrade or modification
  • CAt least once every two years and after any significant upgrade or modification
  • DAt least once every three years or after any significant upgrade or modification

How the community answered

(38 responses)
  • A
    3% (1)
  • B
    89% (34)
  • C
    5% (2)
  • D
    3% (1)

Why each option

PCI-DSS mandates penetration testing at least once per year and after any significant infrastructure or application change. This ensures continuous validation of the cardholder data environment's security posture.

AAt least twice a year or after any significant upgrade or modification

PCI-DSS requires penetration testing at minimum annually, not twice a year - the twice-yearly frequency is not a PCI-DSS requirement for penetration testing.

BAt least once a year and after any significant upgrade or modificationCorrect

PCI-DSS Requirement 11.3 specifies that organizations must perform external and internal penetration testing at least once every 12 months and after any significant upgrade or modification to the network infrastructure or applications. This annual cadence, combined with change-triggered testing, ensures that new vulnerabilities introduced by changes are identified before they can be exploited.

CAt least once every two years and after any significant upgrade or modification

A two-year cycle would violate PCI-DSS Requirement 11.3, which explicitly mandates at least annual penetration testing to maintain compliance.

DAt least once every three years or after any significant upgrade or modification

A three-year cycle is far outside the PCI-DSS requirement and would leave cardholder data environments unvalidated for unacceptably long periods between assessments.

Concept tested: PCI-DSS penetration testing frequency requirements

Source: https://www.pcisecuritystandards.org/document_library/?category=pcidss&document=pci_dss

Topics

#PCI-DSS#penetration testing frequency#compliance requirements#security standards

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice