PCI DSS requirements 11.2.1 and 11.2.2 state that internal and external network vulnerability scans must be performed at least quarterly and after any significant change to the environment. The control also requires rescans to be performed until all “high risk” vulnerabilities are resolved in accordance with the entity’s vulnerability management program.
PCI DSS requirements 11.3.1 and 11.3.2 state that penetration testing must be performed at least annually and after any significant infrastructure or application upgrade or modification. The control also requires exploitable vulnerabilities to be corrected and the fixes verified in accordance with the entity’s vulnerability management program.
PCI DSS requirement 11.3.4 requires segmentation testing to be performed to verify that segmentation methods are operational and effective, and that they isolate out-of-scope systems from the CDE.