The standard for payment card account data security includes the following:
Questions or request a quote?11.4 - External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected.
PCI DSS requires the following activities at least every 12 months to detect and mitigate vulnerabilities:
PCI DSS v3.2.1 will be retired on the 31st of March 2024, and version 4.0 is its successor.
The entire Cardholder Data Environment (CDE) perimeter and critical systems must be covered. If segmentation isolates the CDE from other networks, segmentation controls (11.4.5) should also be an explicit part of the scope.
Any exploitable vulnerabilities should be corrected, and mitigation should be validated with a re-test (11.4.4).