When does the Payment Card Industry Data Security Standard (PCI-DSS) require organizatio

ns to perform external and internal penetration testing?

A. At least twice a year or after any significant upgrade or modification

B. At least once a year and after any significant upgrade or modification

C. At least once every two years and after any

significant upgrade or modification

D. At least once every three years or after any significant upgrade or modification