Inscrivez-vous ou connectez-vous pour rejoindre votre communauté professionnelle.
Both Are required, VA quarterly, and PT yearly....
The Both are required. quarterly vulnerability scanning and yearly PEN testing
you actually need both for PCI DSS compliance but in a different way...
for PEN testing you need one internal and one external test during the year and one after any major change affecting the environment (if any)
as for vulnerability scanning (both internal & external) you need to have a clean scan for each quarter of your annual PCI DSS assessment
According to PCI DSS 3.0 you need to perform penetration testing once a year as minimum and on every major change in the enviroment. This also makes sense as vulnerability scanning will not let you know about web apps vulnerabilities that needs manual testing. Also please bear in mind that scanners like Nessus do have modules to search for card numbers in your disk space for example, but in most cases you would like to use scripts to prove that you don't store them.