When establishing a vulnerability management program in an environment handling customer payment information, which of the following best practices aligns with the industry standards for securing transaction data?
Limit vulnerability assessments to external scans conducted biennially, relying primarily on other network defenses.
Conduct internal and external vulnerability scans every quarter and after each major alteration to the network infrastructure.
Implement vulnerability scans biannually, assuming no immediate threats are identified within the transaction processing systems.
Complete a comprehensive penetration test on an annual basis as the sole measure for identifying system vulnerabilities.