When does the Payment Card Industry Data Security Standard (PCI-DSS) require organizations to perform external and internal penetration testing? 

At least once a year and after any significant upgrade or modification 

At least once every three years or after any significant upgrade or modification 

At least twice a year or after any significant upgrade or modification 

At least once every two years and after any significant upgrade or modification