PCI (Payment Card Industry) 3.0 standard includes a requirement to conduct web penetration testing at least once a year. PCI guidelines 3.1 (mandatory in June 2016) spell frequency requirements out more clearly. A standalone penetration test will not protect your website from all risks, so you should always combine it with daily vulnerability and malware scanning, data integrity and threat monitoring. Daily vulnerability scanning is also useful to get notifications about the most recent vulnerabilities in your CMS, framework, web server, or any new SSL weaknesses something that is not yet discovered at the moment of your last penetration test.”]
Source: https://informationsecuritybuzz.com/articles/why-pcis-mandatory-pen-testing-is-no-silver-bullet/