"... For operational plans development, the combination of threats, vulnerabilities, and impacts must be evaluated in order to identify important trends and decide where effort should be applied to eliminate or reduce threat capabilities; eliminate or reduce vulnerabilities; and assess, coordinate, and deconflict all cyberspace operations..."
"... Leaders at all levels are accountable for ensuring readiness and security to the same degree as in any other domain..."
-- THE NATIONAL STRATEGY FOR CYBERSPACE OPERATIONS
OFFICE OF THE CHAIRMAN, JOINT CHIEFS OF STAFF, U.S. DEPARTMENT OF DEFENSE
Download The Guide for Conducting Risk Assessments from the National Institute of Standards and Technology (NIST).
The Council's five founding global payment brands -- American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. -- have agreed to incorporate the PCI DSS as the technical requirements of each of their data security compliance programs. Each founding member also recognizes the QSAs, PA-QSAs and ASVs certified by the PCI Security Standards Council.
This means that they are in charge of security for credit card merchants, and they know a lot more about this than anyone else.
Given that background, when looking for a company to do vulnerability testing, we believe that you should use a company approved by the PCI Standards Council: PCI Security Standards Council Approved Scanning Vendors