Security Basics mailing list archives

Re: PCI DSS


From: evilwon12 () yahoo com
Date: 23 Aug 2007 15:08:04 -0000

PCI DSS is vague on certain things (at best).  However, you did not state what level of a Merchant you are, which adds 
or subtracts plenty of things that you must do.

My guess is that you are referring to Section 11.  Note that for most of the time, you are only required to have 
quarterly scans - which is what you are probably being quoted on.  Only once a year does a pen test need to be done 
(unless there are major changes), and even then I think it depends on your level.  Even then, are you hosting the 
application and data or outsourcing it?  If you are outsourcing everything, you may not ever need to have a pen test 
done.

So, what is it that you are really asking?
