Pen tests really aren't very high on the totem pole. One of the big things seems to be, *when* you get hacked, who did it (logs); the database is encrypted if storing customer data; each process is on its own server (physical or virtual). All changes are logged, and any failures on the security tests have an LOE with them or an acceptable-risk clause. That's off the top of my head.
