The larger team I work in is about to release a new ecommerce website that allows the secure storage and usage of personal and corporate credit cards. As far as system components go, the payment card info is stored securely in Oracle and the DB itself is in the private network behind a special PCI-related firewall. Still, this application comes under PCI compliance regulations. What is required as far as the timing of the initial scan for this application - is it needed before go-live, or some time after, i.e. "90 days"? I don't think the team here is considering security testing in their final efforts.
Software/Hardware used: IBM Portal, IBM Commerce, Oracle Database, Sun hardware