Once a year we go through PCI compliance. There is an outside vendor that does this for us and they scan our site and servers. The scans are based on OWASP Top 10. The problem I am running into is that they are finding XSS issues and some other things that AppScan doesn't seem to find. I have run every available test AppScan Standard has to offer against the areas where they found issues and it doesn't find anything. I am wondering if anyone else has had these issues and if anyone might have any insight into other test policies I can import that might catch the issues.