Why Pen Testing Is Central to State's App Security

23.09.2009

Maley: We don't store cardholder data here, but we do handle the transactions that are then passed on to the bank. This is where penetration testing is important. We use internal vulnerability scanning to find and mitigate vulnerabilities before bringing in an outside vendor for additional scanning. We've had a lot of success with this approach so far.

Maley: We have what's called CA2 -- Commonwealth Application Certification and Accreditation -- patterned after the Department of Defense's accreditation process for systems. We focus ours on Web-based applications. One of our challenges is that, like a lot of organizations, we have to be mindful that a lot of Web-based apps are the target of cross-site scripting and SQL injection attacks. Here in the Commonwealth we've had applications developed for years and years with no real underlying security process. So we have to constantly search for things that can be exploited and mitigate the problems before something happens. The bad guys are escalating their SQL injection attacks. We see these attacks constantly, in the thousands. Why are they doing that? Because there are so many vulnerabilities out there and they know they can eventually hit something.

Maley: It injects security in at the very beginning of a project now. Whether a Web application is developed in-house or outsourced, it now has to go through the CA2 process before going live. Part of that process is that the programs have to be pen tested.