I've just used a security vendor's automated PCI scanning tool to scan my web server.
It only has the ability, out of the box, to scan URLs as an un-authenticated user. This means it is only scanning my login page and any other URLs it can crawl/guess, and only in one mode (that is, all of the pages have significantly more functionality available when logged in).
Is there any known PCI scanning tool that allows scans as an authenticated user for better coverage? I can imagine making a restricted login for the tool, and then specifying the login/password or a cookie as part of the scan configuration.
Perhaps I am confusing the purpose of PCI scanning, and it's meant to be a black box test. It seems if this is the case, the only next possible step in better penetration testing for me is to hire a security vendor to do manual white box testing.