We actually used TrustWave in the past.
We didn't actually 'ask' them to do it, it was the bank where our merchant account was set up that did it.
What we got back were reports of the results of their various scans on our site. There were items that were considered 'High Priority' clear down to 'Low Priority'. We quickly found out that the only things they were interested in actually having fixed were the 'High Priority' items. We, too, are in the <20,000 transaction tier.
Those weren't too difficult to handle from a coding standpoint (Google is your friend), and the items that needed to be taken care of at the server end were simple enough. We just sent a copy of the report to our hosting server's support staff, telling them what we were unsure of; they responded with either directions on how to do it, or, for the things that had to be done at their end, they just did them for us.
Some things I learned from my PCI experience that may be of value:
1. If you are using a database to store your information, it is better for that database to be housed on a separate server from the one actually hosting your web site pages. (Access databases would be a no-no.)
2. On any page that requires customer information to be entered into a field, you have to validate every single field to make sure it is formatted correctly and does not contain any 'hacker code' before the form information has a chance to be run through the target page.
3. If you have the ability to do so, turn off your FTP server when you aren't actually using it, change the port it uses to something other than '21', and make sure you are using the latest version of whatever FTP software you run. (If you are using a shared system for your FTP, the host has usually taken care of all that for you.)
4. On any page that runs a database query (even if that query isn't being triggered by a form on your site), you have to be sure you filter the form information AND/OR the URL string that was submitted to run that particular page to make sure it doesn't include anything that doesn't belong there.
5. If you take credit card information directly on your site from a customer, you must have SSL (pretty basic there).
Trustwave is nice because if you've got an issue that shows up, you can do what you think is needed to fix it (they even give you references and basic instructions on what to do to fix a problem in their reports), and when you're done you can have them re-scan the site and get an updated report to see if your 'fix' actually worked.
I think they call this their 'Compliance Validation Solution' or something; I'm pretty sure it was 'CVS'.
As far as cost, since our bank was the one that pointed Trustwave at our site, it didn't cost us a penny for any of it. I'm not sure, but I don't think Trustwave actually charges anything to simply have them scan your site for errors and give you reports. You would be a 'Tier 1' merchant, or maybe they call it 'Level 1', so you are making less than umpty-million transactions a year. Where I think they make their money is when someone can't fix it on their own and hires them to fix it.
I knew nothing at all about PCI compliance myself until we got hit with the Trustwave report through the bank. It took me about a week of fiddling around to figure out what some of the stuff meant, but it wasn't too hard (again, Google is your friend).
Good Luck
WHeis
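Points 2 and 4 in the post above (validate every form field, and filter the form data or URL string before it reaches a database query) are what a scanner flags as SQL injection. The example below is added here as an illustration and is not code from the poster or from Trustwave. It uses Python's standard-library sqlite3 with a constructed in-memory `orders` table; the table, the sample rows, the field rules and the function names are all assumptions for the demo, not anything the post describes.

```python
"""Added example (not from the original post): filtering a URL parameter
and a customer form before a database query, shown as the vulnerable
string-concatenated query beside its parameterized replacement."""
import re
import sqlite3

# Constructed sample data standing in for the e-commerce site's database.
# The schema and rows are assumptions for this demo.
def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", "4242"), (2, "bob", "1111"), (3, "carol", "9876")],
    )
    conn.commit()
    return conn


def lookup_order_unsafe(conn, order_id):
    """The 'before' case: the URL parameter (e.g. ?order=2) is pasted
    straight into the SQL text. A crafted value rewrites the WHERE clause,
    so a single-order lookup can return every row in the table."""
    sql = "SELECT id, customer FROM orders WHERE id = '" + order_id + "'"
    return conn.execute(sql).fetchall()


def lookup_order_safe(conn, order_id):
    """The hardened case: first reject anything that is not a plain order
    number, then bind the value as a parameter so the driver treats it as
    data rather than as part of the SQL statement."""
    if not re.fullmatch(r"\d{1,9}", order_id):
        return []  # not an order number: refuse rather than guess
    return conn.execute(
        "SELECT id, customer FROM orders WHERE id = ?", (int(order_id),)
    ).fetchall()


# Allow-list rules for a customer form. These patterns are assumptions
# chosen for the demo; a real site would tune them to its own fields.
FIELD_RULES = {
    "name": re.compile(r"[A-Za-z][A-Za-z .'-]{0,79}"),
    "email": re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}"),
    "zip": re.compile(r"\d{5}(-\d{4})?"),
}


def validate_customer_form(fields):
    """Check every field against its allow-list pattern (point 2 in the
    post). Returns {field: error}; an empty dict means the form is clean.
    fullmatch() is used so a pattern cannot match only a prefix of an
    otherwise hostile value."""
    errors = {}
    for name, rule in FIELD_RULES.items():
        value = fields.get(name, "")
        if not rule.fullmatch(value):
            errors[name] = "invalid format"
    return errors


if __name__ == "__main__":
    db = build_demo_db()
    injected = "' OR '1'='1"  # constructed attacker input for the demo
    print("unsafe, normal id:", lookup_order_unsafe(db, "2"))
    print("unsafe, injected :", lookup_order_unsafe(db, injected))
    print("safe,   normal id:", lookup_order_safe(db, "2"))
    print("safe,   injected :", lookup_order_safe(db, injected))
    print(validate_customer_form(
        {"name": "Robert'); DROP TABLE orders;--", "email": "r@example.com", "zip": "12345"}
    ))
```

Note that the form validator deliberately allows an apostrophe in the name field (customers called O'Brien exist), which is exactly why the allow-list on its own is not enough: the parameterized query in `lookup_order_safe` is what guarantees that whatever survives validation can never become SQL. Do both, as the post says, but treat the parameter binding as the real control and the format check as a way to fail early with a clean error.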