There are two parts to the issue, if you like - the security of the code internally, and the security of the code (and the platform) against external threats.
VISA compliance is just about the external threat, although they do make some suggestions (eg about data encryption etc) that relate to the internals. PCI compliance scans like Comodo are useful but are not a rigorous check of your external security or internal code.
Secure software coding has no 'official' certifications but there are standards and practices, and interesting directions evolving - eg from CERT - www.securecoding.cert.org - around specific languages like C++ - and there are a slew of broader standards around software development and security management more generally - eg the ISO/IEC 15408 security evaluation framework and of course the ISO/IEC 17799 information security standard.
There are people who you can ask to do audits against such standards or best practice guidelines - just look in the Yellow Pages or Google. The big consulting and IT houses can do these as well as a slew of security specialists.
Even without adopting any 'official' ISO standards or external audits, you can have your own strong internal procedures for ensuring secure coding - MS has evolved a whole set of them (the Trustworthy Computing Security Development Lifecycle or SDL) and is using them when they write code that faces external threats (and products like IIS have benefited greatly from that). Google has done the same around the production of its own code.
That is in fact the best way to do it, because code changes so fast in most modern 'software factories' that you need an on-going system in place to constantly help ensure secure code is being produced day in, day out.
When you do a software audit you really are only able to effectively do it on a frozen-in-time 'snapshot' of a particular build of a product. Meanwhile in the real world the codebase may have moved on. So you need something in place all the time.