We have a web app on a server running in a data centre.

How does one go about selecting a penetration tester to test the site?

What certifications/experience should one look for?

How do you ensure you actually get a pen test and not just a vulnerability scan?

What reports should one expect to get?

I know that I'm probably asking how long is a piece of string, but what would you expect to pay for such a service?

Any other advice on selecting a pen tester would be appreciated.