<---Begin Rant--->
Not to be a d!ck, but if you're not an experienced coder, maybe letting web users run commands that require elevated privileges on your box isn't the best idea. If this is a company you work for, I'd suggest hiring a pro. If this is a company you are starting, which it sounds like it is, maybe you should gain more experience before you start charging for professional-level services like penetration testing and PCI compliance testing. If you're offering a service to customers who already use your penetration and compliance scanning, why not just create a live CD for them with nmap, nessus, and some report-generating software on it? This way they can run the scans on a weekly, monthly basis and provide you with reports for real penetration tests.
Again, I'm not trying to be a prick, but if you can't write a PHP script to safely run nmap scans, how do you expect people to pay you? If you can't write a secure web app, how can you tell them their web apps are secure? Just cause w3af says so? You see what I mean. Any professional penetration tester normally has at least a few years of network administration experience under their belt and probably knows a few programming languages, both scripting (python, perl, ruby) and compiled (c, c#, asm).
Sorry to rant, but I've been seeing a lot of so-called penetration testers who are charging for a bunch of automated tool scans that aren't properly configured or executed, and they're giving clients a false sense of security.
<---End Rant--->