Events such as these should be accounted for in any service contract you sign with a software vendor. The Council requires that approved PA-QSAs carry appropriate liability insurance.
Article Number 1128