Events such as these should be accounted for in any service contract you sign with a software vendor. The Council requires that approved PA-QSAs carry appropriate liability insurance.
Article Number 1128
If a merchant develops an application that runs on a consumer’s device (e.g. smartphone, tablet, or laptop) that is used to accept payment card data, what are the merchant’s obligations regarding PCI DSS and PA-DSS for that application?
What is the Council’s guidance on the use of SHA-1?
Does PCI DSS, PA-DSS, or PTS apply to ATMs?
What version of PCI DSS should I use?
How does Triple DEA (TDEA) impact ASV Scan results?