Section 2.2 of the PCI Validation Requirements for Qualified Security Assessors (QSA) v. 1.1 calls for "auditor independence" within the QSA program precisely to avoid the type of conflict of interest that you are worried about. In discussing this issue with others in the industry, it is generally accepted that policies be put into place that mandate a separation of duties between QSA Auditors and QSAs, or other individuals within a QSA certified company who provide remediation support.