The nightmare scenario plays itself out something like this: Apathetic ISV wants its app certified but nothing more, so the ISV shops for an assessor firm and looks only for the lowest price. There are assessment firms that pitch the lowest price, and they are only too happy to make the assessment as quick, painless and profitable (and useless) as possible. That brings us back to the original question: If both sides want to cut costs, who is going to stop them?
Can A PCI App Assessment Be Phoned In?
Here's a frightening question: "Who is going to report 'questionable' assessments of vendor applications when neither of the parties to the process (the vendor and the assessor) has any motivation to do so?"