The PCI SSC has developed a variety of rules that PA-QSAs must follow during these assessments -- including the use of a testing laboratory. Per these guidelines, the assessment can take place only in a lab controlled by the PA-QSA or the software vendor. Either way, the site must allow the assessor to utilize the application in a way that appropriately simulates real-world conditions -- for example, the testing should involve valid test card numbers, rather than authentic PANs.
Ideally, the assessor should perform the analysis at its own site, but the PCI SSC allows the use of the vendor's lab, so long as it is necessary -- because, for instance, the vendor has equipment unavailable to the PA-QSA -- and the facility is adequate to the purpose. In that case, however, the PA-QSA must verify that the software vendor has not tampered with the lab environment, so that the results are not drawn from a compromised setup. In addition, the lab must allow for a range of penetration test methodologies, including those that uncover forensic data and those that attempt to exploit vulnerabilities.
For further information on laboratory requirements, consult Appendix B of the Payment Application Data Security Standard Requirements and Security Assessment Procedures.