February 11, 2009, 11:11 AM — The deadline for PCI DSS compliance is coming up for small businesses, and in the tough economy, it's not going to be easy for some. Larger businesses have already passed their compliance deadline. There's a big difference here, though. Larger enterprises are more likely to already have many of the required controls in place, such as application-layer firewalls, along with a fully staffed IT department to take care of them. Smaller businesses, especially the very small and SOHO operations, are less likely to have rigorous security measures in place.
Naturally, this presents an opportunity for VARs who specialize in security to target the SMB and SOHO marketplaces right now. Unfortunately, it's going to be a big burden for the smallest businesses, but they will have to either comply or go out of business. Without compliance, a merchant faces stiff fines (passed down through its acquiring bank) and the loss of its merchant account, which means it can no longer accept cards at all. For some, it's a dilemma, which reminds me of the new laws for lead-testing toys. A great idea, of course, but with an unfortunate side effect. Very small second-hand shops and thrift shops just can't afford to do it. Lead-testing equipment is just too expensive. Those small mom 'n pop shops will either go out of business or stop selling second-hand toys. We may well see a similar side effect for the smallest ecommerce operations that can't afford to become PCI DSS compliant. For vendors and VARs alike, there's an opportunity here to market lower-cost security solutions, products and services to these small operators.