Will PCI DSS make small ISOs disappear?


cf101
05-30-2007, 07:03 PM
My boss has asked me to figure out the effect of PCI DSS on small Independent Sales Organizations that sign up merchants and help them accept credit/debit cards. He thinks that the PCI DSS compliance will make small merchants hesitant to use smaller ISOs, and instead go with larger ISOs.

Does anyone think this is the case? I tend to think that merchants would be happy to go with smaller, cheaper ISOs as long as they knew their stuff regarding PCI DSS. I just don't think the larger guys will have the time to deal with smaller merchants and there will still be a place for small, hands-on ISOs.

Thanks!

jbhall56
05-31-2007, 11:17 AM
We do PCI work for a number of smaller ISOs and while there is an appearance of "pressure" on them because of the PCI DSS, they are not seeing any migration of their clients to larger ISOs outside of the 'normal' changing that they've always seen.

In regards to compliance, our smaller ISOs are actually more compliant than our larger ISOs. If you think about it, while they may be short on dollars, they have an easier time getting decisions made and they get things remediated/fixed much faster than their larger counterparts.

mdahn
05-31-2007, 05:24 PM
I do not see any reason why PCI compliance would put smaller-anyone out of business. It's a matter of complying with the standards and smaller companies should have less to change as their operations are small.

The cost of compliance is a bit hand-in-hand with the size and complexity of the company.