According to The 451 Group, an IT security analyst firm, there are nine different security technologies required for PCI compliance alone: antivirus, firewalls, intrusion detection systems, encryption for data at rest, file integrity, log management, multifactor authentication, a Web application firewall (or a security development lifecycle), and a vulnerability management solution. Then there are the services: a qualified security assessor, an approved scanning vendor, and in the case of a breach, the qualified incident response assessor. For small and medium businesses, the costs can be overwhelming, says Joshua Corman, research director for The 451 Group’s security practice.