Not sure what it like in the US, but there are people you can speak to here in the UK for advice on setting up a business.
Things such as setting yourself up as a limited company, getting the right banking arrangements, accounts, sorting insurance and general advice on the laws and regulations that will have an impact on you. So I cant really help you out in this area.

With regards to is it a 9 - 5 job, I think it will depend on the customers requirements. Many tests to be considered appropriate will often be carried out on a production environment, unless a UAT environment is considered appropriate. So as you say a customer doesn want you to bring the systems down, they want you to evaluate the security posture of the environment, and report on vulnerabilities and exploits that a hacker would use to gain access / abuse their systems. So certainly in my experiance most Pen Tests are non intrusive / non damaging in that respect, but there are instances where a customer hires you to carry out a job, and wants you to be as realistic as possible.

With regards to PCI compliance, this is a hot and ever growing area at the moment, with less than 10% of companies globally being officially compliant with the PCI:DSS standards. If you want to be a QSA (Qualified Security Assessor), you need to be annually certified, subject to review and testing, and from what I gather its not cheap for a one man band. You can get more information from the PCI Security Standards Council.

if you dont have customers or a niche, i'm wondering why we need yet another pen test shop?

Everyone wants a piece of that PenTest Pie 

NO DOUBT, there are tons of "legit" companies walking around simply running a va scan and handing them a stock report. What a joke and nobody knows any better. As long as the box gets checked. I once had some idiot at an unamed company tell me that their pentest was only running firewalk from the outside. Apparently firewalk was their magic bullet for security.

I think a one man pen test shop could only cater to really small businesses. Anything bigger and your gonna want a whole team, with a few guys that specialize in various areas. I've thought about that idea, as far as doing it on the side. As long as you can line up customers and provide value, why not.

I tend to agree with Bill on Pen Testing is not a one man show. To give any organization a true value for thier money, it is a team effort. You need to have varied level of skill set from network  pen testing to web app testing to client side attacks and  we dont wanna forget about writing good a report.

I think gone are the days when you could hand over a VA report and be done with it. In my opinion if you cannot provide a value of the pen test in terms of business risks  it wont do any good.

out in the sticks and doing pentesting at an affordable price would be a good niche to me