
I plan on deploying our new company website to a dedicated server through a hosting provider. I will personally maintain the server with the exception of dealing with the physical hardware. The company itself does possess credit card info through phone calls and other means, so we are subject to PCI compliance. However, this new website, which is not on the company's private network, has limited if not absent exposure to sensitive cardholder data. We will be using 2 online payment methods:

PayPal Express (totally third party, no sensitive data available)

Authorize.net Direct Post (The credit card form is generated on our site, but submitted directly to Authorize.net. Only a serious and unnoticed breach would make this info available to my server.)

With this setup, the database and web server at no point see any credit card data, which brings me to PCI DSS requirement 2.2.1:

Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)

My hope is that because the database has no sensitive data (and for that matter, might as well be a database of all my favorite colors and films), it is not considered a "different security level". My thoughts are that this requirement would apply to larger companies that host various services and applications, where separating the two is quite logical. Can anyone clarify this rule per my situation, or give any thoughts? I find it hard to believe that every VPS or dedicated server with the LAMP stack installed (as all the "PCI Compliant" managed solutions said they would happily set up for us) is out of compliance. At the very least, is this a situation where special exceptions could apply?

In addition, the server is locked down with a software firewall, TLS 1.1 and up, IP restrictions, log storage and monitoring, file integrity checks, malware and network scanners, etc. Overall, I'd like to avoid the cost and complexity of a separate server to simply check a box.

AirmanAJK

2 Answers


The requirement is that each server have a primary function rather than a single function. You can argue that the primary function of the server is as a web server and the database functionality is a secondary function. Consider a Domain Controller, which can be a DHCP server, NTP server, DNS server, authentication server and security policy server.

In terms of security levels for PCI compliance, given that the database is not storing cardholder data, there is no requirement for this to be a separate server on an internal network segment. As the server itself is in scope, everything on the server is in scope, so the database still needs to be hardened and logged; you're still securing the system and mitigating risk.

If you have a QSA, s/he should be able to provide guidance.

AndyMac

PCI has a lot of standards for merchants (running an eCommerce website) and service providers (PayPal).
You only need to follow SAQ A; you can download the PDF from pcisecuritystandards.org.
PS: SAQ A – Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced.
So not all standards apply to you; I think only 14 questions, which you will find in SAQ A. Also, you don't need any Authorized Scanning Vendor (ASV) to scan your system.
Feel free to ask additional questions if that would be helpful to you.

  • Thank you for the quick response. Before this new website has even launched, we have been filling out "PCI SAQ D 3.2" and getting "Vulnerability Scan Reports" quarterly for the current (old) website. It really seems like this new website should be in its own world, since it has no direct connection to the rest of our business infrastructure. – AirmanAJK Jan 21 '17 at 05:38
  • Also, even with this new website, we wouldn't qualify for SAQ A due to the last line in the "Before You Begin" section (our web server generates the payment page, though it submits directly to Authorize.net): All elements of the payment page(s) delivered to the consumer’s browser originate only and directly from a PCI DSS validated third-party service provider(s). – AirmanAJK Jan 21 '17 at 05:47
  • I'm really relying on the notion of "different security level" not applying when comparing my web server and database, as there isn't anything sensitive in terms of PCI compliance stored in the database. – AirmanAJK Jan 21 '17 at 05:58