I plan on deploying our new company website to a dedicated server through a hosting provider. I will personally maintain the server with the exception of dealing with the physical hardware. The company itself does possess credit card info through phone calls and other means, so we are subject to PCI compliance. However, this new website, which is not on the company's private network, has limited if not absent exposure to sensitive cardholder data. We will be using 2 online payment methods:
PayPal Express (Totally third party, no sensitive data available)
Authorize.net Direct Post (The credit card form is generated on our site, but submitted directly to Authorize.net. Only a serious and unnoticed breach would make this info available to my server.)
With this setup, the database and web server at no point see any credit card data, which brings me to PCI DSS requirement 2.2.1:
Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)
My hope is that because the database has no sensitive data (and for that matter, might as well be a database of all my favorite colors and films), then it is not considered a "different security level". My thoughts are that this requirement would apply to larger companies that host various services and applications, where separating the two is quite logical. Can anyone clarify this rule per my situation, or give any thoughts? I find it hard to believe that every VPS or dedicated server with the LAMP stack installed (as all the "PCI Compliant" managed solutions said they would happily set up for us) is out of compliance. At the very least, is this a situation where special exceptions could apply?
In addition, the server is locked down with a software firewall, TLS 1.1 and up, IP restrictions, log storage and monitoring, file integrity checks, malware and network scanners, etc. Overall, I'd like to avoid the cost and complexity of a separate server to simply check a box.
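The scoping argument above rests on the claim that the web server and database never see cardholder data because the card form posts straight to Authorize.net. That claim is checkable rather than assumed: a log-monitoring job that scans the server's own logs for anything that looks like a primary account number (PAN) will catch a misconfigured form, a debug setting that logs request bodies, or a relay endpoint that echoes more than a transaction id. The following is an added example, not code from the original post or from Authorize.net; the log lines are constructed for illustration (using the publicly known test PANs 4111111111111111 and 5555555555554444, one Luhn-invalid 16-digit order number, and one tokenized gateway response), and the log format is an assumed Apache-style access log with the request body appended.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the maximum PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pan_leaks(log_text: str) -> list[tuple[int, str]]:
    """Scan log text line by line; return (line_number, masked_pan) for each Luhn-valid PAN found.

    Digit runs that merely look like a PAN but fail Luhn (order ids, timestamps run together)
    are ignored, so the result is a list of findings worth alerting on, not raw regex noise.
    """
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                findings.append((line_no, mask_pan(digits)))
    return findings


# Constructed sample log (not real traffic). Lines 1 and 2 show what a mis-wired form that
# posts to our own /checkout would leave behind; line 3 is a Luhn-invalid order number that
# must not be flagged; line 4 is the kind of gateway relay response that is fine to log.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /checkout HTTP/1.1" 200 512 "card=4111111111111111&exp=1225"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /checkout HTTP/1.1" 200 512 "card=5555 5555 5555 4444"
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /order/1234567890123456 HTTP/1.1" 200 88 "-"
203.0.113.9 - - [10/Oct/2023:13:56:05 +0000] "POST /relay HTTP/1.1" 200 30 "x_trans_id=60012345678&x_response_code=1"
"""

if __name__ == "__main__":
    for line_no, masked in find_pan_leaks(SAMPLE_LOG):
        print(f"line {line_no}: possible PAN {masked} - cardholder data reached this server")
```

Run against the constructed log this reports lines 1 and 2 only; a finding in production would mean the server is in scope after all and the "no cardholder data" premise behind the 2.2.1 argument no longer holds. The same scan belongs on database dumps and application error logs, which are the usual places a direct-post integration quietly leaks.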