4

The PCI DSS says that a server can have only one primary function, and I'm a little confused over what it means by 'one primary function'.

We have a web server with a database, web pages and email.

Is this a breach of the rules? Because just about all web servers come with a database, web server and email. We are only a very small merchant with a very small web shop; I can't imagine everyone is splitting all these up into 3 servers? This would be very expensive.

2.2.1 Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)

For example:

A database, which needs to have strong security measures in place, would be at risk sharing a server with a web application, which needs to be open and directly face the Internet. Failure to apply a patch to a seemingly minor function could result in a compromise that impacts other, more important functions (such as a database) on the same server.

This requirement is meant for all servers within the cardholder data environment (usually Unix, Linux, or Windows based). This requirement may not apply to systems which have the ability to natively implement security levels on a single server (e.g. mainframe).

I had a look at PCI-DSS - one application per server? but I'm still confused.

user1398287
  • 161
  • 1
  • 4

3 Answers

6

Yes, they should be separate servers.

However, they don't need to be separate physical servers; they can be three virtual servers on one physical server.

There is some room for debate in the standard. Separating web and database is pretty much non-negotiable. But if email is a minor function - say, the web server just uses it to send the odd email notification - then you may be able to justify combining that with the web server. If you were large your QSA would guide on this, but given your size I expect you are on self assessment.

paj28
  • 32,736
  • 8
  • 92
  • 130
  • +1 for discussing how the requirement can be negotiable. There is definitely a sliding scale. Functions that listen on the network should be closely evaluated. – freb Feb 05 '14 at 00:18
  • So a small business would need to either have two VPS's (one for database and one for webserver) or a dedicated server with two VM's on it in order to become PCI compliant? – Nate Jun 10 '15 at 20:08
  • @Nate - yes they would - as well as meeting many other requirements. PCI compliance is hard for small businesses, which is why most tend to outsource card payments. – paj28 Jun 11 '15 at 07:31
3

Yes, this is bad.

One primary application per server would mean that, given the functions you've listed, you would have three servers: one web server, one mail server, one database server. In fact, given that you're in a PCI environment and assuming that you are storing PCI data in the database, the database cannot be on a system that is able to communicate directly with the Internet. Obviously, aside from the single function requirement, this prevents putting the database on either a web or mail server.

A web server can certainly have syslog, ssh and other services running... These services are there because the primary service, the web service, requires them, in addition to the logging and management requirements for the organization.

A great way to figure out if you are meeting this requirement is to ask yourself this question: "If I removed this service from here and installed it on another system in the environment, could this system still achieve its goals?" If the answer is yes, then that service should be moved off of the server.

Hope this helps!

David Hoelzer
  • 615
  • 4
  • 9
  • I'm not actually storing credit card details in the database; the credit card payments are taken on a 3rd party site (payment gateway), Sagepay. Do I still need to split everything up? – user1398287 Feb 05 '14 at 13:25
  • If your PCI web application is interacting with it then it would be in scope for a QSA, provided that your web application is handling PCI data. If you are pushing the user to Sagepay and never touching any of the cardholder data yourself (not just the card number) then you are likely OK. Still, multiple services on a single box is very bad practice. – David Hoelzer Feb 06 '14 at 01:07
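As an added illustration of the "could this system still achieve its goals without this service?" test from the answer above (example code written for this page, not from any of the posters or from the PCI SSC), the script below parses constructed `ss -tlnp` style output, groups listening sockets by the primary function they serve, and flags a host that combines web, database and mail as well as a database socket bound to a non-loopback address. The process-name-to-function table is an assumption for the example; the standard defines no such mapping.

```python
"""Audit a host's listening sockets against PCI DSS 2.2.1 (one primary function per server)."""
import re

# Process name -> primary function. Anything else (sshd, rsyslogd, ...) counts as a supporting service.
PRIMARY_FUNCTIONS = {
    "nginx": "web", "apache2": "web", "httpd": "web",
    "mysqld": "database", "mariadbd": "database", "postgres": "database",
    "master": "email", "exim4": "email", "dovecot": "email",  # "master" is the postfix listener
}

# Matches the process field of `ss -tlnp` output, e.g. users:(("nginx",pid=812,fd=6))
PROC_RE = re.compile(r'users:\(\("([^"]+)"')

def parse_listeners(ss_output):
    """Return (local_address, process_name) pairs from `ss -tlnp` style text."""
    listeners = []
    for line in ss_output.strip().splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        m = PROC_RE.search(line)
        listeners.append((fields[3], m.group(1) if m else "unknown"))
    return listeners

def audit(ss_output):
    """Group listeners by primary function and return (functions, findings)."""
    functions = {}  # function -> set of listening addresses
    for addr, proc in parse_listeners(ss_output):
        if proc in PRIMARY_FUNCTIONS:
            functions.setdefault(PRIMARY_FUNCTIONS[proc], set()).add(addr)
    findings = []
    if len(functions) > 1:
        findings.append("multiple primary functions: " + ", ".join(sorted(functions)))
    # A database in scope must not be reachable from the Internet; loopback-only is the safe case.
    for addr in functions.get("database", ()):
        if addr.rsplit(":", 1)[0] not in ("127.0.0.1", "[::1]"):
            findings.append(f"database listening on non-loopback address {addr}")
    return functions, findings

# Constructed sample in the shape of `ss -tlnp` output from a combined web/database/mail host.
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=812,fd=6))
LISTEN 0      80     0.0.0.0:3306       0.0.0.0:*         users:(("mysqld",pid=640,fd=22))
LISTEN 0      100    0.0.0.0:25         0.0.0.0:*         users:(("master",pid=701,fd=13))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=455,fd=3))
LISTEN 0      4096   127.0.0.1:514      0.0.0.0:*         users:(("rsyslogd",pid=380,fd=5))
"""
```

Running `audit(SAMPLE)` reports three primary functions on one host and the Internet-facing database socket, while sshd and rsyslogd pass as supporting services.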
2

For the scenario you have described in your question and comments, you would be completing PCI-DSS v3 self assessment SAQ A-EP. It does seem somewhat unfair, if not poorly thought out, that a 46 page form is required even when, as in your case, the entire cardholder data environment is outsourced and all you do is redirect customers to the payment acceptance company's website to make payment and receive some sort of confirmation or error message via an API from their website back to yours. However, it is what it is.

Without checking with a QSA I could not confirm whether it would be acceptable, but to me the majority of questions would fall outside of scope due to them referring to the cardholder data environment and protecting cardholder data, and so entire sections of the SAQ could be answered with N/A.

For requirement 2 (do not use vendor-supplied defaults for system passwords and other security parameters): this would include the hosting environment, and so you would need to ask your hosting provider for assistance in completing this section, but it would also include any application software you have installed into your designated disk space, such as e-Commerce software like PrestaShop, Magento etc. and any other applications installed such as WordPress etc.

Personally I would probably choose N/A for 2.2.1 where it asks about one primary function per server due to the hosting environment falling outside the scope of the cardholder data environment and being completely separate from the outsourced payment acceptance provider's systems. This might be a point of controversy and you may need to consult your QSA on this point.

I would certainly be interested in the feedback from your QSA if you were to post it here after asking them.


Edit on 01-Feb-2015:

Just to clarify further, having now checked with the PCI-DSS SSC, it all comes down to whether your website hosts any payment pages at all. If your website literally has a cart system and checkout button and then the user is redirected to a third party payment acceptance provider where they proceed to enter card details etc., or the same is achieved via embedding this into an <iframe>, then you can use SAQ A. If you are embedding into a <div> or capturing cardholder data directly on your website using HTML form elements, or any templating elements to improve the look and feel are hosted on your website, then due to the increased security risk an SAQ A-EP will be required. There is also a helpful article going into more depth on the reasons for this on the PCI Security Standards FAQ.

richhallstoke
  • 218
  • 1
  • 7