Separate Web & DB Servers

This forum is dedicated to answering AbleCommerce 7.0 questions about PCI certification and compliance.
sweeperq
Commodore (COMO)
Posts: 497
Joined: Tue Jan 03, 2006 2:45 pm

Separate Web & DB Servers

Post by sweeperq » Wed Aug 18, 2010 4:24 pm

Was reading through the PCI docs I agreed to when installing. If you have your installation set up to never store the credit card information, is there a reason why a separate web & db server implementation would be required? Technically, in this instance, one could argue that the Payment Gateway is the credit card database and they are in an isolated environment locked up behind a firewall outside of your DMZ.

I never really understood the whole drive behind separating the two, because if someone breaks into your web server, they can easily get into your database server. You can encrypt your connection string info and your credit card data all you want. All they need to do is create a new ASPX page using the application's database and encrypt/decrypt libraries and all your happy separation falls apart.

mikek
Commander (CMDR)
Posts: 112
Joined: Wed Oct 15, 2008 9:30 pm
Location: Boston, MA

Re: Separate Web & DB Servers

Post by mikek » Fri Aug 20, 2010 11:14 am

If you are running a small volume ecommerce site (less than 20,000 transactions/year) your site will fall into the merchant level 4 category.

http://www.pcicomplianceguide.org/pcifaqs.php#5

In the merchant level 4 category your site must pass a quarterly scan by an approved scanning vendor. In this category you can still have web and db running on the same server as long as the database is not open for direct access from the Internet (close port 1433, or disable the tcp/ip db interface).

If you are processing more than 20,000 transactions/year then you may need a separate mssql server simply because one server won't be able to handle the high traffic volume to your site.
Mike Kolev
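The "close port 1433 or disable the tcp/ip db interface" advice above can be checked from the host itself. The script below is an added example, not code from this thread or from AbleCommerce: it parses saved `netstat -ano` output (the embedded sample is constructed) and flags SQL Server listeners bound to anything other than loopback on a combined web+DB server. Treating 1433 and the SQL Browser port 1434 as the ports that must not be exposed is an assumed policy.

```python
"""Flag SQL Server listeners reachable beyond loopback on a host that runs
both the web site and the database.  Added example, not part of the thread;
it parses `netstat -ano` output (Windows) and the sample below is constructed."""
import re

# Assumed policy: these ports must not listen on a non-loopback address.
DB_PORTS = {1433: "SQL Server TCP", 1434: "SQL Browser (UDP)"}
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample of `netstat -ano` on a combined web+DB server.
SAMPLE_NETSTAT = """\
  Proto  Local Address     Foreign Address   State        PID
  TCP    0.0.0.0:80        0.0.0.0:0         LISTENING    4
  TCP    0.0.0.0:1433      0.0.0.0:0         LISTENING    1820
  TCP    127.0.0.1:1433    0.0.0.0:0         LISTENING    1820
  TCP    [::]:1433         [::]:0            LISTENING    1820
  TCP    10.0.0.5:49152    10.0.0.9:443      ESTABLISHED  2210
  UDP    0.0.0.0:1434      *:*                            1640
"""

# Groups: proto, local, foreign, optional state (absent for UDP), pid
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")

def split_addr(addr):
    """'[::]:1433' -> ('::', 1433); '0.0.0.0:80' -> ('0.0.0.0', 80)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)

def audit_listeners(netstat_text):
    """Return one finding per DB-port listener not bound to loopback."""
    findings = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or unparseable line
        proto, local, _foreign, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/outbound connections are not listeners
        host, port = split_addr(local)
        if port not in DB_PORTS or host in LOOPBACK:
            continue  # not a DB port, or reachable only from this host
        findings.append({"proto": proto, "bind": host, "port": port,
                         "pid": int(pid), "service": DB_PORTS[port]})
    return findings

if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_NETSTAT):
        print(f"EXPOSED {f['service']} {f['proto']} {f['bind']}:{f['port']} pid={f['pid']}")
```

A clean result on a same-host setup is only the 127.0.0.1 (or ::1) entry for 1433, which the application's connection string can still use while the firewall blocks the port from the Internet.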

plugables
Captain (CAPT)
Posts: 276
Joined: Sat Aug 15, 2009 4:04 am

Re: Separate Web & DB Servers

Post by plugables » Mon Sep 20, 2010 6:45 am

Besides the PCI requirement, it is important for the performance of your server. The server load is an important factor in deciding. If you expect high traffic then there comes a threshold where you want to have the database on a different server. Then you can optimize the one server for web access and the other server for database access. You usually get much better throughput that way. It's a good idea to have SQL Server behind a firewall so that it's not directly accessible from outside.

sarama
Ensign (ENS)
Posts: 1
Joined: Fri Nov 18, 2011 4:56 pm

Re: Separate Web & DB Servers

Post by sarama » Fri Nov 18, 2011 5:41 pm

Thanks for the information guys, this is really helpful.

Kind regards, Sarama
"Do not dwell in the past, do not dream of the future, concentrate the mind on the present moment."

rymay
Ensign (ENS)
Posts: 5
Joined: Fri Nov 18, 2011 4:58 pm

Re: Separate Web & DB Servers

Post by rymay » Fri Nov 18, 2011 9:50 pm

sarama wrote: Thanks for the information guys, this is really helpful.

Kind regards, Sarama
"Do not dwell in the past, do not dream of the future, concentrate the mind on the present moment."

Yeah I found this thread really useful, thank you for all of the input, it will come in handy for sure.

dustin

Re: Separate Web & DB Servers

Post by dustin » Mon Nov 28, 2011 2:33 am

To my knowledge all this credit card information is stored in an isolated environment which is locked up behind a firewall. To make us comfortable, they say they never store the credit card information. I don't think it is as easily accessible from outside as you think. If it was possible or that easy, someone must already have tried it. Thanks for bringing this up in front of us; now we can be a little careful.
