Separate Web & DB Servers

Posted: Wed Aug 18, 2010 4:24 pm
by sweeperq
Was reading through the PCI docs I agreed to when installing. If you have your installation set up to never store the credit card information, is there a reason why a separate web & db server implementation would be required? Technically, in this instance, one could argue that the Payment Gateway is the credit card database and they are in an isolated environment locked up behind a firewall outside of your DMZ.

I never really understood the whole drive behind separating the two, because if someone breaks into your web server, they can easily get into your database server. You can encrypt your connection string info and your credit card data all you want. All they need to do is create a new ASPX page using the application's database and encrypt/decrypt libraries and all your happy separation falls apart.

Re: Separate Web & DB Servers

Posted: Fri Aug 20, 2010 11:14 am
by mikek
If you are running a small volume ecommerce site (less than 20,000 transactions/year) your site will fall into merchant level 4 category.

http://www.pcicomplianceguide.org/pcifaqs.php#5

In merchant level 4 category your site must pass a quarterly scan by an approved scanning vendor. In this category you can still have web and db running on the same server as long as the database is not open for direct access from the Internet (close port 1433, or disable the tcp/ip db interface).

If you are processing more than 20,000 transactions/year then you may need a separate MSSQL server simply because one server won't be able to handle the high traffic volume to your site.
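
An added check for the condition described above (not code from any poster in this thread): a Python script that parses Windows "netstat -an" output and flags any TCP 1433 listener bound to something other than a loopback address, which is what you would want to see if the DB interface is meant to be closed to the Internet. The netstat sample is constructed, and the port set is an assumption you would adjust for your engine.

```python
import ipaddress

# Constructed sample of Windows "netstat -an" output (not real host data).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING
  TCP    [::]:1433              [::]:0                 LISTENING
  TCP    192.168.1.10:1433      192.168.1.10:51234     ESTABLISHED
  UDP    0.0.0.0:1434           *:*
"""

DB_PORTS = {1433}  # assumed: the TCP port the post says to close; extend as needed


def _split_host_port(addr):
    """Split 'host:port' or '[v6host]:port' into (host, int port)."""
    host, port = addr.rsplit(":", 1)
    return host.strip("[]"), int(port)


def exposed_db_listeners(netstat_output, ports=DB_PORTS):
    """Return (proto, host, port) for DB-port listeners bound beyond loopback.

    A socket bound to 0.0.0.0 / :: or to a real interface address is reachable
    from the network unless a host firewall blocks it; loopback-only is fine.
    """
    exposed = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        proto, local = fields[0], fields[1]
        state = fields[3] if len(fields) > 3 else ""  # UDP rows have no State
        if proto == "TCP" and state != "LISTENING":
            continue  # ESTABLISHED / TIME_WAIT rows are not listeners
        host, port = _split_host_port(local)
        if port in ports and not ipaddress.ip_address(host).is_loopback:
            exposed.append((proto, host, port))
    return exposed


if __name__ == "__main__":
    for proto, host, port in exposed_db_listeners(SAMPLE_NETSTAT):
        print(f"WARNING: {proto} {port} bound on {host}, not loopback-only")
```

Run it against the real `netstat -an` output on the web server; an empty result means the database is only listening locally, and anything else should be matched against your firewall rules.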

Re: Separate Web & DB Servers

Posted: Mon Sep 20, 2010 6:45 am
by plugables
Besides the PCI requirement, it is important for the performance of your server. The server load is an important factor in deciding. If you expect high traffic then there comes a threshold where you want to have the database on a different server. Then you can optimize the one server for web access and the other server for database access. You usually get much better throughput that way. It's a good idea to have SQL Server behind a firewall so that it's not directly accessible from outside.

Re: Separate Web & DB Servers

Posted: Fri Nov 18, 2011 5:41 pm
by sarama
Thanks for the information guys, this is really helpful.

Kind regards, Sarama
"Do not dwell in the past, do not dream of the future, concentrate the mind on the present moment."

Re: Separate Web & DB Servers

Posted: Fri Nov 18, 2011 9:50 pm
by rymay
sarama wrote: Thanks for the information guys, this is really helpful.

Kind regards, Sarama
"Do not dwell in the past, do not dream of the future, concentrate the mind on the present moment."

Yeah I found this thread really useful, thank you for all of the input, it will come in handy for sure.

Re: Separate Web & DB Servers

Posted: Mon Nov 28, 2011 2:33 am
by dustin
To my knowledge all this credit card information is stored in an isolated environment which is locked up behind a firewall. To make us comfortable, they say they never store the credit card information. I don't think it is as easily accessible from outside as you think. If it was possible or that easy, someone must already have tried it. Thanks to you for bringing this up in front of us; now we can be a little more careful.