SQL Server 2005 Express on different server?

Posted: Thu May 01, 2008 3:16 pm
by Haak
Was just reading the Secure Implementation Guide and was wondering do I have to have a 2nd server just for my database if I am not going to store credit card info? I will be using Pay Junction as my credit processing agent and info about order and customer will be stored on their computer, not ours.
My question then is can I have the SQL Server run on the same computer as my website if it is not storing credit cards?

Thank you,
Hawk

Re: SQL Server 2005 Express on different server?

Posted: Thu May 01, 2008 3:23 pm
by jmestep
It isn't a matter of you "have" to do it, it is what the card companies want for full compliance. It would be more of a security risk to have both on one, but I don't know how much more if you take all the precautions you can.

Re: SQL Server 2005 Express on different server?

Posted: Thu May 01, 2008 5:49 pm
by Haak
We will have an SSL certificate and will not store card info on our server but on the Pay Junction server. That's what the SSL is for: it will protect the communication between our server and Pay Junction.

I am wondering if we are required to be compliant, or only if we want to be certified?

Re: SQL Server 2005 Express on different server?

Posted: Thu May 01, 2008 7:25 pm
by jmestep
Well, it's not "the law" as far as government goes, and sometimes I think the same people wrote the PCI compliance requirements as the ones who wrote the HIPAA regulations.

Re: SQL Server 2005 Express on different server?

Posted: Thu Dec 04, 2008 10:42 am
by SteveHiner
From what I've seen while briefly going over the PCI documents I think Visa can make you pay a fine if you don't comply with the PCI standards as well as denying you the ability to take Visa cards. While that technically doesn't "force" you to comply, I'm guessing most merchants wouldn't want to lose the ability to take Visa cards so, in effect, you are forced to comply with their standards.

It makes perfect sense when you consider the massive financial damage done to Visa if their card numbers get compromised. It's in their best financial interest to make sure their merchants are protecting the card numbers.

I'm certainly no expert in PCI compliance. I'm just reviewing the documents right now to try to figure out if my client will be in compliance. He wants to change some of the defaults in AC and I need to know if that would prevent him from being able to take Visa cards.

Re: SQL Server 2005 Express on different server?

Posted: Wed Dec 10, 2008 7:12 pm
by kastnerd
What if the site and the database are on different accounts and IPs but still on the same server? Or different VPSs but the same server?

I know most web hosts let you have 5 to 30 different accounts on one main account.

Re: SQL Server 2005 Express on different server?

Posted: Wed Dec 10, 2008 8:16 pm
by afm
kastnerd wrote: What if the site and the database are on different accounts and IPs but still on the same server? Or different VPSs but the same server?
The purpose of separating the website and database servers is to prevent internet access to the database server (obviously you can't prevent internet access to the website server).

Many VPS hosts will give you database space on a separate physical database server. As long as that database server is not accessible to the internet, it is compliant with that aspect of the current PCI spec.
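As an added illustration of afm's point (this is not code from the thread or from AbleCommerce), the check below reads netstat-style listening sockets and reports whether SQL Server is bound to an address that is reachable from outside the host; both netstat samples are constructed, and the port set is an assumption you replace with your instance's port.

```python
import ipaddress
import re

# Constructed "netstat -an" output (not from the thread) for a combined web+database
# host: the web listeners are expected; SQL Server on 0.0.0.0 / [::] is the problem.
COMBINED_HOST = """\
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:49172        0.0.0.0:0              LISTENING
  TCP    [::]:1433              [::]:0                 LISTENING
"""

# Constructed output for a dedicated database host on a private network.
SEPARATE_DB_HOST = """\
  TCP    10.0.0.5:1433          0.0.0.0:0              LISTENING
"""

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING", re.MULTILINE)


def classify_sql_listeners(netstat_text, sql_ports=frozenset({1433})):
    """Group SQL Server TCP listeners by how reachable their bind address is.

    'exposed'  : bound to every interface (0.0.0.0 / ::) or to a public address;
                 on a box that also serves the website this is internet-facing.
    'internal' : bound to a private (RFC 1918 / ULA) address; reachable from the
                 internal network only, so a firewall rule still has to block it.
    'local'    : bound to loopback; only processes on the same host can connect.
    sql_ports is an assumed list of instance ports (Express named instances often
    use a dynamic port, so pass the one SQL Server Configuration Manager shows).
    """
    groups = {"exposed": [], "internal": [], "local": []}
    for raw_addr, port in LISTEN_RE.findall(netstat_text):
        port = int(port)
        if port not in sql_ports:
            continue
        addr = raw_addr.strip("[]")          # netstat prints IPv6 as [::]:1433
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback:
            groups["local"].append((addr, port))
        elif ip.is_unspecified or not ip.is_private:
            groups["exposed"].append((addr, port))
        else:
            groups["internal"].append((addr, port))
    return groups


if __name__ == "__main__":
    for name, text in (("combined host", COMBINED_HOST), ("separate db host", SEPARATE_DB_HOST)):
        print(name, classify_sql_listeners(text, {1433, 49172}))
```

On the combined host the 0.0.0.0 and :: listeners on 1433 are what the PCI separation requirement is meant to rule out; on the dedicated host the 10.0.0.5 listener is internal and still needs the firewall to deny internet traffic to it.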

Re: SQL Server 2005 Express on different server?

Posted: Tue Jan 13, 2009 11:21 am
by mut3a7
I've been looking into the same issue. We are not going to be storing credit card numbers, only processing them using a gateway. Do we need a separate database server? Based on the PCI DSS docs, I think we technically do.
However, AbleCommerce offers a dedicated server hosting package in which the SQL Server instance lives on the web server and claims to be PCI compliant. They don't seem to know the answer to the question either because they haven't responded to my inquiries.
Can anyone at AbleCommerce advise me?

Re: SQL Server 2005 Express on different server?

Posted: Thu Feb 05, 2009 7:20 am
by kastnerd
If you're not storing the card it does not matter.

Re: SQL Server 2005 Express on different server?

Posted: Mon Sep 05, 2011 12:00 pm
by dgoranov
Hi Hawk,

If you are not storing credit card data in your AbleCommerce database then your site requires PCI-DSS SAQ-C Form which does not require separate web and database servers.

https://www.pcisecuritystandards.org/se ... uments.php