SQL Server 2005 Express on different server?
Was just reading the Secure Implementation Guide and was wondering do I have to have a 2nd server just for my database if I am not going to store credit card info? I will be using Pay Junction as my credit processing agent and info about order and customer will be stored on their computer, not ours.
My question then is can I have the SQL Server run on the same computer as my website if it is not storing credit cards?
Thank you,
Hawk
- jmestep
- AbleCommerce Angel
- Posts: 8164
- Joined: Sun Feb 29, 2004 8:04 pm
- Location: Dayton, OH
- Contact:
Re: SQL Server 2005 Express on different server?
It isn't a matter of you "have" to do it, it is what the card companies want for full compliance. It would be more of a security risk to have both on one, but I don't know how much more if you take all the precautions you can.
Judy Estep
Web Developer
jestep@web2market.com
http://www.web2market.com
708-653-3100 x209
New search report plugin for business intelligence:
http://www.web2market.com/Search-Report ... -P154.aspx
Re: SQL Server 2005 Express on different server?
We will have an SSL certificate and will not store card info on our server but on the Pay Junction server. That's what the SSL is for: it will protect the communication between our server and Pay Junction.
I am wondering if we are required to be compliant, or only if we want to be certified?
- jmestep
- AbleCommerce Angel
- Posts: 8164
- Joined: Sun Feb 29, 2004 8:04 pm
- Location: Dayton, OH
- Contact:
Re: SQL Server 2005 Express on different server?
Well, it's not "the law" as far as government goes, and sometimes I think the same people wrote the PCI compliance requirements as the ones who wrote the HIPAA regulations.
Judy Estep
Web Developer
jestep@web2market.com
http://www.web2market.com
708-653-3100 x209
New search report plugin for business intelligence:
http://www.web2market.com/Search-Report ... -P154.aspx
- Lieutenant (LT)
- Posts: 58
- Joined: Thu Jun 21, 2007 8:27 pm
Re: SQL Server 2005 Express on different server?
From what I've seen while briefly going over the PCI documents I think Visa can make you pay a fine if you don't comply with the PCI standards as well as denying you the ability to take Visa cards. While that technically doesn't "force" you to comply, I'm guessing most merchants wouldn't want to lose the ability to take Visa cards so, in effect, you are forced to comply with their standards.
It makes perfect sense when you consider the massive financial damage done to Visa if their card numbers get compromised. It's in their best financial interest to make sure their merchants are protecting the card numbers.
I'm certainly no expert in PCI compliance. I'm just reviewing the documents right now to try to figure out if my client will be in compliance. He wants to change some of the defaults in AC and I need to know if that would prevent him from being able to take Visa cards.
Steve
Re: SQL Server 2005 Express on different server?
What if the site and the database are on different accounts and IPs but still on the same server? Or on different VPSs but the same physical server?
I know most web hosts let you have 5 to 30 different accounts on one main account.
Re: SQL Server 2005 Express on different server?
kastnerd wrote: What if the site and the database are on different accounts and IP's but still on the same server? or different VPS but same server.
The purpose of separating the website and database servers is to prevent internet access to the database server (obviously you can't prevent internet access to the website server).
Many VPS hosts will give you database space on a separate physical database server. As long as that database server is not accessible to the internet, it is compliant with that aspect of the current PCI spec.
Re: SQL Server 2005 Express on different server?
I've been looking into the same issue. We are not going to be storing credit card numbers, only processing them using a gateway. Do we need a separate database server? Based on the PCI DSS docs, I think we technically do.
However, AbleCommerce offers a dedicated server hosting package in which the SQL Server instance lives on the web server and claims to be PCI compliant. They don't seem to know the answer to the question either because they haven't responded to my inquiries.
Can anyone at AbleCommerce advise me?
Re: SQL Server 2005 Express on different server?
If you're not storing the card, it does not matter.
Re: SQL Server 2005 Express on different server?
Hi Hawk,
If you are not storing credit card data in your AbleCommerce database, then your site requires the PCI-DSS SAQ-C form, which does not require separate web and database servers.
https://www.pcisecuritystandards.org/se ... uments.php
Dimi Goranov
Drundo Software Inc.
AbleCommerce Hosting and Management
Email: dgoranov@drundo.com
Ph: 888.464.2140