SQL Server 2005 Express on different server?

This forum is dedicated to answering AbleCommerce 7.0 questions about PCI certification and compliance.
Haak
Lieutenant, Jr. Grade (LT JG)
Posts: 43
Joined: Thu Sep 20, 2007 10:10 am

SQL Server 2005 Express on different server?

Post by Haak » Thu May 01, 2008 3:16 pm

Was just reading the Secure Implementation Guide and was wondering whether I have to have a 2nd server just for my database if I am not going to store credit card info? I will be using Pay Junction as my credit processing agent, and info about the order and customer will be stored on their computer, not ours.
My question then is can I have the SQL Server run on the same computer as my website if it is not storing credit cards?

Thank you,
Hawk

jmestep
AbleCommerce Angel
Posts: 8164
Joined: Sun Feb 29, 2004 8:04 pm
Location: Dayton, OH

Re: SQL Server 2005 Express on different server?

Post by jmestep » Thu May 01, 2008 3:23 pm

It isn't a matter of whether you "have" to do it; it is what the card companies want for full compliance. It would be more of a security risk to have both on one, but I don't know how much more if you take all the precautions you can.
Judy Estep
Web Developer
jestep@web2market.com
http://www.web2market.com
708-653-3100 x209
New search report plugin for business intelligence:
http://www.web2market.com/Search-Report ... -P154.aspx

Haak
Lieutenant, Jr. Grade (LT JG)
Posts: 43
Joined: Thu Sep 20, 2007 10:10 am

Re: SQL Server 2005 Express on different server?

Post by Haak » Thu May 01, 2008 5:49 pm

We will have an SSL certificate and will not store card info on our server but on the Pay Junction server. That's what the SSL is for: it will protect the communication between our server and Pay Junction.

I am wondering if we are required to be compliant, or only if we want to be certified?

jmestep
AbleCommerce Angel
Posts: 8164
Joined: Sun Feb 29, 2004 8:04 pm
Location: Dayton, OH

Re: SQL Server 2005 Express on different server?

Post by jmestep » Thu May 01, 2008 7:25 pm

Well, it's not "the law" as far as the government goes, and sometimes I think the same people wrote the PCI compliance requirements as the ones who wrote the HIPAA regulations.
Judy Estep
Web Developer
jestep@web2market.com
http://www.web2market.com
708-653-3100 x209
New search report plugin for business intelligence:
http://www.web2market.com/Search-Report ... -P154.aspx

SteveHiner
Lieutenant (LT)
Posts: 58
Joined: Thu Jun 21, 2007 8:27 pm

Re: SQL Server 2005 Express on different server?

Post by SteveHiner » Thu Dec 04, 2008 10:42 am

From what I've seen while briefly going over the PCI documents I think Visa can make you pay a fine if you don't comply with the PCI standards as well as denying you the ability to take Visa cards. While that technically doesn't "force" you to comply, I'm guessing most merchants wouldn't want to lose the ability to take Visa cards so, in effect, you are forced to comply with their standards.

It makes perfect sense when you consider the massive financial damage done to Visa if their card numbers get compromised. It's in their best financial interest to make sure their merchants are protecting the card numbers.

I'm certainly no expert in PCI compliance. I'm just reviewing the documents right now to try to figure out if my client will be in compliance. He wants to change some of the defaults in AC and I need to know if that would prevent him from being able to take Visa cards.
Steve

kastnerd
Commodore (COMO)
Posts: 474
Joined: Wed Oct 22, 2008 9:17 am

Re: SQL Server 2005 Express on different server?

Post by kastnerd » Wed Dec 10, 2008 7:12 pm

What if the site and the database are on different accounts and IPs but still on the same server? Or on different VPSs, but on the same server?

I know most web hosts let you have 5 to 30 different accounts on one main account.

afm
Captain (CAPT)
Posts: 339
Joined: Thu Nov 03, 2005 11:52 pm
Location: Portland, OR

Re: SQL Server 2005 Express on different server?

Post by afm » Wed Dec 10, 2008 8:16 pm

kastnerd wrote: What if the site and the database are on different accounts and IPs but still on the same server? Or on different VPSs, but on the same server?

The purpose of separating the website and database servers is to prevent internet access to the database server (obviously you can't prevent internet access to the website server).

Many VPS hosts will give you database space on a separate physical database server. As long as that database server is not accessible to the internet, it is compliant with that aspect of the current PCI spec.
Andy Miller
Structured Solutions

Shipper 3 - High Velocity Shipment Processing
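
A concrete way to enforce the point afm makes above (the database must not be reachable from the internet, only from the web server) on a Windows host running SQL Server 2005 Express. This is an added example, not code from the thread, from AbleCommerce or from any hosting provider; the web server address and the fixed SQL port are placeholders you would replace with your own values.

```powershell
# Added example (not from the thread): restrict inbound SQL Server access on a
# Windows database host so that only the web server can reach the instance.
# Assumptions (placeholders, adjust for your environment):
#   $WebServerIp - private address of the web server (constructed value)
#   $SqlPort     - the fixed TCP port the SQL instance listens on. SQL Express
#                  defaults to a dynamic port; pin it to a fixed port in
#                  SQL Server Configuration Manager before relying on this rule.
$WebServerIp = '10.0.0.5'
$SqlPort     = 1433

# 1. Make "deny inbound by default" explicit on every firewall profile, so any
#    port without an allow rule (including the SQL port) is unreachable.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 2. Allow the SQL port only from the web server's address. No separate
#    "block everyone else" rule is needed: unmatched traffic is dropped by the
#    default policy, and in Windows Firewall a block rule would override the
#    allow rule anyway.
netsh advfirewall firewall add rule name="SQL from web server only" `
    dir=in action=allow protocol=TCP "localport=$SqlPort" "remoteip=$WebServerIp"

# 3. Keep the SQL Browser service (UDP 1434) off the network; a client that
#    connects to the fixed port does not need it.
netsh advfirewall firewall add rule name="Block SQL Browser" `
    dir=in action=block protocol=UDP localport=1434

# 4. Verify: the rule is present and the instance is listening where expected.
netsh advfirewall firewall show rule name="SQL from web server only"
netstat -ano | findstr ":$SqlPort"

# Same-host variant (kastnerd's question): if the site and the database run on
# the same machine, leave the TCP/IP protocol for the instance disabled in
# SQL Server Configuration Manager (the 2005 Express default) and let the site
# connect over Shared Memory; then there is no network port to protect at all.
```

The firewall rule only helps if the instance actually listens on the port named in it, which is why step 4 checks `netstat` against `$SqlPort`; a dynamic-port instance would silently fall outside the rule. A separate physical database host, as afm describes, achieves the same isolation with the allow rule applied on that host.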

mut3a7
Ensign (ENS)
Posts: 1
Joined: Tue Jan 13, 2009 11:04 am

Re: SQL Server 2005 Express on different server?

Post by mut3a7 » Tue Jan 13, 2009 11:21 am

I've been looking into the same issue. We are not going to be storing credit card numbers, only processing them using a gateway. Do we need a separate database server? Based on the PCI DSS docs, I think we technically do.
However, AbleCommerce offers a dedicated server hosting package in which the SQL Server instance lives on the web server and claims to be PCI compliant. They don't seem to know the answer to the question either because they haven't responded to my inquiries.
Can anyone at AbleCommerce advise me?

kastnerd
Commodore (COMO)
Posts: 474
Joined: Wed Oct 22, 2008 9:17 am

Re: SQL Server 2005 Express on different server?

Post by kastnerd » Thu Feb 05, 2009 7:20 am

If you're not storing the card it does not matter.

dgoranov
Lieutenant (LT)
Posts: 55
Joined: Sun Jan 16, 2011 3:58 pm
Location: Boston, MA

Re: SQL Server 2005 Express on different server?

Post by dgoranov » Mon Sep 05, 2011 12:00 pm

Hi Hawk,

If you are not storing credit card data in your AbleCommerce database, then your site requires the PCI-DSS SAQ-C form, which does not require separate web and database servers.

https://www.pcisecuritystandards.org/se ... uments.php
Dimi Goranov
Drundo Software Inc.
AbleCommerce Hosting and Management
Email: dgoranov@drundo.com
Ph: 888.464.2140
