re: need database on separate server now for PCI Compliance??

#1
Re: need database on separate server now for PCI Compliance??

Getting ready to change my store over to CSSUI, and now it seems that the only way to pass PA-DSS is to have the main database on a completely separate server?
I have my store on a dedicated server with Hostasaurus, but now it seems like I'll have to pay an ADDITIONAL $250 per month for a 2nd database server in order to be PCI compliant.

Anyone else run into this yet?
rob
www.personalizedboutique.com

#2
Re: need database on separate server now for PCI Compliance??

Rob,

It is true that PCI requires your database to be on a different server than your store. I'm checking with David to see if we could possibly offer you a shared database on a different server (I don't know your usage needs at all), but one way or another, to be PCI Compliant you need to separate your servers for data and site.
Thanks,

Rick Wilson
CEO
Miva, Inc.
[email protected]
https://www.miva.com


#3
Re: need database on separate server now for PCI Compliance??

We have not had a dedicated server customer do this before, but yes, it would be possible for a dedicated hosting customer to have what would effectively be a shared hosting account added for use of its separated database. The downside to doing that is it removes the primary benefits of having a dedicated server. Most dedicated server customers have their own server for reasons of performance and stability; i.e. sites that have heavy resource requirements that can't be accommodated on a shared server, sites whose owners do not want any risk of issues being caused by other customers on the same server, etc. Moving the database that a store is dependent on to a shared database server basically downgrades the hosting back to shared, since the store is now dependent on a system other customers' stores also use, and if someone causes a problem on that database server, it causes a problem for all the stores using it. We of course monitor and react quickly to issues like that, but the possibility of them occurring still exists and normally wouldn't in the dedicated hosting environment.
David Hubbard
CIO
Miva
[email protected]
http://www.miva.com


#4
Re: need database on separate server now for PCI Compliance??

So, the bottom line is that any store that DOESN'T have their database on a separate server is not PCI compliant.
I wonder how many people actually realize that?
Seems to me that this is something that will need to be addressed by e-commerce hosts here...
rob
www.personalizedboutique.com


#5
Re: need database on separate server now for PCI Compliance??

PCI DSS SAQ A seems more appropriate for the majority of store owners who are relying on a gateway to process their orders. Is it MIVA's position that we should all be PCI DSS SAQ D compliant instead?


#6
Re: need database on separate server now for PCI Compliance??

We don't hold a view on which SAQ you should fill out.

I can tell you our auditor believes that the SAQ-A is essentially worthless and that in case of a breach you'll be held to the SAQ-D regardless of what you've done or said.

According to our auditor, if you are ever in possession of the card number you should be on SAQ-D, and in virtually all cases there are at least some times that a business owner is in possession of the card number, and it's not always in the way you imagine. For example, if you get a Chargeback, in most cases that includes documentation (often electronic) that includes the card number, and that alone could put you back into scope for SAQ-D.

Ultimately I think PCI is designed to leave you (the Merchant) holding the hot potato, regardless of what precautions you take, when a breach happens.
Thanks,

Rick Wilson
CEO
Miva, Inc.
[email protected]
https://www.miva.com


#7
Re: need database on separate server now for PCI Compliance??

Originally posted by rterrible:
So, the bottom line is that any store that DOESN'T have their database on a separate server is not PCI compliant.
I wonder how many people actually realize that?
Seems to me that this is something that will need to be addressed by e-commerce hosts here...

Any site not certified PCI compliant is not PCI compliant. Those going through the compliance process will not be able to complete it without the database being on a separate server. This means that dedicated server owners who want to retain the benefits of dedicated hosting would need a dedicated database server if they want to meet that part of the compliance guidelines. Shared hosting customers can also have such a setup; it just has the same characteristics of shared hosting, i.e. customers can affect each other and each customer is drawing from the same pool of resources.

Business owners going through the compliance process should be aware of this due to the SAQ, which is always the first step, since you have to go through it line by line checking that you're meeting each requirement and correcting those that you are not meeting. The questions related to the database specifically include:

Does the firewall configuration prohibit direct public access between the Internet and any system component in the cardholder data environment?
Are system components that store cardholder data (such as a database) placed in an internal network zone, segregated from the DMZ and other untrusted networks?
Is only one primary function implemented per server, to prevent functions that require different security levels from co-existing on the same server? (For example, web servers, database servers, and DNS should be implemented on separate servers.)
Last edited by ILoveHostasaurus; 10-26-12, 12:23 PM.
David Hubbard
CIO
Miva
[email protected]
http://www.miva.com


#8
Re: need database on separate server now for PCI Compliance??

Here's a question: would it be possible to partition a portion of the dedicated server's drive, install a second server on that partition, and install the database onto the new drive? You would basically have one box, but two servers operating out of it?? Not even sure if that would work, so asking the gurus out there to see if it would be possible.
Kent
www.awindofchange.com

~~Once you take flight your eyes will forever be turned skyward~~


#9
Re: need database on separate server now for PCI Compliance??

I know from a PCI perspective you can do that, as long as the traffic goes back out via the network and through the firewall before coming back in.

I'll leave it to David to explain if/how we'd handle that on your box.
Thanks,

Rick Wilson
CEO
Miva, Inc.
[email protected]
https://www.miva.com


#10
Re: need database on separate server now for PCI Compliance??

Originally posted by Gamelord:
Here's a question: would it be possible to partition a portion of the dedicated server's drive, install a second server on that partition, and install the database onto the new drive? You would basically have one box, but two servers operating out of it?? Not even sure if that would work, so asking the gurus out there to see if it would be possible.

Yep, that could be made into a compliant configuration, but it would be complex. You'd need some type of virtualization software that allows the two 'servers' to function independently while also not having access to the data directly. VMware would be an example that would work, while an OS-based virtualization software where a master operating system runs guests in a pseudo-virtual environment under the same filesystem would not, since it would have access to all the data and files, giving someone who breaks into that OS access to the other two directly. Next up, you'd need to define two networks within the virtualization software, one public, one private. The 'web server' guest gets two network interfaces: one that talks to the internet, one that talks to the private network. The 'database server' guest gets one interface that can only talk to the private network. The database server would need a firewall active; Linux's built-in iptables meets the requirements for PCI if it's in stateful inspection mode, or, as Rick said, you could also have an external firewall where traffic passes out and back in; you'd just need two interfaces on the physical server, or virtual LANs (VLANs) defined on the network hardware.

Now, would you want to do this? Possibly, but the hardware would need to be fairly high end, and of course it makes management a lot more complex. The reason I say that about the hardware is because my experience has been that virtualization software run on local storage (internal to the server) tends to degrade performance by about 50% at the guest level compared to running on a storage area network (SAN), where the virtualization software can pass I/O commands issued by the guests directly to the external storage rather than having to take a request and re-write it for the local storage on the inbound and outbound side. So you'd need to buy hardware that gives you double your minimum acceptable performance level; i.e. if you want 75 MB/sec reads and writes, your storage needs to do 150 MB/sec, so probably 4+ disks and hardware RAID.
David Hubbard
CIO
Miva
[email protected]
http://www.miva.com
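The two-guest layout David describes above (web guest with a public and a private interface, database guest with a private interface only, stateful iptables on the database guest) can be written down as a small firewall script for the database guest, and it also covers the three SAQ questions quoted earlier in the thread (no direct public access, database in an internal zone, one function per server). The script below is an added example, not code from this thread or from Miva/Hostasaurus. The addresses are assumptions: 10.0.0.10 for the web guest's private interface, 10.0.0.5 for a designated DBA's admin host, and 3306 as the database port. DRY_RUN defaults to 1, so it prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): stateful iptables policy for the
# 'database server' guest. Assumed addresses (change to match your private
# network): web guest private interface 10.0.0.10, DBA admin host 10.0.0.5,
# database listening on TCP 3306.
WEB_PRIVATE_IP="${WEB_PRIVATE_IP:-10.0.0.10}"
ADMIN_IP="${ADMIN_IP:-10.0.0.5}"
DB_PORT="${DB_PORT:-3306}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the rules, 0 = apply them (run as root)

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

db_firewall_rules() {
    # Default deny inbound and forwarded traffic; the DB guest is never a router.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -F INPUT

    # Loopback, plus return traffic for connections this host already tracks.
    # The conntrack match is what makes this a stateful-inspection ruleset.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Only the store's web guest may open new connections to the database port.
    # Any other tenant on the private network, and anything arriving via the
    # public side, never matches this rule.
    ipt -A INPUT -p tcp -s "$WEB_PRIVATE_IP" --dport "$DB_PORT" -m conntrack --ctstate NEW -j ACCEPT

    # Administrative SSH only from the designated database administrator's host.
    ipt -A INPUT -p tcp -s "$ADMIN_IP" --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # Log (rate limited) and drop everything else so a stray connection attempt
    # leaves an audit trail instead of silently disappearing.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "db-fw-drop:"
    ipt -A INPUT -j DROP
}

db_firewall_rules
```

Run it with DRY_RUN=0 as root on the database guest once its private interface is up, then persist the result with iptables-save so it survives a reboot. Because the guest has no public interface, the ruleset mostly governs which private-network hosts may open new connections, which is the piece the "internal network zone" and "only database administrators" items are checking. The web guest needs its own, separate ruleset: accept 80/443 from anywhere on the public interface, allow the outbound database connection on the private interface, and nothing else inbound.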



#11
Re: need database on separate server now for PCI Compliance??

Sounds like it would be more advantageous to just set up a new server that handled just the database. If you were running multiple Miva stores, could you place all the databases for all the stores onto the second server and be PCI compliant for all stores, or do you need a separate database server for each store?
Kent
www.awindofchange.com

~~Once you take flight your eyes will forever be turned skyward~~


#12
Re: need database on separate server now for PCI Compliance??

You could use the second server to host the databases for all of your stores.
Thanks,

Rick Wilson
CEO
Miva, Inc.
[email protected]
https://www.miva.com


#13
Re: need database on separate server now for PCI Compliance??

Yep, one DB server can be shared for multiple stores; just keep in mind there are some little 'fine print' requirements in the SAQ D that you have to abide by. For example, the database server can only be accessed by 'database administrators.' There are a few things like that which may require you to complete some additional administrative tasks on the business side to designate someone as a database administrator, etc., if they have a need to connect to the database outside of the application.
David Hubbard
CIO
Miva
[email protected]
http://www.miva.com