Marc Zucchelli on 25 Dec 2007 09:36:26 -0800



[PLUG] PCI DSS (data security standard) - networking question


I hope this isn't too off topic.  I've been hosting my client's websites for a while, and I want to completely automate the billing, as well I want a place for my clients to be able to sign in and update billing/credit card info.  The problem I run into is, I believe that if I am to store credit cards, I have to be PCI DSS compliant.  Networking isn't one of my strong points, so I don't entirely understand the PCI DSS spec, but there is one item that concerns me.  Item 1.3.4 of the spec says:

"Placing the database in an internal network zone, segregated from the DMZ"

The spec can be found here:
https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf

This concerns me because I am simply renting a dedicated server, and it appears that this is saying that I have to have another server running which is blocked off from the public internet, with a firewall.  It seems the costs involved are not worth it for my small operation.

I may be reading into this too much.  There is plenty of popular billing software available for webhosts that stores the credit cards encrypted directly on the public server itself.  I am wondering if I am reading the spec wrong, or if all this software isn't compliant after all?

I would appreciate everyone's thoughts.

Merry Christmas!

Marc
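As an added example (not from Marc's post and not from the PCI council), here is what the segregation in item 1.3.4 looks like as an nftables ruleset on a firewall sitting between three interfaces: the internet, a DMZ holding the web server, and an internal zone holding the database. The interface names, the addresses and the MySQL port 3306 are assumptions chosen for the illustration.

```shell
#!/bin/sh
# Added example: nftables rules for the three-zone layout of PCI DSS 1.3.4.
# Assumed firewall interfaces: eth0 = internet, eth1 = DMZ (web server),
# eth2 = internal zone (database). Addresses and DB port are constructed.

# Print a ruleset that allows only
#   internet    -> web server on 80/443
#   web server  -> database on the DB port
# and drops every other cross-zone packet, so the database is never reachable
# from the internet even if the web server in the DMZ is compromised.
pci_zone_ruleset() {
  web_ip="$1"; db_ip="$2"; db_port="$3"
  cat <<EOF
table inet pci_zones {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "eth0" oifname "eth1" ip daddr $web_ip tcp dport { 80, 443 } ct state new accept
    iifname "eth1" oifname "eth2" ip saddr $web_ip ip daddr $db_ip tcp dport $db_port ct state new accept
    iifname "eth0" oifname "eth2" log prefix "pci-drop-wan-to-internal: " drop
    iifname "eth1" oifname "eth2" log prefix "pci-drop-dmz-to-internal: " drop
  }
}
EOF
}

# Report (yes/no) whether the generated ruleset has an explicit accept rule for
# the given ingress interface, egress interface and destination port, so the
# policy can be checked without loading it into a kernel.
rule_permits() {
  ruleset="$1"; in_if="$2"; out_if="$3"; port="$4"
  if printf '%s\n' "$ruleset" | grep -q "iifname \"$in_if\" oifname \"$out_if\".*dport.*$port.*accept"; then
    echo yes
  else
    echo no
  fi
}

# Usage: print the rules for constructed addresses.
# To load them on the firewall: pci_zone_ruleset 203.0.113.10 10.0.2.5 3306 | nft -f -
pci_zone_ruleset 203.0.113.10 10.0.2.5 3306
```

The point for the question raised above: with this layout a compromise of the web host in the DMZ still reaches nothing but the one database port, and the two drop rules log every attempt to cross into the internal zone, which is what a single public server holding both the site and the card data cannot provide.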


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug