Bob Heise on 25 Dec 2007 09:44:27 -0800



Re: [PLUG] PCI DSS (data security standard) - networking question


On Tuesday 25 December 2007 18:36:05, Marc Zucchelli wrote:
> I hope this isn't too off topic.  I've been hosting my client's websites
> for a while, and I want to completely automate the billing, as well I want
> a place for my clients to be able to sign in and update billing/credit card
> info.  The problem I run into is, I believe that if I am to store credit
> cards, I have to be PCI DSS compliant.  Networking isn't one of my strong
> points, so I don't entirely understand the PCI DSS spec, but there is one
> item that concerns me.  Item 1.3.4 of the spec says:
>
> "Placing the database in an internal network zone, segregated from the DMZ"
>
> The spec can be found here:
> https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf
>

Marc,

Would maybe running a box with a hypervisor à la Xen, with several virtualised 
servers on top of it suffice? You could have your credit card db on one domU 
that is firewalled and your web servers on another domU. So long as your dom0 
is beefy enough it should work, provided the spec doesn't mean separate 
hardware.

Merry Christmas
-Bob

> This concerns me because I am simply renting a dedicated server, and it
> appears that this is saying that I have to have another server running
> which is blocked off from the public internet, with a firewall.  It seems
> the costs involved are not worth it for my small operation.
>
> I may be reading into this too much.  There is plenty of popular billing
> software available for web hosts that stores the credit cards encrypted
> directly on the public server itself.  I am wondering if I am reading the
> spec wrong, or if all this software isn't compliant after all?
>
> I would appreciate everyone's thoughts.
>
> Merry Christmas!
>
> Marc
>


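One concrete form of the segregation Bob describes, as an added example that is not from the thread: a ruleset for dom0 that lets only the web domU open connections to the database domU, and lets nothing in the internal zone originate traffic towards the DMZ or the Internet. It is written for nftables (the successor of the iptables tooling of the thread's era) and assumes dom0 routes between two bridges, br-dmz and br-int; the addresses, bridge names and database port are placeholders.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumes dom0 routes between two
# bridges: br-dmz (web domU, 10.0.1.10) and br-int (card-data DB domU,
# 10.0.2.10), so every packet crossing zones passes dom0's forward hook.
# Addresses, bridge names, uplink name and DB port are made-up placeholders.

flush ruleset

define WEB_DOMU = 10.0.1.10
define DB_DOMU  = 10.0.2.10
define DB_PORT  = 5432
define UPLINK   = "eth0"

table inet segregation {
    chain forward {
        # Default deny: nothing crosses a zone boundary unless listed below.
        type filter hook forward priority 0; policy drop;

        # Replies belonging to connections already permitted below.
        ct state established,related accept

        # DMZ -> internal zone: only the web domU, only to the DB port.
        iifname "br-dmz" oifname "br-int" ip saddr $WEB_DOMU ip daddr $DB_DOMU tcp dport $DB_PORT ct state new accept

        # Internal zone never originates traffic; log attempts for review.
        iifname "br-int" ct state new counter log prefix "pci-int-egress " drop

        # DMZ may reach the Internet (e.g. the payment gateway).
        iifname "br-dmz" oifname $UPLINK ct state new accept

        # Internet -> internal zone, and everything else, falls to the drop policy.
    }
}
```

Load it with `nft -f` on dom0 and confirm with `nft list ruleset`; the counter on the br-int drop rule is the quickest check that nothing in the card-data zone is trying to call out.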
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug