Looking for experts on the PCI DSS today. I ran a question by our ASV Scanner folks and got some interesting information not too long ago, but I'm not entirely sure he/she understood the question and now I want to verify what I've learned.
Let's say I have an internal corporate network that contains, amongst other things, a SQL server. Let's also say that this SQL Server contains cardholder data. According to the PCI DSS, I now have to implement the wide array of requirements listed in the DSS on all of the systems in the internal network.
Now let's say I create a second SQL server, and set it on its own, separate network. I move the DB that contains the cardholder data onto that SQL server, and place a firewall between my new network and my old internal network (thereby creating two networks: the internal network and the network with cardholder data present). I open a few ports between the networks, such as 25 for SMTP and any others that are needed.
After all of this, do I still need to apply all of the PCI DSS standards to the original, internal network? Or do I have to apply the standards to just the new, cardholder data network?
For instance, DSS requirement 8.3 states: "Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties." Does this requirement apply to my old, internal network if no cardholder data is stored there, with the proviso that there is a firewall between the internal network and the network that stores cardholder data?
I've attached an image to illustrate my Q. Thanks in advance for your help!