awakenings
PCI Internal Web Servers
I am fighting this same question from 2 sides. Clearly PCI states that the presentation web server (HTTP and HTTPS) should be separated from the database through a firewall. Here are the scenarios though and why they want an exception.
1. Some internal people (not in the PCI environment, but who work for the organization) want reports. They currently VPN from the non-PCI environment into the PCI environment to get the PCI-related reports. It is the only way to access them. It seems to me that these should be separated. Will auditors scream at this?
2. The same set of servers are accessed by multiple systems. The web servers and the data again reside on the same box. Is this an issue?
ASKER
FYI, the reports would probably not have PCI data. It is just high level reports about the data.