awakenings
PCI Internal Web Servers

I am fighting this same question from 2 sides. Clearly PCI states that the presentation web server (HTTP and HTTPS) should be separated from the database through a firewall. Here are the scenarios though and why they want an exception.

1. Some internal people (not in a PCI environment, but work for the organization) want reports. They currently VPN from the non-PCI environment to the PCI environment to get the PCI related reports. It is the only way to access them. It seems to me that these should be separated. Will auditors scream at this?

2. The same set of servers are accessed by multiple systems. The web servers and the data again reside on the same box. Is this an issue?
SOLUTION
CoccoBill
awakenings (ASKER)
This seems clear to me. Just to validate question 2, that even though these are internal web servers, the database server needs to be separated from the web server.
FYI, the reports would probably not have PCI data. It is just high level reports about the data.
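The separation the asker is confirming in question 2 can be made concrete on the database host itself. The ruleset below is an added example, not taken from this thread or from either answer: it is an nftables configuration for a database server that has been moved off the web box. The addresses and ports in it are assumptions (web tier 10.20.1.0/24, CDE jump host 10.20.9.10, syslog collector 10.20.9.20, PostgreSQL on TCP 5432, VPN user range 10.30.0.0/16) standing in for whatever the real CDE uses. Nothing is opened for the VPN-connected corporate report users: they reach the report pages through the web tier, and the web tier is the only thing permitted to open a connection to the database.

```nft
#!/usr/sbin/nft -f
# Added example: host firewall for a dedicated PCI database server.
# Every address and port below is an assumption, not a value from the thread.
flush ruleset

table inet pci_db {
    chain input {
        type filter hook input priority 0; policy drop;

        # loopback and replies to connections this host opened
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # only the web/app tier (assumed 10.20.1.0/24) may open connections
        # to the database service (assumed TCP 5432)
        ip saddr 10.20.1.0/24 tcp dport 5432 ct state new accept

        # administration only from the CDE jump host (assumed 10.20.9.10)
        ip saddr 10.20.9.10 tcp dport 22 ct state new accept

        # the VPN range used by corporate report users (assumed 10.30.0.0/16)
        # gets no rule at all: their only path to report data is the web tier.
        # Everything else is counted, logged and dropped; the log lines are the
        # evidence an assessor can be shown that the boundary is enforced.
        log prefix "pci-db-drop: " counter drop
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oif "lo" accept
        ct state established,related accept

        # outbound only for what the host itself needs (assumed: DNS, NTP,
        # and TLS syslog forwarding to the CDE collector at 10.20.9.20)
        udp dport { 53, 123 } accept
        ip daddr 10.20.9.20 tcp dport 6514 accept

        log prefix "pci-db-out-drop: " counter drop
    }
}
```

On the co-located box the asker describes, the web server's database connections travel over loopback and never pass through a chain like this, so there is no enforcement point and nothing to log. That is the practical reason the firewall boundary is expected even when the web servers are internal-only: it is what turns "only the web tier talks to the database" from an intention into something that can be shown.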
ASKER CERTIFIED SOLUTION