
<h1>PCI Compliance Breakdown: A Tale of Two Servers</h1>
<p>By Irma Brillantes, OTAVA blog, 27 February 2013</p>
<p>When thinking about <a href="https://onlinetech.com/compliant-hosting/pci-compliant-hosting/resources/what-is-pci-compliance">PCI compliance</a>, there are many implementations that people understand are important. High Availability and Security are words that get used like a mantra by people on the path to compliance. Having redundancy for firewalls, routers, and ISPs helps preserve availability; <a href="https://onlinetech.com/secure-hosting/technical-security/vulnerability-scanning">vulnerability scanning</a>, <a href="https://onlinetech.com/secure-hosting/technical-security/daily-log-review">daily log review</a>, and an <a href="https://onlinetech.com/secure-hosting/technical-security/ssl-certificate">SSL certificate</a> are put in place for strong security. These are crucial for the protection of a company's cardholder data, and make a lot of sense to the merchant putting them in place. One implementation that still seems to be foggy for some businesses is the need for two separate servers: one for the application, and one for the database.</p>
<p>Pulled straight from the PCI DSS (Payment Card Industry Data Security Standard), requirement 1.3 states that direct public access must not be available between the internet and components within the CDE (Cardholder Data Environment). Specifically, 1.3.7 explains that the systems holding cardholder data can't be internet-facing:</p>
<p><strong><em>1.3.7 Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.</em></strong></p>
<p>The DMZ they refer to is the 'demilitarized zone': a subnetwork that holds a company's external-facing services and exposes them to an untrusted network (it's likened to the buffer zone between nations where no military action is allowed to take place). Simply put, the DMZ is comprised of the parts of your network that touch the internet.</p>
<p><strong>Therefore, in order to be PCI compliant, you'll need to have two servers.</strong> The first will be your application server; it'll sit in the DMZ so your customers on the internet can reach it. The second will be your database server, where the cardholder data is stored. This database server will not have an external IP, and will have a secure connection to your application server to transmit (encrypted) cardholder data as necessary.</p>
<p>But even if it weren't mandatory for PCI compliance, it makes sense to do it this way for the security of your customers. Every pathway from the internet to cardholder data is an opportunity that attackers will try to exploit. Having this buffer in place adds another layer of security between the customers you're protecting and the outside world.</p>
<p>Resources:<br />
<a href="https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf">PCI DSS Requirements and Security Assessment Procedures, Version 2.0</a><br />
<a href="https://onlinetech.com/resources/white-papers/pci-compliant-data-centers">PCI Compliant Hosting</a> white paper</p>
<p>Further Reading:<br />
<a href="https://otavawebsite.wpengine.com/blog/who-needs-pci-compliance-exactly/">Who Needs PCI Compliance, Exactly?</a><br />
<a href="https://otavawebsite.wpengine.com/blog/your-cloud-hosting-provider-may-be-pci-compliant-but-that-doesnt-mean-you-are/">Your Cloud Hosting Provider May Be PCI Compliant, But That Doesn't Mean You Are</a><br />
<a href="https://otavawebsite.wpengine.com/blog/tackling-pci-compliance-challenges-in-the-cloud/">Tackling PCI Compliance Challenges In The Cloud</a></p>