[PCI DSS 1.x] 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.

1.3.2 Verify that inbound Internet traffic is limited to IP addresses within the DMZ.

I have a database on the local network. It doesn’t store any cardholder data and is used for stock levels, order details etc. A remotely hosted web server needs access to this for real time stock information and creation of eCommerce orders. Putting the database server in a DMZ seems like a strange thing to do in this scenario.

I would normally set up a firewall rule to allow traffic between the database server and the web server and filter out traffic from any other IPs, but this seems to be ruled out by point 1.3.3 (Do not allow any direct routes inbound or outbound for traffic between the Internet and the cardholder data environment.) Another option would be an IPSec tunnel, but this is still a “direct route”.

Are there any compensating controls that would be applicable in this scenario?

Since it does not have cardholder data, I would figure out a way to put it in a non-cardholder segment, and then you at least don’t need to worry about that issue from a PCI perspective. Otherwise, maybe look at a web services layer to deliver the information in a more secure manner.

Probably irrelevant, but I forgot to mention that the database runs on a server that “processes” cardholder data (internal Apache server that sends card data over SSL to the payment gateway).

I think I’ll implement an IPSec tunnel from the web server to the database, it should be easier than rewriting the entire web site.

I thought a DMZ was NOT required. In my set-up all traffic will be segmented, including new FWs.

Not required if you don’t have any Internet exposed services.

Regardless, it is good practice to segment using a default-deny firewall ruleset to separate hosts according to a reasonable risk matrix.
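As an added example (not posted by anyone in this thread), the following nftables ruleset shows the default-deny segmentation discussed above combined with the "web services layer" suggestion: the remotely hosted web server may only reach an API host in the DMZ, and only that DMZ host may open connections to the internal database, so there is no direct Internet-to-internal route. All addresses, interface names and the port are constructed placeholders.

```nft
# Added example: default-deny forward policy on the internal firewall.
# Constructed placeholders (not from the thread):
#   wan0 = Internet, dmz0 = DMZ, lan0 = internal segment
#   remote web server 198.51.100.5, DMZ API host 203.0.113.10 (TCP 443),
#   internal database 10.0.1.20 (TCP 5432)
table inet segmentation {
    chain forward {
        # Everything not explicitly accepted below is dropped.
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows that were already permitted.
        ct state established,related accept

        # 1.3.2: inbound Internet traffic terminates on a DMZ address only,
        # and only from the one remote web server that needs the API.
        iifname "wan0" oifname "dmz0" ip saddr 198.51.100.5 \
            ip daddr 203.0.113.10 tcp dport 443 ct state new accept

        # Only the DMZ API host may open a connection to the database port.
        iifname "dmz0" oifname "lan0" ip saddr 203.0.113.10 \
            ip daddr 10.0.1.20 tcp dport 5432 ct state new accept

        # 1.3.3: no rule exists for wan0 <-> lan0 in either direction, so any
        # such packet (and anything else unmatched) is logged and dropped.
        log prefix "seg-drop: " drop
    }
}
```

Load it with `nft -f` and check with `nft list ruleset` that the forward chain shows `policy drop` and only the two accept rules above.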