[PCI-DSS] 2.2.1 Implement only one primary function per server.

2.2.1 For a sample of system components, verify that only one primary function is implemented per server. For example, web servers, database servers, and DNS should be implemented on separate servers.

Question on this requirement. We have a server whose primary FUNCTION is a collections application that comprises an internally facing web server and an internal database server, residing on the same internal system.

Would we have to separate the database and web applications in this case to conform with this requirement?


You should separate those functions for several reasons. The first is that PCI DSS says you should. The second is that it is a well-accepted security best practice to separate functions, which is why PCI DSS wants you to. From a security compartmentalization perspective, this prevents an exploit on the web server from getting directly to the database contents.

That’s what I figured, but wanted to make sure.

Router + NTP

Do you guys reckon a choke router performing NTP services is a dual primary function? Should it be split?

Technically it should be split if it processes, stores, or transmits sensitive CHD, or is in the CHD environment. I would have to understand the data flow (you must have a diagram) to understand where this router sits. You might be able to construct a compensating control (hardened OS on the router, strong passwords, etc.).

Thanks for the answer, Roger. The question was raised mainly because of the overwhelming number of customers complaining that PCI-DSS is unreasonable in some senses. Moreover, there is frequently a discussion around splitting the services into 2 different servers and widening your attack surface, which I partly agree with.


It’s not just widening the attack surface, it’s also compartmentalizing failure modes. A compromised NTP server can’t be used to pivot onto other more sensitive machines. Also, hardening one service is often easier if you can eliminate other running processes that might share code paths.

Hi I am new here. Please bear with me.

  1. If I have to audit as a third party whether server “A” has only one function or not, how will I do that? Using tools? Looking for well-known ports opened on that server, or how?

  2. What does primary function signify? Does that mean my server “A” may have secondary functions as well? i.e. more than one function…
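One way to approach the first question, as an added example that is not from any poster in this thread: a small Python check that parses `ss -lntup` output captured from a sampled host, maps well-known listening ports to a primary function, and flags hosts that show more than one. The port-to-function table, the accepted AD+DNS combination, and the sample `ss` output are constructed assumptions, not anything published by the PCI SSC.

```python
import re

# Assumed mapping of well-known listening ports to a PCI 2.2.1 "primary function".
# Illustrative only; an auditor would tailor this table to the sampled environment.
PORT_FUNCTIONS = {
    80: "web", 443: "web", 8080: "web",
    1433: "database", 3306: "database", 5432: "database",
    53: "dns",
    123: "ntp",
    88: "directory", 389: "directory", 636: "directory",
    22: "admin",  # remote administration: present on most hosts, not a primary function
}
NON_PRIMARY = {"admin"}
# Service combinations most QSAs accept as a single role (the thread's AD + DNS case).
COMBINED_ROLES = {frozenset({"directory", "dns"}): "active-directory"}
PROCESS_RE = re.compile(r'\(\("([^"]+)"')  # first process name in the Process column

def parse_listeners(ss_output):
    """Return (proto, port, process) for each socket in `ss -lntup` text."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header line or unrelated text
        port = int(fields[4].rsplit(":", 1)[1])  # "0.0.0.0:443" or "[::]:443" -> 443
        m = PROCESS_RE.search(line)
        listeners.append((fields[0], port, m.group(1) if m else "?"))
    return listeners

def primary_functions(listeners):
    """Map listening ports to primary functions, collapsing accepted combined roles."""
    funcs = {PORT_FUNCTIONS[p] for _, p, _ in listeners if p in PORT_FUNCTIONS}
    funcs -= NON_PRIMARY
    for parts, role in COMBINED_ROLES.items():
        if parts <= funcs:
            funcs = (funcs - parts) | {role}
    return funcs

def check_single_function(ss_output):
    """Return (functions, compliant) for one sampled host."""
    funcs = primary_functions(parse_listeners(ss_output))
    return funcs, len(funcs) <= 1

# Constructed sample: the collections server from the thread (web + database on one host).
SAMPLE_COLLECTIONS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      511    0.0.0.0:443        0.0.0.0:*  users:(("nginx",pid=1201,fd=6))
tcp   LISTEN 0      244    127.0.0.1:5432     0.0.0.0:*  users:(("postgres",pid=1310,fd=5))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*  users:(("sshd",pid=900,fd=3))
"""
```

Running `check_single_function(SAMPLE_COLLECTIONS)` reports `web` and `database` on the same host and marks it non-compliant, while a host exposing only 389/636/88 plus 53 collapses to the single `active-directory` role.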

Does anyone know if an AD having DNS set up on it is considered 2 primary roles, or can you have an AD with DNS on it?

It depends on your QSA, but for most of them it’s OK. DNS and AD functions are mixed by default.

