Question on this requirement. We have a server whose primary FUNCTION is a collections application that comprises an internally facing web server and an internal database server, residing on the same internal system.
Would we have to separate the database and web applications in this case to conform with this requirement?
You should separate those functions for several reasons. The first is that PCI DSS says you should. The second is that it is a well-accepted security best practice to separate functions, which is why PCI DSS wants you to. From a security compartmentalization perspective this prevents an exploit on the web server from getting directly to the database contents.
Technically it should be split if it processes, stores, or transmits sensitive CHD, or is in the CHD environment. I would have to understand the data flow (you must have a diagram) to understand where this router sits. You might be able to construct a compensating control (hardened OS on the router, strong passwords, etc.)
Thanks for the answer, Roger. The question was raised mainly because of the overwhelming number of customers complaining that PCI-DSS is unreasonable in some senses. Moreover, there is frequently a discussion around splitting the services into 2 different servers and widening your attack surface, which I partly agree with.
It’s not just widening the attack surface, it’s also compartmentalizing failure modes. A compromised NTP server can’t be used to pivot onto other more sensitive machines. Also, hardening one service is often easier if you can eliminate other running processes that might share code paths.
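As an added example (not from anyone in this thread), here is a small audit check for the co-location problem described above: it reads `ss -ltnp` style listener output and flags a host that serves more than one primary function, such as the web server plus database case in the original question. The `ss` output is constructed, and the process-to-function table is a hypothetical starting point an assessor would extend.

```python
import re
from collections import defaultdict

# Constructed sample of what `ss -ltnp` might print on the host from the
# thread (web server and database on one system); not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*          users:(("nginx",pid=812,fd=6))
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*          users:(("nginx",pid=812,fd=7))
LISTEN  0       128     127.0.0.1:5432      0.0.0.0:*          users:(("postgres",pid=640,fd=5))
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=401,fd=3))
"""

# Hypothetical classification table: which listening process provides which
# "primary function". Management daemons such as sshd are deliberately absent.
FUNCTION_OF_PROCESS = {
    "nginx": "web", "apache2": "web", "httpd": "web",
    "postgres": "database", "mysqld": "database", "mariadbd": "database",
    "ntpd": "ntp", "chronyd": "ntp",
}

# Matches one LISTEN line: local address, port and the first process name.
LINE_RE = re.compile(r'^LISTEN\s+\S+\s+\S+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_listeners(ss_output):
    """Return a list of (process, port) tuples, one per LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append((m.group(3), int(m.group(2))))
    return listeners


def primary_functions(ss_output):
    """Map each primary function found to the (process, port) pairs providing it."""
    found = defaultdict(set)
    for proc, port in parse_listeners(ss_output):
        func = FUNCTION_OF_PROCESS.get(proc)
        if func:
            found[func].add((proc, port))
    return dict(found)


def colocation_finding(ss_output):
    """Return a finding string when more than one primary function shares the host, else None."""
    funcs = primary_functions(ss_output)
    if len(funcs) <= 1:
        return None
    return "co-located primary functions: " + ", ".join(sorted(funcs))
```

Running `colocation_finding` on the sample reports both `database` and `web` on the same host, which is exactly the split the thread says PCI DSS expects (or a documented compensating control in its place).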