PCI DSS - Storing cardholder data on a system not connected to the Internet
Background
Though I've looked through some posts on Stack Overflow that partially cover this point, I'm yet to find one that provides a comprehensive question/answer.
As a developer of POS systems the PCI DSS has two components I'm interested in:
- PA DSS (Payment Application) which regards the software I develop
- PCI DSS (Merchants) which regards all my clients that use the software
The PA DSS seems to put the point most bluntly:
"9.1 The payment application must be developed such that the database server and web server are not required to be on the same server, nor is the database server required to be in the DMZ with the web server"
Testing Procedures:
9.1.a To verify that the payment application stores cardholder data in the internal network, and never in the DMZ, obtain evidence that the payment application does not require data storage in the DMZ, and will allow use of a DMZ to separate the Internet from systems storing cardholder data (e.g., payment application must not require that the database server and web server be on the same server, or in the DMZ with the web server).
9.1.b If customers could store cardholder data on a server connected to the Internet, examine PA-DSS Implementation Guide prepared by vendor to verify customers and resellers/integrators are told not to store cardholder data on Internet-accessible systems (e.g., web server and database server must not be on same server).
And from the merchant's PCI DSS:
1.3.5 Restrict outbound traffic from the cardholder data environment to the Internet such that outbound traffic can only access IP addresses within the DMZ.
Question
My question is quite simple - can the database and application server be logically different (on different virtualised OSs) or must they be physically different (on different physical/dedicated servers)?
Also, I'm a bit concerned about having to place a database server with no connection to the Internet whatsoever. How am I supposed to administer this server remotely?
Or is it okay to access the database server via the application server - though surely that defeats the purpose?
Comments (1)
No simple answer, sadly.
The SSC has released a new supplement on virtualisation which has some relevant information: https://www.pcisecuritystandards.org/documents/Virtualization_InfoSupp_v2.pdf
While mixing guest OSs of different functions on the same hypervisor is not prohibited, you will need to show that you've thought about the extra risk that this brings.
They will also have to be logically separated, with network traffic from one VM to the other going through a firewall of some sort to protect the different OSs and applications. Being on the same physical host is not an excuse for skipping controls like firewalling, so you may have to be creative about how you meet these requirements.
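As an added illustration of the segmentation the answer describes (this is not part of the original question or answer), here is an nftables host policy for the database VM: the cardholder-data store accepts connections only from the application server, remote administration comes from a separate jump host rather than through the application server, and new outbound connections are limited to DMZ and management addresses (PCI DSS 1.3.5). All addresses, the PostgreSQL port and the table name are constructed assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original post. Constructed addresses:
#   10.10.1.0/24  DMZ (web/application tier); 10.10.1.10 is the application server
#   10.10.2.5     this database server, on the internal cardholder-data segment
#   10.10.3.0/24  internal management segment; 10.10.3.20 is the admin jump host
flush ruleset

define DMZ_NET    = 10.10.1.0/24
define APP_SERVER = 10.10.1.10
define MGMT_NET   = 10.10.3.0/24
define JUMP_HOST  = 10.10.3.20

table inet cde_db {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Database port reachable only from the application server (PostgreSQL assumed)
        ip saddr $APP_SERVER tcp dport 5432 ct state new accept

        # Administration only from the jump host; the app server cannot SSH in
        ip saddr $JUMP_HOST tcp dport 22 ct state new accept

        # Anything else, including traffic that reached us from the Internet, is logged and dropped
        limit rate 5/minute log prefix "cde_db drop in: "
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oif "lo" accept
        ct state established,related accept

        # PCI DSS 1.3.5: new outbound sessions may only reach the DMZ ...
        ip daddr $DMZ_NET ct state new accept
        # ... or internal management services (syslog and NTP assumed here)
        ip daddr $MGMT_NET udp dport { 514, 123 } ct state new accept
        ip daddr $MGMT_NET tcp dport 6514 ct state new accept

        # No direct egress to the Internet; log attempts so monitoring sees them
        limit rate 5/minute log prefix "cde_db drop out: "
    }

    chain forward {
        # The database host never routes traffic between segments
        type filter hook forward priority 0; policy drop;
    }
}
```

Load with `nft -f` on the database VM; the same policy must also exist on the hypervisor or virtual switch, since, as the answer notes, sharing a physical host does not replace the firewall between the VMs.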