#193, 07-02-2010, 05:49 AM
geckoday
Re: X-Payments 1.0 beta5 announcement

Quote:
Originally Posted by Duramax 6.6L
This is a paragraph from the pdf that BSCE has in their email this month.

"PCI compliance requires that certified and non-certified processes be run on different servers (see SAQ-D section 2.2.1). As a result, certified code (X-Payments) cannot run on a machine that is also running uncertified code (X-Cart). X-Payments must run on a separate server to be fully compliant. Many companies cannot afford to have a second server that is dedicated to running software such as X-Payments. As a solution, BCS Engineering is providing X-Payments software as a service on a PCI-compliant system for a much lower cost than a second dedicated host. BCS Engineering's Hosted X-Payments solution is also cheaper than a virtual host. Not all virtual hosts can be considered PCI-compliant and are not all equal. Very cheap virtual hosts can be considered, from a security standpoint, to be equivalent to a shared hosting solution."

I can attach the pdf if you need it.
This is not correct. 2.2.1 is directed at the system component (web server, database server, mail server, etc.) level, not the application level. Its intent is to move components that don't need to be directly accessed from the internet off of servers that are directly accessed from the internet. If you are a merchant that must fill out SAQ D (most of us aren't unless you store credit card numbers) then 2.2.1 means you must run your web server software and database server software on separate servers and that the database server can't be accessed from the internet. If you meet the requirements to fill out SAQ C (mostly meaning you don't store credit card numbers) 2.2.1 doesn't even apply to you.

Besides, PA-DSS allows only the payment module portion of a software package to be certified. If you aren't allowed to run the non-certified core application alongside the certified payment module the payment module would be useless.
__________________
Manuka Bay Company
X-Cart Version 4.0.19 [Linux]

UGG Boots and other fine sheepskin products
http://www.snowriver.com