When thinking about PCI compliance, there are many implementations that people understand are important. High Availability and Security are words that get used like a mantra for people on the path to compliance. Having redundancy for firewalls, routers, and ISPs help preserve availability; vulnerability scanning, daily log review, and an SSL certificate are in place for strong security; these are crucial for the protection of a company’s cardholder data, and make a lot of sense to the merchant putting these in place. One implementation that seems to still be foggy for some businesses is the need for two separate servers; one for the application, and one for the database.
Pulled straight from the PCI DSS (Payment Card Industry Data Security Standards), requirement 1.3 states that direct public access should not be available between the internet and components within the CDE (Cardholder Data Environment). Specifically, 1.3.7 explains that the systems holding cardholder data can’t be internet-facing:
1.3.7 Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.
The DMZ they refer to is called the ‘demilitarized zone’, and is a subnetwork that holds and allows access to a company’s external-facing features to an untrusted network (it’s likened to the buffer zone between nations where no military action is allowed to take place). Simply, the DMZ is comprised of the parts of your network that touch the internet.
Therefore, in order to be PCI compliant, you’ll need to have two servers. The first one will be your application server, and it’ll be in the DMZ so your customers on the internet can access it. The second will be your database server, where the cardholder data is stored. This database server will not have an external IP, and will have a secure connection between it and your application server to transmit (encrypted) cardholder data as necessary.
But even if it wasn’t mandatory for PCI compliance, it makes sense to do it this way for the security of your customers. Every pathway from the internet to cardholder data is an opportunity that attackers will try to exploit. Having this buffer in place allows another layer of security between the customers you’re protecting and the outside world.
PCI DSS Requirements and Security Assessment Procedures, Version 2.0
PCI Compliant Hosting white paper