Mon, Mar 30 2009 0:26
Separation of duties the PCI DSS way
Filed under: Security
"For a firm to be compliant with some parts of regulations these days you need separation of duties that SBS 2003 and SBS 2008 can't muster."
Maybe I am missing the whole point here.
I think your statement is FUD. MS sells additional licenses to Windows 2008 server separately; you may add as many as you need to your SBS domain for isolation of services. What regulation requires more than that?
Honestly, it's not FUD. And I'm specifically referring to SBS 2003 and SBS 2008 Standard. It's PCI-DSS requirements that I don't think SBS can pass, but I don't think we should be trying to pass them honestly, because I don't think any server should be storing credit card data.
Check out the PCI-DSS requirements. 2.2.1 requires -- "Implement only one primary function per server" among other requirements including DMZs and isolation of the data. Mind you they aren't just about storage of credit card data but if you haven't read them before, do so.
That's why in cases where you're transacting credit card data I'd ask if it truly needs to be stored on that server in the first place. I think we should question ANY company's storage of credit card data for any reason, regardless of whether it's on an SBS server or not.
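As an added example (not from the original post, and not a Microsoft or PCI SSC tool), here is a PowerShell check that infers which primary functions a Windows server is running from its active, well-known services and flags the host when there is more than one, which is the condition requirement 2.2.1 objects to. The service names are real Windows service names; grouping them into "functions" is this example's own assumption and should be extended for your environment.

```powershell
# Added example: audit a Windows host against PCI DSS 2.2.1
# ("Implement only one primary function per server").
# Service name -> primary function. The grouping is an assumption for
# illustration; the names are the actual Windows service names.
$functionMap = @{
    'NTDS'         = 'Directory (Active Directory Domain Services)'
    'DNS'          = 'DNS server'
    'DHCPServer'   = 'DHCP server'
    'W3SVC'        = 'Web server (IIS)'
    'MSExchangeIS' = 'Mail (Exchange Information Store)'
    'MSSQLSERVER'  = 'Database (SQL Server default instance)'
}

# Only running services count; an installed-but-stopped role is not a live function.
$running = Get-Service | Where-Object { $_.Status -eq 'Running' }

$functions = @{}
foreach ($svc in $running) {
    if ($functionMap.ContainsKey($svc.Name)) {
        $functions[$functionMap[$svc.Name]] = $svc.Name
    }
    elseif ($svc.Name -like 'MSSQL$*') {
        # Named SQL Server instances (the kind SBS installs) run as MSSQL$<instance>.
        $instance = $svc.Name.Split('$')[1]
        $functions["Database (SQL Server instance $instance)"] = $svc.Name
    }
}

$result = [pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    PrimaryFunctions = @($functions.Keys | Sort-Object)
    FunctionCount    = $functions.Count
    Meets_2_2_1      = ($functions.Count -le 1)
}
$result | Format-List

if (-not $result.Meets_2_2_1) {
    Write-Warning ("{0} runs {1} primary functions; PCI DSS 2.2.1 expects one. " +
                   "Move the extra roles to separate servers or VMs.") `
                   -f $result.ComputerName, $result.FunctionCount
}
```

On an SBS box this will typically report directory, DNS, web, mail and database functions on the same host, which is the concrete reason the post argues such a server should not be in scope for cardholder data at all.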