Read the PCI/DSS standards – https://www.pcisecuritystandards.org/tech/pci_dss.htm
And it states in 2.2.1 that servers shall…
2.2.1 Implement only one primary function per server (for example, web servers, database servers, and DNS should be implemented on separate servers)
Now it’s clear that SBS will fail this rigid rule. But so will just about every modern server out there.
Nor does Windows 2008 for that matter with its role wizards.
Show me a virtualized server. Is that “one function per server”? Show me a File and print server. It’s storing files ‘and’ printing. Isn’t that more than one primary function per server? Short of anyone running a server farm, to me this is an unrealistic guideline. This is why I would recommend that you take the issue off the table. When ensuring that you are dealing with credit card data, don’t store it. Period. End of discussion. Then the PCI/DSS standard at 2.2.1 has no relevance.