Read the PCI/DSS standards – 

Requirement 2.2.1 states that servers shall…

2.2.1 Implement only one primary function per server (for example, web servers, database servers, and DNS should be implemented on separate servers)

Now it’s clear that SBS (Small Business Server, which by design runs the domain controller, Exchange, file, print and DNS roles on one box) will fail this rigid rule.  But so will just about every modern server out there.

“I would be more concerned about meeting requirement 2.2.1 that asks the QSA to “verify that only one primary function is implemented per server.” Based on what you describe, this server is nowhere close to meeting this requirement.”

Nor does Windows Server 2008, for that matter, with its role wizards.

Show me a virtualized server.   Is that “one function per server”?  Show me a file and print server.  It stores files and it prints; isn’t that more than one primary function per server?  For anyone not running a server farm, this is an unrealistic guideline.  That is why I would recommend taking the issue off the table entirely.  When it comes to credit card data, don’t store it.  Period.  End of discussion.  Then PCI/DSS 2.2.1 has no relevance to you.


Don’t store credit card data on your networks, period.  Then there is no question.



4 Responses to One function, one server – is it realistic today?

  1. David Mertz says:

    You are interpreting the one server/one function requirement too literally. What they are referring to is this:

    Database servers should only serve databases.

    Application servers should only serve applications – the application and the database should be on separate boxes.

    Ideally, the web and application layer can be segregated to separate boxes. So there would be a separate web server and an application server.

    The key word here is function. What purpose does the server perform (and it includes all the supporting software so the function can occur – anti-virus, O/S, etc.).

    The comment about storing card data may not be applicable either. The requirement is store, process, and/or transmit. If a server performs any of these three functions, the server and the network(s) it is connected to must be PCI Compliant.

  2. bradley says:

    Meanwhile there are other parts of my network that are way more insecure than the SBS box that is not PCI compliant.

  3. alunj says:

    This requirement becomes a little less than clear in the case of virtual servers – if you’ve got a virtual server environment where one physical box serves two virtual servers, are those separate servers or not? How about if they’re each tied to their own processor, memory, hard drive?
    As with all PCI/DSS requirements, of course, if it’s too onerous to follow the requirement, all you have to do is convince the auditor that you have a compensatory control in place.
    It’s a little tricky to imagine what a compensatory control would be for SBS, though. Have someone else process your credit card payments for you, perhaps.