Building a secure PCI compliant SQL Install

  • I have been assigned a project that will be to build a SQL Server 2008 R2 instance that is secure and PCI compliant. We are going to be securing credit card data in a single database. That is basically all that will be on this server. We are talking about using auditing, TDE, and column-level encryption. We are using this deployment as a baseline for future development efforts and possibly using the experience we gain for changing existing solutions. Possible use of Policy Based Management to perform audits and checks on the server to verify that security maintains specifications.

    My question is: does anyone have any good resources to suggest? (Books, online articles or resources, etc.)

  • TDE might be a bit overkill if all you're encrypting is the PAN; for that, column-level encryption would probably be the better choice to make on its own.

    This might be a good starting point to read up on: https://www.microsoft.com/sqlserver/2008/en/us/compliance.aspx
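As an added illustration of the column-level approach suggested above (this is example T-SQL, not code from the thread or from Microsoft's compliance page), the script below shows the SQL Server 2008 R2 key hierarchy (database master key, certificate, AES symmetric key), a table that stores only the ciphertext plus the last four digits, and an authenticator that ties each ciphertext to its row. The object names PanCert, PanKey, dbo.CardholderData and the role CardReaders are assumed; the PAN 4111111111111111 is a constructed test value.

```sql
-- Key hierarchy: the database master key protects the certificate,
-- the certificate protects the symmetric key that encrypts the PAN.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder: strong passphrase, keep out of scripts>';
GO
CREATE CERTIFICATE PanCert WITH SUBJECT = 'Protects the PAN symmetric key';
GO
CREATE SYMMETRIC KEY PanKey WITH ALGORITHM = AES_256 ENCRYPTION BY CERTIFICATE PanCert;
GO
-- Only the ciphertext and a displayable fragment are stored; the full PAN never lands in clear text.
CREATE TABLE dbo.CardholderData (
    CustomerId    INT            NOT NULL PRIMARY KEY,
    PanLast4      CHAR(4)        NOT NULL,   -- safe to show on screens and reports
    PanEncrypted  VARBINARY(256) NOT NULL    -- EncryptByKey output for the full PAN
);
GO
-- Least privilege: a role that may decrypt, granted only what DecryptByKey needs.
CREATE ROLE CardReaders;
GRANT CONTROL ON CERTIFICATE::PanCert TO CardReaders;
GRANT VIEW DEFINITION ON SYMMETRIC KEY::PanKey TO CardReaders;
GRANT SELECT ON dbo.CardholderData TO CardReaders;
GO
-- Write path. The authenticator (CustomerId) is mixed into the ciphertext, so a ciphertext
-- copied from one row to another will not decrypt: DecryptByKey returns NULL instead.
DECLARE @CustomerId INT = 1001;
OPEN SYMMETRIC KEY PanKey DECRYPTION BY CERTIFICATE PanCert;
INSERT INTO dbo.CardholderData (CustomerId, PanLast4, PanEncrypted)
VALUES (@CustomerId, '1111',
        EncryptByKey(Key_GUID('PanKey'), N'4111111111111111', 1, CONVERT(sysname, @CustomerId)));
CLOSE SYMMETRIC KEY PanKey;
GO
-- Read path: the same authenticator must be supplied; callers without the grants above get NULL.
OPEN SYMMETRIC KEY PanKey DECRYPTION BY CERTIFICATE PanCert;
SELECT CustomerId, PanLast4,
       CONVERT(NVARCHAR(19), DecryptByKey(PanEncrypted, 1, CONVERT(sysname, CustomerId))) AS Pan
FROM dbo.CardholderData;
CLOSE SYMMETRIC KEY PanKey;
GO
```

Back up the master key and certificate (BACKUP MASTER KEY / BACKUP CERTIFICATE) to protected storage as soon as they are created; without them the ciphertext is unrecoverable after a restore to another server.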

  • Thanks for the information, I will check it out.

  • Hire an expert who's familiar with PCI-DSS implementations and audits to give you advice and show you the references they use, and the caveats for their use; security is an area where it's easy to find web pages or books, follow their advice, and end up with a system that appears to work but is actually tremendously insecure.
