December 6, 2010 at 11:50 am
We all know the highest level of PCI compliance (as far as the DB part) can be achieved with SQL Server.
To those who are working towards PCI or to those who achieved it,
can that be achieved with a STD edition or do I need to go with Enterprise?
We are hosting our databases with a third party which gives these assurances for intrusion protection, vulnerability, firewalls etc. I was wondering if the PCI requirements can be accomplished with a SQL Server 2005 Standard Edition.
I have the following four options:
SQL 2005 STD
SQL 2005 ENT
SQL 2008 STD
SQL 2008 ENT
Which one do I choose? I know choosing SQL 2008 ENT, I would be on the safe side, but my budget doesn't take me that far. So I was wondering which would be the most cost effective approach?
Please suggest.
Thanks
Today is the tomorrow you worried about yesterday :-)
December 6, 2010 at 12:39 pm
It depends on how you intend to encrypt sensitive data that you keep, if you intend to keep any at all.
If, for example, you will never store credit card numbers, et al, in your database, then it doesn't matter which one you will use.
If you will store them, then you need to encrypt them. This can be done by SQL 2008 Enterprise, or you can do it through the data access layer of your application. If you encrypt before you store, and decrypt only with the correct credentials, then it probably doesn't matter HOW you do that, just THAT you do it.
Note, I am not a lawyer, etc, blah blah blah. Check with the people who will be auditing your compliance before you implement any plan on this subject.
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
December 6, 2010 at 2:46 pm
Hey Allin,
As was previously mentioned, if you are not storing PII and credit card #'s your requirements go way down.
However, you need to encrypt the sensitive data at rest in some fashion; in SQL 2005 you could use column-level encryption, or you could try disk-level encryption as well.
There are drawbacks to any of these, so you should test extensively. Keep in mind that if you encrypt a column, it has to be varbinary, and that you cannot index on it.
Abbreviations: https://www.pcisecuritystandards.org/pdfs/pci_dss_glossary_v1-1.pdf
Of course, TDE in SQL 2008 EE will handle the data at rest; it is not available in Standard Edition. But that only takes care of the data at rest: anyone who can access the data with read access on the database will see the data in an unencrypted state.
Twitter: @SQLBalls
Blog: http://www.SQLBalls.com
Channel: https://www.youtube.com/@Tales-from-the-Field
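An added T-SQL example of the column-level encryption that the two replies above describe (it is not code from any poster in this thread): the card number lands in a varbinary column, a reader with only SELECT on the table gets NULL from DecryptByKey, and only a principal allowed to open the symmetric key sees cleartext. The object names (CardDataCert, CardDataKey, dbo.Payment) and the test card number are constructed for the demo.

```sql
-- Constructed demo of cell-level encryption (SQL Server 2005 and later, any edition).
-- Run in a throwaway database; the names below are assumptions, not a standard.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Replace-with-a-strong-passphrase!1';
CREATE CERTIFICATE CardDataCert WITH SUBJECT = 'Column encryption for card data';
CREATE SYMMETRIC KEY CardDataKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CardDataCert;
GO

-- The ciphertext column must be varbinary; keep only a display-safe fragment in clear.
CREATE TABLE dbo.Payment (
    PaymentId  int IDENTITY(1,1) PRIMARY KEY,
    CardLast4  char(4)        NOT NULL,   -- cleartext, used for display only
    CardNumber varbinary(256) NOT NULL    -- ciphertext from EncryptByKey, never the PAN
);
GO

-- Writer path: the key must be open in this session to encrypt.
OPEN SYMMETRIC KEY CardDataKey DECRYPTION BY CERTIFICATE CardDataCert;
INSERT INTO dbo.Payment (CardLast4, CardNumber)
VALUES ('1111', EncryptByKey(Key_GUID('CardDataKey'), N'4111111111111111')); -- constructed test PAN
CLOSE SYMMETRIC KEY CardDataKey;
GO

-- Reader with SELECT on the table but no rights to open the key:
-- DecryptByKey returns NULL, so only the varbinary ciphertext is visible.
SELECT PaymentId, CardLast4, CardNumber,
       CONVERT(nvarchar(32), DecryptByKey(CardNumber)) AS CardNumberWithoutKey
FROM dbo.Payment;
GO

-- Reader granted VIEW DEFINITION on the key and CONTROL on the certificate:
-- opening the key is the "correct credentials" step, after which cleartext is returned.
OPEN SYMMETRIC KEY CardDataKey DECRYPTION BY CERTIFICATE CardDataCert;
SELECT PaymentId, CONVERT(nvarchar(32), DecryptByKey(CardNumber)) AS CardNumber
FROM dbo.Payment;
CLOSE SYMMETRIC KEY CardDataKey;
GO
```

Because EncryptByKey uses a random IV, the same card number encrypts to a different varbinary each time, which is why an index on the ciphertext column cannot be used for lookups.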