From: Mike Cunningham
Would you say that PCI rules prohibit both of these because
everything is running on one piece of hardware?
I stirred up a hornets' nest by quoting the following:
"2.2.1 Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)"
Here's a relevant part that I left out:
"This requirement is meant for all servers within the cardholder data environment (usually Unix, Linux, or Windows based)."
"This requirement may NOT apply to systems which have the ability to natively implement security levels on a single server (e.g. mainframe)."
As Rob pointed out, complexity often leads to LESS security. I would further suggest that distributed application architecture leads to LESS security. Notwithstanding, how might PCI standards address this when the majority of the world divides workloads across server farms?