PCI Compliance - Non authenticated DB

Question

I have no idea where to go for PCI compliance questions, so I'd thought I'd give SO a shot. If someone can point me in the right direction of where I can go to ask questions, please share. I'll be happy to mark that as an answer as well.

If a PCI compliant site connects to a database that stores no user info, but does contain HTML and JavaScript snippets that could get rendered during the payment process, would this database need to have authentication to remain PCI compliant? I am evaluating MongoDB and found that it does not provide auth when configured with replica sets.

Answer 1

A several part answer:

• As I said in my comment up top, I am not a QSA (specifically not your QSA), and not authorized to permit you one way or the other. For a definitive answer you need your QSA to sign off on it. (Hmm, IANAQSA is the new IANAL....?)
• Strictly speaking, PCI does not: "Authenticate all access to any database containing cardholder data"
• While you might not need Authentication to the DB, you do need to segregate it on an internal network, seperated from the DMZ, as per PCI DSS requirement 1.3.7.
• According to requirement 6.1 you still need to ensure patches (it mentions databases, but nothing about CHD databases).
• All that said, from a security standpoint, you should consider that while stealing data from the database might be a non-issue, injecting code into your database could be a critical vulnerability, ala Persistent XSS. Which would of course indirectly invalidate your PCI compliance, as per requirement 6.5.1.

Again, you might get some better answers over on http://security.stackexchance.com/ ...