
Using Stripe to process credit card payments and storing client payments and information in a MySQL database. Only storing the ID of the transaction and the client ID. Stripe takes on the majority of the PCI compliance issues. Currently we are fulfilling PCI compliance by serving content over SSL and using Stripe's secure stripe.js connection.

We have been isolating our payments to a single box that hosts the database and payment site.

My question is: if I move to a remotely hosted database, like Amazon RDS, and continue to host the site on this server or a hosting PaaS, does this change PCI compliance if I am not storing any credit card info, and only pointers to Stripe's records? Anything I need to consider here, or can I keep using the PHP mysqli connection as I am now and just use the remote connection string instead of localhost? I would block all IPs except that of the web host from DB access.

I would still serve site content over SSL and use stripe.js. The only thing changing would be separating the database and the site onto different servers.

Travis Stoll

1 Answer


https://stripe.com/us/help/faq#my-pci-requirements

Anyone accepting credit card payments must be PCI compliant—but with Stripe, it's easy:

  • Serve your payment page over SSL, i.e., the page's web address should begin with "https", not "http".
  • Use Stripe.js as the only means by which you accept payment information and transmit it directly to Stripe's servers.

By taking these steps, you completely avoid handling sensitive card data, and keep your systems out of PCI scope.

Storing Stripe tokens is not covered by PCI regardless of where you put your DB, so you're good to go.

Were you storing card data, I don't believe RDS can be made compliant as you can't encrypt the disk it runs on. You'd need to build your own EC2 instances and follow all the other myriad rules.

ceejayoz
Thanks for the clarification here. "Storing Stripe tokens is not covered by PCI regardless of where you put your DB, so you're good to go." Just needed to hear someone say it. – Travis Stoll Sep 09 '13 at 16:21
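As an added example (not code from the question, the answer, or Stripe), this shows the setup the thread describes: the PHP mysqli connection moved from localhost to a remote database over TLS with server certificate verification, and a write path that stores only the client ID and Stripe references. The RDS hostname, CA bundle path, table and column names, and the Stripe ID prefixes checked are assumptions; IP restriction to the web host is done in the RDS security group, not in this code.

```php
<?php
// Added example; hostname, CA path, table/column names and ID prefixes are assumed.

// Accept only values shaped like Stripe object identifiers
// (assumed prefixes: customers "cus_", charges "ch_", tokens "tok_").
function isStripeReference(string $value): bool
{
    return preg_match('/^(cus|ch|tok)_[A-Za-z0-9]{8,}$/', $value) === 1;
}

// Refuse anything resembling a card number (13-19 consecutive digits) so
// that card data can never reach the database by accident.
function looksLikeCardNumber(string $value): bool
{
    return preg_match('/\d{13,19}/', preg_replace('/[\s-]/', '', $value)) === 1;
}

// The link now crosses a network instead of a local socket, so require TLS
// and verify the server certificate against the RDS CA bundle.
function connectRemoteDb(string $host, string $user, string $pass, string $db, string $caFile): mysqli
{
    $conn = mysqli_init();
    $conn->options(MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
    $conn->ssl_set(null, null, $caFile, null, null);
    $conn->real_connect($host, $user, $pass, $db, 3306, null, MYSQLI_CLIENT_SSL);
    if ($conn->connect_errno !== 0) {
        throw new RuntimeException('DB connect failed: ' . $conn->connect_error);
    }
    return $conn;
}

// Store only the client ID and Stripe references, never card details.
function recordPayment(mysqli $conn, int $clientId, string $customerId, string $chargeId): void
{
    foreach ([$customerId, $chargeId] as $ref) {
        if (!isStripeReference($ref) || looksLikeCardNumber($ref)) {
            throw new InvalidArgumentException('Refusing to store a non-Stripe reference');
        }
    }
    $stmt = $conn->prepare(
        'INSERT INTO payments (client_id, stripe_customer_id, stripe_charge_id) VALUES (?, ?, ?)'
    );
    $stmt->bind_param('iss', $clientId, $customerId, $chargeId);
    $stmt->execute();
    $stmt->close();
}

$conn = connectRemoteDb('mydb.example.rds.amazonaws.com', 'app', getenv('DB_PASS') ?: '', 'payments', '/etc/ssl/rds-ca.pem');
recordPayment($conn, 42, 'cus_EXAMPLE12345', 'ch_EXAMPLE12345'); // constructed sample IDs
```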