We are working with a Qualified Security Assessor on our PCI compliance. He said to reduce the scope of the assessment we should segment off our credit card environment from the rest of our internal network/users (which includes Tessitura clients/users who process credit cards - we thought it was just the Tessitura database and Transcend). I was wondering how other people are doing this? They recommended a Citrix or terminal server behind an internal firewall with a separate domain controller. But this means that users who access Tessitura will need to be on a separate domain/computer without access to the rest of our internal network/Internet?
I have researched this and ran some tests with our Test Database. In our plan I wasn't going quite as far as your description though. We were looking at a separate subnet coming out of an independent port on our firewall. This would allow us to create rules to allow certain traffic between the two yet still have granular control over what and whom we allow into the CC and Tessitura environment. The access rules could allow for NTFS and AD traffic to pass through, removing the need for a separate domain controller. This is not something we have implemented yet. The only downside to this plan is that it adds more traffic for the firewall to process and could add the firewall connection as a possible bottleneck.
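The design in the reply above (a separate cardholder subnet hanging off its own firewall port, with the firewall passing only Active Directory traffic to the existing domain controllers plus the application traffic the terminal servers need) can be expressed as a concrete ruleset. The nftables ruleset below is an added example written for this thread; it is not configuration from either poster or from Tessitura. The subnets, the domain controller addresses, the terminal-server subnet and the database port (1433, the SQL Server default) are all assumptions chosen for illustration; the AD ports listed are the standard ones Windows domain members use, and the 49152-65535 range is the default dynamic RPC range on Windows Server 2008 and later, which should be narrowed to whatever the domain controllers are actually configured to use.

```nft
#!/usr/sbin/nft -f
# Added example: segmenting a cardholder data environment (CDE) behind a Linux
# firewall so that only AD traffic to the existing DCs and application traffic
# from the terminal servers crosses the boundary. All addresses are assumed.
flush ruleset

define CDE  = 10.20.0.0/24                 # assumed: CDE subnet on its own firewall port
define DCS  = { 10.10.1.10, 10.10.1.11 }   # assumed: existing domain controllers on the corporate side
define JUMP = 10.10.5.0/24                 # assumed: Citrix/terminal servers users log on to

table inet cde_segmentation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to allowed sessions; nothing else flows by default
        ct state established,related accept
        ct state invalid drop

        # CDE members -> domain controllers only: DNS, Kerberos, RPC endpoint mapper,
        # LDAP/LDAPS, SMB (SYSVOL/NETLOGON, group policy), kpasswd, global catalog
        ip saddr $CDE ip daddr $DCS tcp dport { 53, 88, 135, 389, 445, 464, 636, 3268, 3269 } accept
        ip saddr $CDE ip daddr $DCS udp dport { 53, 88, 123, 389, 464 } accept
        # Dynamic RPC range for netlogon/DC services (assumed default; restrict it on the DCs)
        ip saddr $CDE ip daddr $DCS tcp dport 49152-65535 accept

        # Only the terminal servers may open the application port into the CDE
        # (assumed: the Tessitura SQL Server instance listens on 1433)
        ip saddr $JUMP ip daddr $CDE tcp dport 1433 accept

        # Everything else into or out of the CDE, including general corporate
        # traffic and the Internet, is logged and dropped
        ip daddr $CDE log prefix "cde-deny-in: " drop
        ip saddr $CDE log prefix "cde-deny-out: " drop
    }
}
```

Load it with `nft -f` on the firewall and watch the `cde-deny-*` log lines for a while before trusting it: anything the CDE hosts legitimately need that is not listed (print servers, update servers, backup agents) will show up there and should be added as a narrow rule rather than by widening the AD rules.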