Network Segmentation for PCI Compliance

We are working with a Qualified Security Assessor on our PCI compliance. He said to reduce the scope of the assessment we should segment off our credit card environment from the rest of our internal network/users (which includes Tessitura clients/users who process credit cards - we thought it was just the Tessitura database and Transcend). I was wondering how other people are doing this? They recommended a Citrix or terminal server behind an internal firewall with a separate domain controller. But this means that users who access Tessitura will need to be on a separate domain/computer without access to the rest of our internal network/internet?

  • Our setup is that we have "Tessitura" (SQL server, ancillary services, credit card) on a separate network segment with its own switch (192.168.2.x network).

    All regular client PCs and the servers are on a different switch and segment (10.1.2.x for servers, 10.1.4.x for clients). Any client traffic to Tessitura is routed through the firewall (the Tessitura switch is connected on one of the trusted interfaces) - a route and security policy are defined in the firewall to allow only authorized traffic and ports to and from the Tessitura segment.
    The API lives in a DMZ and only the IP address of our web server is allowed in the firewall; it directly NATs to the Web API IIS and only allows port 80 / 443.

    I do agree that you should definitely segregate the Tessitura environment from your client and other server infrastructure because as your QSA said, it will reduce the scope of work and what all needs to be 100% PCI compliant. However, you should be able to meet the requirements without the need for a separate DC. But, not having all of the details of your environment I am reluctant to say that they are 'wrong'.

    Good luck!
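
The segmentation described in the reply above, written out as a policy you can both render as a firewall ruleset and test against observed traffic. This is an added example, not code from the post, from Tessitura, or from any QSA. The only addresses taken from the post are the client (10.1.4.0/24), server (10.1.2.0/24) and Tessitura (192.168.2.0/24) segments; the DMZ range 172.16.0.0/24, the web server 172.16.0.10, the Web API IIS host 192.168.2.20, the firewall's DMZ-side address 172.16.0.1 and TCP 1433 (SQL Server's default port) as the one port clients need are all assumptions for illustration. The `find_violations` function is the part a practitioner wants for PCI DSS segmentation testing: feed it flows that the firewall logged as accepted, or the open ports a scan from the client LAN found, and any hit means the boundary is not where the policy says it is.

```python
"""Segmentation policy for a Tessitura (cardholder data) segment.

Added example, not from the post or from Tessitura. Segments 10.1.4.0/24,
10.1.2.0/24 and 192.168.2.0/24 come from the post; every other address and
port below is an assumption made for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ZONES = {
    "clients": ip_network("10.1.4.0/24"),
    "servers": ip_network("10.1.2.0/24"),
    "cde": ip_network("192.168.2.0/24"),   # Tessitura segment, in PCI scope
    "dmz": ip_network("172.16.0.0/24"),    # assumed
}

WEB_SERVER = "172.16.0.10"        # assumed: the one DMZ host allowed in
FIREWALL_DMZ_ADDR = "172.16.0.1"  # assumed: address the web server talks to
API_HOST = "192.168.2.20"         # assumed: Web API IIS host inside the CDE


@dataclass(frozen=True)
class Rule:
    src: str           # zone name, or a host/CIDR string
    dst: str
    proto: str
    dports: frozenset  # destination ports


# First match wins; anything not listed is dropped (default deny).
POLICY = [
    Rule("clients", "cde", "tcp", frozenset({1433})),         # assumed port
    Rule(WEB_SERVER, API_HOST, "tcp", frozenset({80, 443})),  # web -> API
]


def _net(spec):
    """Resolve a zone name or an address/CIDR string to an ip_network."""
    return ZONES[spec] if spec in ZONES else ip_network(spec)


def evaluate(flow):
    """Return the first rule permitting (src, dst, proto, dport), else None."""
    src, dst, proto, dport = flow
    for rule in POLICY:
        if (rule.proto == proto and dport in rule.dports
                and ip_address(src) in _net(rule.src)
                and ip_address(dst) in _net(rule.dst)):
            return rule
    return None


def parse_flows(text):
    """Parse 'src dst proto dport' lines; blank lines and '#' comments skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split()
        flows.append((src, dst, proto, int(dport)))
    return flows


def find_violations(text):
    """Flows that touch the CDE but match no rule.

    Run over accepted-flow logs or scan results: each hit is traffic that
    crossed the CDE boundary without a permitting rule.
    """
    cde = ZONES["cde"]
    return [f for f in parse_flows(text)
            if (ip_address(f[0]) in cde or ip_address(f[1]) in cde)
            and evaluate(f) is None]


def render_nftables():
    """Render POLICY as an nftables ruleset: default-deny forward chain plus
    the DMZ-side DNAT that sends the web server to the Web API host."""
    lines = [
        "table inet cde {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in POLICY:
        ports = ", ".join(str(p) for p in sorted(r.dports))
        lines.append(f"    ip saddr {_net(r.src)} ip daddr {_net(r.dst)} "
                     f"{r.proto} dport {{ {ports} }} accept")
    lines += [
        "  }", "}",
        "table ip cde_nat {",
        "  chain prerouting {",
        "    type nat hook prerouting priority -100;",
        f"    ip saddr {WEB_SERVER} ip daddr {FIREWALL_DMZ_ADDR} "
        f"tcp dport {{ 80, 443 }} dnat to {API_HOST}",
        "  }", "}",
    ]
    return "\n".join(lines)


# Constructed sample of flows a firewall might report as accepted.
SAMPLE_FLOWS = """
10.1.4.15    192.168.2.10  tcp 1433
10.1.4.15    192.168.2.10  tcp 445
172.16.0.10  192.168.2.20  tcp 443
172.16.0.11  192.168.2.20  tcp 443
10.1.2.5     192.168.2.10  tcp 3389
192.168.2.10 10.1.2.5      tcp 445
"""

if __name__ == "__main__":
    print(render_nftables())
    for flow in find_violations(SAMPLE_FLOWS):
        print("VIOLATION:", *flow)
```

Of the six constructed flows only the first (client to SQL on 1433) and third (the web server to the API host on 443) are permitted; the other four, including the CDE host reaching back into the server LAN on 445, would be reported as violations. The policy is also where the domain controller question shows up concretely: if the hosts in 192.168.2.0/24 are joined to the existing domain, the Active Directory ports to the DC subnet have to be added as rules, and the DC then sits inside the boundary this policy defines. That trade-off, rather than any hard requirement, is what a separate DC in the segment avoids.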
