We currently process, but do not store, credit card data. We authorize the cards via a self developed application using the authorize.net API.
If possible, we would like to limit all requirements of PCI that effect our servers (such as installing Anti-Virus) to an isolated separate environment. Is that possible to do while still maintaining compliance?
If so, what would constitute sufficent isolation? If not, is there somewhere where that scope is clearly defined?
The last time I read the PCI standards, they had the isolation requirements pretty well stated (the technical term in PCI language is to reduce the scope of the PCI compliant environment). So long as those flagrantly un-compliant servers have zero access to the compliant zone, it should fly. That would be a network segment that is fully firewalled from your normal network, and the rules on that firewall are themselves PCI-compliant.
We did much the same thing ourselves at my old job.
The key thing to keep in mind is that from the perspective of the PCI-compliant zone everything not in the zone is to be treated like the public Internet, no matter if it is also the same network that also warehouses your corporate IP. So long as you do that, you should be good.
This is actually quite common. We routinely refer to/designate computers as "in-scope for PCI".
Also, "clearly" is sometimes not part of the PCI lexicon. The language can be vague. We have found that sometimes the simplest approach can be to ask the auditor if a proposed solution would work. Consider the following from the PCI-DSS V2:
"Without adequate network segmentation (sometimes called a "flat network") the entire network is in scope of the PCI DSS assessment. Network segmentation can be achieved through a number of physical or logical means, such as properly configured internal network firewalls, routers with strong access control lists, or other technologies that restrict access to a particular segment of a network."
Does that mean that a normal network switch meets the requirements? It would be easy for them to say so, but there you go. It is "other technologies that restrict access to a particular segment of a network." Another of my favorites about scope:
" ...Applications include all purchased and custom applications, including internal and external (for example, Internet) applications. "
I'm not sure about the AD part, but we do have HIDS and antivirus on all of our DC's, so I suspect that it may be.