22

I've read this nice question:

Should SSL be terminated at a load balancer?

And I have the same question, but with PCI-DSS compliance in mind.

Is SSL terminated at the load balancer, with clear communication between the load balancer and the web servers, PCI compliant?

I'm using AWS Elastic Beanstalk, which under the hood uses EC2 instances and load balancers.

BenMorel
  • 909
  • 1
  • 7
  • 13
  • 1
    What threat are you eliminating by having SSL between the Load Balancer and the target host? Thinking though this may guide you to an answer. (I'm not a PCI guru) – makerofthings7 Sep 27 '13 at 23:26

3 Answers3

14

According to section 4.1 of the PCI Data Security Standard any merchant handling credit card data should:

"...use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.”

This means that Front End SSL is allowed, as once the data reaches the LB, it is considered to have entered a secure private network.

Also, the PCI Approved Scanning Vendors Program Guide states that all servers behind a load balancer are exempt from internal scans if they share a similar configuration.

David Houde
  • 5,504
  • 1
  • 27
  • 22
  • 4
    you are still responsible for securing the network between the load balancer and the servers. One possibility is to isolate that segment on its own VLAN. You could also secure it with IPSec. I'd check with the QSA to see if he has any special requirements. (A big negative to the IPSec approach is managing yet another set of keys.) – John Deters Sep 28 '13 at 04:30
  • 2
    @JohnDeters In AWS terms, would that mean using their [Virtual Private Cloud](http://aws.amazon.com/vpc/)? – BenMorel Sep 28 '13 at 10:43
  • 1
    I'm working in a top notch PCI compliant company. And we only have SSL between browser and netscalar LB. – Novice User Sep 28 '13 at 14:21
  • 1
    @Benjamin, it has to be secure enough to assure your assessor that it won't be the source of a breach. Your assessor may not notice; he may notice but decide it's a low risk; or he may require you to put compensating controls around it (such as IPSec or an isolated segment.) It's a judgement call on his part. It's also a call you can voluntarily choose to make even if your QSA doesn't require it. (Sorry, I'm not familiar enough with AWS to answer that for you.) – John Deters Sep 28 '13 at 15:22
  • [This link](http://support.rightscale.com/Security/4_FAQs/Can_I_meet_PCI_Requirement_4.1(data_security_over_public_networks)_in_the_Cloud%3F) confirms that instances are on a private network, and cannot sniff traffic from each other, hence this does not fall in the "open, public networks" category. I'm keeping this solution then, and hence accepting this answer. – BenMorel Jan 27 '14 at 15:09
  • I any case (ssl termination or not) I would argue that the load balancer is in scope for pci compliance, as the load balancer decrypts the data (possibly containing card numbers) it receive and then forward to the appropriate servers. – mic.sca Nov 18 '16 at 14:34
5

The answer isn't a very good one. This is one of those Grey areas of PCI and it really depends on your QSA...

At companies I've worked at in the past, we have gotten away with it, although we worked to re-establish SSL on the back end of the load balancers because it's general best practice and minimal overhead. This comes down to the "open, public networks" portion of PCI DSS 4.1 (version 2.0).

4.1 Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks.

Your internal network is not consider an "open, public network" and therefore is not subject to the encryption requirement. Honestly, I would still suggest encrypting on the back end, especially if you're using a public cloud.

Keep in mind that PCI DSS 3.0 is slated to come out soon, and compliance will be slated for 2015 in most cases (draft here). There does not seem to be any chances in the spec to require SSL on the back end.

JZeolla
  • 2,966
  • 1
  • 19
  • 25
  • 1
    Good answer. I would disagree that SSL/TLS on the backend is "minimal overhead". In terms of performance, you are right. In terms of configuration and complexity, only having to manage certs on an (AWS) load balancer is a much easier to manage solution. – Jason Sep 25 '18 at 01:06
0

I any case (ssl termination or not) I would argue that the load balancer is in scope for pci compliance, as the load balancer decrypts the data (possibly containing card numbers) it receives and then forwards it to the appropriate servers.

Established that it is in scope, to be considered compliant it should respect all the PCI requirements applicable to a server that processes cardholder data.

mic.sca
  • 31
  • 8