
We have a website that processes credit card data and uses a load balancer for our two web servers. The SSL connection terminates on the web servers and not the load balancer. Is the load balancer in scope for PCI?

welladj

  • Is the **router** in scope for the PCI? I suspect the answer would be the same as for your **load balancer**. They both handle the data, and can both mis-route the connection, but neither has sufficient means to decipher sensitive information. – 700 Software Jul 25 '16 at 19:24
  • It will be in scope. In fact, everything that the card data passes through, even if it's not modified by that device or appliance, will be in scope. – yetdot Aug 24 '16 at 22:45
  • @yetdot, *"everything that the card data passes through"* The ISP's uplinks fit that description, yet it seems they would be outside the scope of PCI? I also wonder about the router that the ISP consigns to its customer? – 700 Software Aug 24 '16 at 23:02
  • That would be covered by the ISP's AOC, as the security of their equipment is their responsibility. This is where the concept of line of demarcation will come into play. Having said that, the auditor may always ask 'you', the customer of the ISP, to also do some due diligence on whether or not your service provider provides adequate security for data passing through their infrastructure. – yetdot Aug 24 '16 at 23:25
  • @mic.sca, Read the OP's question again. The decryption does not take place on the balancer here. – 700 Software Nov 18 '16 at 14:35

1 Answer

First, IANAQSA (I am not a QSA), but I do deal with PCI a lot.

Using the open scoping toolkit as guidance, the Load Balancer would not be a category 1 system. That is because it does not directly store, process, or transmit unencrypted cardholder information. Given that it opens network connections to the web server (which is a category 1 system), it would likely be a category 2 system. A category 2 system is still in scope for PCI as it can affect the security of the cardholder data environment (CDE).

I would suggest following the scoping toolkit yourself or engaging a QSA for more information.

John Downey