Is SSL terminated at a load balancer PCI compliant?

According to section 4.1 of the PCI Data Security Standard any merchant handling credit card data should:

"...use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks."

This means that Front End SSL is allowed, as once the data reaches the LB, it is considered to have entered a secure private network.

Also, the PCI Approved Scanning Vendors Program Guide states that all servers behind a load balancer are exempt from internal scans if they share a similar configuration.


The answer isn't a very good one. This is one of those grey areas of PCI and it really depends on your QSA...

At companies I've worked at in the past, we have gotten away with it, although we worked to re-establish SSL on the back end of the load balancers because it's general best practice and minimal overhead. This comes down to the "open, public networks" portion of PCI DSS 4.1 (version 2.0).

4.1 Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks.

Your internal network is not considered an "open, public network" and therefore is not subject to the encryption requirement. Honestly, I would still suggest encrypting on the back end, especially if you're using a public cloud.

Keep in mind that PCI DSS 3.0 is slated to come out soon, and compliance will be slated for 2015 in most cases (draft here). There does not seem to be any changes in the spec to require SSL on the back end.
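The "re-establish SSL on the back end of the load balancer" setup the answer above recommends, written out as an nginx configuration. This is an added example, not configuration from the question or either answer: the hostnames, certificate paths and the `cardholder_app` upstream name are assumptions. The load balancer terminates the client's TLS session, then opens a second, verified TLS connection to each application server instead of forwarding plaintext across the internal network.

```nginx
# Added example: TLS termination at the load balancer with re-encryption to the backend.
# Paths, hostnames and the upstream name are placeholders, not values from the page.

upstream cardholder_app {
    # Application servers listen on 443, not 80, so nothing crosses the
    # internal network unencrypted.
    server app1.internal.example:443;
    server app2.internal.example:443;
}

server {
    listen 443 ssl;
    server_name shop.example.com;

    # Front-end termination: the load balancer holds the public certificate.
    ssl_certificate     /etc/nginx/tls/shop.example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/shop.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    location / {
        # Back-end re-encryption: the scheme is https, so the hop to the
        # application servers is a fresh TLS session.
        proxy_pass https://cardholder_app;

        # Verify the backend certificate against an internal CA; without
        # these two lines nginx accepts any certificate the backend presents,
        # so the re-encryption protects confidentiality but not authenticity.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;

        # Send and check the expected backend name (SNI and certificate match).
        proxy_ssl_server_name on;
        proxy_ssl_name app.internal.example;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

The directive that makes the difference for the "grey area" in the answer is `proxy_pass https://` rather than `http://`; `proxy_ssl_verify` and `proxy_ssl_trusted_certificate` are what keep the back-end hop from being encrypted to whichever host answers. Nothing in this example verifies the front-end side from the client's point of view; a check with `openssl s_client -connect shop.example.com:443` from outside, and the same against `app1.internal.example:443` from inside the network, is the quickest way to confirm both hops actually negotiate TLS.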