PCI Compliance with Workers - External Scanning
I am trying to transfer cardholder data to CF Workers that process payments through a PCI Compliant gateway given by an acquiring bank. They require me to be PCI Compliant. No data is stored other than the cardholder name on MongoDB Atlas (Also PCI Compliant).
Going through PCI SAQ D, I noticed that an external network scan by an "Approved Scanning Vendor" is necessary for compliance. What do I do in this case? Do I literally just pay to have CF's anycast IP scanned? (Sounds like a waste of money, as CF has already done it.) Cloudflare's PCI Responsibility Matrix says scanning is to be done by the customer as well.
I don't have any servers; the "CDE" is CF Workers & MongoDB Atlas.
P.S. I know this may not entirely be a developer question, but it's something I can't get answered for weeks.
27 Replies
I'm not a lawyer, but Workers and KV are PCI compliant according to https://www.cloudflare.com/trust-hub/compliance-resources/
Yuh, but I can't just use Cloudflare's compliance docs. I have to create my own: https://listings.pcisecuritystandards.org/documents/SAQ_D_v3_Merchant.pdf
82-page document for me to fill out, and it requires me to do an "External IP Scan".
Gotcha don’t know in this case.
Appreciate it
I feel like it's a weird spot: you'd typically be told to do scans since they will hit your own hosting/infra, but in the case of Workers/Pages/R2 your hosting/infra is also Cloudflare.
exactly my thoughts
The issue with scanning Cloudflare is also that there's nothing that differentiates it from a normal proxied setup to a Worker: the anycast IPs are the same, they listen on ports that you won't actually use, etc.
I've never dealt with PCI DSS stuff - does CF's attestation do anything or is that something you need on top of your own self-assessment?
Yeah, I saw a post by someone saying they scanned CF IPs for their PCI needs and they ended up failing because CF accepted SYN packets from some ports that other CF customers needed.
Yeah, you have to attach all your service providers' AoCs to your own AoC and report
I don't think we ever needed to do a SAQ, since we used Barclaycard/Stripe/etc, but we did have to do AVS and fight with insurers constantly
"Why is this port open?" Well, it's a GCP IP and I've sent you the docs that say it listens on all ports three times. We have forwarding rules for 443 only, but their tool told them another port was open and they didn't want to hear anything else, which probably isn't their fault, but their hand is forced by the tickbox.
😂 Yeah, I feel like they were probably just following a checklist.
Personally I know all my environments are secure but this SAQ is making me do all sorts of stuff that costs a whole lotta money
It's inescapable. I used to work for a company that fitted the networking gear, like switches & APs, for new school buildings. The Department of Education still had a tickbox exercise on a spreadsheet where we had to walk around the site with BBC iPlayer and show that it doesn't buffer or have dead spots.
Lmaoo
Having to show them us unplugging one of the core switches to show the network doesn't implode if you take out 1 of 2 devices in an HA pair, who knew.
This is definitely a boomer problem
Everything
The issue is that I don't know anyone at Cloudflare who'd be able to assist other than Enterprise sales who'd probably expect that you're getting an Enterprise plan before they engage the teams who can give you the actual answers.
Workers, being a relatively new thing, is included in their attestation and whatnot as compliant, but not exactly differentiated in their responsibility matrix.
Yeah, I'm tempted to just put Not Applicable for some of them and just hope for the best if I don't find any answers
Well, it's there but the scans are under shared.
ye
I saw no checks under Workers, iirc.
like literally nothing
true
I guess the issue is that Workers can be your origin, but also just JS at the edge which still talks to your services hosted elsewhere
If you did mark it as NA, what sort of follow-up/justification do they look for?
Only, uh, MongoDB Atlas atm (which has their own AoC n goodies).
They don't, they just trust you
But if you get breached, they do an internal audit, and if they find any incorrect information, you may be liable for fines up to $50,000 USD
spooky
The community might have some threads or better answers, since this Discord tends to be a lot more focused on the development side of things so we don't have many people like Solutions Engineers who'd probably run into this pretty frequently.
https://community.cloudflare.com/search?q=PCI%20DSS
That said, people are mostly just pointed to the compliance docs pages
https://developers.cloudflare.com/ssl/reference/compliance-and-vulnerabilities/ is intended for people who have AVS false-positives, there isn't much else documented about PCI compliance.
😭
You think I should just say fudge it and do the Not Applicable thing
I process like 50 transactions a month and don't store card info, and the card info is only sent to CF Workers, then directly to a gateway.
A breach of any "sensitive" data is inherently impossible.
I'd probably go with NA. With Workers, there isn't that much you can do other than making sure you don't have a supply chain issue like a malicious dependency.
Stuff like https://developers.cloudflare.com/workers/reference/security-model/ is just part of how Workers works and you don't have any control over it, or the ability to modify it.
Gotcha
Thanks so much, you're like the only one in 3 weeks I was able to talk to who's knowledgeable at all about how the PCI scheme works.
Do I need to do anything to close this thread?
Nope. Closing a thread in Discord doesn't do a whole lot anyhow; it gets put into the old threads part if it isn't talked in for a while.
The only other thing I'd think about is that I've seen scans before where they tell you to remove the WAF so they can test your origin directly, which doesn't make a whole lot of sense, since the WAF is part of the security, but I guess it covers for when you disable CF in an emergency.
Which, of course, you can't do with Workers
I guess you can justify that as "it's on CF, not CF in-front"
fax