I have a payment gateway application, hosted on a Kubernetes cluster, which will be used to process payment transactions. A total of 4 microservices will communicate using REST APIs and Kafka. Is it mandatory to use SSL/TLS encryption to encrypt the data between microservices?
1 Answer
As of 05/2023, PCI DSS V4.0 https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf states:
4.1 Processes and mechanisms for protecting cardholder data with strong cryptography during transmission over open, public networks are defined and documented.
4.2 PAN is protected with strong cryptography during transmission
If the 4 microservices (assumed to be in scope for PCI DSS) transmit cardholder data over a public network (including, but not limited to, the internet and Wi-Fi), or transmit PAN, you should use encryption with a secured cipher suite.
Also:
2.2.7 All non-console administrative access is encrypted using strong cryptography.
8.3.2 Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components.
Since your services use REST APIs, another mandatory requirement for compliance would be to encrypt authentication factors with a secured cipher suite if the microservices use any form of authentication, and likewise for administrative access.
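As an added illustration (not part of the question or the answer above), a Go program that models the "strong cryptography / secured cipher suite" requirement for service-to-service TLS: a server policy with a TLS 1.2 floor and only forward-secret AEAD suites, and a check that a current client negotiates TLS 1.3 while a legacy client offering only a CBC/SHA-1 suite is refused. The service name payments-svc, the throwaway self-signed certificate and the in-memory pipe are constructed for the demo; real services would get certificates from an internal CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// PolicyTLS: TLS 1.2 as the floor and, for 1.2, only forward-secret AEAD suites (TLS 1.3 suites are fixed in Go and all AEAD).
func PolicyTLS(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true, // keeps the in-memory pipe below deadlock-free
		CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305},
	}
}

// Negotiate handshakes one client against PolicyTLS over an in-memory pipe; legacy models an
// old client limited to TLS 1.2 with a CBC/SHA-1 suite. version/suite are meaningful only when err is nil.
func Negotiate(legacy bool) (version, suite uint16, err error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // demo-only self-signed cert for "payments-svc"
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"payments-svc"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	client := &tls.Config{RootCAs: pool, ServerName: "payments-svc"} // always verifies the server cert
	if legacy {
		client.MaxVersion = tls.VersionTLS12
		client.CipherSuites = []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA}
	}
	sconn, cconn := net.Pipe()
	defer cconn.Close()
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(sconn, PolicyTLS(tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key})).Handshake() }()
	c := tls.Client(cconn, client)
	if err = c.Handshake(); err == nil { // the legacy client is refused here with a handshake_failure alert
		err = <-srvErr // server-side view of the same handshake
	}
	st := c.ConnectionState()
	return st.Version, st.CipherSuite, err
}
```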