
We created a reverse proxy appliance (bridge) that transmits all the data in and out of the network. See the diagram below.

|------------------------LAN----------------------------|
 User --- Access Point --- Switch ---- Proxy --- Gateway --- WAN

Assume that payments are being made through that LAN, but none of the HTTPS data is being stored or processed in the proxy.

Does the reverse proxy (which runs Ubuntu 14.04 with bridge-utils) need to be PCI-DSS compliant?

Niv Penso

1 Answer

Scope is a complicated part of PCI-DSS. The general rule is that if a device can connect to the CDE, it is in scope.

The easiest way to figure this out is to work out exactly where your CDE lies and then isolate it with an extremely restrictive firewall. As you open up firewall ports to allow services (i.e. your reverse proxy) to connect to the CDE, add those services to your scope. Alternatively, you could go through a thought experiment: if a highly malicious actor took control of device A, could he/she direct credit card data somewhere else?

0708