What Does End Of Life Mean for Magento 1 PCI Compliance?
As of June 30th, Magento 1 has officially reached its End of Life date, rendering the M1 Enterprise and Community platforms unsupported by Adobe. This means that eCommerce sites that are still running on the Magento 1 platform will no longer receive official support updates or security patches, and their Magento 1 PCI compliance status could be at risk. These updates are essential for keeping eCommerce websites secure and in good standing with PCI compliance standards.
There are several reasons why merchants may have chosen to stay on Magento 1 after the EOL date. Completing a Magento 2 migration is time-consuming and can be prohibitively expensive. Many merchants have taken the “If it’s not broken, don’t fix it” approach to migrating; their eCommerce websites are successful, and taking on the cost of migrating to Magento 2 simply doesn’t make sense. The Magento 1 platform has historically been one of the best-performing eCommerce platforms in the world. Earlier this year, with less than 6 months until EOL, over 150,000 merchants were still using the Magento 1 platform; a large number of these sites will not have migrated by the EOL cut-off date. While the decision to stay on the M1 platform is risky, additional security measures can help to keep these websites viable.
Partnering with a managed services provider, like Forix, can help you protect your eCommerce site and maintain the compensating controls necessary to keep your website compliant. Continuing to run your website on an unsupported platform comes with its share of risks, but it can be done safely. By ensuring that your site has the proper monitoring, scanning, and planning in place that’s necessary to meet compensating controls guidelines, you can keep your site secure in an increasingly vulnerable digital environment.
How Will My Magento 1 PCI Compliance Status Be Affected by EOL?
According to the Acquirer Advisory report from Visa, merchants need to leave the unsupported Magento 1 platform as soon as possible to ensure that their sites are able to stay in compliance with PCI DSS standards.
From Visa: “Merchants must be cognizant of their responsibilities in securing their environment to help prevent the loss of payment card data. Acquirers should use this information to take risk-based decisions and encourage their merchants to migrate to a supported version or alternate platform to remain PCI compliant.” (Source)
This statement, released in April of this year, encourages merchants to migrate away from Magento 1, ideally to the Magento 2 platform, or another supported eCommerce platform, such as Shopify. PayPal released a similar statement soon after, notifying merchants of the impending risks of remaining on the unsupported M1 platform after End of Life.
According to the official statement from PayPal,
“Requirement 6 of the PCI DSS requires merchants to “develop and maintain secure systems and applications by installing applicable vendor-supplied security patches.” Without future security patches, Magento 1 merchants will no longer be able to meet this requirement, which could result in costly and time-consuming remediation.” (Source)
These statements seem gloomy, but there’s more to the story than Visa and PayPal would have you believe.
So, Can I Keep My Site PCI Compliant?
While these statements seem to assert that PCI compliance will not be possible after EOL, that’s not entirely accurate. Although Adobe and the official Magento company will no longer provide security patches, patches will still be available from other sources. Because Magento is open-source software, there are third-party web developers around the world who are capable of, and willing to, create security patches and updates for Magento 1 after the End of Life date. German-based Mage-One has already committed to creating security patches after EOL, which will be widely available to users on the platform. Managed service providers, like Forix, will continue to work with third-party developers to create and implement security patches to keep M1 sites supported and compliant.
What Really Happens to Magento 1 Websites After EOL
Now that End of Life has come to pass for the Magento 1 platform, websites still running on M1 will find themselves increasingly vulnerable to cyber attacks and security threats. It’s no secret that M1 is now unsupported, and hackers, scammers, and other unsavory denizens of the internet know that Magento 1 eCommerce websites will be vulnerable targets.
Some of the main security concerns facing eCommerce sites are:
- Theft of User Data
- Distributed Denial-of-Service (DDoS) Attacks
If your eCommerce website falls prey to these cyber attacks, your business could be on the hook for tens of thousands of dollars in damages, losses, and fees or fines. Additionally, you’ll lose not only your Magento 1 PCI compliance status, but the trust and goodwill of your customers, too. Many times, online businesses are unable to recover from a large-scale cyber attack, especially one that results in user data being compromised or stolen. The risks associated with staying on Magento 1 are serious; however, they are not insurmountable.
Aside from the security risks associated with running on an unsupported platform, there are practical risks that can affect the functionality of your website. Running the site and its software applications after the EOL date carries several risks, such as:
- Without official regular upgrades or security patches, eCommerce sites will begin to degrade and become unstable
- Extensions or plug-ins built for the outdated platform may begin to break or become unavailable, affecting essential functions of the site
- Magento developers will increasingly be familiar with Magento 2 only
- Merchants may fall out of compliance with PCI DSS
- eCommerce sites will be increasingly vulnerable to security threats, and the likelihood of a data compromise event due to the lack of security upgrades will increase
Staying on Magento 1 without extended support is not recommended. With no more forthcoming support or security updates from Adobe, it is essential for M1 merchants to partner with a managed services provider, like Forix. A certified Magento agency can provide regular updates and essential monitoring services to keep eCommerce sites running smoothly.
Magento 1 PCI Compliance with Compensating Controls
There are many eCommerce sites on the web that continue to function on outdated versions of their platforms without issue, but they must retain the services of a third party to ensure that they have the support and security measures in place necessary to keep their sites secure. Compensating controls are the support and security measures you have invested in to keep your site safe in lieu of official support. This includes increased monitoring and scanning, firewall applications, and planning for your site’s security.
What are Compensating Controls?
While it is undoubtedly risky to run on an unsupported platform, there are steps that can be taken to ensure that your site can maintain PCI compliance. Compensating controls are extra measures that can be taken to ensure that your website is secured and protected from cyber attacks and malicious web security threats. This includes additional scanning and monitoring, enhanced firewall protections, and creating a detailed plan to maintain security services on your site.
Proving that you are adhering to compensating controls policies and using additional services to maintain security on your site can help you maintain PCI compliance status, even after the Magento 1 End of Life date. Without compensating controls, failure to maintain PCI compliance could result in your ability to process credit card payments on your site being revoked. Adhering to high levels of security is essential to keeping your eCommerce site compliant and preserving your ability to continue accepting credit card payments on site.
How to Keep Your Magento 1 Site Supported After June 2020
To help you maintain security and Magento 1 extended support after June 2020, Forix has created a comprehensive M1 security and support plan. This package allows clients who have chosen to stay on Magento 1 to maintain site security and preserve their Magento 1 PCI compliance status. The compensating controls included in our M1 support package will help you to meet industry standards of security and compliance. Extended support means you’ll be able to continue accepting credit card payments on your site, an essential element for any eCommerce business.
Our Magento 1 Extended Support package features regular scanning and around-the-clock monitoring to ensure that no potential issues or threats are overlooked. Additionally, we’ll install firewalls and provide ongoing support to keep your site in compliance. Our extended support package includes:
- Malware Scanner: Sucuri Site Checks protects your website from cyber attacks.
- Uptime Monitoring: StatusCake uptime monitoring and performance testing ensures that your website is online and shoppable.
- Patch and Version Notification: Know when a new security patch or option is available for your site.
- PCI Compliance Scans: Serverscan PCI scans ensure ongoing PCI Compliance.
- SSL Monitoring: SSL monitoring of certificates and applications to prevent website downtime.
- Magento Site Speed: GT Metrix Pro monitors page speed and performance to keep websites running fast.
- Server Monitoring: Zabbix server monitoring identifies potential overloads or space issues before they become a problem.
- Firewall Implementation and Configuration: Advanced Web Application Firewall (WAF) from either Cloudflare or Fastly for additional security.
It’s essential to maintain Magento 1 support after EOL in order to keep your eCommerce site secure and in good standing with PCI compliance standards. By working with managed services provider Forix for your compensating controls and extended support services, you’ll be able to stay on Magento 1 until you’re ready to migrate to the Magento 2 platform on your own terms.
Keep Your Website Protected with Magento 1 PCI Compliance and Support Services
There’s no denying that staying on Magento 1 comes with its share of security risks. However, it is possible to maintain security and find extended support to keep your website protected from cyber threats. You can continue to do business on the M1 platform, as long as you maintain Magento 1 extended support and ongoing security services from a qualified managed services provider like Forix. With over 60 certified Magento developers on our team, we have the skill and experience necessary to provide your Magento 1 eCommerce site with the high level of support and security needed.