Magento EOL: Am I able to retain PCI Compliance on Magento 1?

Update: Please see our article on M1 stores without the PCI stress – Sonassi Assurance for more details on what to do if you can't upgrade in time.

With Magento’s end of life (EOL) fast approaching we’ve had some clients raise the question – ‘Are we still PCI compliant after June?’.

PCI compliance can be very ambiguous, with the PCI Council rarely commenting on specifics. This has led some actors to jump in and claim that they’ll look after clients wanting to stay on Magento 1, even though statements have been issued that Magento 1 stores will not be compliant after June. Fortunately, we’ve finally had some clarity on this.

What’s the TL;DR?

  1. Magento 1 stores are not PCI compliant after EOL in June.
  2. The ability to continue to take card payments is between you and your acquiring bank.
  3. If you get breached on M1 after June, you will face higher costs and a full PCI investigation.
  4. Sonassi have a low-cost option for moving to M2.
  5. Sonassi is able to host M1 and M2 stores on the same platform stack, and offer all the tools and services to remain as secure as you can possibly be.

What do the payment providers say?

VISA has issued an urgent appeal for all Magento 1 customers to upgrade before the EOL kicks in. They quote PCI DSS requirement 6.2, which clearly addresses this:

6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.

Mage One has tried to argue that they could potentially be a vendor, but their reasoning is not endorsed by any payment providers. As a store owner, you are liable for PCI compliance, and continuing on a system without official support from the original manufacturer (in this case Magento) is not something we would ever recommend.

There’s also an extra point to consider: keeping a Magento 2 store up to date isn’t just about Magento itself but also about the modules used to add functionality. Many modules are becoming deprecated as developers move on to their Magento 2 modules instead. Any module can be an entry point for an attacker, and as such it needs to be updated alongside the core Magento platform.

How risky is remaining on Magento 1 after EOL?

As the most popular ecommerce platform, Magento has always been an attractive target for criminals. Magento 1 websites make up 68% of the hacked sites on some scans.

Once the EOL occurs it will only become more of a target for criminals, who will be well aware that it is no longer actively supported. This is the very reason that Visa has identified Magento 1 as a risk to the industry, and why they will not accept Magento 1 websites as PCI compliant after June 2020.

What does it mean to not be compliant?

The UK Cards Association explains in its article on non-compliance that if your site is hacked due to not being compliant,

fines can range from ten to hundreds of thousands of pounds [and] Many non-compliant merchants have ceased trading because the fines could not be accommodated

If you are found in breach of PCI compliance (as is the case with unsupported software) and your store is hacked, the investigation goes from meeting the criteria for a ‘Lite’ investigation to a full PFI investigation. For this, store owners are expected to hire an external PCI forensic investigator at their own expense, which is both costly and hugely time-consuming.

And that’s if you can still take payments…

If the store owner is unable to cover the cost of the fines, their bank must then pick up the bill. Making the problem the bank’s problem could mean your bank contacts you and no longer offers the service. At this stage store owners are at risk of losing the ability to take payments, leaving the store effectively worthless.

The majority of payment providers develop their own module for integration between Magento and their endpoint. Because they develop it themselves, if they choose to update their API they can also update their module to keep the integration working. As the majority of their customers move to Magento 2, updating the module will become far less likely, leading to broken integrations in the future.

From our dealings with card issuers, some have taken action to contact their customers and say they will stop processing payments after June, but all we have spoken to are insisting that customers have a migration plan to move to Magento 2 imminently.

The bottom line

Sadly, there is no silver bullet here, and Magento’s end of life should mean just that. Those who continue to use it are gambling with their PCI compliance, and if caught, the costs could far exceed the cost of a new build. See this article showing that 60% of breached small businesses are out of business within 6 months of a breach.

What if I can’t upgrade in time?

We’ve seen a few hosts come out of the woodwork to proudly announce that they will continue to host Magento 1 sites after June, for a fee of course… At Sonassi we have always been Secure by Default™, and as such we will continue to look after customers on Magento 1 after June, at no extra fee.

We always recommend customers take our proactive store scanning services. For M1 stores these are even more relevant beyond June, as any vulnerability could result in a breach and a higher cost for the store owner.

We are very active within the Magento community and if we do see any patches, we will, of course, let our merchants know. We will also install any patches supplied to stores within our standard development costs (typically under £30 for a patch install).

Our advice, of course, is simple: we’re here to help. We work with many agencies who can accelerate the process of moving to Magento 2 whilst avoiding the huge costs; get in touch to find out more.