As of now, many Magento merchants are choosing to stay on their Magento 1 stores despite their June 2020 official end of life date. Now that June has arrived, what can Magento 1 users expect to happen to their webstores in the coming months?
Security and PCI Compliance Failure
While your webstore will continue to work past June 2020, Adobe will officially no longer release security patches for Magento 1 users. Without these security updates for Magento from Adobe themselves, merchants are putting themselves at serious risk for failing to meet PCI compliance requirements.
PCI DSS Requirements 6.1 and 6.2 address the need to keep systems up to date with vendor-supplied security patches to protect them from known vulnerabilities. Merchants may also fail to get passing Approved Scanning Vendor (ASV) scans because they are unable to address security issues detected in their Magento 1 sites.
Recognizing this serious issue, third-party vendors like VISA and PayPal are putting pressure on merchants to migrate off of Magento 1. They recognize that sites on this framework are vulnerable to security breaches and pose an increased risk to payment card data. Payment processors can contact Magento 1 users directly to ensure they’re taking the proper steps to secure their websites.
If your Magento 1 site is breached, you could face serious consequences since you’re knowingly on unsupported software. This can lead to security audits, monthly fines and penalties, and even a credit card provider revoking your ability to accept payment online. By the end of it, you could be found responsible and owe tens of thousands of dollars. Both your customers and the viability of your business are at risk!
How to Protect Your Magento 1 Site Past June 2020
If you’re still on Magento 1 without any immediate plans to migrate off of it, there are fortunately still ways to protect your site in the short term through additional security measures.
Work with your Hosting Provider for Security Coverage
It’s imperative you work with your hosting provider to understand what measures are in place to protect your Magento 1 site past June 30, 2020. Some hosting providers like JetRails are preparing to provide additional security coverage like virtual firewalling, security scans, and site monitoring for Magento 1 sites.
(Note that vendors like Mage-One are also providing security patches, though these do not qualify as vendor-supplied patches as defined in the PCI DSS requirements.)
Review Your Site Extensions
Another vulnerable part of your site is your extensions. Some developers have already stopped supporting their extensions for Magento 1 instances. You should review your current extensions and remove any that are unnecessary or that will no longer be supported on Magento 1.
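A review like this starts with an accurate inventory of what is actually installed, which on Magento 1 is not always what the admin panel shows: an extension can be declared but have its code deleted, or be disabled while its code still ships with the site. The script below is an added example and is not code from the original article or from any vendor it mentions. It assumes only the standard Magento 1 layout, in which each extension is declared in app/etc/modules/<Name>.xml with an <active> flag and a <codePool> (core, community or local) and its code lives under app/code/<codePool>/<Vendor>/<Module>/. The sample install it builds in a temporary directory, and the module names Acme_Reviews, Oldco_Slider and Acme_Legacy, are constructed for the demonstration.

```python
"""Inventory Magento 1 extensions from their app/etc/modules/*.xml declarations.

Added example (not from the article). Assumes the standard Magento 1 layout:
a declaration file <config><modules><Vendor_Module><active>true|false</active>
<codePool>core|community|local</codePool></Vendor_Module></modules></config>
and extension code under app/code/<codePool>/<Vendor>/<Module>/.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ModuleInfo:
    name: str           # e.g. "Vendor_Module"
    active: bool        # <active>true</active>
    code_pool: str      # core, community or local
    declared_in: str    # declaration file name
    code_present: bool  # does app/code/<pool>/<Vendor>/<Module> exist?


def parse_declaration(path: str, root_dir: str) -> List[ModuleInfo]:
    """Parse one app/etc/modules/*.xml file into ModuleInfo records."""
    modules = ET.parse(path).getroot().find("modules")
    found: List[ModuleInfo] = []
    if modules is None:
        return found
    for node in modules:
        active = node.findtext("active", "false").strip().lower() == "true"
        pool = node.findtext("codePool", "").strip()
        vendor, _, module = node.tag.partition("_")
        code_dir = os.path.join(root_dir, "app", "code", pool, vendor, module)
        found.append(ModuleInfo(node.tag, active, pool,
                                os.path.basename(path), os.path.isdir(code_dir)))
    return found


def inventory(root_dir: str) -> Dict[str, ModuleInfo]:
    """Collect every declared module in a Magento 1 install rooted at root_dir."""
    decl_dir = os.path.join(root_dir, "app", "etc", "modules")
    result: Dict[str, ModuleInfo] = {}
    for fname in sorted(os.listdir(decl_dir)):
        if fname.endswith(".xml"):
            for mod in parse_declaration(os.path.join(decl_dir, fname), root_dir):
                result[mod.name] = mod
    return result


def review(modules: Dict[str, ModuleInfo]) -> Dict[str, List[str]]:
    """Sort the inventory into the buckets a reviewer acts on.

    third_party_active:    non-core extensions still running; check vendor support.
    active_missing_code:   declared active but code removed; delete the stale XML.
    disabled_code_present: disabled but code still shipped; remove the dead code.
    """
    buckets: Dict[str, List[str]] = {
        "third_party_active": [], "active_missing_code": [], "disabled_code_present": []}
    for mod in modules.values():
        if mod.active and not mod.code_present:
            buckets["active_missing_code"].append(mod.name)
        elif not mod.active and mod.code_present:
            buckets["disabled_code_present"].append(mod.name)
        elif mod.active and mod.code_pool != "core":
            buckets["third_party_active"].append(mod.name)
    return buckets


# Constructed sample install: one core module, one healthy third-party extension,
# one orphaned declaration, and one disabled extension whose code remains.
def _decl(name: str, active: str, pool: str) -> str:
    return ('<?xml version="1.0"?>\n<config><modules><%s><active>%s</active>'
            '<codePool>%s</codePool></%s></modules></config>\n' % (name, active, pool, name))


SAMPLE_DECLARATIONS = {
    "Mage_Catalog.xml": _decl("Mage_Catalog", "true", "core"),
    "Acme_Reviews.xml": _decl("Acme_Reviews", "true", "community"),
    "Oldco_Slider.xml": _decl("Oldco_Slider", "true", "community"),   # code deleted
    "Acme_Legacy.xml": _decl("Acme_Legacy", "false", "local"),        # disabled, code kept
}
SAMPLE_CODE_DIRS = ["core/Mage/Catalog", "community/Acme/Reviews", "local/Acme/Legacy"]


def build_sample_install() -> str:
    """Write the constructed declarations and code directories to a temp dir."""
    root = tempfile.mkdtemp(prefix="m1_sample_")
    os.makedirs(os.path.join(root, "app", "etc", "modules"))
    for fname, body in SAMPLE_DECLARATIONS.items():
        with open(os.path.join(root, "app", "etc", "modules", fname), "w", encoding="utf-8") as fh:
            fh.write(body)
    for rel in SAMPLE_CODE_DIRS:
        os.makedirs(os.path.join(root, "app", "code", *rel.split("/")))
    return root


def demo() -> Dict[str, List[str]]:
    """Run the review over the constructed sample install."""
    return review(inventory(build_sample_install()))


if __name__ == "__main__":
    for bucket, names in demo().items():
        print("%-22s %s" % (bucket + ":", ", ".join(names) or "-"))
```

Against a real site, call `review(inventory("/path/to/magento"))` instead of `demo()`. The third_party_active list is the one to take to each vendor's support page; the other two buckets are cleanup items that reduce the code footprint an attacker can reach without changing what the store does.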
Perform a Security Audit
If you haven’t done so already, you should perform a security audit to assess the current state of your site’s security. In general, this is best practice for maintaining your site and proactively searching for vulnerabilities.
Prepare a Security Compensating Controls Plan
In the meantime, merchants can also prepare a Compensating Controls plan. Payment processors understand that come June 30, 2020, many Magento 1 users will be in a sticky situation for meeting PCI compliance requirements. To deal with this, payment processors can allow for merchants to “make up” for any requirements they can’t satisfy by putting in an alternative measure that is equivalent or even better.
This is referred to as a Compensating Controls plan. It shows that a merchant has sufficiently mitigated the risk associated with the unmet requirement through implementation of other controls. In other words, you must demonstrate that your alternative security measures are “as good or even better” than the level of defense the original PCI DSS requirement provides.
If you’re asked to present a Compensating Controls plan to a payment processor, be aware that it’s now someone’s opinion on whether you’re doing enough to meet PCI compliance! It’s important then that your plan thoroughly demonstrates your alternative security measures.
To navigate this difficult situation, we recommend reading the full explanation from the eCommerce agency Best Worlds. They collaborated with a certified PCI assessor to create a recommended Compensating Controls checklist document for Magento 1 users that you can review there.
Migrating Off of Magento 1
We want to be clear that the efforts above are only to buy you more time in the short term to plan your migration off of Magento 1. The reality is that Magento 1 is aged software and eventually even these alternative security measures won’t be enough.
Merchants should be forming plans to move off Magento 1 as soon as possible and migrate to new eCommerce software whether it’s Magento 2, Shopify Plus, BigCommerce, or another platform of your choice.
To aid your research, check out these helpful articles: