Payment processors like Visa, Mastercard, and Adobe along with PayPal have already announced Magento 1.x End of Life and given warnings to all Magento 1.X merchants to perform Magento 1 to Magento 2 Migration as soon as possible. This is due to Magento has ended the life support for older versions. And there will be no foreseeable release of upgrades from the eCommerce giant. It also means that no security patches for stores running on any version of the Magento 1.X.
Now, we have crossed 30th June 2020 already, the official date of Magento 1.X EOL. Still, there are thousands of online eCommerce stores running on the said platform. We don’t have to elaborate on the multiple risks involved and what happens to your store if you continue to use Magento 1.X.
Still, if your website is running on Magento 1.X installation, then it becomes a prime target of hackers and spammers. Magecart is one of the hacking organizations, active since 2016. It has assaulted and hacked many eCommerce especially Magento stores running on older versions. They have stolen payment data of customers through the shopping carts of websites.
Magento 1.X EOL Update by Adobe
Magento launched a much-needed flagship platform Magento 2 in 2015. And with this launch, it was also announced that Magento 1.X will come to the end of support in Nov 2018. But many Magento store owners didn’t want to go through the hassle of transitioning to Magento 2 yet. The reason was quite obvious that they have to build and use a completely different platform. So, most Magento 1.X merchants stayed with the older version. So that they don’t have to develop already established stores from scratch and the potential downtime.
Later, Magento was acquired by Abode to integrate it with Adobe Enterprise Cloud. Then, many Magento 1.X retailers requested Adobe to extend the end of life. Adobe approved their request and extended it till the end of June 2020. And now, this end of the support timeline has also ended on 30th June.
In a recent Magento update, Adobe has also made aware that it won’t respond to any query related to the security of Magento 1 software after June 30th, 2020. So, Magento 1.X merchants have to take responsibility for resolving any issues arising after June 30th. And also have to stay compliant with PCI DSS guidelines. In the long run, it will be quite an impossible task for any retail merchant to take it into their hands. So, the only option Adobe indirectly indicates is to migrate to a stable version of Magento 2.
Warnings from Payment Processors
In the last week of June 2020, the payment processor Mastercard has also issued a notice indicating the potential security concerns over the subject. And it is not the only payment process to have done so. Before Mastercard, Visa and PayPal have already warned the Magento 1.X merchants about the potential risks involved if they stay on the platform after the end of support. And they have already sent out a notification asking Magento 1.X merchants to migrate before EOL.
In an advisory guide issued by the Visa includes the consequences of not migrating from Magento 1.X platform as listed below.
Similar consequences were also stated by PayPal in its official announcement. However, none of the announcements stats when they will stop supporting the platform. But they do stress on the subject to migrate to Magento 2 as early as possible to stay compliant with PCI DSS guidelines.
Mastercard’s Account Data Compromise (ADC) security breach investigation team found that web skimming and hacking incidents have grown in numbers in the past few years. And most of the incidents have taken place on the Magento websites running on the older version. Almost 77% of the companies investigated by the ADC team were in non-compliance with the PCI DSS’ requirement no. 6.
Therefore, Mastercard has also sent out notice similar to Visa’s and PayPal’s notifying Magento 1.X merchants to upgrade to the latest stable version of Magento 2. Migrating to the latest stable version of the Magento 2 is important to stay compliant with PCI DSS’ requirement no. 6.
What is PCI DSS Requirement no.6?
First, let’s understand what PCI DSS is. The PCI DSS (Payment Card Industry Data Security Standards) are standards set by the various payment processors. It aims to secure transactions made through the use of credit or debit cards against theft and fraud on online platforms. Complying with PCI DSS guidelines is the best way to build long-lasting relationships with customers by safeguarding their sensitive card data.
The requirement 6.1 and 6.2 of PCI DSS guidelines stats that all the system components of software should be upgraded to the latest vendor-supplied stable security patch within one month of launch to protect it from vulnerabilities.
The same thing is also stressed out particularly in Visa’s statement. It also adds that failing to do so will cause merchants to fall out of PCI DSS compliance. Hence, non-compliant with PCI DSS can result in fines ranging from $5,000 to $10,000 by payment processors per month. And if the data breach occurs, then you may have to pay bank reversal charges to your customer. This number is relatively small for one customer but turns into a huge number if you have a large customer database. Large organizations non-compliant with PCI DSS can have FTC audits from Governments, which is not a good thing at all.
Since the data breach occurs due to non-compliant with PCI DSS, your customers would not return to your store resulting in loss of customers and sales. Also, some customers may file a lawsuit against you since you failed your promise to keep their data safe. So many other things could happen to your business if your website is not compliant with PCI DSS.
But there is a way to come out of this mess and it is already suggested by Mastercard, Visa, PayPal, and Adobe. They all have stressed the subject to migrate to the latest stable version of Magento 2. Adobe has also given the final push back to Magento 1.X store owners with the last Magento 1.X upgrade and asked to Migrate to Magento 2.