Businesses using Magento 1 have a decision to make before June. Here are the options and the Magento PCI compliance implications to be aware of.
First released to the public in 2007, Magento has become the world’s single most popular e-commerce CMS platform over the course of 13 years. In fact, it is estimated that Magento is responsible for powering between 25% and 30% of all e-commerce sites on the web.
The ‘Community Edition’, or ‘Magento Open Source’, has been updated and upgraded regularly over the years, ensuring the latest functionality and security features for users. This was the case until version 1.9.3 – the last update to Magento’s ‘version one’ branch.
In November 2015 Magento 2 was released and, while many e-commerce businesses have already migrated over, there remain a large number of organisations on the trusty old version. For the past five years this hasn’t been a significant problem. Despite the arrival of its successor, ongoing support has still been available in the form of patches and vulnerability updates.
Now, however, the end of Magento 1 support is imminent, and merchants must decide what their next steps will be.
Magento 2 takes what made Magento 1 great and delivers all this and more, promising greater functionality and security. It is a completely new branch of the Magento software – a rebuild of the entire platform from the ground up rather than simply an update or a patch.
This means that merchants currently using a version of Magento 1 will not be able to upgrade their system to Magento 2 simply by applying a patch or performing an upgrade. Instead, websites will need to be rebuilt entirely.
When Magento 2 was released in 2015, it was originally announced that support for the first version of the platform would end in November 2018. However, the creators of the platform soon realised that the sheer number of v.1 sites around the world meant that there were simply not enough Magento developers to meet the demand for rebuilds by that ambitious cut-off date.
As such, much to the delight of the many panicked merchants, this date was revoked in May 2017. Patches would still be available to ensure that Magento 1 remained up to date for users.
However, a new cut-off date has been announced for 30th June 2020.
Magento will not support either Enterprise Edition or Community Edition customers on its v.1 platform after this date. The only support available to users will come from within the community but, importantly, this does not constitute official support.
If your business is currently using a Magento 1 site, you will need to consider your options. To put it simply, anyone staying on Magento 1 is likely to become more vulnerable after this date. If a vulnerability is identified from 1st July onwards, an official patch will not be made available, so you will be at a far greater risk of a data breach, putting both your business and your customers at risk.
This lack of support has a domino effect, and the clearest impact will be felt in online transactions made through Magento 1 sites. E-commerce stores are still held to the same card industry requirements as physical retailers, and card companies such as Visa and Mastercard will not consider merchants trading with outdated programs to be taking suitable measures to protect information security.
This creates a PCI compliance issue which businesses will need to consider.
There are several options for businesses currently trading on Magento 1. These are:
There is always the option to stay on Magento 1 and forgo migrating. In fact, you may find that your website continues to function as normal for months or even years. However, choosing this route will almost certainly leave you more vulnerable to data breaches over time. What’s more, if you accept credit card payments, you won’t be considered PCI DSS compliant no matter how secure you consider your website to be.
If you want further support but don’t want to migrate, there are many alternatives being offered by third party companies. A quick search on Google reveals a range of malware detection, patching and protection offerings for Magento 1 merchants. However, it is crucial to state that you will not be able to achieve PCI DSS compliance by opting for this route.
Migrating is the most secure option for businesses in the long-term. By migrating to Magento 2, businesses will be able to access software support and benefit from regular patches and updates. Migrating to Magento 2 will also keep your business in line with best practice, making it possible to achieve PCI DSS compliance.
Of course, you don’t have to stick to Magento when migrating. Choosing to migrate away from Magento to a new platform altogether is another viable option for e-commerce stores. But in order to remain PCI DSS compliant it is important to ensure that any new platform features continued support from the software developers.
No matter what avenue you’re considering for your business’s e-commerce platform, seeking out support and advice from security experts will help you weigh up the pros and cons of each option. While a lack of action doesn’t necessarily mean an immediate increase in vulnerability, it does expose a business to instant non-compliance with the Payment Card Industry Data Security Standard (PCI DSS).
At SRM, our team of qualified security assessors (QSAs) can work with your organisation to choose the best solution for your business in line with PCI requirements, with minimal fuss.
Make your move a smooth one with help from our expert team. Call us today on 03450 21 21 51 or fill out our contact form.