In this article we’ll help ease your mind and give you a temporary path forward on Magento 1 past June 2020. We’ll also go in depth on each important aspect so you can understand the risks and make plans to mitigate them.
In September of 2018, Magento announced that it would stop supporting Magento 1 at the end of June 2020.
As we roll into Q2 of 2020 there are still thousands of Magento stores running on Magento 1. If you’re one of them, chances are that you won’t be off Magento 1 before it reaches end of life.
You should. Your ability to convince your payment processor or merchant bank to let you continue charging credit cards could get a lot tougher starting in July. If you get breached, you could be in for a very painful ride and could even have your credit card processing suspended. But even if you just get a boilerplate email from your payment processor saying “FIX THIS” and there’s a checkbox next to “Magento – unsupported version”, you still could be facing fines and a lot of new administrative work trying to help them figure out whether this is ok.
So what’s the big deal?
The problem is that your company promised the Payment Card Industry (PCI) Council that you would stay compliant when you signed the agreement with your payment processor. That same Council puts requirements on the companies underwriting your credit card charging to make sure they are verifying your compliance as well. If they fail to do this, the PCI Council can fine them or suspend them too. It’s all an attempt to reduce fraud and push the liability for that fraud down the chain to the people who have control over the places where cards are accepted.
Under PCI DSS section 6.2, you are required to apply vendor-supplied patches within one month of release:
“6.2: Protect all system components and software from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.”
From the perspective of the PCI Council, and the people they certify to assess these things, you will fail this requirement come July. That’s because the “vendor” in this case – Adobe – will no longer be supplying patches. There are plenty of stats that show that a majority of breaches are the result of unpatched or unsupported software. So this isn’t one of the requirements on the list that will get glossed over. So any discussion about life on Magento 1 past June needs to take into account PCI compliance. That’s why we’ve done some deep research into this topic with our advisors RSI Security, a firm certified by the PCI Council to assess and advise companies on matters of compliance.
So what could happen to us?
Let’s start by exploring the worst case scenario. If you’re breached, and you are found to be responsible for thousands of compromised credit cards getting syphoned off to the bad guys, the fact that you’re on unsupported software could land you in hot water. Your payment processor would likely see you as negligent and would require you to hire a Qualified Security Assessor to do a full audit of your situation. And that’s not cheap. On top of that you could face a fine for every card that was compromised – usually adding up to tens of thousands of dollars. They could even go so far as to require an expensive “PCI forensic investigation” to get crystal clear on how the hackers got in and what you’ll have to do to plug it. We were contacted by a merchant in 2019 that was in that situation and had to stop accepting orders on their store until they satisfied all of the security changes recommended by their assessor. They were down for months and in the end were forced to replatform to get going again. The costs were huge.
However, the more likely scenario is that you’ll be forced to answer to your payment processor after one of their periodic scans finds that your site is running on unsupported software. In this case you’ll likely start paying a monthly fine, but you could end up in a situation where you’re having to submit documentation to convince them that you’re still safe enough to be handling credit cards. That process could lead you to have to make changes too. And if you’re not prepared you may have to pay your agency or a third party security firm to pull together all of the documentation being requested and go through many rounds of emails and phone calls to get clear of it.
So the bottom line is this: if you’re still running on Magento 1 come July, and do nothing to prepare, you could be putting your business in jeopardy.
So what can I do? Are there any magic bullets?
Fortunately there are things you can do to dramatically reduce your risk and pass a compliance review. But I think it’s important to point out that it’s unlikely that any ONE tactic by itself is likely to satisfy your payment processor or the PCI Council come July. Let’s explore these.
This organization out of Germany is going to pick up where Magento and Adobe are leaving off. They’re going to offer a bounty program for security experts to find vulnerabilities and then they’re going to write the patches necessary to plug them. They’re also going to work on making sure Magento 1 will work on new versions of PHP, MySQL and Apache as those pieces continue to upgrade and may reach end of life for versions Magento 1 was written for. This is great – and we’re grateful that someone is taking this challenge on. But the question is how will this be perceived by your payment processor or assessor? These patches will not qualify as “vendor-supplied patches” as required by Section 6.2 of the PCI DSS, so while they would certainly help bolster the case that you’re taking extra steps to keep your unsupported software safe, it’s unlikely that just subscribing to the service without any other planning or security would be seen as enough.
Magento 1 Hosting Plans?
Some hosting companies have come out with packages to support Magento 1 past end of life. These plans typically have additional security features in place that will not only reduce the risk of a breach dramatically, but will also make any PCI assessor feel warm and fuzzy. These include a bunch of three letter acronyms like WAF, CSP and FIM that security folks will recognize and that do a lot to reduce the places the bad guys can get in or the mechanisms to detect them if they do. So can you just sign up for that hosting and consider yourself compliant? Unfortunately no. It’s unlikely that just being on that hosting package alone will satisfy your payment processor or assessor. It’s without a doubt the most efficient way to get some of the most important security pieces recommended by our PCI compliance advisors over at RSI Security, but all by itself it’s not enough.
Hosted Payment Pages or Fields?
Some have asked “can’t I just make sure that someone else like PayPal is transmitting the credit card details and take my website completely out of scope?” This is a great question. Services like Braintree’s Hosted Fields or Authorize.net Accept.js make it so that your customers’ credit card details never actually flow through your website and web servers. Surely that would take care of any concerns on the part of your payment processor or assessor right? Well surprise – the answer once again is no. Why not? The reason is that while these services can reduce your scope, and reduce your risk, they absolutely do NOT remove your website from scope. That’s because a bad actor with access to your website could still skim credit cards from iframe hosted pages or fields, or they could change the redirect to a very convincing clone of the original payment page that still submits the payment to your processor while also stealing the card details for themselves. The PCI Council has even offered to let you answer less questions in your self assessment questionnaire if you take the steps to implement some of the features, because it will reduce your overall risk. But by themselves these tactics with payment pages or hosted fields won’t be enough to help you pass a compliance review.
So if there are no magic bullets what should I do?
If you only remember two words from this post, make it these two:
Imagine if the payment card industry decided not to let anyone charge cards that can’t meet every single one of the requirements they lay out. There would be a LOT less people accepting credit cards, which is worse for their business than fraud. So how do they deal with this? They allow for merchants to “make up” for any requirements that they can’t satisfy by finding something equivalent and ideally doing even more. Here’s what the PCI Council has to say about it:
“Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls. Compensating controls must:
1) Meet the intent and rigor of the original stated PCI DSS requirement;
2) Provide a similar level of defense as the original PCI DSS requirement;
3) Be “above and beyond” other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and
4) Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement.”
But here’s a very important thing to grasp: once you’re forced to present compensating controls to make up for the fact that you can’t satisfy PCI DSS section 6.2, you’re now at the whim of someone’s opinion to determine if you’re doing enough. If betting your business on someone else’s opinion sounds scary – it should!
And that’s why Webscale’s CTO Jay Smith and I partnered up with RSI Security’s Managing Director John Shin – a very experienced certified PCI assessor – to get some concrete recommendations for what compensating controls he would want to see in place in order to give a Magento 1 merchant a passing grade after June.
Ok, get to the recommendations already!
There are 4 major pieces you can put in place that will make a rock solid case to your payment processor or assessor that you have enough compensating controls in place to make up for running on Magento 1 past June 2020:
1) Added Web Security
2) Added Scanning
3) Added Monitoring
4) Added Planning
1. Added Web Security
For a complete checklist of security features, scanning recommendations, monitoring tactics and planning procedures CLICK HERE.
2. Added Scanning
Your payment processor is likely already working with an Approved Scanning Vendor (ASV) to scan you quarterly. But if you can step up that vulnerability scanning to say, monthly, that will make a really good case for you “doing more” to make up for being stuck on an end-of-life software platform. Some of the hosting packages available are offering this added vulnerability scanning as well.
3. Added Monitoring
This one is very important, and will carry a lot of weight as you plead your case. Where added web security and scanning try to keep the bad actors out, you should get additional monitoring to make sure you can detect it if someone managed to hack their way in.
The main reason hackers attach web stores is to be able to skim credit cards. So when bad actors get access to a store their next move is going to be to install some kind of card skimming code. This can either be done by changing a file on your server, or by adding some code through your Magento admin that will live in your database. If you have a file integrity monitor in place, you can log all changes to files and make sure they match your team’s code deploys. If you have a database activity monitor in place that’s tuned to Magento, you’ll log all content changes made through the Magento admin and saved in the database that could be adding card skimming code to your website without your knowledge.
But once again these features aren’t enough by themselves. That’s because it does you no good to have these logs somewhere if no one is watching the alerts they throw off proactively and if there’s no plan to take action depending on different scenarios. It’s like having a security camera and alarm system installed in a jewelry store but having no security guard ready to take action if there’s an intrusion. Without a plan with responsibilities and response times laid out, the monitoring is almost pointless.
4. Added Planning
The final piece is to translate all of your security, scanning and monitoring into a plan that will satisfy your obligations to demonstrate compensating controls. The plan should detail out WHO will be responsible for maintenance and implementation of the extra security measures, and WHEN the extra scanning will take place, and WHO will be responsible for monitoring and WHEN they’ll take action. The planning phase should also be responsible for documenting all of these pieces so you’re ready to hand it over come July. Just put yourself in the shoes of your payment processor or assessor. If they reach out to you to say “please address this issue” and they get a response in return that says “we’re aware of the issue with Magento 1, and while we have not yet been able to upgrade or replatform due to business reasons, we have planned ahead to take the following precautions that we believe keep us safe and within the spirit of the PCI guidelines…” Having those documents ready doesn’t have to be a huge undertaking, but a little time planning and implementing all this before July will be like an insurance policy against the inevitable conversation about end of life that’s sure to come.
So there you have it. Line up those 4 “extras” and according to our PCI compliance expert you should be able to buy yourself some breathing room past June. I’d recommend a simple document that specifies each of the additional pieces, who is managing them, and what the response times and responsibilities are of those involved. I’ve put together a template and checklist you can use as a starting point:
Support From The Community
One of the greatest parts about Magento is the community. Here are some of the companies stepping up to the plate to help Magento 1 merchants past EOL
Webscale has done a great job of delivering all of the security features listed above to make the work of preparing for compliance past June much easier. Their Magento 1 plan is among the most feature rich that we’ve seen from a security standpoint, checking most of the boxes on our list.
Mage One is an integral part for merchants staying on Magento 1 past EOL. They will offer permanent, competent support for merchants who want to continue using Magento 1. They will do this by “perform(ing) security checks of the existing Magento 1 source code and also offer prize money to security experts and developers who identify security vulnerabilities on their own responsibility and help us fix them.”
The team behind Sansec have been at the forefront of Magento security for many years. Their MageReport tool has been used 18 million times by members of the Magento community to scan for known vulnerabilities and the presence of Magento patches. With over a decade experience as a Magento web hosting company, these guys have seen it all, and have been working behind the scenes for many years to help merchants protect themselves. Their eComscan can really help with compensating controls, since it’s both proactive vulnerability scanning as well as reactive monitoring to make sure merchants are alerted the moment a breach is detected.
OneStepCheckout has been leading the charge in the Magento ecosystem since 2010, especially with best practices on how a streamlined checkout reduces cart abandonment and boosts sales conversion. With their vast amount of active Magento 1 installs, (~20,000), they’ve committed to supporting the old platform for as long as their customers need it, and have taken extra steps by partnering with Mage One so as to ensure that any security patches that impact checkout are supported by their extension. No one will be left behind.
Nexcess is stepping up to the plate by offering an affordable Safe Harbor Hosting hosting offer. They help aid the compensating controls argument by providing malware scans, threat protection, staging environments, and Magento patches.
JetRails has really stepped up for the Magento community with their thought leadership including their JetRails Podcast. JetRails is also stepping up for Magento 1 merchants by providing an end of life hosting option.
Klaviyo will continue to support M1 users for the foreseeable future. We do not expect anything to change. If Magento discontinues their partner marketplace for M1 extensions, Klaviyo will work individually with M1 customers to make sure they get the support they need.
As an integration platform, nChannel will continue to support connecting Magento 1 to other critical systems like your ERP, POS, or 3PL providers to automate business processes like order fulfillment and inventory synchronization. When merchants are ready to upgrade from Magento 1, nChannel can support integrations for Magento 2 or other popular eCommerce platforms like Shopify and BigCommerce.
Karen Baker of ShipperHQ continues to step up and be a voice for ecommerce merchants. Most recently she helped lead the creation of Offline2On which not only helps offline merchants get online quickly, but can also help smaller merchants stuck on Magento 1 get free help improving their store. ShipperHQ will continue to support merchants staying put on M1 and offer our solution as a way for M1 merchants to get accurate shipping rates, customize the checkout experience and control their complex shipping needs.
As one of the first and most stable PWA platforms, Vue Storefront continues to support many Magento 1 merchants. They have pledged to continue supporting M1 merchants who may want to focus on getting a PWA going before they upgrade.
Klevu is commitmented to supporting M1 users who choose to continue to use the platform. In the event that the Magento Marketplace is discontinued and downloading our extension is no longer available, Klevu is here to provide guidance for M1 merchants on alternative ways to integrate our tool.
More Specifics From a Certified PCI Assessor and a Website Security Expert
Together with our partners Webscale, we recently hosted a panel discussion with John Shin, a Qualified Security Assessor (QSA) certified by the PCI council. John is the managing director of RSI Security, and his firm specializes in advising both merchants and the payment providers about matters of compliance and payment security. More importantly, John and the other QSAs in his organization are the very people whose opinions would likely decide the fate of your business if you had a breach or an audit past June 2020.
Jay Smith – founder and CTO of Webscale, also discusses the nature of security on Magento and the arsenal of security features that need to be in place to make sure a website fends off hackers looking to syphon credit cards.
Hear us discuss specific examples of business impacts the panel have witnessed first hand along with the specific recommendations to get a passing grade from a PCI QSA if you’re on Magento 1 past June 2020.
Joe is the CEO of Best Worlds. Joe is an entrepreneur and engineer with 21 years of ecommerce experience. His passion started back in the late nineties when his division of Yahoo was hosting giants like the FIFA World Cup store. As the founder and CEO of Best Worlds, he has spent the last 15 years helping merchants optimize and grow. Best Worlds has been working with Magento since 2009, and has worked with over 100 different merchants, many of whom were acquired after double or triple digit growth. More recently Joe and his team at Best Worlds have been helping merchants migrate to the right platform, many to Magento 2, but others to BigCommerce, Shopify and WooCommerce when Magento wasn’t the right fit.