Per the official Magento End of Life announcement, all versions of Magento 1 will no longer be supported after June 30, 2020. As a result, Magento 1 eCommerce sites and webstores will no longer be fully PCI compliant under Visa's guidelines starting July 1st.
Visa's recent “Acquirer Advisory”, followed shortly by a statement from PayPal, put many merchants into a state of uncertainty and anxiety about their businesses. After all, when a company the size of PayPal demands “urgent actions” from any remaining Magento 1 merchants ahead of the platform's planned “End of Life” (EOL) this month, merchants on all versions of Magento take note.
Fortunately for these merchants, payments expert Jeff Kohl, SVP of Sales at APS Payments, and eCommerce expert TJ Gamble, CEO at Jamersan, spoke at length on the eCommerceAholic livestream about what this means for Magento 1 (M1) merchants and for the Magento community as a whole. We have provided video clip highlights from the livestream below.
Going forward, Magento will no longer provide security patches for Magento 1
Given the risks and possible penalties for non-compliance with Visa's guidelines, merchants who are currently on Magento 1 are encouraged to take immediate action to migrate to Magento 2 or another platform before June 30, 2020.
Consequences of not migrating, as stated by PayPal:
- Increased risk of data breaches, with possible damage to your brand and reputation.
- Becoming a security target without consistently updated security patches.
- Falling out of compliance with Payment Card Industry Data Security Standards (PCI DSS) and possibly suffering one of the many costs of PCI non-compliance.
1. What’s the problem with taking payments on a platform that is no longer supported?
PCI DSS Requirement 6.2, the rule Visa is enforcing here, boils down to: “If you’re using third party software, you need to maintain security patches in updates.”
PCI DSS Requirements 6.1 and 6.2 protect payment systems from known vulnerabilities by requiring merchants to identify newly disclosed vulnerabilities and to install vendor-supplied security patches (critical patches within one month of release). Merchants who are missing required patches may fail their PCI compliance validation.
Applied to the current situation with Magento, this means that once the vendor (Adobe, which owns Magento) stops issuing security patches for Magento 1, continuing to run Magento 1 without patches is a violation of Requirement 6.2 and therefore of Visa's rules.
Your eCommerce site or webstore will continue to work past June 2020, but Adobe will no longer be providing security patches for M1 (Magento 1). Without these critical updates, merchants who continue to process payments through M1 are putting themselves at serious risk and may fail to meet PCI compliance requirements. In addition, businesses may fail their Approved Scanning Vendor (ASV) scans if the scan detects security issues that the missing patches would have fixed.
2. What are security patches and why do I need them?
Visa is trying to reduce the risk of stolen credit card data by requiring every merchant that accepts cards to keep security patches current. This is an ongoing obligation for all software that cardholder data touches.
For every merchant with ample resources to secure cardholder data on its own, there are far more online shops that lack those resources or are on an unsupported platform. Without regular security patches, these merchants put their business and their customers at risk of data theft.
Security is always a concern in payment processing, but Magento 1 users now face a specific and acute problem. Attackers are likely to target Magento 1 shops precisely because newly discovered vulnerabilities will go unpatched.
Failing to protect cardholder data and maintain PCI compliance is a costly mistake for any merchant; breaches can result in significant fines. Imagine that 100 customers come through your store after July 1st and all of their card data is stolen. You could be fined for every one of those cardholders, potentially running to millions of dollars in fines and damages.
3. Why do acquirers like PayPal care about merchant PCI Compliance?
Acquirers can also be fined significantly if the merchants they board do not maintain data security standards. Above all, acquirers do not want to lose their ability to acquire. When PayPal sent out that memo, it was both informing its merchants how to get off the Magento 1 platform and protecting itself.
4. Would a merchant on an early version of M2 be as at risk as an M1 merchant?
No, as long as the security patches are kept up to date. Note that Magento 2.2 has also reached end of life, so merchants on a 2.2 release will no longer receive security patches either and will have to upgrade to Magento 2.3.
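The first thing a merchant needs to know is which release branch the store actually runs, and whether that branch is still receiving vendor patches. The following script is an added example (not code from the article, from Adobe or from APS Payments) that reads the version from the two places Magento records it, the getVersionInfo() array in app/Mage.php for Magento 1 and the version field of the project composer.json for Magento 2, and flags whether the branch is past its end-of-support date. The file excerpts are constructed samples, and the EOL_DATES table is an assumption based on the dates in this article and Adobe's announcements; keep it current with Adobe's lifecycle notices.

```python
import json
import re
from datetime import date

# Constructed excerpt of Magento 1's app/Mage.php getVersionInfo() (a made-up sample, not a real store's file).
M1_MAGE_PHP = """
    public static function getVersionInfo()
    {
        return array(
            'major'     => '1',
            'minor'     => '9',
            'revision'  => '4',
            'patch'     => '5',
            'stability' => '',
            'number'    => '',
        );
    }
"""

# Constructed Magento 2 project root composer.json (again a made-up sample).
M2_COMPOSER_JSON = '{"name": "magento/project-community-edition", "version": "2.2.11", "require": {}}'

# End-of-support dates per release branch (assumption: Magento 1 per the EOL announcement
# cited in the article, 2.2 per Adobe's announced date). Branches not listed are treated
# as still supported, so this table must be kept current with Adobe's lifecycle notices.
EOL_DATES = {"1": date(2020, 6, 30), "2.2": date(2019, 12, 31)}


def parse_m1_version(mage_php: str) -> str:
    """Extract a dotted version such as '1.9.4.5' from the getVersionInfo() array in app/Mage.php."""
    fields = dict(re.findall(r"'(major|minor|revision|patch)'\s*=>\s*'(\d+)'", mage_php))
    missing = {"major", "minor", "revision", "patch"} - fields.keys()
    if missing:
        raise ValueError(f"could not read version fields {sorted(missing)} from Mage.php")
    return ".".join(fields[k] for k in ("major", "minor", "revision", "patch"))


def parse_m2_version(composer_json: str) -> str:
    """Read the 'version' field from a Magento 2 project's composer.json."""
    data = json.loads(composer_json)
    version = data.get("version")
    if not isinstance(version, str) or not re.fullmatch(r"\d+(\.\d+)+", version):
        raise ValueError("composer.json has no usable 'version' field; check composer.lock instead")
    return version


def eol_status(version: str, today: str) -> tuple:
    """Return (branch, eol_date_iso_or_None, unsupported) for a version string as of an ISO date.

    Every 1.x release belongs to the single Magento 1 branch; Magento 2 is tracked per minor (2.2, 2.3, ...).
    """
    parts = version.split(".")
    branch = "1" if parts[0] == "1" else ".".join(parts[:2])
    eol = EOL_DATES.get(branch)
    if eol is None:
        return branch, None, False
    return branch, eol.isoformat(), date.fromisoformat(today) > eol


def check_install(mage_php: str = None, composer_json: str = None, today: str = "2020-07-01") -> dict:
    """Classify an installation from whichever version source is available (Mage.php takes precedence)."""
    if mage_php is not None:
        platform, version = "Magento 1", parse_m1_version(mage_php)
    elif composer_json is not None:
        platform, version = "Magento 2", parse_m2_version(composer_json)
    else:
        raise ValueError("need either app/Mage.php or composer.json contents")
    branch, eol, unsupported = eol_status(version, today)
    return {"platform": platform, "version": version, "branch": branch, "eol": eol, "unsupported": unsupported}


if __name__ == "__main__":
    for result in (check_install(mage_php=M1_MAGE_PHP), check_install(composer_json=M2_COMPOSER_JSON)):
        state = "UNSUPPORTED: no vendor patches" if result["unsupported"] else "supported"
        print(f'{result["platform"]} {result["version"]} (branch {result["branch"]}, EOL {result["eol"]}): {state}')
```

On a real server, read app/Mage.php from the Magento 1 document root or composer.json from the Magento 2 project root and pass the contents to check_install(); an "unsupported" result is exactly the situation the Visa advisory describes, where Requirement 6.2 can no longer be met with vendor patches.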
5. When do these patches need to be installed?
PCI DSS Requirement 6.2 expects critical security patches to be installed within one month of release, and other applicable security patches within a reasonable timeframe. For Magento 1 the question becomes moot after June 30, 2020: there will be no new vendor patches to install, which is the heart of the problem.
6. What options are there for customers who cannot migrate?
Your best bet is to reach out to Magento/Adobe directly and contact your customer success manager immediately to assess your options and next steps.
Some companies have taken up maintaining security patches for Magento 1 independently. How long they will be able to continue that service cannot be guaranteed, nor can it be guaranteed that Visa will accept those patches as satisfying its rule.
We reached out to VISA about this and their representative gave us this response:
“In PCI DSS Req 6.2, the requirement is about applying vendor-supplied patches. Adobe, who has already extended the end-of-support date once and now has discontinued support, owns Magento and should be the vendor in this case.
If a third-party has developed the security patch, Visa is not able to determine whether the patch is acceptable. It would have to be assessed by the entity’s assessor to validate that the intent of Req. 6.1 and 6.2 have been met, including, for example, how reliable the third-party patches are and whether they actually protect the implementation from all the known vulnerabilities.
As such, Visa strongly recommends migrating away from Magento 1 as this version has been known to have many critical vulnerabilities. Due to COVID-19, there’s been an uptake in eCommerce activities, this then makes it more important to patch and update in a timely manner and not wait until the last second. Furthermore, acquirers whose merchant is involved in a data compromise event and is not compliant with PCI DSS security requirements at the time of the breach, will be subject to non-compliance assessments.”
7. Can a merchant install patches as a “do-it-yourself” option?
Yes, but again, your DIY solution only meets the requirements, and is therefore compliant with Visa's rules, insofar as it has been assessed by your assessor to validate that the intent of Requirements 6.1 and 6.2 has been met.
Are you installing them within one month? Are you using a hosted form? If so, it seems likely that you're meeting the requirements, but ultimately Visa is the arbiter. You are exposed to liability and risk for the whole period from July 1st until your assessor completes the assessment and declares you compliant or not; if a breach occurs during that time, your business is at risk.
8. What about custom software?
Even with custom software, you still have to adhere to Visa's requirements for securing card data: the patching obligation applies to every component that touches cardholder data, whether you wrote it or bought it.
9. I heard you can pay to opt out of IP scans (the ASV vulnerability scans)… is that true?
No. You should never opt out of security scans.
Some payment processing firms may let you skip the scans, but the scans exist to expose vulnerabilities in your system. They protect you, the processor, and your customers.
You want to protect your business and your customers' card data. Be very hesitant to work with a processor that is trying to skip steps when it comes to the safety of your customers' credit card data, your potential liabilities and vulnerabilities, and your ability to accept credit cards and online payments.
10. I've never seen any merchant fined for non-compliance. How common is it for a merchant to be fined?
Firstly, merchants who suspect or confirm a compromise involving payments data must adhere to the requirements outlined in Visa’s What To Do If Compromised guide.
Unless the breach is widespread, it is not common for merchants to be penalized for very small breaches. There will be an investigation, and when a significant breach is discovered the merchant can be required to foot the bill.
Realistically, Visa cares about its customers and their clients' card data, so if a merchant is completely negligent and the breach or vulnerability is widespread, Visa will hold the merchant fully accountable. However, it is unlikely that Visa or anyone else will publicize it. Whether or not you see other merchants being fined for non-compliance, you should be doing your best to reduce your risk exposure.
Ultimately, it is imperative for merchants currently on Magento 1 to contact their customer success manager immediately to make sure that Magento is engaged, understands the merchant's migration timelines, and is able to provide assistance where possible.
With COVID-19 ongoing, this is a great time and opportunity to rethink your entire business. Not only your website and payment integration but also your warehouse management, Accounts Receivable, supply chains, and all the different software possibilities you could be employing.
If you are migrating anyway, why not use this time to evaluate the systems you are using (and not using) and look for areas of improvement? You can greatly improve your business while making sure that any new solutions integrate with your current systems for data flow, are automated for streamlined workflows, and make it easy for customers to pay and receive their products.
APS Payments Can Support Your Migration to Magento 2 for Payments
If you are an M1 merchant and haven’t already started planning a re-platform to Magento 2 or an alternative, you need to start now. APS Payments is a Magento Technology Partner with a flexible and robust Magento eCommerce payment processing integration. We are also an omni-channel, all-in-one processor trusted by thousands of merchants daily to process payments. Leveraging our industry expertise, we help with B2C and B2B payments to allow businesses to reduce risks, improve workflows, and save money. The Magento eCommerce credit card integration is simple and free with the APS Payments Extension for Magento.
The APS Payments integration allows users to work within Magento to avoid manual entry, and provides the following benefits:
- Tokenized credit card data via a hosted form embedded in a secure iFrame, so card numbers never touch your Magento server
- Daily, automatic batch reporting
- Level 3 Processing for B2B transactions
- Multi-store and multi-currency capabilities
- Ability to manage customer payment profiles from within Magento
- APS Payments on checkout page
- iFrame CSS support
- No installation, maintenance, or setup fees
- ERP payments integration with eCommerce
- 24/7 live support
Watch our Magento 2 Demo to learn more:
APS Payments is dedicated to sharing our Magento eco-system payments knowledge to help the community grow. Although we are sad to not see many of the familiar faces at Magento Imagine this year, we do look forward to connecting with you online.