Magento 1 End-Of-Life: Are You Still PCI Compliant?

Uncertainty and confusion surround the PCI compliance status of Magento 1 once June 2020’s support deadline passes in just a few days. Are you still PCI compliant if you stay on Magento 1? How can you protect your Magento 1 website in the event of a breach? Take a read to find out more.

What do the payment providers say?

Several major players in the payment gateway sector, including PayPal, Klarna and, possibly most significantly, VISA, have recently released statements on the topic. These appear to state that anyone still on Magento 1 past the EOL date for the 12 year-old platform won’t be PCI compliant, and will therefore leave themselves open for huge fines and potential legal action in the event their site is breached.

Running counter to this is Mage One’s insistence that their solution will continue allowing for PCI compliance, and other parties, such as OpenMage, look to continue building on the open source platform. There are also countless bespoke and open source platforms out there which continue to support PCI guidelines. So surely, Magento 1 should still be able to protect customer’s payment information and provide a secure and safe shopping environment?

Let’s look at the statements

Unfortunately, as with many issues of compliance and regulatory guidelines, the answer isn’t quite that simple. The contention around the PCI question on Magento 1 seems to be focused on a handful of statements which form part of the official PCI DSS documentation, namely:

Requirement 6: Develop and maintain secure systems and applications:

6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.

6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.

If the platform vendor ceases to issue patches for their platform, then, by the letter of the PCI rules, compliance can’t be met. However, some maintainers of Magento 1 branches are claiming they inherit the status of vendor for Magento 1 in the event customers move to their branch of the platform.

How easy this might be, and what implications it has for development and customisation going forward is yet to be determined. But it should be noted that even Mage One have called for more clarity, particularly from VISA and PayPal.

Magento 1 end-of-life is here

In spite of hopes the global pandemic may delay things into 2021, Magento’s end of life is happening. Not only this, but Adobe have already published a timeline for the discontinuation of it’s Magento 1 Extension store, and even while writing this article, new and serious vulnerabilities are being exploited in these extensions.

The bottom line is that VISA, as one of the founding arbiters of the PCI DSS guidelines, will likely have the final say in the event of a breach which impacts their consumers. Having already very publicly stated they do not consider the platform compliant, the onus would lie heavily on retailers to prove they have taken every precaution possible to protect their customers from an attack.

PCI compliance is a complex and nuanced exercise. If you require guidance on your compliance status and how you can protect your Magento 1 website from a breach, contact Team Pinpoint. Alternatively, if you’re considering migrating your store from M1 to M2, we’re here to help you with the next steps.