Visa is urging merchants to upgrade Magento 1 ecommerce websites to 2.x before the end of June 2020, the date when Magento ends support.
Magento originally announced the release of Magento 2 in November 2015. At that time, Magento informed merchants and developers that Magento 1 would reach end of life in November 2018.
However, this date was revised to June 2020 to allow merchants and developers more time to move to Magento 2.
“Given the absence of security patches after the revised cut-off date, any sites that have failed to migrate will be vulnerable to security breaches and pose an increased risk to the security of payment card data,” Visa said in the advisory.
PCI-DSS compliance
Visa warned that failure to migrate Magento 1 ecommerce websites will result in merchants falling out of compliance with the Payment Card Industry Data Security Standard (PCI DSS).
PCI-DSS is the information security standard for organizations that handle branded credit cards from the major card networks. PCI-DSS further sets the operational and technical requirements for accepting and processing payment transactions.
More specifically, PCI DSS Requirements 6.1 and 6.2 establish the need to keep systems patched against known vulnerabilities. Since no vendor patches for Magento 1 will be available after June 2020, merchants who fail to upgrade their Magento 1 ecommerce websites will no longer be able to meet these requirements and will fall out of PCI DSS compliance.
The PCI-DSS 3.2.1 (Requirement 6) states the following requirements for developing and maintaining secure systems and applications:
- 6.1: Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.
- 6.2: Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
Therefore, it is critical that merchants upgrade their Magento 1 websites before the end of June 2020.
Consequences of not upgrading
In addition to non-compliance with PCI DSS, Visa highlights further consequences if merchants fail to upgrade their Magento 1 ecommerce websites:
- Ecommerce sites may degrade and become unstable without the latest patches.
- Extension or plug-in functionality may break or become unavailable.
- Over time, most Magento developers will be familiar only with Magento 2.
- Ecommerce sites will be more exposed to security risks, with an increased likelihood of an account data compromise, due to the lack of security updates.
Merchants can reference Magento’s Software Lifecycle Policy to help in the upgrade process to Magento 2.3.