November 11, 2020 by Ben Chafetz

Can My Magento 1 Site Remain PCI Compliant?

If you’re still on Magento 1 (Heaven help you) you’re probably wondering…

“Can I meet PCI security standards and continue operating my store on Magento 1?”

That’s a good question.

Especially given the fact that Magento cut off support for all Magento 1 storefronts earlier this year.

Should you migrate to Magento 2?

Must you migrate to Magento 2?

Can you somehow stay on Magento 1?

Read on to find out the answers to all of these questions – and more. 

Magento 1 Officially Became Deprecated In June 2020 – What Does That Mean? 

After a few delays, Magento 1 was officially “sunsetted” by Magento and its parent company Adobe in June of 2020. But what does that mean?

In a nutshell, Magento 1 is no longer supported by Magento developers. There will be no more routine patches, security fixes, or updates of any kind. Development is over. Period. Unless you hire a third-party company to develop Magento features and make updates for you, your Magento 1 website will never be updated again.

A good analogy would be a house. Houses need regular maintenance and repairs to stay in good shape. A house that’s recently abandoned would be in okay shape for a while – but over time, as it continues to wear down without repairs, it will eventually start to fall apart. 

That’s Magento 1.

Support has stopped. And while your store may be running pretty well for now, there are serious risks to staying on Magento 1. Things are only going to get worse – unless you invest a lot of time, money, and effort into maintaining your Magento installation yourself.

Using Magento 1 Puts You At Risk of Breaching PCI Compliance Requirements

So, you’ve decided to continue using Magento 1 for now. Does that mean you’re breaching PCI compliance requirements? The answer is “yes.”

Specifically, you may be breaching PCI DSS Requirements 6.1 and 6.2. These requirements address the need for eCommerce retailers to “keep systems up to date” with “vendor-supplied security patches” to protect their systems from “known vulnerabilities.” 

And that’s the problem. Magento no longer supplies security patches or any kind of vendor-supplied updates at all. That means you could be found to be in breach of PCI Requirements 6.1 and 6.2.

If your website is breached while you’re knowingly running unsupported software, you could end up facing serious consequences – such as security audits, monthly penalties and fines, or even a major credit card provider like VISA blocking you from accepting their payments online.

A “Security Compensating Controls Plan” Could Extend Your Store’s Lifespan

So, are you totally out of luck if you want to use your Magento 1 website for a few more months? Well, maybe not. You may be able to implement what’s called a “Compensating Control” plan. 

Basically, this is a plan that you put together to show that you have sufficiently mitigated the risk associated with a particular PCI DSS requirement – such as Requirement 6.1 or 6.2. In other words, you must develop and implement security measures that are “as good or even better” than the original defense requirement outlined in PCI DSS standards.

For example, if you hire a full-time cybersecurity staff member to secure your Magento 1 website and ensure that it’s as protected as possible from unauthorized data access, you could present this as part of your Compensating Controls plan if you’re asked to prove your compliance to a payment processor.

The problem is this – it’s up to the payment processor to decide if you’ve done enough to meet PCI requirements. Their opinion will determine whether or not you’re in breach of PCI DSS compliance. Not only that, but putting together a Compensating Controls plan can be expensive and complex – it may not be worth the investment.

Switching to Magento 2 Can Save You Time, Money & Frustration

So, what’s your best option? Upgrade to Magento 2!

Magento 1 has been deprecated for a good reason. Magento 2 does everything Magento 1 can do – but better, faster, and in a more secure environment.

Yes, the up-front costs associated with migrating from Magento 1 to Magento 2 can be high – which may lead some eCommerce entrepreneurs to try to squeeze out some extra life from their Magento 1 installations, even though they are no longer supported.

But if your store gets hacked and you are found in breach of PCI compliance due to running Magento 1, you may suffer irreversible damage to your brand’s reputation – and be slapped with major fines and penalties, too. 

So if you really want to secure the future of your store, it’s time to switch. As a discontinued software platform, Magento 1 is inherently vulnerable – and if you use it, you could be exposing yourself to serious PCI non-compliance penalties. 

Need Help Migrating to Magento 2? Contact 121eCommerce – That’s What We Do! 

Moving from Magento 1 to Magento 2 is a big step, but at 121eCommerce, we have the expertise, tools, and skills you need for a successful transition. Migrating to Magento 2 is one of our specialties – and with our team of experts on your side, it’s easy to make the switch.

If you’re interested in learning more, contact us today for a free initial consultation – and see how we can help you meet PCI security standards, improve your store’s performance, and build a better, more future-proof website with Magento 2. 
