Magento, owned by Adobe, is one of the world’s most popular open-source e-commerce platforms. More than 110,000 stores have been built on it, and its code has been downloaded more than 2.5 million times. Magento is reported to account for 30% of the total market share.
Magento Version 1 is now officially classed as End-of-Life (EoL) as of 30th June 2020.
‘What does this mean for me?’ you may ask.
This is a significant event: Magento will no longer support its Version 1 software, and this applies to both Magento Commerce and Magento Open Source. In summary:
- Magento will no longer provide support for this version
- Magento will no longer provide security patches
- Magento will no longer provide quality updates
There are a number of consequences arising from this situation including the following:
- With no upgrades or security patches, any merchant still running Magento 1 is at an increased risk of suffering a cyber attack
- Web stores using legacy e-commerce software will quickly become outdated, with a reduction in functionality
- As developers concentrate on Magento 2 projects, expertise available to support Magento 1 will become scarce
- Use of Magento 1 after 30 June 2020 will cause the merchant to fall out of PCI DSS compliance, resulting in acquirer non-compliance fees
It is undoubtedly naïve to hope that cyber attackers are not waiting for the inevitable vulnerabilities to be exposed in the old platform, knowing that no patch will follow. Many members of the cyber security community believe that hackers are simply biding their time until the EoL date passes; after that, ‘watch this space’.
Visa has notified its merchants still using Magento 1 that, in the event of a breach, they will no longer meet the qualifying criteria for a PFI Lite investigation and will instead be mandated to undergo a full PFI investigation, which is far more costly and time-consuming.
Mastercard has also issued security alerts to its customers warning them of the imminent issue.
What should you do?
This can be answered in one word: UPDATE.
It is, of course, appreciated that this is not a 5-minute task; as there are substantial changes between the two versions, the migration will require downtime to complete.
The question merchants must ask themselves is ‘Is it worth the risk?’ As a leading PCI SSC accredited Payment Card Forensic Investigation (PFI) and Qualified Security Assessor (QSA) company with substantial experience of dealing with payment card data breaches, we would definitely say ‘NO’. The reputational and financial consequences of remaining on an unsupported platform are both real and considerable.