Given timescales and budget, migrating to Magento 2 (or any other platform) is not possible for us. We'd like to stick with Magento 1 at least for the next 3 months. We have used Payeezy (FirstData) as our payment gateway, wherein the card/payment details are captured in an iframe, complying with the PCI standards. So, what further steps do I need to take in order to make my store SAQ-A PCI compliant after 30th June? If SAQ-A is not applicable, can we use SAQ A-EP compliance? Also, what can we expect for these SAQ types after 30th June if we continue with Magento 1.9?
You may find the following articles helpful.
Magento 1 End of Life Announcement
https://community.magento.com/t5/Magento-2-x-Programming/PCI-DSS-compliance-possible-with-Magento-1-...
Hi Shreyas,
Technically speaking, using a hosted checkout solution like Bolt, or a system that will accept payment into an iframe as you've described having from Payeezy, is a great choice with regard to security.
However, it's not the only security concern. What happens if your website is compromised and shoppers are redirected to a checkout page created by hackers? I'm not suggesting whether that's likely or not, just illustrating that your payment gateway is not the only concern that goes into staying PCI compliant.
My understanding is that without vendor-supplied patches, your site will not be PCI compliant. At JetRails, we're working with Mage-One and OpenMage, two companies that are providing ongoing patching solutions that Magento 1 users can benefit from after Magento 1 reaches end of life. I'd suggest checking out these vendors.
Mage-One is a vendor that will charge an annual fee for access to M1 patches. They'll be keeping an eye out for new security threats through a bug bounty program and other activities.
OpenMage is a free open-source fork of M1.
At JetRails, we're adding additional compensating controls for our clients, including many solutions that we recommend for Magento 1 and 2 sites already. These include well-configured Web Application Firewalls (WAFs), intrusion detection, malware scanning, and 24/7 monitoring. These sorts of security layers help minimize your risk, and allow any PCI assessor to take into account the fact that you're going above and beyond to protect credit cardholders that use your site.
In this particular case, I would recommend reaching out to your payment processor to discuss this in more depth. I don't know of any additional steps that you can or should take beyond what I've listed here, but they may have additional advice that's specific to your account - like switching to a newer or different payment gateway that they support.
If you're looking for any additional resources, check out this helpful list from the Magento Association: https://www.magentoassociation.org/commerce-co-op/full-article/magento-1-post-eol-resources-1
Best of luck!
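As an added illustration of the scenario raised in the answer above (the checkout page itself being tampered with so that shoppers are sent to an attacker-controlled payment form), here is a small integrity check that a store could run against its own checkout page as one of the "compensating controls" mentioned. It is example code written for this page, not code from the thread, from JetRails, Mage-One, OpenMage or Payeezy. It flags every iframe or external script on the page that loads from a host outside an allowlist, and confirms that the expected hosted-payment iframe is still present. The hostnames, the allowlist and the two sample pages are constructed placeholders; substitute the hosts your gateway integration actually uses.

```python
# Added example (not from the original thread): a checkout-page integrity check
# that flags iframes/scripts loaded from hosts that are not allowlisted and
# confirms the expected payment iframe is still there. All hostnames and the
# sample HTML below are constructed placeholders, not real endpoints.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: the shop itself plus the host that serves the hosted
# payment iframe. Replace with the hosts your gateway integration really uses.
SHOP_HOST = "shop.example.com"
PAYMENT_HOST = "payments.gateway.example"
ALLOWED_HOSTS = {SHOP_HOST, PAYMENT_HOST}


class _SourceCollector(HTMLParser):
    """Collects the src attribute of every <iframe> and external <script>."""

    def __init__(self):
        super().__init__()
        self.sources = []  # list of (tag, src)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("iframe", "script") and attrs.get("src"):
            self.sources.append((tag, attrs["src"]))


def _host_of(src, page_host):
    """Resolve the host a src attribute loads from; None for odd schemes."""
    parsed = urlparse(src.strip())
    if parsed.scheme not in ("", "http", "https"):
        return None  # javascript:, data:, etc. never belong on a checkout page
    # Relative URLs (/js/x.js) load from the page's own host; protocol-relative
    # ones (//cdn.example/x.js) carry their host in netloc.
    return (parsed.hostname or page_host).lower()


def find_unexpected_sources(html, page_host=SHOP_HOST, allowed_hosts=ALLOWED_HOSTS):
    """Return [(tag, src)] for every iframe/script not served by an allowed host."""
    collector = _SourceCollector()
    collector.feed(html)
    findings = []
    for tag, src in collector.sources:
        host = _host_of(src, page_host)
        if host is None or host not in allowed_hosts:
            findings.append((tag, src))
    return findings


def payment_iframe_present(html, payment_host=PAYMENT_HOST):
    """True if at least one iframe is served by the expected payment host."""
    collector = _SourceCollector()
    collector.feed(html)
    return any(tag == "iframe" and _host_of(src, "") == payment_host
               for tag, src in collector.sources)


# Constructed sample: a clean checkout page, and a tampered copy in which an
# injected loader script was added and the payment iframe now points elsewhere.
CLEAN_PAGE = """<html><head>
<script src="/js/prototype/prototype.js"></script>
<script src="https://shop.example.com/skin/frontend/checkout.js"></script>
</head><body>
<iframe id="payment" src="https://payments.gateway.example/hosted-form?token=abc"></iframe>
</body></html>"""

TAMPERED_PAGE = CLEAN_PAGE.replace(
    "https://payments.gateway.example/hosted-form?token=abc",
    "https://secure-checkout.example.net/form",
).replace("</head>", '<script src="//cdn-stat.example.net/loader.js"></script></head>')


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, "unexpected:", find_unexpected_sources(page),
              "payment iframe present:", payment_iframe_present(page))
```

In practice the HTML would be fetched from the live checkout URL on a schedule (and ideally from outside the hosting environment, so a compromised server cannot lie to the check), and any finding would page someone. This is one narrow detection for one injection pattern; it does not replace vendor patches or the WAF, malware scanning and monitoring the answer lists.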