Hello, wondering if someone from Magento can help. Given the current worldwide situation, the delays that have already hit business, and the state of current business, are there any plans to now extend the support for Magento 1 beyond the June 2020 deadline?
I'm sure we are not the only sites running this that have no chance of hitting this deadline, yet are receiving threats about non-compliance from beyond this date.
Unfortunately, some of this has been coming down to individual opinions, which is unfortunate.
The main reason that a site won't be PCI Compliant if it's running Magento 1 is that it will no longer have vendor-supplied patches.
You can pay Mage-One to be your patch vendor, however, there are differing opinions regarding whether they will meet the definition of vendor-supplied patches. They would be your vendor, but they aren't the vendor of Magento as a software platform. To some, it seems obvious that the goal is that you have supported and patched software, but some in the industry are not in agreement.
There's also OpenMage, which is a fork of M1. In the software world, when you're using a maintained fork of a platform, it's generally understood that you're not using the original software, you're using the fork which is distinct and supported by your new vendor. However, just as with Mage-One, there has not been universal agreement about whether OpenMage users will be considered PCI Compliant.
Then it comes down to compensating controls. If you have stellar security beyond getting patches from a source like Mage-One, you should still be able to be considered PCI compliant. At JetRails, we go beyond just patching the hosting layer. We deploy a wide range of security for clients (which we believe all M1 and M2 users should have anyway). This includes web application firewalling, intrusion detection, malware scanning, and a range of other solutions, protocols, and best practices. We monitor, configure, optimize, and provide 24/7 monitoring and alerting based on these tools - so our users have much more comprehensive and active security.
However, compensating controls are something that a PCI assessor takes into account. While enterprises often have an assessor on call to help through this process, a small business can't necessarily afford to pay an assessor.
So far, the best way around this that I've come across has been working with a payment processor / PCI SAQ vendor that has a more established process for how to handle M1 end of life, so that they can identify that you're compliant without you needing an individual assessor involved. This may take some shopping around, but seems like the best option, because while you could potentially run credit cards while not being PCI Compliant, there are inherent risks - these include (but are not limited to) potential fines and loss of the ability to accept credit cards. I don't have a one-size-fits-all vendor to recommend for this, but if you have a good web host, they've likely been working on lining up vendors to pair you with.
Adobe, the owners of Magento, have been adamant about not extending the end of life of Magento 1 again, even in the current market conditions.
However, there are resources that can help you maintain your site. Check out this article from the Magento Association: https://www.magentoassociation.org/commerce-co-op/full-article/magento-1-post-eol-resources-1
Once Magento stops deploying patches, you'll want to have another vendor like Mage-One or OpenMage that will be issuing security patches for your site.
You'll also want to make sure that you have strong security protocols in general - as you should always have for any open-source eCommerce site. This includes a Web Application Firewall (WAF), Malware Scanning, and Intrusion Detection.
I'd also recommend checking out this more detailed article: https://www.nchannel.com/blog/best-practices-for-remaining-on-magento-1-after-june-2020/
Best of luck!
Robert - thanks for the response on this. The fear we have is that companies such as PayPal etc. are indicating that we will not be PCI compliant due to the risk of our site being hacked, and are providing alternative links to payments etc.
Is there any way that, short term, you can remain on Magento 1 and not risk your compliance?
Thanks again
Hi @tarethcase6852
Please read the following announcement by PayPal.
You may also read "Does unpatched software comply with PCI DSS 3.1?"
You can visit shop aalogics as they are experts in Magento support extensions. They can help you in solving the issue.