Magento 1 EOL PCI Compliance: What Merchants Need To Know

Magento 1 is on its way out. No surprise there, right?

Merchants who willingly ignored the M1 end-of-life (EOL), or missed it for some reason, have known about it too, yet blazed past the mark of July 1, 2020 with their fingers crossed.

But the end of official Adobe Magento support is a big deal, and it is sure to result in M1 stores confronting issues of varying severity. Ready or not. 

To illustrate, we’d like to outline a recent case of a payment gateway provider denying service to one of our M1 clients. In the second part of the article, we reflect on the wider context and discuss some of the measures that help merchants mitigate the risks.

Pt.1: The story in a nutshell

In mid-August 2020, our client – a UK-based tailored menswear brand – approached us claiming that their payment gateway provider was about to cut them off from the service, and asking for assistance. In the notification, the service provider stated that, since the merchant was still running a Magento 1 site past M1 EOL, their store was no longer PCI compliant.

At first, the Client was instructed to address the situation in a month’s time but managed to negotiate an extension to two months. The prospect was that within a month of the notice, all CC payments would be frozen, blocking the merchant from accessing the funds; after two months the service provider would stop processing the payments altogether.

The two possible solutions proposed by the service provider were to either A. migrate to Magento 2 or another PCI compliant eCom platform, or B. enable a Pay-by-Link service to redirect customers to an external secure page for payment processing.

Another option brought up in our communication with the Client was to change the payment gateway provider, switching to one that still offered support for M1 stores.

However, each of the proposed solutions came with some drawbacks.

First, the Client was, at the time, already in the process of migrating their store to M2. The migration was weighed down by multiple delays and complex internal processes, and thus, was falling behind the estimated schedule by a wide margin. This rendered an immediate migration unrealistic.

Second, while Pay-by-Link is standard in many regions, it did not align very well with the workflow the Client was accustomed to.

Lastly, the Client had worked extensively with this particular service provider and wasn’t willing to make the transition because they were happy with their current setup – optimized and offering a well-sorted fraud protection mechanism. 

Given the pros and cons of each option, a decision was made to implement Pay-by-Link as a quick fix. As the least of all evils, it wouldn’t require drastic changes in the Client’s workflow and contract terms. At the same time, it would make sure the payment flow remained intact until the migration to M2 was completed.
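The reason a Pay-by-Link (hosted payment page) redirect keeps an otherwise unpatched M1 store acceptable to a gateway is that card data never passes through the merchant's server: the store only sends a signed order summary and later verifies a signed result. The following Python sketch, added here as an illustration and not the Client's integration or any real provider's API, shows that pattern with a hypothetical provider. The hostnames, field names and shared secret are constructed for the example; a real provider documents its own parameter set, and the checks on the return (constant-time signature comparison, and matching the echoed amount and currency against the original order) are the parts worth carrying over.

```python
"""Hosted-payment redirect ("Pay-by-Link") pattern, constructed example.

The merchant server never sees the card number: it signs an order summary,
sends the shopper to the provider's hosted page, and later verifies the
provider's signed result before marking the order paid. Provider URL, field
names and the shared secret are hypothetical.
"""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values: a real integration loads the secret from configuration.
SHARED_SECRET = b"demo-shared-secret-not-for-production"
HOSTED_PAGE = "https://pay.example-provider.test/hosted"  # hypothetical provider


def _sign(fields: dict) -> str:
    """HMAC-SHA256 over the fields in a fixed key order (canonical form)."""
    canonical = "&".join(f"{k}={fields[k]}" for k in sorted(fields))
    return hmac.new(SHARED_SECRET, canonical.encode(), hashlib.sha256).hexdigest()


def build_pay_link(order_id: str, amount_minor: int, currency: str, return_url: str) -> str:
    """Create the redirect URL for the provider's hosted page.

    Only non-sensitive order data leaves the store; the card form lives on the
    provider's PCI-validated page, which is what keeps the store out of card scope.
    """
    fields = {
        "order_id": order_id,
        "amount": str(amount_minor),   # minor units (pence) to avoid float rounding
        "currency": currency,
        "return_url": return_url,
    }
    fields["sig"] = _sign(fields)
    return f"{HOSTED_PAGE}?{urlencode(fields)}"


def verify_return(callback_url: str, expected: dict) -> bool:
    """Validate the provider's signed return before marking the order paid.

    Rejects: a signature mismatch (constant-time compare), a non-authorised
    status, and any echoed order_id/amount/currency that differs from what the
    store originally asked for, so a small payment cannot be presented as a
    "paid" result for a full-price order.
    """
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    provided_sig = q.pop("sig", "")
    if not hmac.compare_digest(provided_sig, _sign(q)):
        return False
    if q.get("status") != "AUTHORISED":
        return False
    return all(q.get(k) == str(v) for k, v in expected.items())


def provider_callback(order_id: str, amount_minor: int, currency: str, status: str) -> str:
    """Simulate the provider's signed return redirect (constructed for this example)."""
    fields = {"order_id": order_id, "amount": str(amount_minor),
              "currency": currency, "status": status}
    fields["sig"] = _sign(fields)
    return f"https://shop.example.test/payment/return?{urlencode(fields)}"


if __name__ == "__main__":
    order = {"order_id": "100000123", "amount": 12999, "currency": "GBP"}
    print("redirect shopper to:", build_pay_link("100000123", 12999, "GBP",
                                                 "https://shop.example.test/payment/return"))
    genuine = provider_callback("100000123", 12999, "GBP", "AUTHORISED")
    print("genuine result accepted:", verify_return(genuine, order))
    # Amount edited after signing: signature no longer matches.
    print("tampered URL accepted:", verify_return(genuine.replace("amount=12999", "amount=100"), order))
    # Validly signed, but for a smaller amount than the order: still rejected.
    print("underpaid result accepted:", verify_return(provider_callback("100000123", 100, "GBP", "AUTHORISED"), order))
```

The store keeps the order's amount and currency server-side and compares them against the provider's echo rather than trusting the return alone; the `status` check and the `compare_digest` call are the two points where a naive implementation most often goes wrong.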

As of the moment of writing this, the migration is still in progress, and the implemented fix is in place, providing uninterrupted service for both the Client and their customer base.

Pt.2: Insights

The situation across the board

An important conclusion to be made is that the described case is not unique. With tens of thousands of M1 stores still live as of mid-2020, we can expect similar cases to keep occurring well into the foreseeable future.

PayPal, Visa and OneStepCheckout, among others, have issued notes of warning regarding the issue. Below are some of the more important takeaways.

  • Increasingly more M1 stores should be expected to lose PCI DSS compliance due to the unavailability of relevant security patches after July 1, 2020.
  • In order to assure PCI compliance, it is imperative that M1 stores are migrated to M2 or another eCom solution that matches the required levels of security.
  • However, M1 sites can retain PCI compliance as long as merchants are able to demonstrate to the PCI Council that they have taken every measure necessary to secure their storefront.
  • The latter can be achieved if the store is managed by a competent tech team.

Solutions and pitfalls

Migration to M2. As mentioned in the example above, the Client’s store migration from M1 to M2 was delayed due to a number of internal factors. This led to missing the estimated deadline and forced the merchant to operate an outdated store past M1 EOL. Still, even under normal circumstances, an average M1-M2 migration usually takes around 2-5 months. M1 merchants preparing to migrate need to keep this number in mind and make sure they plan the process accordingly.

Temporary solutions: adopting alternative payment gateways, boosting security, employing services that promise to recover M1 store’s PCI compliance, etc. Consider these steps temporary because they aim to fix the symptoms, not the root of the problem.

By contrast, what’s causing the issues is the outdated technology behind the now discontinued M1 platform. Porting it to a modern tech stack and infrastructure may extend its shelf life, but there is a risk that even a minor update or protocol change will backfire and bring the issues back.

Payment gateways are one of a number of services that M1 stores may experience problems with over time. At stake is merchants’ very ability to conduct business, so it is wise to opt for a more dependable long-term solution. As such, migrating to a platform (M2 or similar) that covers all relevant aspects of eCom operation proves more sensible.

How is this even a thing?

Platform updates are nothing new. The problem is that in July 2020 many Magento merchants arrived at M1 EOL unprepared. Let’s be rational: Magento announced M1 end-of-life back in September 2018, and merchants have been repeatedly reminded of it since then. Thousands have successfully migrated; others, however, keep postponing to this day, putting their ability to conduct business at risk.

OK, enough moralizing. What shall we do?

Get up to date. It is important that merchants are aware of the current status of their payment gateway. Service providers normally make this information available via their websites and/or client newsletters, so those would be the first instances to check before investigating any further.

As a rule, though, following updates and keeping merchants up to speed is the responsibility of dedicated tech teams. Those businesses that don’t employ one will have to roll up their sleeves and dig up this information by themselves.

Explore backup solutions. Different stores are built differently and pursue different business goals. At the same time, not all payment gateway providers will impose the same set of rules. All of the above suggests that there is no single blanket solution, and the problem should be treated on a case-by-case basis. The best advice for merchants is to consult with a competent tech team to identify the measures suitable for their specific business.

Plan migration in advance. As mentioned above, an average M1-M2 migration can take between two and five months. With this time span in mind, merchants are advised to plan the necessary procedures in advance, as well as consider some of the temporary solutions in case their current M1 store should require emergency fixes. Again, a dedicated tech team is your best friend that will help you navigate these waters.

Found this information useful? Looking to implement a Magento solution for your business? Let the world’s most certified Magento team help you!

Any questions? Feel free to drop us a line at info@scandiweb.com, or schedule a call with one of our staff to see how we can help you!
