Completion of Magento 1.x support in June 2020 and its implications for PCI DSS compliance

Magento, one of the world's most popular open source e-commerce solutions with over 187,500 active websites today¹, will stop issuing operational and security updates and end technical support (End of Life - EOL) for all versions of the 1.x² branch, including Magento Commerce 1 (formerly known as Enterprise Edition) and Magento Open Source 1 (formerly known as Community Edition) from June 30, 2020, as announced years ago by Adobe, the company that acquired this solution in 2018.

This news is not new, since initially the end date of support for the 1.x platform was November 2018, but it was decided to extend it to allow affected organizations to implement migration strategies.

The goal behind this deadline is to drive the mass migration to Magento version 2, (released in 2015) and allow both Magento developers and extension providers to focus on this version, with many more improvements from an operational and security point of view.

What are the risks of continuing to use Magento 1?

Due to the absence of technical support directly from the manufacturer and the availability of both functionality and security updates, the continued use of Magento 1 from June 2020 will entail:

Obsolescence of extensions and official themes for Magento 1 which, as of July 7, will be removed from the official Marketplace. Likewise, all documentation and source code of those components will be removed from the official repositories.³
Due to the massive attacks against e-commerce infrastructures (including "magecart-type" attacks that have been affecting Magento platforms since 2016⁴), Websites using Magento 1 will be even more exposed, as cyber criminals will exploit outdated vulnerabilities to insert malicious code and exfiltrate payment card data and other sensitive information.
The use of unsupported software with potential unfixed vulnerabilities that can affect sensitive data affects not only PCI DSS compliance but also compliance with other regulations such as RGPD, exposing the organization to fines and penalties, in addition to bad publicity and loss of customers as a result of a data breach.
Lack of manufacturer support in the case of problems related to platform functionality and security.
Developers currently working with Magento 1 will begin to abandon development with this platform, making it increasingly difficult to make changes to the source code and keep a platform functional with this obsolete version.
Inability to use and adapt new functionality, technologies and features of the latest versions of Magento due to component incompatibility.⁵

What are the implications of this news from a PCI DSS compliance perspective?

For all those e-commerce websites using any version of Magento's 1.x branch and that capture, transmit, store and/or process payment card data, the news of the termination of the Magento 1 support implies that their platforms will become obsolete and exposed to risks linked to the exploitation of vulnerabilities that will be detected from June 30 onwards and that will remain uncorrected by the manufacturer. This is a direct violation of requirement 6.2 of PCI DSS:

6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.

On the other hand, reports from quarterly external vulnerability scans (Approved Scanning Vendor - ASV) and annual penetration testing will also identify Magento v1.x as an obsolete platform susceptible to vulnerabilities.

The payment brands had already been announcing the security implications and impact on PCI DSS compliance with the use of Magento 1 after June 2020:

VISA Acquirer Advisory - Urgent Action Required - Magento 1 support to end after June 2020⁶
MasterCard - Urgent reminder to acquirers that Magento 1 will no longer be supported by Adobe after June 2020⁷

Similarly, different payment providers such as Adyen⁸ have already notified their users about the problems associated with the use of Magento 1 and the risk this may entail for their payments.

What alternatives are there to mitigate the risk of continuing to use Magento 1?

As with any software obsolescence, there are two main alternatives for continuing operation:

Migrate to a more recent version: In this case, it is recommended to migrate to the most recent official version of Magento Commerce9, Magento Commerce Cloud10 or Magento Open Source11.
Migrate to another platform: There are multiple platform options for digital commerce at both the software and cloud service level (Software as a Service - SaaS) including Shopify, Prestashop, WooCommerce, BigCommerce, etc.

Additional recommendations

Finally, in addition, Advantio recommends:

Using the free Magento Security Scan Tool12 which allows Magento sites to be monitored for security risks and remediation actions.
Visit the Magento Security Center13 regularly, where updates, best practices and platform security news are listed.
Subscribing to the Magento14 security list to receive regular security notifications for this platform.
Follow Adobe's recommended security best practices, including the use of secure protocols (including HTTPS), use of strong passwords, securing the management console, use of multi-factor authentication (MFA) for administrative login, use of CAPTCHA solutions to minimize brute-force attack attempts, and monitoring the integrity of critical files.
Use free, online tools such as MageReport15 that perform a security scan reporting known vulnerabilities and their remedial actions.
Use Web Application Firewall (WAF) solutions for detailed analysis of platform traffic.