PCI DSS
How will the Magento 1.x EOL affect PCI-DSS compliance?
Magento was first released in 2007 as a powerful and easy-to-use e-commerce platform, and it rapidly gained traction among online merchants. It won awards, passed through eBay's ownership, and was eventually acquired by Adobe for $1.68B USD in 2018. Today Magento powers 12% of all e-commerce sites worldwide, with about 239,000 active sites still running Magento 1.x, which makes it a powerhouse in e-commerce and the most widely used PHP-based e-commerce platform. Most Magento users install Magento themselves on their own servers, which means those users, not Magento, are responsible for PCI-DSS compliance, upgrades, and server maintenance.
Magento announced a new major release, Magento 2, in 2015 to replace the Magento 1.x series. At the time, support for Magento 1.x was to end in 2018. That date was extended through the end of June 2020 to give merchants more time to migrate from Magento 1.x to Magento 2. As the end-of-support date approaches, SecureTrust has been receiving questions from partners about how it affects PCI-DSS compliance.
Magento has published a Software Lifecycle policy document that sets out the support dates for the Enterprise versions of Magento. In summary: all versions prior to Magento 1.13 are already unsupported. Magento Enterprise 1.13 and 1.14 remain supported through the end of June 2020, after which no support will be offered. Magento Enterprise 2.0 and 2.1 are no longer supported. Magento Commerce 2.2 is still supported and receives security updates in step with Magento Commerce 2.3. Magento Commerce 2.3 is the current release and the version merchants should use for new deployments and as the target for any migration or upgrade project.
SecureTrust expects a quiet period from malware authors before July, while Magento 1.x is still receiving fixes; the single Magento security bulletin published so far this year is consistent with that.
Based on past end-of-support events of this kind, we expect to see live sites compromised soon after support ends, using automated compromise tools and bots. Magento sites with unpatched vulnerabilities are a soft target for criminals looking for places to host malware, install web skimmers, and steal sensitive e-commerce data.
From a compliance perspective, this means that without an approved compensating control, merchants running a release of Magento that is no longer supported are not PCI-DSS compliant: PCI DSS Requirement 6.2 requires applicable vendor-supplied security patches to be installed, and an unsupported platform has no vendor patches to install. SecureTrust recommends that sponsors monitor their merchant portfolios for merchants using any version of Magento 1.x and encourage them to migrate to Magento 2.3 or another PCI-DSS compliant e-commerce platform. Visa has also sent a bulletin to all Visa partners warning of this risk to the payments ecosystem and of the impact of the end of support on PCI-DSS compliance for affected merchants.
SecureTrust has partnered with Trustwave to add detection of Magento 1.x to the Trustwave vulnerability scanning engine. Until the June end-of-support date it is reported as an "informational" level finding; after that date it becomes a "critical" level finding that results in a PCI-DSS scan failure. SecureTrust has also added Magento 1.x detection to the Merchant Intelligence third-party detection module of our Web Risk Monitoring (WRM) service, so SecureTrust partners can use the SecureTrust portal to monitor their merchant portfolios for merchants still using Magento 1.x.
_______________
SecureTrust, a Sysnet company, leads the industry in innovation and processes for achieving and maintaining compliance and security. SecureTrust delivers world-class consulting, compliance and risk assessment services and solutions for the enterprise market as well as tailored merchant risk management programs and solutions for merchant program sponsors around the globe.
CLICK HERE to contact us for all Enterprise Compliance, Merchant Risk Management and Compliance Technology needs.
_______________
Jon Marler is a Product Manager at SecureTrust with a true passion for information security and more than a decade of experience in information security, payment processing, risk management, software development, and telephony. Jon spent eight years working with some of the largest acquirers in the world, helping them build online payment gateways and risk management platforms before joining SecureTrust. Aside from his primary role with SecureTrust, Jon also sits on the EC-Council ANSI Scheme committee as a trusted advisor, has participated in the PCI SSC SIG focused on addressing cloud computing, and is a member of the ETA committee for mobile payments. As a result of his long-standing commitment to open source software, Jon has served as a package maintainer for the Debian GNU/Linux distribution since 1998.