Thousands of online shops are running this popular, but obsolete, e-commerce software

Thousands of online businesses could be at risk of cyberattack because they are running an insecure version of a popular e-commerce platform.

Magento 1 reached its end of life (EOL) on June 30, experts have warned, meaning online merchants are no longer being supplied with security patches to protect their sales systems.

The lack of patches could leave large numbers of online retailers at risk while rendering them non-PCI compliant, said e-commerce consultants Sonassi, which has called on payment processors to provide more clarity on what levels of support remain following Magento 1 reaching its EOL.

“In the run-up to EOL for Magento 1, many sought clarity from payment processors such as Visa, on how they would support merchants past the end date, and ultimately when they would stop taking payments from those on Magento 1,” stated James Allen-Lewis, Development Director at Sonassi.

“Visa were very bullish in their initial statement, stating customers on Magento 1 needed to migrate across to Magento 2 immediately, in order to remain PCI compliant.”

PCI compliance

However, with the EOL date having come and gone, merchants are being left increasingly at risk due to the ongoing lack of support. Adding to the seriousness of the situation is the lack of compliance with PCI DSS, the Payment Card Industry Data Security Standard, which online traders need to be in line with.

“Understandably, the fallout from the pandemic has meant many merchants are yet to migrate,” adds Allen-Lewis. “Any major platform migration is hard for any business – this is made all the more challenging against a backdrop of tightened budgets and reduced resources.

“We have seen examples of companies such as Mage One offering to provide security patches for merchants during any interim period. But as Visa are yet to respond to this offer of support, the concern for merchants is whether these patches will be recognised. Arguably, this just muddies the water further.”

Allen-Lewis continues, “In the event a merchant is hacked, and they are deemed non-compliant with PCI, potential fines can range from tens to hundreds of thousands of pounds. If they are unable to take the costs of the fines, it’s their bank which will be forced to pick up the bill. Because of this, it’s in everyone’s interest that clarity is brought to the situation.

“Some payment providers have said they will no longer support merchants still on Magento 1, past EOL. Others have stated customers need to switch to Magento 2, but have not offered any reassurances that those taking steps to migrate would still be covered. While it’s of critical importance companies are taking steps to migrate, we do recognise that now, more than ever, retailers need support.”

“Any additional costs to retailers are unwelcome in the current climate and for many the costs associated with remaining on a Magento 1 platform could represent the difference between success and failure.”

Rob Clymo

Rob Clymo has been a tech journalist for more years than he can actually remember, having started out in the wacky world of print magazines before discovering the power of the internet. Since he's been all-digital he has run the Innovation channel during a few years at Microsoft as well as turning out regular news, reviews, features and other content for the likes of TechRadar, TechRadar Pro, Tom's Guide, Fit&Well, Gizmodo, Shortlist, Automotive Interiors World, Automotive Testing Technology International, Future of Transportation and Electric & Hybrid Vehicle Technology International. In the rare moments he's not working he's usually out and about on one of numerous e-bikes in his collection.
