A great deal has been written about the Magento 1 End Of Life in June 2020 (less than 45 days time), this article will present a different perspective into the challenge.
What happens with the End Of Life next month?
Adobe/Magento will no longer support Magento 1 with security patches.
What does this mean for Magento 1 websites?
It will mean that when vulnerabilities are discovered in the Magento 1 code, Magento will not be working hard to provide a fix for the issue. That’s not to say that someone else in the Magento Community won’t step in to help. But what it does mean is that the Magento 1 websites will no longer be provided with a vendor-supplied patch for the issue.
Visa has announced that such sites will no longer be deemed PCI Compliant and will therefore be held fully liable in the case of a breach of payment card data.
Is this a significant problem?
Well, it depends on which angle you are viewing it from.
The first perspective we have, as one of the leading PCI Forensic Investigator firms globally, is that we have never encountered a business who has experienced a breach while being PCI DSS Compliant. It doesn’t happen. So if a Magento 1 site gets breached, it is almost always due to them having a basic security issue on their website. So the announcement from Visa does not really make much difference to these organisations anyway - they are already insecure, likely to get breached and will incur the liabilities in any case.
The second perspective to consider is that these businesses are currently secure and PCI DSS Compliant. When the End Of Life takes place, these businesses will no longer be PCI DSS Compliant and they could have the book thrown at them if they get breached. The important thing is to not get breached.
How do you weigh up the risk of a portfolio of Magento 1 merchants, if you’re an acquiring bank or processor?
We know that roughly 60% of all small to medium businesses who experience a breach fail within 6 months and close up. One of the major potential issues for their acquirer/processor is that these merchants do not manage to pay the liabilities and their bank/processor has to pick up the bill.
How do you ascertain the risk within your Magento 1 clients?
Well, we have been putting out a report on our Global WebScan Results each month (you can download the latest report here) and the latest report may help you to understand the risk levels within your portfolio.
Our statistics show a very interesting perspective on the market - a perspective we believe all acquirers and processors should be made aware of as quickly as possible.
We monitor the security status of 221,298 Magento 1 merchants globally. We believe that we monitor nearly all Magento 1 websites globally, give or take a few thousand.
We do this using our WebScan solution, which is a non-intrusive scanner that looks for very specific data points that are visible to all website visitors. These data points tell us if the site is:
- Correctly set up - from a security perspective.
- Missing patches - more importantly, security patches.
- And a few small checks for other "indicators of compromise”
Our results from the end of April 2020 show that of the 221,298 Magento 1 sites that we monitor, 92% are considered HIGH RISK. 92%!
HIGH RISK means that they could be missing CRITICAL security patches, have an insecure website set up, or may already have malware on their site, just not card harvesting malware - for example crypto miners and so on.
Nearly all Magento 1 websites are at HIGH RISK of being hacked at the moment. So while the argument about being PCI DSS Compliant is a good point for debate, in reality it is irrelevant as these businesses are highly likely to get breached if a semi-skilled criminal turns their focus onto them. They are already insecure and the likelihood of them being PCI DSS Compliant is low to zero.
What does this mean for acquirers and processors?
These websites - in their current security posture - are a potentially significant liability sitting in your portfolio and you need to take action.
What kind of action?
- Migration is the obvious action. BUT migration is a major process and it is very important to do it well to avoid losing the investment in SEO etc that the website has made in recent years. Migration is hard to do well when it is done in a rush. So it is likely that most of these merchants will be planning a migration, but cannot do it within the timeframes.
What other actions can you take?
- Education - Most of these organisations have zero proactive security in place to protect their online businesses. Understanding the threat they are up against starts with education. As an industry leader, the acquirer/processor has the ability to influence, guide and educate at scale - and we would urge you to do so.
- Security - Once your merchants understand the problem and risk, then they need to get “proper” proactive security in place - a comprehensive, actively managed security system, which should certainly include a WAF, but should go a lot further than that. We’re able to assist with this with our FGX-Web solution - designed for Magento sites. Incidentally we also provide a warranty for all websites using our solution.
- Insurance - Security may not totally eliminate the risk, so taking out an appropriate insurance policy should be mandatory for these merchants. We’re happy to link merchants with insurance brokers who understand the problem.
Time is of the essence here - these Magento 1 websites are currently a considerable risk to the industry and collective action is needed to avoid a significant problem.
Please share this blog post with your contacts so we all can tackle this issue. Also, feel free to get in touch at firstname.lastname@example.org if you need any help