Migrating to Magento 2 - What You Need to Know From a PCI DSS Perspective

12/02/20 12:00

Everyone in the industry is talking about the migration of Magento 1 websites to Magento 2 - we also recently wrote about it in "Magento 1 Reaching End Of Life in June 2020 - What does it mean for you?". For our agency/developer readers, this will undoubtedly be a tricky conversation you’ve been having with your clients. And for those of you who have a Magento 1 website, the cost of migrating is probably one of the most significant hurdles holding you back.

What many of you don’t know is that not migrating could have significant consequences for an online business. Let me explain...

Once Magento 1 is no longer supported by Magento, unless the community works hard to provide patches, we as an industry are going to see criminals targeting Magento 1 sites even more than they already do - using vulnerabilities that are no longer being patched.

Some may see this as an inconvenience, but the issue runs a lot deeper. Let’s start with PCI DSS Compliance.

PCI DSS Requirements

Merchants who opt to stay on Magento 1 are actually taking themselves out of PCI DSS alignment and will be considered non-compliant. This is due to failing to meet the "Maintain a Vulnerability Management Program" goal, which is a requirement of the standard.

Requirement 6: Develop and maintain secure systems and applications

Are all system components and software protected from known vulnerabilities by installing applicable vendor-supplied security patches?

  • Review policies and procedures

Are critical security patches installed within one month of release?

  • Review policies and procedures
  • Examine system components
  • Compare the list of security patches installed to recent vendor patch lists

Your bank will need you to maintain your PCI DSS compliance, otherwise there are implications for them that will be passed on to you. Specifically:

  • Non-compliance penalties charged by the banks
  • In the case of a data breach, you will have “the book” thrown at you by the card brands and your bank

Let’s take a look into the costs of a data breach to illustrate what you are potentially signing up to by not migrating and keeping current.

The Cost of a Data Breach

The cost of a data breach is significant - let's assume you’re an eCommerce business and your website gets hacked. If you're doing less than 10,000 card transactions a year, then you will likely be requested to do a PFI Lite and your total costs would be €3,000 Visa fee plus ~£3,000 for the forensic investigation.

If you're doing more than 10,000 transactions per year, then the costs are significantly higher - €3,000 Visa fee, forensic investigation £5,000+ and then you will have a liability of €18/card that is considered "At Risk".

Remember, the average time between the criminals breaking in and the website owner realising is 5.5 months, so nearly half a year of transaction data would be stolen - costing you €18/card in Visa liabilities. If you’re doing 10,000 transactions per year, that is roughly 4,600 transactions at risk (5.5 months of transactions), and at €18/card you’ll be paying out €82,800 in penalties on top of the forensic costs.

Scary thought, we know.  

You may be thinking, what’s the risk? Why would criminals target my business?  

The terrible truth is that criminals are looking for easy-to-hack websites, and they can automate that search. If you’ve used our free WebScan solution, it will tell you whether your website is hacked, is missing patches, what its risk level is, and so on. Criminals build their own scanners and know exactly who to target - it's not personal. If you have not kept your website up to date, you will automatically fall into their “attack list”. Simple as that.

Still Thinking of Sticking to Magento 1?

Websites that remain on Magento 1, no matter how small, will not be eligible for the PFI Lite process, as the qualifying criteria are fairly strict and non-negotiable:

  • Containment – will not be met, as security patches will not be available and migration will be the only option
  • Remediation – will not be achievable until the merchant migrates, as they will not meet the requirements for PCI DSS Self-Assessment Questionnaire A (SAQ A)
  • 40-day deadline – will not be met, as migration to a new website will take considerably longer

As an agency/developer, the biggest challenge here is that your customers can start to point the finger and blame you, even though you cannot do anything about Magento no longer supporting the older platform. It will undoubtedly cause issues if a breach occurs, and who knows what the wider implications could be for your business as a result? Do you limit liability in your contracts, for example?

What should you do?

Our recommendations to agencies are simple:

  1. Explain to your customers why they need to migrate to Magento 2 - focus on how Magento 2 is faster, more SEO friendly, delivers better performance and stability and will keep on getting updates and support
  2. Create a migration plan
  3. Start migrating as soon as possible

If you haven’t looked at Responsible eCommerce yet, it’s well worth your time and consideration to help fund the migration.

Our recommendations to eCommerce owners are:

  1. Discuss a migration with your agency or in-house team TODAY
  2. Start migrating as soon as possible
  3. If you think the migration will be finalised after June 2020 - implement website security best practices, make sure you have an appropriate security solution monitoring and protecting your website and take out a cyber insurance policy today

Our pitch - it’s quick!

We’ve partnered with some great companies to offer Responsible eCommerce. Here’s how you can benefit from this solution.

Agencies - you can partner with us and offer the migration service to your customers in an affordable way. In addition to the financial support, you’ll get cybersecurity, a breach security warranty, and support from our partners and us.

eCommerce/Merchant - you’ll get security, scalability, speed, a breach security warranty and the most affordable migration service out there.
