
Published on April 9th, 2020

Visa urges merchants to migrate e-commerce sites to Magento 2.x



Payments processor Visa is urging merchants to migrate their online stores to Magento 2.x before the Magento 1.x e-commerce platform reaches end-of-life (EoL) in June 2020 to avoid exposing their stores to Magecart attacks and to remain PCI compliant.

Web stats site BuiltWith currently shows more than 179,000 live Magento installs out of which around 53,000 are Magento 2.x online shops, with the platform powering 12% of all online shopping sites per HostingTribunal's stats.

In September 2018 when it announced Magento 1's June 2020 EoL, Adobe said that roughly 8,000 sites were migrating to Magento 2 every quarter, adding to the already existing 30,000 Magento 2 sites.

Magento 2.0 was announced in November 2015 with improved security, performance, and scalability, easier maintenance and upgrades, out-of-the-box PayPal, Braintree, and Authorize.net payment gateway integration, as well as support for WorldPay and CyberSource for the Enterprise edition.

Magento 1.x stores exposed to Magecart attacks

Because no security fixes will be provided by Adobe for Magento 1 after it reaches its EoL, "any sites that have failed to migrate will be vulnerable to security breaches and pose an increased risk to the security of payment card data," explains Visa's advisory.

"Acquirers should use this information to take risk-based decisions and encourage their merchants to migrate to a supported version or alternate platform to remain PCI compliant."

Failing to migrate e-commerce sites to Magento 2.x before official support for Magento 1 ends exposes the stores and merchants to multiple risks, including but not limited to account data compromise events, sites getting hacked, and malicious code used to steal credit card data being injected as part of Magecart (aka e-skimming or web skimming) attacks.

Merchants considering the transition to Magento 2.3 should view this as more than just a simple “version upgrade” or “migration.” Effectively, Magento 2.3 is an entirely new platform with substantial framework differences from Magento 1. To ensure success, the transition effort should be considered as a new build or full rebuild project. Merchants will need to find the Magento 2.3-compatible version of their extensions and custom code will need to be reviewed, rewritten, and made compatible with Magento 2.3. These efforts are often large and involved, thus, merchants should begin the process and start upgrading immediately, referencing Magento’s Software Lifecycle Policy. - Visa

The U.S. Federal Bureau of Investigation (FBI) issued a warning in October 2019 to increase awareness on ongoing e-skimming threats targeting both government agencies and SMBs (small and medium-sized businesses) that process online payments.





The FBI recommended that site owners keep their software updated as one of the main mitigation measures against falling victim to Magecart attacks.

Visa highlights the following reasons for migrating to Magento 2.x as soon as possible:

• Without any upgrade or security patches, merchants’ e-commerce sites may degrade and become unstable;
• Extensions or plug-ins functionality may break or become unavailable;
• Over time, Magento developers will only be familiar with Magento 2;
• Merchants will fall out of compliance with PCI DSS; and
• Ecommerce sites will be more exposed to security risks and increased likelihood of an account data compromise due to the lack of security upgrades.

Migrate to remain PCI compliant

"PCI DSS Requirements 6.1 and 6.2 address the need to keep systems up to date with vendor-supplied security patches to protect systems from known vulnerabilities," Visa adds.

"Hence, failing to migrate a Magento 1 e-commerce website will cause merchants to fall out of PCI DSS compliance because no security patch will be available for new vulnerabilities after June 2020."

Failing to upgrade sites to Magento 2.x also means that some merchants may fail to get passing Approved Scanning Vendor (ASV) scans because they weren't able to address security issues detected in their Magento 1.x sites.

"Therefore, it is imperative that impacted merchants migrate before the end of June 2020 to maintain PCI DSS compliance and to ensure that their Acquirer’s portfolios are protected," the advisory reads.
