Magento 1 End of Life - Security and Performance

The 30th June ‘20 was Magento 1 ‘End of Life’ but what does this mean for retailers who choose to stay on M1? Will your site still operate and will you still be able to take orders and supply your customers? The answer is ‘yes’, so what are the risks and what can a merchant do to minimise their exposure?

As a Magento Business Solution Partner, we thought you’d appreciate our views on these questions and some advice for M1 merchants post June ‘20.

Which versions of Magento 1 are impacted?

All versions of Magento 1 are impacted, including Magento Commerce 1 (Enterprise Edition) and Magento Open Source 1 (Community Edition).

What are the risks of not migrating?

• Non-compliance with Payment Card Industry Data Security Standards (PCI DSS). These global standards are set by credit card companies and apply to all merchants that process payments. Visa has stressed urgent action is required for merchants to migrate from Magento 1 and advised merchants to be aware of their responsibilities in securing their environment to help prevent the loss of payment card data. This could result in fines of 10% of turnover for PCI non-compliance or breaches of GDPR.
• Increased risk of data breaches, with possible damage to your brand and reputation.
• Becoming a target for hacking, without any upgrade or security patches.
• Increased maintenance costs as third party modules fail over time.

If I use a third party such as PayPal, SagePay or Adyen to process my card data, do I still need to comply?

Yes, even if you outsource part of your PCI DSS compliance to a third Party you are still required to install security patches within one month of release. With no more M1 security patches being released by Magento, it’s not possible to use this resource to remain PCI compliant. In addition, merchants are responsible for meeting all requirements of their PCI DSS compliance.

What about third party security patches? Will they make me compliant?

From July ‘20 Magento will not issue security patches for Magento 1, so a merchants only option would be to use third party providers. Whilst there are third parties selling ongoing security support for Magento 1, these unofficial solutions are unproven and not necessarily PCI compliant. Given the solution can’t be shown to work other than when a breach actually happens, we think most sensible merchants shouldn’t risk a potential fine.

Can my current agency develop security patches?

From the 6 Aug ‘20 all M1 extensions will be removed from Magento’s marketplace and repositories. Your agency will no longer have access to M1 downloads, extensions and documentation meaning the cost of development of security patches will be prohibitive.

Will my M1 site continue to function?

All M1 modules that provide functionality for your site will become increasingly difficult to maintain as agencies will no longer have access to M1 downloads, extensions and documentation. If the modules that enable your site to function fail, costly bespoke development will be required. We’ve already seen some module vendors have stopped supporting their M1 products.

Can I protect my M1 site while my new site is being built?

You can take some preventative measures such as:

• 1) Whitelisting IP addresses for admin access
• 2) Installing an application firewall on your server
• 3) Subscribing to third party security patches (e.g. Mageone)
• 4) Signing up for https://sansec.io/pricing which scans for known Magento vulnerabilities.

However, these measures will not necessarily remove your liability in the case of a PCI breach and are expensive to maintain in the long term without proven value.

What should an M1 merchant do next?

PayPal, Ayden and Visa have all stated merchants must migrate from M1 or else face the risk of PCI non-compliance fines, plus the loss of business reputation. To make an informed decision merchants must evaluate their options and ask themselves these 4 questions;

1. 1) If I were to migrate, which platform should I choose? Given current site turnover and future growth plans, would a Shopify, Magento 2, or alternative ecommerce platform provide a higher ROI and be able to expand with your business?
2. 2) What would a new site cost? This will depend on the size and turnover of your site and  the  complexity of the build. In order to make an informed decision, merchants must obtain an accurate estimate on the cost to migrate, whilst considering the lifetime value of the site. You never know, migration might not be as expensive as you think!
3. 3) Would there be any business disruption during my migration and how long would it take? This is dependent on the requirements of your site and the ecommerce platform you’re choosing and can take a matter of weeks up to several months. In the meantime there are steps you can take to mitigate the risk of continuing to run your Magento 1 site, which we outlined above.
4. 4) Is there any opportunity for ROI or is this simply a cost? A new site will improve business performance by being faster, providing additional features, and opportunities to expand into different markets, resulting in increased sales. These factors need to be accounted for as well as the cost of migration. It is also good practice to refresh your website every 3 or 4 years with technology advancing so fast. Why fall behind your competitors?

Can I spread the Cost?

PayPal Working Capital are offering interest free loans ranging £1k to £125k for development of new Magento 2 sites. Find out more here.

How can Absolute Help?

• 1) Established for over 25 years, Absolute are award-winning Ecommerce experts, Digital Marketing & Brand Consultants
• 2) Magento Business Solution Partner
• 3) £85 per hour agency flat rate
• 4) Magento Certified, in-house development team - we never outsource development.
• 5) No obligation, highly accurate estimate.

Ready to take the next step and upgrade from Magento 1? We can help - get in touch.