In just 12 months, Magento 1 support will officially end. According to BuiltWith data, there are close to 225,000 Magento websites online (March 2019). While it’s not clear if that figure includes Magento 1 and 2, the usage statistics for Magento 2 states that there are only 45,000 live websites using Magento 2. This means that in a best-case scenario, there are 180,000 websites still operating on a soon-to-be unsupported version of Magento. This may be a result of merchants being unaware of the Magento 1 end of support date of June 2020. It also could be because they do not understand the risks they are assuming by not upgrading, and the impact it could have on their business. By staying on an unsupported version of the platform, merchants run the risk of violating PCI compliance, which has a number of adverse effects on a business.
Compliance Requirement
The PCI DSS (Payment Card Industry Data Security Standard) Requirement §A3.3.2 outlines a merchant’s obligation to “review hardware and software technologies at least annually to confirm whether they continue to meet the organization’s PCI DSS requirements. (For example, “a review of technologies that are no longer supported by the vendor and/or no longer meet the security needs of the organization.”) This process must “include a plan for remediating technologies that no longer meet the organization’s PCI DSS requirements, up to and including replacement of the technology, as appropriate.” In this way, merchants who continue operating on unsupported versions of Magento risk violating the PCI DSS.
Consequences & Penalties
Below are some ways in which a business may experience the negative results of failing to meet PCI requirements:
Monthly Penalties
When a merchant experiences a data breach, the payment brand/credit provider (the main five being MasterCard, VISA, Discover, AmEx, and JCB) will contact the merchant acquiring bank—the one that processes the credit card transactions—and assess how well the bank has tracked the merchant’s PCI compliance. If the credit provider determines that the merchant was noncompliant at the time of the breach, they may fine the bank in addition to any penalties related to the breach. These fines and penalties are typically passed onto the merchant.
Depending upon the size of the business (volume of clients and transactions), duration and severity of noncompliance, and other factors, fines can range from $5,000 to $100,000 per month. These fines may be assessed monthly, and they may rise over time until compliance is achieved. If compliance is not achieved, the credit provider may eventually revoke the merchant’s ability to accept their credit cards.
The following table outlines a noncompliance fines structure which may apply to most payment processors and banks:
| One to Three Months in Noncompliance | Four to Six Months in Noncompliance | Seven Months and Upward in Noncompliance |
| $10,000 a month for high-volume clients/$5,000 a month for low-volume clients | $50,000 a month for high-volume clients/$25,000 a month for low-volume clients | $100,000 a month for high-volume clients/$50,000 a month for low-volume clients |
Potential Liabilities for Infringement
There is a common misconception that PCI compliance guarantees security—it does not. Successfully meeting the requirements of a single PCI assessment only validates that an organization meets the requirements at that time. Even companies which are PCI-DSS compliant can suffer a data breach. If a breach occurs in which cardholder data is compromised, merchants may expect the following penalties:
- Fines between $50 and $90 per compromised card holder
- Termination of the relationship by the bank/payment processor
- Negative impact on the company’s reputation
- Loss of customer trust due to the lack of security
Legal Action
Class-action lawsuits and other litigation are not uncommon when cardholder information has been compromised. Often there are high costs associated with legal counsel, settlements and judgments.
Credit Monitoring Costs
Companies that suffer a breach involving cardholder data typically compensate their customers with credit monitoring or identity theft insurance.
Lost Customers, Diminished Sales & Revenue
Notifying customers of a breach can cause irreversible damage to a company’s reputation. Affected customers are more likely to avoid merchants who they deem untrustworthy, and are more likely to seek alternative buying options with competitors. If the breach is widely publicized, merchants may also struggle with converting new customers.
Future Costs of Compliance
Each PCI card brand maintains its own program for compliance, validation levels, and enforcement. The highest level of compliance responsibility—Level 1—has the most stringent requirements and therefore cost. Level 1 responsibility is usually determined by the number of credit card transactions taken by the merchant. However, Level 1 responsibility may also be assigned to a merchant at the discretion of the credit provider if it is determined necessary to minimize the credit provider’s risk. As with MasterCard’s validation levels, Level 1 compliance validation requirements are assigned to merchants which have “suffered a hack or an attack that resulted in an Account Data Compromise (ADC) Event.”
Looking to Migrate?
Our team has over 10 years of experience doing platform migrations. We have it down to a science. Let us be your guide for your next replatforming project.
Do Not Wait!
The costs of violating PCI compliance can be catastrophic for a business, particularly small businesses that don’t have the resources to remediate a breach. For this reason, it is incredibly important for all merchants to keep their systems up-to-date in order to maintain PCI compliance.
Realistically, there are not enough qualified agencies to upgrade the 180,000 Magento 1 websites globally within the next 12 months. If you’re a merchant on Magento 1, don’t wait. Contact us today to ensure that your business remains PCI compliant.
