Ecommerce Retailers: It’s Time to Update to Magento v2.3
July 7, 2020
Contributed by David Mundhenk, Principal Security Consultant at Herjavec Group
As of June 30, 2020, Magento, an eCommerce software vendor, is ending support for its flagship product Magento v1.0, which includes both Magento Commerce 1 (formerly known as Enterprise Edition) and Magento Open Source 1 (formerly known as Community Edition). With this change, eCommerce retailers around the world may begin to fall out of compliance with PCI DSS and become more vulnerable to a security incident.
Approximately 230,000 eCommerce websites are currently built on the Magento platform. As a result of the shift to Magento v2.3, eCommerce vendors have been forced to re-architect their websites, which can come at a great cost and have a negative impact on business operations. However, many retailers have yet to upgrade to the new platform.
In fact, VISA released an Acquirer Advisory in April 2020 in which it detailed the consequences of not migrating, beyond falling out of compliance, such as:
- Without upgrades or security patches, merchants’ eCommerce sites may degrade and become unstable
- Extension or plug-in functionality may break or become unavailable
- Support from Magento developers for Magento v1.0 will diminish over time
- eCommerce sites will be more exposed to security risks, with an increased likelihood of an account data compromise due to the lack of security upgrades
A majority of eCommerce retailers accept some sort of payment card for processing payment transactions (credit, debit, etc.), and per major payment card brand and PCI DSS requirements, they must only implement components that are supported by their respective vendors. Vendors who fully support their products regularly issue critical security patches and bug fixes as security vulnerabilities are discovered.
The PCI DSS clearly states:
“6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.”
In the absence of such critical vendor support, many retailers are attempting to find a compliance ‘loophole’ to argue their way around their PCI obligations while employing unsupported technologies, including software. Magento v1.0 is a prime example of this.
Not surprisingly, many third-party vendors are claiming that they can provide the necessary patch support for Magento v1.0, often in the form of various ‘compensating controls’. Compensating controls come in the form of either a “legitimate workaround for a security challenge [or] an attempted shortcut to compliance”.
However, the bar for the use of compensating controls in lieu of meeting PCI DSS requirements is very high. In fact, according to CSO Online, “every compensating control must meet four criteria before it can be considered for validity.”
The four items that every compensating control must do are:
- Meet the intent and rigor of the original PCI DSS requirement,
- Provide a similar level of defense as the original PCI DSS requirement,
- Be “above and beyond” other PCI DSS requirements, and
- Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement.
Therefore, while compensating controls may seem like an attractive option for retailers who don’t want to upgrade to Magento v2.3, compensating controls implemented in this case may not be sufficiently effective, or even PCI DSS compliant. They may also end up being more expensive than addressing the original compliance requirements, and PCI Qualified Security Assessors (QSAs) will evaluate such claims with a great deal of scrutiny.
Given the potential security risks associated with not migrating to Magento v2.3, Herjavec Group strongly recommends that all eCommerce vendors prepare for a successful transition to Magento v2.3 from v1.0.
As a QSA firm, Herjavec Group supports the requirements outlined in the aforementioned VISA Advisory.
On July 28th, David Mundhenk and the rest of the PCI Dream Team will be delivering a webinar on PCI DSS requirements 6.1 and 6.2 and answering the toughest questions on dealing with in-scope applications that may no longer be supported by the vendor. Register for the webinar here.
To learn more about how Herjavec Group can support your organization’s PCI Compliance requirements, please connect with a security specialist here.