Magento 1 e-commerce websites are easy malware targets and among the biggest potential liabilities in any payment provider’s portfolio—and the threat is about to get worse.
What is happening?
Effective June 30, 2020, Adobe Magento will end support for the Magento Commerce 1 platform. Magento 1 websites will no longer receive vendor-supplied security patches. Visa will no longer consider websites on Magento 1 as PCI DSS compliant, holding merchants (and payment providers) fully liable in case of a payment-card data breach.
The Magento 1 Threat
A single card-harvesting malware breach can put merchants and their payment providers at risk for huge fines and assessments. Merchants that remain on the Magento 1 platform dramatically increase this risk.
The Magento 1 platform is already a hot target for criminals:
- 65% of hacked sites found around the world in April were on Magento 1
- 92% of all Magento 1 sites monitored are in the “High Risk” category
“High Risk” means that they could be missing critical security patches, have an insecure website setup, or may already have malware on their site (not only card-harvesting malware but also, for example, crypto miners). Generally, a reasonably skilled attacker can break into a high-risk site in only half an hour!
When Magento 1 support ends, many (if not most) merchants will remain on the platform until they can properly migrate. Every day that merchants remain on the unsupported platform, the very real risk of a data breach increases.
Even the 8% of Magento 1 e-commerce sites that are currently secure will no longer be PCI DSS compliant after June 30, exposing themselves and their payment providers to costly breaches.
Who is liable?
Ultimately, the payment provider.
Roughly 60% of all small to medium businesses that experience a breach close within six months. When failed merchants don’t pay their liabilities—including card brand fines—acquirers and processors are left to foot the bill.
What can payment providers do?
First, as part of actively managing your merchant portfolio, find out which of your customers are on the Magento 1 platform. Since nearly all Magento 1 websites are at high risk of being hacked, this could be the single most important thing you can do to understand threats in your e-commerce portfolio.
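One way to carry out that inventory step is to fingerprint each merchant's captured storefront response for Magento 1 versus Magento 2 artefacts. The following is an added example and not code from the original page or from any vendor; the marker paths, cookie names, hostnames and sample markup are assumptions constructed for illustration, and a real run would feed it crawled responses instead.

```python
import re
from typing import Dict, List, Tuple

# Fingerprint heuristics for telling a Magento 1 storefront from Magento 2 or
# a non-Magento site. The markers are well-known platform artefacts, assumed
# here for illustration; they are not taken from the original page.
M1_MARKERS = [
    r"/skin/frontend/",              # Magento 1 theme asset directory
    r"/js/mage/",                    # Magento 1 core JavaScript directory
    r"/js/prototype/prototype\.js",  # Prototype.js shipped with Magento 1
    r"Mage\.Cookies",                # Magento 1 cookie helper object
]
M2_MARKERS = [
    r"/static/version\d+/",          # Magento 2 versioned static assets
    r"/static/frontend/",            # Magento 2 theme path without versioning
    r"mage/requirejs/",              # Magento 2 RequireJS bootstrap
]
M1_COOKIE = "frontend"                                # Magento 1 session cookie
M2_COOKIES = {"mage-cache-sessid", "X-Magento-Vary"}  # Magento 2 cookie names

def classify(html: str, cookies: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (platform, evidence); platform is magento1, magento2 or unknown."""
    m1 = [p for p in M1_MARKERS if re.search(p, html)]
    m2 = [p for p in M2_MARKERS if re.search(p, html)]
    m2 += ["cookie:" + c for c in sorted(M2_COOKIES & cookies.keys())]
    if M1_COOKIE in cookies and not m2:  # only count it absent Magento 2 signs
        m1.append("cookie:" + M1_COOKIE)
    if len(m1) > len(m2):
        return "magento1", m1
    return ("magento2", m2) if m2 else ("unknown", [])

def magento1_merchants(portfolio: Dict[str, tuple]) -> List[str]:
    """Merchants whose captured storefront response looks like Magento 1."""
    return sorted(host for host, (html, cookies) in portfolio.items()
                  if classify(html, cookies)[0] == "magento1")

# Constructed sample responses standing in for crawled merchant storefronts;
# hostnames, markup and cookie values are made up for this example.
PORTFOLIO = {
    "shop-a.example": ('<script src="/js/prototype/prototype.js"></script>'
                       '<link href="/skin/frontend/base/default/css/styles.css">',
                       {"frontend": "s1"}),
    "shop-b.example": ('<script src="/static/version1590000000/frontend/Magento/'
                       'luma/en_US/mage/requirejs/static.js"></script>',
                       {"mage-cache-sessid": "true", "form_key": "k"}),
    "shop-c.example": ("<html><body><p>Not a Magento store</p></body></html>", {}),
}
```

Treat the verdict as a triage signal, not proof: a merchant that has rewritten asset paths or sits behind a CDN can score as unknown and still be on Magento 1.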
Next, take a proactive role in educating your Magento 1 merchants about how to reduce their risk (and yours).
- Migrate — Migration to Magento Commerce 2 or another e-commerce platform is an obvious solution, but it’s also a major process. Merchants looking to protect their hard-earned SEO are unlikely to rush migration. By educating merchants about the risks associated with card-harvesting malware and other threats, you encourage your merchants to make migration an urgent priority.
- Secure — Most Magento 1 merchants have zero proactive security in place to protect their online businesses. Help them understand the need for basic and advanced security measures—ideally, a comprehensive, actively managed security system, including (at minimum) a web application firewall (WAF).
- Insure — Security does not completely eliminate risk, so make it mandatory for these merchants to buy an appropriate insurance policy from an insurance broker who understands the problem.
Time is of the essence! The Magento 1 EOL deadline is closing fast. In the meantime, most of these websites are already out of PCI DSS compliance. If a semi-skilled criminal turns their focus to a Magento 1 site in your portfolio, the card-harvesting-related fines could be crippling. Act now!
Join us for “Magento 1 EOL: A Ticking Time Bomb for Payment Providers.” This highly targeted, 20-minute micro-webinar will cover:
- The latest intelligence on Magento 1-related e-commerce threats
- How to detect hacked and at-risk Magento 1 websites in your merchant portfolio
- A concrete action plan for mitigating risk related to the Magento 1 EOL