Visa Warns E-Commerce Merchants Using Older Versions of Magento To Upgrade Quickly
Visa Inc. is urging e-commerce merchants still using Adobe Inc.’s Magento 1 platform to upgrade to the newer Magento Commerce 2.3 because Magento will stop supporting Magento 1 at the end of June. Merchants continuing to use the older platform will fall out of compliance with the Payment Card Industry data-security standard, Visa said.
Magento, which provides content management and other services in addition to payments, is one of the most popular platforms for e-commerce sites, though the exact number still using the soon-to-be-sunsetted versions was not immediately available. A spokesperson for San Jose, Calif.-based Adobe could not be reached Monday morning. Citing the BuiltWith online usage statistics service, the BleepingComputer tech news service claims there are about 179,000 live Magento installations, but only 53,000 use editions of Version 2.
Magento introduced Magento 2 in November 2015 and originally set November 2018 as the sunset date for Magento 1. Under the Magento 1 umbrella are Magento Commerce 1, formerly known as Enterprise Edition, and Magento Open Source, formerly known as Community Edition.
Adobe acquired Magento in 2018 for $1.64 billion. In September of that year Magento postponed the sunset date to June 2020 because of concerns that merchants didn’t have enough time to upgrade by the original date.
The coming sunset means security flaws and other bugs discovered in Magento 1 no longer will be patched. “Given the absence of security patches after the revised cut-off date, any sites that have failed to migrate will be vulnerable to security breaches and pose an increased risk to the security of payment card data,” says a notice Visa issued this month for merchant acquirers.
Requirement 6 of the PCI DSS says all card-accepting merchants must keep their systems up to date with vendor-supplied security patches for known vulnerabilities. Failure to do so exposes the acquirer, and ultimately the merchant, to financial liability in the event of a data breach.
Besides the increased security risks, Visa also said that merchants continuing to use Magento 1 might see their e-commerce sites degrade and become unstable, the functionality of software extensions or plug-ins could break or become unavailable, and that over time Magento developers will only be familiar with Magento 2.
But many merchants might find transitioning to Version 2.3 to be a complicated task. “Merchants considering the transition to Magento 2.3 should view this as more than just a simple ‘version upgrade’ or ‘migration,’” the Visa notice says. “Effectively, Magento 2.3 is an entirely new platform with substantial framework differences from Magento 1.”