What is happening
As part of Adobe’s announced end-of-life software support plan for Magento 1, Adobe no longer provides security patches for Magento 1, effective June 30, 2020.
Stripe remains committed to enabling you to securely use Stripe’s products within Magento 1. To that end, we encourage you to install our official Magento 1 module, which uses Stripe.js and Elements to simplify PCI compliance for your site. Stripe continues to release bug fixes and security updates for the Stripe Magento 1 module to ensure this solution follows Payment Card Industry Data Security Standards (PCI DSS).
PCI DSS requires that you maintain the security of all your e-commerce systems and applications. Following its end of life, Adobe no longer issues security patches for Magento 1. Therefore, to remain on Magento 1 and stay in compliance, you must implement “compensating controls” by obtaining security patches from another provider. Failure to implement compensating controls after the Magento 1 end of life can put your business out of PCI DSS compliance. This raises the potential for non-compliance fines by the card networks, and can make you vulnerable to attackers, putting your customer data at risk.
How to remain compliant with PCI DSS on Magento 1
If you’re currently using Magento 1, you must take one of the following actions to maintain your business’s PCI DSS compliance after June 30, 2020. During your annual PCI verification, your PCI Qualified Security Assessor (QSA) must validate your Magento 1 compensating control and document the results in your Attestation of Compliance (AOC). You must provide this AOC to Stripe on an annual basis to demonstrate your compliance with PCI. If you don’t host your site with one of the secure providers below, you must provide additional certification of your compensating controls by a QSA.
Use a Magento 1 managed hosting provider
The managed hosting providers listed below offer solutions that allow you to meet your PCI obligations after the Magento 1 end of life. These PCI DSS Level 1 Certified providers can help you implement compensating controls to mitigate the risks associated with the Magento 1 end of life.
The options below are a selection of the Magento 1 alternatives that may work for you.
- Nexcess Magento 1 Safe Harbor is a paid service provided by hosting company Nexcess. They provide security and technology upgrades as part of their hosting subscription for an additional fee.
- WebScale works closely with the Magento Association to have partners deliver patches and security fixes. Their support comes with a WAF installed via a CNAME change, which supports most known CDNs and Varnish solutions. Their solution allows merchants and developers to manage IP pings and traffic requests to create heuristic blocks and see real-time traffic analytics.
Migrate to Magento 2
If you decide that migrating to Magento 2 is the best option and need development support for your migration, Stripe has verified Magento Experts who can help you. These verified partners are experts in both Stripe and Magento, and you can engage their services to help migrate your system to Magento 2.
Migrate to another e-commerce provider
Stripe is available on all major e-commerce platforms. If you’re evaluating other e-commerce platforms outside of Magento, consult Stripe’s e-commerce partner directory to find verified, prebuilt e-commerce solutions. We partner with many e-commerce platforms to help you create the ideal shopping experience, from website to checkout optimization, with no coding required.