What is happening
As part of Adobe's announced end-of-life plan for Magento 1, Adobe will no longer provide security patches for Magento 1 after June 30, 2020.
Stripe remains committed to enabling users to securely use Stripe's products within Magento 1. To that end, we encourage you to install our official Magento 1 module, which uses Stripe.js and Elements so that card data is collected in Stripe-hosted fields and never touches your server, simplifying your site's PCI compliance. Stripe will continue to release bug fixes and security updates for the Stripe Magento 1 module to ensure this solution follows the Payment Card Industry Data Security Standard (PCI DSS).
PCI DSS requires that you maintain the security of all your e-commerce systems and applications, including installing vendor-supplied security patches for known vulnerabilities in a timely manner (Requirement 6 in PCI DSS v3.2.1). After the end of life, Adobe will no longer issue security patches for Magento 1, so that requirement can no longer be met as written. To remain on Magento 1 and stay in compliance, you must obtain security patches from another provider and have that arrangement documented as a "compensating control". Compensating controls can be considered in cases when a user can't meet an individual PCI DSS requirement as explicitly stated; they must be documented, validated by your assessor, and shown to mitigate the same risk. In this case, failure to implement compensating controls after the Magento 1 end of life will put your business out of PCI DSS compliance. This raises the potential for non-compliance fines by the credit card networks, and any unpatched vulnerabilities on your website could be targeted by an attacker, putting your customers' data at risk.
How to remain compliant with PCI DSS on Magento 1
If you're currently using Magento 1, you must take one of the following actions to maintain your business's PCI DSS compliance after June 30, 2020. If you fail to take the appropriate action, you can face fines from the card networks for non-compliance with PCI DSS, and potentially significant fines if you suffer a data breach as a result of non-compliance. During your annual PCI validation, your PCI Qualified Security Assessor (QSA) must validate your Magento 1 compensating control and document the results in your Attestation of Compliance (AOC). You must provide this AOC to Stripe annually to demonstrate your PCI compliance. If you don't host your Magento 1 site with one of the providers listed below, you'll be required to provide additional certification of your Magento 1 compensating controls by a QSA.
Use a Magento 1 managed hosting provider
The managed hosting providers listed below offer solutions that will allow you to meet your PCI obligations after the Magento 1 end of life. These providers are PCI DSS Level 1 certified and will help you implement compensating controls that can mitigate the risks associated with the Magento 1 end of life.
The options below are a selection of Magento 1 managed hosting providers that may work for you.
- Nexcess Magento 1 Safe Harbor is a paid service provided by hosting company Nexcess. Security patches and technology upgrades are offered as a paid add-on to their hosting subscription.
- WebScale works with the Magento Association and its partners to deliver patches and security fixes. Their support includes a WAF deployed by pointing your storefront hostname at WebScale via a DNS CNAME change, which is compatible with most known CDNs and Varnish setups. Their solution allows merchants and developers to review requests by source IP and traffic pattern, create heuristic blocking rules, and see real-time traffic analytics. Note that a CNAME-fronted WAF only protects traffic that passes through it: restrict your origin servers so they accept connections only from the WAF, otherwise an attacker who discovers the origin IP address can bypass the WAF entirely.
Migrate to Magento 2
If you decide that migrating to Magento 2 is the best option and need development support for your migration, Stripe has verified Magento Experts who can help you. These verified partners are experienced with both Stripe and Magento, and you can engage their services to help replatform your store to Magento 2.
Replatform to another e-commerce provider
Stripe is supported by all major e-commerce platforms. If you're evaluating e-commerce platforms outside of Magento, consult Stripe's e-commerce partner directory to find verified, pre-built e-commerce solutions to help you accept payments in your store. We partner with many e-commerce platforms to help you create the ideal shopping experience, from website to checkout optimization, with no coding required.