Thousands of online shops are running this popular, but obsolete, e-commerce software


Thousands of online businesses could be at risk of cyberattack due to running an insecure version of a popular e-commerce software.

Magento 1 reached its end of life (EOL) on June 30, 2020, meaning merchants still running it no longer receive security patches for their sales systems, experts have warned.

The lack of patches could leave large numbers of online retailers exposed to attack while also rendering them non-compliant with PCI DSS, said e-commerce consultants Sonassi, which has called on payment processors to provide more clarity on what level of support remains now that Magento 1 has reached EOL.

“In the run up to EOL for Magento 1, many sought clarity from payment processors such as Visa, on how they would support merchants past the end date, and ultimately when they would stop taking payments from those on Magento 1,” stated James Allen-Lewis, Development Director at Sonassi.

"Visa were very bullish in their initial statement, stating customers on Magento 1 needed to migrate across to Magento 2 immediately, in order to remain PCI compliant.”

PCI compliance

However, with the EOL date having come and gone, merchants are being left increasingly at risk because of the ongoing lack of support. Adding to the seriousness of the situation is the question of compliance with the Payment Card Industry Data Security Standard (PCI DSS), which any merchant that stores, processes or transmits cardholder data must maintain. PCI DSS requires that vendor security patches for critical vulnerabilities be installed within a month of release, a requirement that cannot be met once the vendor has stopped issuing them.

“Understandably, the fallout from the pandemic has meant many merchants are yet to migrate,” adds Allen-Lewis. “Any major platform migration is hard for any business – this is made all the more challenging against a backdrop of tightened budgets and reduced resources.

“We have seen examples of companies such as Mage One offering to provide security patches for merchants during any interim period. But as Visa are yet to respond to this offer of support, the concern for merchants is whether these patches will be recognised. Arguably, this just muddies the water further.”

Allen-Lewis continues, “In the event a merchant is hacked, and they are deemed non-compliant with PCI, potential fines can range from tens to hundreds of thousands of pounds. If they are unable to take the costs of the fines, it’s their bank, which will be forced to pick up the bill. Because of this, it’s in everyone’s interest that clarity is brought to the situation.

“Some payment providers have said they will no longer support merchants still on Magento 1, past EOL. Others have stated customers need to switch to Magento 2, but have not offered any reassurances that those taking steps to migrate would still be covered. While it’s of critical importance companies are taking steps to migrate, we do recognise that now, more than ever, retailers need support.”

“Any additional costs to retailers are unwelcome in the current climate and for many the costs associated with remaining on a Magento 1 platform could represent the difference between success and failure.”

Rob Clymo

Rob Clymo has been a tech journalist for more years than he can actually remember, having started out in the wacky world of print magazines before discovering the power of the internet. Since he's been all-digital he has run the Innovation channel during a few years at Microsoft as well as turning out regular news, reviews, features and other content for the likes of TechRadar, TechRadar Pro, Tom's Guide, Fit&Well, Gizmodo, Shortlist, Automotive Interiors World, Automotive Testing Technology International, Future of Transportation and Electric & Hybrid Vehicle Technology International. In the rare moments he's not working he's usually out and about on one of numerous e-bikes in his collection.