PCI compliant or not – about Magento 1 and the payment question after June 2020

PCI compliance has always been an abstract topic – until now. One that you felt you had nothing to do with as a merchant. This is what the credit card provider takes care of. You only have a shop. And all the credit card stuff runs in an iFrame. 

Yeah. It seems like this is not the case?

Visa issued a statement this week that Magento 1 shops will no longer be PCI compliant after July 2020. Because…

PCI DSS Requirements 6.1 and 6.2 address the need to keep systems up to date with vendor-supplied security patches to protect systems from known vulnerabilities.

The question directly related to that: 

What exactly is a “vendor” of open source? 

There are basically two possibilities.

a) Vendor is the original manufacturer of the software, i.e. Magento Inc. – now probably Adobe. 

b) Vendor is a commercial and professional provider of patches. Then Mage One would clearly be a suitable vendor. 

If b): maybe Visa didn’t know about Mage One when they issued the statement.

If a): but what if the vendor is no longer a vendor? Is “kill the shops” really the only possibility in this scenario?

So: what exactly is the point?

Is it about connecting secure shops to a payment system and having criteria that guarantee this security? Then any number of hosters with their security measures, in combination with Mage One, would be quite sufficient. This is called a compensating control. It means that even if you can’t comply with a rule of the PCI rule book, you can replace it with other countermeasures that tackle the underlying problem (check with your QSA about this).

Definitely more sufficient than the many unpatched shops out there that are considered PCI compliant because they would – theoretically – receive patches from the original vendor (even if they never install them). 

Or is it about telling shop owners, with only two months’ notice, that they will no longer be allowed to offer credit card payment in two months, and that the only option should be a relaunch, which is both expensive and not possible in this short amount of time?

So in our opinion we sufficiently support PCI compliance. Therefore we would like to know whether and to what extent this opinion is shared, and would be happy about a statement on this. 

Our attempts to contact VISA on this issue have failed. Neither direct contact nor contact via large agencies and well-known payment service providers were successful. However, we are always available to VISA for a constructive discussion if you would like to stand up for more security in payment transactions with merchants.