Up, Up & Away

A common question I see related to Magento 1 reaching End of Life is whether a store that stays on M1 will automatically fail PCI compliance. I’m not a PCI expert, and don't take any of this as official guidance, but generally the answer is, it depends. Security issues within the Magento world are unacceptably high. The credit agencies that officially look at PCI compliance are undoubtedly aware of that problem. At the end of the day, though, with hundreds of thousands of stores on M1, if it’s passed EOL but the rate of hacks is acceptable, I believe they will continue to accept that business. One of the simplest ways to approach this is to keep the software out of scope for PCI compliance by handling payment processing through a third party. (Honestly you should probably be doing that anyway in most cases, even if you are on an officially supported version of Magento.) Even in-scope software that’s past EOL can be supported. Other parties such as Nexcess can provide official support for M1. To st