To recap some of the risks of not completing the Magento 1 -> Magento 2 upgrade:
Magento 1 End of Life (EOL)
Magento 1 was EOL (end-of-life) in June 2020. This means that Magento no longer officially supports the platform, and they issued the very last security patch on June 22, 2020. Since then, there have been multiple Magento websites hacked, ransom-wared, and otherwise exploited by criminals who are all too aware of the vulnerability of Magento 1 sites that remain in the wild. Please read Online store hacked in largest campaign to date for evidence of this occurring already.
Magento 1 is no longer PCI-Compliant
Magento 1 is no longer PCI compliant. This means that if the site is breached / exploited, significant fines can result. Global PCI DSS standards require each entity to “develop and maintain secure systems and applications by installing applicable vendor-supplied security patches.” Currently, your Magento instance is out of compliance with Payment Card Industry Data Security Standards (PCI DSS). Your payment processors and merchant banks may view your Magento instance as no longer being secure and consequently non-compliant.
Here are a few announcements from major payment processors related to Magento 1 end-of-life and PCI compliance:
PayPal Magento 1 End of Life Announcement
Visa – Acquirer Advisory – Urgent Action Required – Magento 1 support to end after June 2020
Magento 1 Ransomware
Ransomware is a form of malware that can keep you from accessing your own data. Malicious users hold your data “hostage” and charge a ransom. They claim if you pay it, they’ll give you your data back. Sometimes they do — and sometimes not. Either way, it’s an expensive problem to mitigate. If new vulnerabilities are discovered in M1 that make ransomware attacks possible, this site is definitely at risk.
Magento 1 Extensions also at risk
Not only Magento 1 core, but Magento 1 extensions are at risk. With the EOL, Magento 1 extensions are being updated rarely, if at all. This provides another vector for criminals to exploit the website.
This is not a complete list, but some of the more prominent risks of continuing with a Magento 1 site. Completing the Magento 2 upgrade is of urgent and high importance.
Thank you – please do ask any clarifying questions.