I would assume its because they (Miva) can't tell if the dev site has sensitive data (from being a copy of the live site) or is a brand new clean site with no sensitive data.

Yep. It is a copy of a live site. Do you suppose that's the reason for the charge?

Several reasons.

First and foremost, security of both data and the production site. Development sites are often clones of live sites and then flip back and forth, so, as Bruce suggested, they do often contain data that is as sensitive, or even identical, to the primary site, including orders and payment data. With them often being clones, this also means any users in the live site would have the same password in the dev site, and if one has security measures to better protect those accounts, like two factor, but the other doesn't, then the one which doesn't gives an attacker something to work on with lower likelihood of detection.

A second aspect is that the way dev sites are normally set up, they exist on their respective servers under the same user accounts. If an attacker were to access a dev site successfully, they could potentially install malicious software that gives them access to the primary site. This concept is also why we strongly recommend keeping other web apps on separate independent hosting plans (whether subdomain or different domain); wordpress, for example, really shouldn't be on the same site with a payment application.

Next, support. It is very costly to have staff trained on versions of Miva Merchant that can span 15 years or more; as hard as it is to believe, we actually do have some customers running versions 2, 3 and 4 released in the early to mid 2000's.

Makes sense David. Thanks.

I agree with everything David said, but its also a fee generator for miva. You would think, instead of sending you bill after the fact. (I have paid several of these fees, with 4 miva sites with 2 devs each, its very easy to forget one) Think about it, security updates you have 30 days, regular updates I think you have 90 days to remain PCI compliant. They could develop and email warning system to remind the admin that one of the devs are soon to be out of date, for example, "you have 10 days to update or face a $50 penalty fee. If one fails to update then. Then invoice the $50 penalty. We all know, that sometimes on a dev you want to hold off on any changes during a development item, even if you update the live site. Let face it with all our busy schedules, its easy to forget. A reminder before the actual penalty would be nice. Think about it, security updates you have 30 days to update, regular updates you have 90 days, to remain PCI compliant.

Here is another way, In the miva admin for the live domain, why not add information about the devs. One admin, to at least monitor versions numbers.

It's definitely not a fee generator if you factor in all the operational expense associated with NCF's. In fact, once auto updating is available, it should go away completely for anyone who is not intentionally running an ancient version of Merchant. Development time isn't being put into improving the current system because we hope to eliminate it entirely with auto updating.

Kevin,

I certainly understand your perspective on this. I can tell you when we initially did it, the systems to be able to email people (having the right email on file, etc...) were so nascent and of poor data quality that we decided to just be liberal with refunds as long as people upgrade quickly since we felt the emails at that time would've been ineffective.

As David pointed out, it's not a net positive fee generator for us, this is not our version of a bank overdraft fee. Our revenue from NCF/EOL's is not a material amount and would be nothing more than a blip if they went away entirely and it doesn't fully offset the support costs by having people running out of date software.

While it's had the desired effect of keeping people up to date and that's a good thing (compared to say Magento, which has roughly 8%+ of its stores currently infected with card stealing malware and I can only imagine what the rate would be on Woo Commerce, we've seen only a handful of cases of similar attacks in our world and no systemic attack vector other than weak passwords and people not using 2FA), I also know it's been a sub-par customer experience.

Since I don't like having sub-par customer experiences and since people generally stay in compliance (we see a compliance rate now of near 90% of our stores versus sub 20% when we began this program), and as part of the data cleanup we had to do to make the browser authentication emails in 9.10/11 work properly, we believe we've come to a place where we can start doing emails to tell people to upgrade before being billed. If all goes to plan, starting in November, 7 days before we bill for NCF/EOL we'll send emails to suggest people upgrade.

And as David said in V10 we expect to roll out an auto-update system to more fully mitigate this issue.

Wow, both David and Rick! I guess I walked into this one. My apologies, It was not my intention to stir things up. I was being sarcastic, the $50 fee is a drop in the bucket compared to the cost of an enterprise SaaS. However some people respond to the big stick idea, while other respond better to a simple nudge. $50 is a big stick to many, and a simple communication is preferred by others that a mistake has been made and should be correct. You can guess which one I am. I have been with MIVA since 2002, and I continue to look forward to some of the new and exciting functionalities yet to come, including he ones you mentioned above. Again, my apologies. Kevin

Kevin,

No apologies needed, I think you voiced something that people think. I was just using it as a chance to provide some context. Hope all is well!