On June 28th, 2019, Authorize.net will discontinue sending MD5 Hash data elements in their API response.
This will have a direct impact on Magento sites currently using the Direct Post Method (DPM) as orders using this payment method after June 28th won’t work. Merchants will need to switch over to the SHA-512 based hash which uses a Signature Key.
What Do I Need To Update On My Magento Site?
If you are currently using Authorize.net’s Direct Post as a payment method or plan to in the future, there are two options you can consider to ensure it will process payments properly on your Magento instance:
- Apply the patch from Magento.
Magento has recently released a patch for Commerce and Open Source editions on March 5th. Merchants will need to apply the patch and apply for a new signature key with Authorize.net for implementation.
- Use an extension such as Authorize.net CIM
Third party extensions such as Authorize.net CIM from ParadoxLabs can also be a solution to this update.
If you need help with installation and configuration for either of these options Forix can help.
What Are Hashing Algorithms Used for in eCommerce?
Websites use hashing algorithms to protect sensitive data from attacks and breaches by hackers. A hash function transforms input data of any length into a fixed-length, scrambled representation of the original information, usually handled as a string. Hashing has several useful purposes online. In eCommerce, for example, merchants and buyers alike rely on hashing to protect passwords and other personal information, so that a user’s data is not exposed to intrusion. It also protects the businesses at risk, particularly smaller stores, which tend to have more vulnerabilities than large corporations.
What Is MD5 Hash?
The MD5 Hash is a one-way cryptographic function that eCommerce merchants use to authenticate transactions, particularly responses from sites such as Authorize.net. MD5 turns a transaction message of any length into a fixed-length digest that is unreadable but unique to that specific transaction. The receiving script, which also uses MD5, takes the transaction message as input and computes its own fixed-length MD5 Hash as output. If the hash received with the message matches the hash the script computes, the transaction message is verified as coming from Authorize.net and treated as authentic.
MD5 was originally used for authenticating digital signatures. However, researchers later declared it no longer reliable, since they were able to reproduce the same hash from different inputs using ordinary commercial computers. This discovery compromised the algorithm’s ability to create hashes that most had considered impossible for attackers to replicate. These days, the algorithm has found other uses, such as a non-cryptographic checksum that verifies the integrity of data and detects data corruption.
Today, the MD5 Hash falls short of required encryption and security standards, and SHA-512 is considered the superior option.
Authorize.net MD5 Hash End of Life
Payment service provider Authorize.net is phasing out MD5 as a transaction verification function in favor of the SHA-512 based hash, which uses a Signature Key, a feature that allows merchants to upgrade the security of integrations such as Server Integration Method (SIM) and Direct Post Method (DPM). Authorize.net is handling the end of life for MD5 in two major phases.
In the first phase, Authorize.net removed merchants’ ability to modify the legacy algorithm’s settings in the Merchant Interface on February 11, 2019, meaning merchants can no longer configure or update the MD5 Hash setting. Authorize.net has already emailed the affected merchants who had this setting configured. In the second phase, the company will stop sending the old hash data element in the API response; merchants who want to continue verifying their transactions via hash will need applications that support the SHA-512 hash. As part of this phase, the company will update the sandbox on March 7, 2019, so that the MD5 Hash value stops populating; the field will remain present in the response, but empty. Finally, on June 28th, Authorize.net will update production to stop populating the MD5 Hash value. The field will stay present, but empty.
A transaction response from Authorize.net now includes a SHA-2 hash element; its name and position depend on the API integration used. The company generates an HMAC-SHA-512 hash for the transaction and returns it in the SHA-2 hash field, and the merchant can use this hash to verify that the transaction response came from Authorize.net. Unlike the previous MD5 method, this verification step is optional, since the Signature Key fulfills a similar verification function. Merchants can generate and configure their own Signature Key in the Merchant Interface to enhance the security of SIM and DPM integrations, receive Webhooks notifications, and use other features.
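As an added illustration (not code from Forix, Magento or Authorize.net), here is the check a receiving script performs under the old MD5 scheme and the new Signature Key scheme described above, in Python. The field names transId and transHashSha2, the concatenation layouts, and the sample credentials are assumptions for illustration; confirm the exact layout for your integration against Authorize.net’s documentation.

```python
import hashlib
import hmac

# Constructed sample credentials for this example only (not real values).
API_LOGIN_ID = "demo_login"
LEGACY_MD5_SECRET = "demo-md5-secret"          # the old "MD5 Hash" value from the Merchant Interface
SIGNATURE_KEY_HEX = "0123456789abcdef" * 8     # placeholder for the 128-hex-char Signature Key


def legacy_md5_hash(md5_secret, login_id, trans_id, amount):
    """Legacy scheme: a plain (unkeyed) MD5 over the secret and transaction fields.
    The field order is assumed for illustration."""
    data = f"{md5_secret}{login_id}{trans_id}{amount}".encode()
    return hashlib.md5(data).hexdigest().upper()


def sha512_transaction_hash(signature_key_hex, login_id, trans_id, amount):
    """New scheme: HMAC-SHA-512 keyed with the hex-decoded Signature Key.
    The '^'-delimited field layout is an assumption to check against the docs."""
    key = bytes.fromhex(signature_key_hex)
    data = f"^{login_id}^{trans_id}^{amount}^".encode()
    return hmac.new(key, data, hashlib.sha512).hexdigest().upper()


def verify_response(response, signature_key_hex, login_id):
    """Return True only if the response carries a SHA-2 hash matching our own."""
    received = response.get("transHashSha2", "")
    if not received:
        # After the cutover the MD5 field stays present but empty; an empty
        # SHA-2 field likewise means the response cannot be authenticated.
        return False
    expected = sha512_transaction_hash(signature_key_hex, login_id,
                                       response["transId"], response["amount"])
    # Constant-time comparison so the check does not leak through timing.
    return hmac.compare_digest(received.upper(), expected)


def sample_response(trans_id="60012345678", amount="49.99", tampered=False):
    """Constructed response as the gateway would sign it; optionally altered in transit."""
    resp = {"transId": trans_id, "amount": amount, "transHash": "",
            "transHashSha2": sha512_transaction_hash(SIGNATURE_KEY_HEX, API_LOGIN_ID,
                                                     trans_id, amount)}
    if tampered:
        resp["amount"] = "0.99"   # amount changed after the gateway signed it
    return resp
```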
This update has affected many Magento websites and their transaction activity. If you require any help in the transition from MD5 to the SHA-512 Signature Key replacement, or if you have any other questions about this change for your Magento website, contact Forix so we can help.