Got this today from Authorize.Net, how does this affect ECT?

Authorize.Net is phasing out the MD5 based transHash element in favor of the SHA-256 based transHashSHA2. The setting in the Merchant Interface which controls the MD5 Hash option will be removed by the end of January 2019, and the transHash element will stop returning values at a later date to be determined.

We have identified that you have this feature configured and may be relying on MD5 based transHash in transaction responses for verifying the sender is Authorize.Net.

Please contact and work with your web developer or solutions provider to verify if you are still utilizing MD5 based hash and if still needed to move to SHA-256 hash via Signature Key

David Hagood

Hi David

Let me check that with Vince for you and we'll post back if you'd like to subscribe to this thread.

Andy

Please feel free to review / rate our software

Hi David
I'll start looking into this first thing next week and will post back here when we have the changes finished.

Vince

Click Here for Shopping Cart Software
Click Here to sign up for our newsletter
Click Here for the latest updater

Good Question! ... we look forward to your post, guys!

Tim Gorski

Do you have any rough estimate as to when there will be an update? Less than 2 weeks until Authorize stops working. Thanks.

Hi Bob

We use authorize.net too so I'm sure it will be ready in plenty of time.

Andy

Please feel free to review / rate our software

This is now available in 6.9.6 and 7.0.3 https://www.ecommercetemplates.com/support/topic.asp?TOPIC_ID=111230

Andy

Please feel free to review / rate our software

Quick question I hope you can answer on this issue:

If we are using AIM, is this a problem for us? Do I need to do the update before the end of the month? Or is it only required if using SIM?

We didn't get an email from Authorize.NET for this one. At first, I thought that might be an error on their part, but perhaps we're not using this MD5 element in our AIM setup.

Does this seem correct? What should I check?

Are you folks that received the mail all using SIM?

That's right, you wouldn't be using the MD5 Hash for your AIM set up so you're fine there. I would still update if you can to get any new features / fixes though.

Andy

Please feel free to review / rate our software

Further notes:
I checked my settings in the Authorize.NET account page, and I do not have a hash value set under MD5 hash. I guess this means we're not currently using it. True?

Another question, which doesn't appear to be quite so time sensitive:
This page:
https://developer.authorize.net/api/upgrade_guide/
indicates that both AIM and SIM are deprecated, suggesting that people should move to a newer Authorize.NET API. There aren't any deadlines or end of life dates mentioned. I bring it up here to make sure it's on your radar for the future.

No, you won't be using it.

Yes that is something on our radar but there's certainly no urgency here.

Andy

Please feel free to review / rate our software

New email from Authorize net. Seems the are going to phase now.

"Phase 1 - Starting later this month to early February 2019, we will remove ability to configure or update MD5 Hash setting in the Merchant Interface. There are no changes to the existing API response.
Phase 2 - Stop sending the MD5 Hash data element in the API response. This change will require that applications support the SHA-512 hash via signature key. Dates for phase 2 will be announced later but is expected in the next 2-3 months."

The email..

Authorize.Net is phasing out the MD5 hash, an older method used by shopping carts, payment modules and plugins to verify that transaction responses are genuine and from Authorize.Net. We have identified that you have this feature configured and may be relying on this older method.

Please contact your web developer or solutions provider and confirm if you are using an MD5-based hash. If so, you should begin plans for moving to SHA-512 hash via Signature Key.

The MD5 Hash will phase out in two phases:

Phase 1 - Starting later this month to early February 2019, we will remove ability to configure or update MD5 Hash setting in the Merchant Interface. There are no changes to the existing API response.
Phase 2 - Stop sending the MD5 Hash data element in the API response. This change will require that applications support the SHA-512 hash via signature key. Dates for phase 2 will be announced later but is expected in the next 2-3 months.

Please refer to our support article: MD5 Hash End of Life & Signature Key Replacement for more details and information on this change.

Thank you for your attention to this matter and for being an Authorize.Net merchant.

Sincerely,
Authorize.Net


David Hagood

I do NOT want to screw this up so I wanted to clarify my understanding on the MD5 update with Authorize.net.

My client is using the "Payment Provider" as Auth.net AIM. The Auth.net SIM setting option is not being used on this cart.

I updated the PHP cart to v7.0.3. Do I need to do anything with the coming Authorize.net update since they are not using the Auth.net SIM as their payment provider?

My client wants to do this update thing Thursday (it's Tuesday) so I need a prompt reply. (I ALWAYS get prompt replies here but just had to throw that comment in).

Ray Cramblit

Hi Ray

You don't need to do anything - you can updated on Thursday and you don't need to make any authorize.net related changes if you are using AIM.

Andy

Please feel free to review / rate our software