Authorize.Net is shifting from MD5 to SHA-512. Patch your Magento webshop
Authorize.Net (a subsidiary of Visa Inc) is an established payment gateway service provider which you can use on your webshop to accept payments via Credit card, Electronic check payments, PayPal,
Apple Pay, and Visa Checkout.
Authorize.Net allows your customers to enter their credit card and shipping information directly and securely onto a web page and requires no subscription or registratiion from your customers. It also offers other services like fraud protection, recurring billing subscriptions and simple checkout options.
Due to Authorize.Net 's popularity, all Magento versions come pre-installed with their official extension. You just have to get a merchant account from here > configure Authorize.Net extension in Magento backend and start using their payment methods on your webshop.
One of those payment methods is Authorize.Net Direct Post. You can find this payment method at:
In Magento 1.X: Backend > System > Configuration > Sales > Payment methods > Authorize.net Direct Post
In Magento 2.X: Backend > Stores > Sales > Payment methods > Authorize.net Direct Post
Standard implementation of this Direct Post payment method in Magento uses MD5 based hash. Authorize.Net had decided to phase out the MD5 based hash use for transaction response verification and now they will use SHA-512 based hash utilizing a Signature Key.
Timeline for this change:
- On February 11, 2019, Authorize.Net removed configurations for MD5 Hash settings in their Merchant Interface. They also informed all merchants who had this setting configured.
- On March 7, 2019 their Sandbox environment stopped populating the MD5 Hash value. The field will still be there but it will be empty.
- On March 28, 2019, their production environment will stop populating the MD5 Hash value. As in sandbox, the field will still be present but it will not be populated.
For more technical details about this change, you can refer to their official post about it.
This change on Authorize.Net platform will mean that Magento merchants will not be able to process payments using Authorize.Net Direct Post payment method on their webshop anymore.
Therefore, it is very important to apply the official patch provided by Magento before March 28, 2019 and replace the existing MD5 hash with a Signature Key (SHA-512) in the Magento configuration. You can read more about it here.
As usual, this patch should be implemented by trained Magento experts and all standard care should be taken before doing the changes on your live webshop.
Feel free to contact Hungersoft if you want to us to apply this patch on your Magento 1.X or 2.X webshop.