Authorize.net Phasing Out MD5 transHash

-- url of the page with the problem -- : n/a
-- HikaShop version -- : 4.0.1
-- Joomla version -- : n/a
-- PHP version -- : n/a
-- Browser(s) name and version -- : n/a
-- Error-message(debug-mod must be tuned on) -- : n/a

Please advise when an update is available for this issue from Authorize.net. It is not urgent for existing HikaShop accounts as they have not given a phase out date. However, new accounts will not be able to use the MD5 next month. Thx

—
EMAIL RECEIVED 1/11/19:
Authorize.Net is phasing out the MD5 based transHash element in favor of the SHA-256 based transHashSHA2. The setting in the Merchant Interface which controls the MD5 Hash option will be removed by the end of January 2019, and the transHash element will stop returning values at a later date to be determined.

We have identified that you have this feature configured and may be relying on MD5 based transHash in transaction responses for verifying the sender is Authorize.Net.

Please contact and work with your web developer or solutions provider to verify if you are still utilizing MD5 based hash and if still needed to move to SHA-256 hash via Signature Key.

Please refer your developer or solution provider to our Transaction Hash Upgrade Guide for more details and information on this change.

Additionally, please take a moment to complete this one question survey and provide details on the application used to connect to Authorize.Net.

Thank you for your attention to this matter and for being an Authorize.Net merchant.

Sincerely,
Authorize.Net

Jerome,

I assume your response was meant for other HikaShop developers. As a HikaShop user, I don’t know how to use those instructions.
Thx.

I am also in this boat and not clear on what to do to ensure compatibility.

I just talked to Authorize.net customer support. He said the MD5 hash is an optional field on their end and if we don’t use the MD5 field then we won’t have any problems. He said that if HikaShop developers want to contact tech support regarding this issue, there is contact details in the developer section of their website. It is only email though — no phone support.

He said that some very old APIs required the MD5 hash tag and if their system doesn’t work without it, then this change will be a problem for them. I’m pretty sure the MD5 hash was optional when I set up my client. I will check later as I have an appointment in a few minutes. But Authorize.net support said that if I removed the MD5 hash from my API (i.e., my HikaShop payment plugin), that I would still be able to process a transaction as far as Authorize.net was concerned. If it doesn’t work, it would be because HikaShop required it (which I doubt).

So the gist is that if HikaShop doesn’t require the MD5 has be present for a successful transaction, then it is not an issue.

So in theory we could remove the requirement of the Hikashop Authorize.net plugin for the MD5 field and be good to go?

I, too, am a bit confused on this email as I have a client who has received it. I looked on their Authorize payment plugin and there is a hash in the "Your MD5 Hash (response key) on Authorize.net" field.

In a previous post, the user indicated:
But Authorize.net support said that if I removed the MD5 hash from my API (i.e., my HikaShop payment plugin), that I would still be able to process a transaction as far as Authorize.net was concerned. If it doesn’t work, it would be because HikaShop required it (which I doubt).

So should I remove the hash total from the "Your MD5 Hash (response key) on Authorize.net" field and, if so, will this impact the ability to process transactions?

nicolas,

Thanks for the update. If you find out anything different, I'm sure everyone would appreciate a response in this thread as we are receiving notices.

Luke

Got another email today in case it helps:
—
Subject: Reminder: Important MD5 Hash Removal/Disablement

Authorize.Net is phasing out the MD5 hash, an older method used by shopping carts, payment modules and plugins to verify that transaction responses are genuine and from Authorize.Net. We have identified that you have this feature configured and may be relying on this older method.

Please contact your web developer or solutions provider and confirm if you are using an MD5-based hash. If so, you should begin plans for moving to SHA-512 hash via Signature Key.

The MD5 Hash will phase out in two phases:

Phase 1 - Starting later this month to early February 2019, we will remove ability to configure or update MD5 Hash setting in the Merchant Interface. There are no changes to the existing API response.
Phase 2 - Stop sending the MD5 Hash data element in the API response. This change will require that applications support the SHA-512 hash via signature key. Dates for phase 2 will be announced later but is expected in the next 2-3 months.

Please refer to our support article: MD5 Hash End of Life & Signature Key Replacement for more details and information on this change.

Thank you for your attention to this matter and for being an Authorize.Net merchant.

Sincerely,
Authorize.Net

Same boat here. Waiting on a resolution if something needs to be changed with the plugin.

Us too. It certainly sounds like the plugin will need to change as the MD5 hash is being deprecated in the next few months entirely.

We have quite a few client sites we manage each month who are using Authorize.net, so curious to see what they reply back.

Nicolas,

Thanks for all the work on this. Just wanted to let you know though, I didn't receive an email notification of your post. Hopefully everyone else in this thread did, but I wanted to reply in case they didn't. I would think after a reply like yours there would be a few posts with questions or thanks as well.

Oh yes, thanks simplecms. I too did not receive the email notification of the reply, so I'm grateful that you posted. (I was just waiting patiently...sort of .
Thanks Nicolas for your work on this. I'm eager to hear how people's tests go!

Nicolas, Thank you so much for all your work on this! You are definitely appreciated.

FYI, I did not get of the posts from 4 days ago either. Must have been a glitch in the system. I got all the ones from today though.