Authorize.net Phasing Out MD5 transHash

  • Posts: 37
  • Thank you received: 3
  • Hikashop Business
7 months 2 weeks ago #302499

-- url of the page with the problem -- : n/a
-- HikaShop version -- : 4.0.1
-- Joomla version -- : n/a
-- PHP version -- : n/a
-- Browser(s) name and version -- : n/a
-- Error-message(debug-mod must be tuned on) -- : n/a

Please advise when an update is available for this issue from Authorize.net. It is not urgent for existing HikaShop accounts as they have not given a phase out date. However, new accounts will not be able to use the MD5 next month. Thx


EMAIL RECEIVED 1/11/19:
Authorize.Net is phasing out the MD5 based transHash element in favor of the SHA-256 based transHashSHA2. The setting in the Merchant Interface which controls the MD5 Hash option will be removed by the end of January 2019, and the transHash element will stop returning values at a later date to be determined.

We have identified that you have this feature configured and may be relying on MD5 based transHash in transaction responses for verifying the sender is Authorize.Net.

Please contact and work with your web developer or solutions provider to verify if you are still utilizing MD5 based hash and if still needed to move to SHA-256 hash via Signature Key.

Please refer your developer or solution provider to our Transaction Hash Upgrade Guide for more details and information on this change.

Additionally, please take a moment to complete this one question survey and provide details on the application used to connect to Authorize.Net.

Thank you for your attention to this matter and for being an Authorize.Net merchant.

Sincerely,
Authorize.Net

Please Log in or Create an account to join the conversation.

  • Posts: 23617
  • Thank you received: 3666
  • MODERATOR
7 months 1 week ago #302518

Hello,

There was a link in the email for the "transaction hash upgrade guide".
That guide explain what should be done : developer.authorize.net/support/hash_upgrade/

Regards,


Jerome - Obsidev.com
HikaMarket & HikaSerial developer / HikaShop core dev team.

Also helping the HikaShop support team when having some time or couldn't sleep.
By the way, do not send me private message, use the "contact us" form instead.

Please Log in or Create an account to join the conversation.

  • Posts: 37
  • Thank you received: 3
  • Hikashop Business
7 months 1 week ago #302533

Jerome,

I assume your response was meant for other HikaShop developers. As a HikaShop user, I don’t know how to use those instructions.
Thx.

Please Log in or Create an account to join the conversation.

  • Posts: 66630
  • Thank you received: 9808
  • MODERATOR
7 months 1 week ago #302566

Hi,

I would recommend to contact the Authorize.net support.
Because this text and the upgrade guide talk about variables which aren't in the SIM or AIM APIs implemented in the Authorize.net payment plugin.
So either they sent you an email which actually isn't relevant to you, or it is relevant but they didn't provide any useful information concerning the API you're using.
We can't do anything to help you with the information so far and looking online for more information about that md5 hash upgrade didn't yield any useful information either.
So besides asking for more precision to Authorize.net support, I don't see anything else you can do.

Please Log in or Create an account to join the conversation.

  • Posts: 84
  • Thank you received: 11
  • Hikashop Business
7 months 1 week ago #302592

I am also in this boat and not clear on what to do to ensure compatibility.

Please Log in or Create an account to join the conversation.

  • Posts: 37
  • Thank you received: 3
  • Hikashop Business
7 months 1 week ago #302602

I just talked to Authorize.net customer support. He said the MD5 hash is an optional field on their end and if we don’t use the MD5 field then we won’t have any problems. He said that if HikaShop developers want to contact tech support regarding this issue, there is contact details in the developer section of their website. It is only email though — no phone support.

He said that some very old APIs required the MD5 hash tag and if their system doesn’t work without it, then this change will be a problem for them. I’m pretty sure the MD5 hash was optional when I set up my client. I will check later as I have an appointment in a few minutes. But Authorize.net support said that if I removed the MD5 hash from my API (i.e., my HikaShop payment plugin), that I would still be able to process a transaction as far as Authorize.net was concerned. If it doesn’t work, it would be because HikaShop required it (which I doubt).

So the gist is that if HikaShop doesn’t require the MD5 has be present for a successful transaction, then it is not an issue.

Please Log in or Create an account to join the conversation.

  • Posts: 66630
  • Thank you received: 9808
  • MODERATOR
7 months 1 week ago #302613

Hi,

Please note however that the MD5 Hash in the settings of the Authorize.net payment plugin is for the SIM and AIM APIs in order to set the x_fp_hash parameter and check the x_MD5_Hash parameter.
There is no transHash parameter in these APIs.
The MD5 hash in the settings of the payment plugin is required, but reading there message and guide, it looks like they are talking about something else since the parameter names don't match.

Please Log in or Create an account to join the conversation.

  • Posts: 66630
  • Thank you received: 9808
  • MODERATOR
7 months 1 week ago #302614

PS: I've sent a question to the developer support of Authorize.net to make sure that this change is not related to SIM/AIM and if it is, that they provide the necessary information. We'll see what they have to say.

Please Log in or Create an account to join the conversation.

  • Posts: 84
  • Thank you received: 11
  • Hikashop Business
7 months 1 week ago #302633

So in theory we could remove the requirement of the Hikashop Authorize.net plugin for the MD5 field and be good to go?

Please Log in or Create an account to join the conversation.

  • Posts: 315
  • Thank you received: 6
  • Hikaserial Standard Hikaserial Subscription Hikashop Business
7 months 1 week ago #302649

I, too, am a bit confused on this email as I have a client who has received it. I looked on their Authorize payment plugin and there is a hash in the "Your MD5 Hash (response key) on Authorize.net" field.

In a previous post, the user indicated:
But Authorize.net support said that if I removed the MD5 hash from my API (i.e., my HikaShop payment plugin), that I would still be able to process a transaction as far as Authorize.net was concerned. If it doesn’t work, it would be because HikaShop required it (which I doubt).

So should I remove the hash total from the "Your MD5 Hash (response key) on Authorize.net" field and, if so, will this impact the ability to process transactions?

Please Log in or Create an account to join the conversation.

  • Posts: 66630
  • Thank you received: 9808
  • MODERATOR
7 months 1 week ago #302635

No, the MD5 Hash setting in the plugin is necessary.
What I said is that I don't see any link between the message you received and the APIs implemented in these plugins.
So in theory, you could just ignore that message and continue with what you have.
That's what we need to check with Authorize.net's support.

Please Log in or Create an account to join the conversation.

  • Posts: 315
  • Thank you received: 6
  • Hikaserial Standard Hikaserial Subscription Hikashop Business
7 months 1 week ago #302684

nicolas,

Thanks for the update. If you find out anything different, I'm sure everyone would appreciate a response in this thread as we are receiving notices. :)

Luke

Please Log in or Create an account to join the conversation.

  • Posts: 66630
  • Thank you received: 9808
  • MODERATOR
7 months 1 week ago #302694

Hi,

I got a first answer from Authorize.net level 1 support which completely missed the subject. With my following reply they redirected the support request to the engineers on their end. I'm waiting for an anwser from them.

Please Log in or Create an account to join the conversation.

  • Posts: 37
  • Thank you received: 3
  • Hikashop Business
7 months 1 day ago #302978

Got another email today in case it helps:

Subject: Reminder: Important MD5 Hash Removal/Disablement

Authorize.Net is phasing out the MD5 hash, an older method used by shopping carts, payment modules and plugins to verify that transaction responses are genuine and from Authorize.Net. We have identified that you have this feature configured and may be relying on this older method.

Please contact your web developer or solutions provider and confirm if you are using an MD5-based hash. If so, you should begin plans for moving to SHA-512 hash via Signature Key.

The MD5 Hash will phase out in two phases:

Phase 1 - Starting later this month to early February 2019, we will remove ability to configure or update MD5 Hash setting in the Merchant Interface. There are no changes to the existing API response.
Phase 2 - Stop sending the MD5 Hash data element in the API response. This change will require that applications support the SHA-512 hash via signature key. Dates for phase 2 will be announced later but is expected in the next 2-3 months.

Please refer to our support article: MD5 Hash End of Life & Signature Key Replacement for more details and information on this change.

Thank you for your attention to this matter and for being an Authorize.Net merchant.

Sincerely,
Authorize.Net

The following user(s) said Thank You: gpraceman

Please Log in or Create an account to join the conversation.

  • Posts: 85
  • Thank you received: 3
  • Hikashop Business
7 months 1 day ago #302989

Same boat here. Waiting on a resolution if something needs to be changed with the plugin.

Please Log in or Create an account to join the conversation.

  • Posts: 327
  • Thank you received: 94
  • Hikashop Business
7 months 1 day ago #302990

Us too. It certainly sounds like the plugin will need to change as the MD5 hash is being deprecated in the next few months entirely.

We have quite a few client sites we manage each month who are using Authorize.net, so curious to see what they reply back.


~ Deb Cinkus, CEO

Polished Geek LLC
eCommerce Digital Marketing & Web Development
Certified eCommerce Marketing Specialist
Certified Drip Marketing Automation Consultant
Infusionsoft Certified Partner

---- Official HikaShop Integration and Customization Partner ----

Please Log in or Create an account to join the conversation.

  • Posts: 66630
  • Thank you received: 9808
  • MODERATOR
7 months 21 hours ago #303016

Hi,

Thank you for relaying the message.
This new message provides much more relevant information even though that's still not precise enough.
Unfortunately, they didn't update yet the integration guides regarding SIM and AIM.
This thread from their community forum is quite better:
community.developer.authorize.net/t5/Int...not-match/td-p/65807
As you will read there, it seems that they are not organised well enough and rushed the change without updating the old documentations that are still used by a lot of people.
Of course, we didn't heard from the developers of Authorize.net that were supposed to contact us back. I suppose they must be overwhelmed with all the developers trying to reach them to get more information.

I went ahead and modified the authorize.net plugin based on the information I got from the message link and the community forum.
You can download the new version there:

File Attachment:

File Name: authorize.zip
File Size:8 KB

You'll have to generate a signature key on your merchant account and paste it in the new "AUTHORIZE_SIGNATURE_KEY" field of the payment method. It should then hopefully still work like before.
Please first test with the sandbox/test accounts you have and let us know how it goes.
If it goes well, we'll be able to push these changes on our end.
I would recommend to not yet try on a live server as it seems others had a hard time generating the correct signature key based on the examples given by Authorize.net
Note that the plugin still has the MD5 hash field and if you fill it and don't fill the signature field, it should still work with the MD5 hash like before.
Let us know how your tests go.

Finally, our partner Obsidev has developed an Authorize.net plugin which uses the latest API of Authorize.net and will work right off the bat. It integrates in the checkout in a new way allowing for a credit card form built-in your checkout while still allowing for the credit card information to not go through your server for PCI-DSS compliance. We were waiting for HikaShop 4.0.2 to be released to be able to push it out. It should be available on our marketplace in a few days and it will be a good alternative to the plugin we have in HikaShop which uses old APIs of Authorize.net.

Attachments:
Last edit: 7 months 21 hours ago by nicolas.

Please Log in or Create an account to join the conversation.

  • Posts: 84
  • Thank you received: 11
  • Hikashop Business
6 months 3 weeks ago #303183

Nicolas,

Thanks for all the work on this. Just wanted to let you know though, I didn't receive an email notification of your post. Hopefully everyone else in this thread did, but I wanted to reply in case they didn't. I would think after a reply like yours there would be a few posts with questions or thanks as well.

Please Log in or Create an account to join the conversation.

  • Posts: 89
  • Thank you received: 3
  • Hikashop Business
6 months 3 weeks ago #303191

Oh yes, thanks simplecms. I too did not receive the email notification of the reply, so I'm grateful that you posted. (I was just waiting patiently...sort of ;-).
Thanks Nicolas for your work on this. I'm eager to hear how people's tests go!

Please Log in or Create an account to join the conversation.

  • Posts: 37
  • Thank you received: 3
  • Hikashop Business
6 months 3 weeks ago #303195

Nicolas, Thank you so much for all your work on this! You are definitely appreciated.

FYI, I did not get of the posts from 4 days ago either. Must have been a glitch in the system. I got all the ones from today though.

Please Log in or Create an account to join the conversation.

Time to create page: 0.343 seconds
Powered by Kunena Forum