Wednesday, July 10, 2019

Authorize.net MD5 Hash End of Life & Signature Key Replacement


https://support.authorize.net/s/article/MD5-Hash-End-of-Life-Signature-Key-Replacement


MD5 Hash End of Life & Signature Key Replacement

Article detailing the end of life/support for MD5 Hash and its replacement option.
Jun 27, 2019
Authorize.Net is phasing out the use of the MD5-based hash for transaction response verification in favor of the SHA-512-based hash utilizing a Signature Key.

The end of life for MD5 Hash will be done in two phases:

Phase 1 - As of February 11, 2019 we have removed the ability to configure or update the MD5 Hash setting in the Merchant Interface. Merchants who had this setting configured have already been emailed/contacted.
Phase 2 - Stop sending the MD5 Hash data element in the API response. To continue verifying via hash, applications will need to support the SHA-512 hash via signature key.
  • Sandbox has been updated as of March 7, 2019 to stop populating the MD5 Hash value; the field will still be present, but empty.
  • Production has been updated as of June 27, 2019 (10:30am PT) to stop populating the MD5 Hash value; the field will still be present, but empty.

When you receive a transaction response from Authorize.Net, it includes a SHA2 hash element; the name and position depend on the API integration method used. The SHA2 hash field contains the HMAC-SHA512 hash that Authorize.Net generated for the transaction. It can be used to validate that the response came from Authorize.Net, but doing so is not required.

For information on how to obtain/generate a signature key please see: What is a Signature Key?
Sample Code & SDK updates are posted on GitHub and links below:
Helpful Solution Links:


For Authorize.Net API (XML, JSON, SOAP) the SHA2 element is transHashSHA2 in the API response. For details please see the Authorize.Net API Hash Upgrade Guide.

Note: For CIM createTransaction the SHA2 field and value will not be provided in the response (including Silent Post for this specific call).
Note: All Authorize.Net values, including the Signature Key and the transHashSHA2 element, use ISO 8859-1 characters. Using Unicode instead of ISO 8859-1 may cause hash mismatches.
 
For Advanced Integration Method (AIM) the SHA2 element is at the end of the API response. For details please see the Advanced Integration Method (AIM) guide, pages 57-59.
  • Please note this is a deprecated integration method; please check our Upgrade Guide for API statuses.
  • For Authorize.Net API and AIM, only 3 fields are involved in the SHA2 Hash:
    • API Login ID
    • Transaction ID
    • Amount 
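
A sketch of verifying `transHashSHA2` over the three fields above; this is an added example, not Authorize.Net's code. It assumes the Signature Key is a hex string decoded to bytes and that the message is laid out as `^login^transId^amount^` (confirm both against the Hash Upgrade Guide); all sample values are constructed.

```python
import hashlib
import hmac

# Constructed sample values: not real credentials or transaction data.
SAMPLE_SIGNATURE_KEY_HEX = "0123456789ABCDEF" * 8
SAMPLE_LOGIN_ID = "sampleLogin01"
SAMPLE_TRANS_ID = "60123456789"
SAMPLE_AMOUNT = "12.00"


def compute_trans_hash_sha2(signature_key_hex, api_login_id, trans_id, amount):
    """Return the uppercase hex HMAC-SHA512 over the three fields."""
    # Assumption: the Signature Key is hex text representing the binary key.
    key = bytes.fromhex(signature_key_hex)
    # Assumption: caret-delimited layout. Pass the amount exactly as it
    # appears in the response; "12.00" and "12" hash differently.
    message = f"^{api_login_id}^{trans_id}^{amount}^"
    # The page notes that values use ISO 8859-1; UTF-8 would produce
    # different bytes (and a mismatch) for any non-ASCII character.
    digest = hmac.new(key, message.encode("iso-8859-1"), hashlib.sha512)
    return digest.hexdigest().upper()


def verify_trans_hash_sha2(received_hash, signature_key_hex,
                           api_login_id, trans_id, amount):
    """Return True only when a hash was supplied and it matches.

    A missing or empty hash returns False, so an absent value is never
    treated as a successful verification.
    """
    if not received_hash:
        return False
    expected = compute_trans_hash_sha2(
        signature_key_hex, api_login_id, trans_id, amount)
    candidate = received_hash.strip().upper()
    # Compare as bytes in constant time; bytes also tolerate odd input.
    return hmac.compare_digest(expected.encode("ascii"),
                               candidate.encode("utf-8"))


if __name__ == "__main__":
    good = compute_trans_hash_sha2(SAMPLE_SIGNATURE_KEY_HEX, SAMPLE_LOGIN_ID,
                                   SAMPLE_TRANS_ID, SAMPLE_AMOUNT)
    print("match:", verify_trans_hash_sha2(
        good, SAMPLE_SIGNATURE_KEY_HEX, SAMPLE_LOGIN_ID,
        SAMPLE_TRANS_ID, SAMPLE_AMOUNT))
    print("tampered amount:", verify_trans_hash_sha2(
        good, SAMPLE_SIGNATURE_KEY_HEX, SAMPLE_LOGIN_ID,
        SAMPLE_TRANS_ID, "1200.00"))
```

Because responses such as CIM createTransaction carry no SHA2 value, the caller decides whether a `False` from a missing hash should reject the response or only skip verification.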

For Server Integration Method (SIM) or Direct Post Method (DPM) utilizing Relay Response, the SHA2 element is x_SHA2_Hash. For details please see the Server Integration Method (SIM) guide, pages 73-75.
  • Please note this is a deprecated integration method; please check our Upgrade Guide for API statuses.
  • For Silent Post the SHA2 element is x_SHA2_Hash; please see the Silent Post Url article. An example may also be seen in the Authorize.Net API Hash Upgrade Guide.
    • Please note it is recommended to consider moving to Webhooks as a replacement for this feature.
  • For SIM/DPM + Relay Response and Silent Post there are 30 fields involved in the SHA2 Hash:
    • x_trans_id
    • x_test_request
    • x_response_code 
    • x_auth_code
    • x_cvv2_resp_code
    • x_cavv_response
    • x_avs_code
    • x_method
    • x_account_number
    • x_amount
    • x_company
    • x_first_name
    • x_last_name
    • x_address
    • x_city
    • x_state
    • x_zip
    • x_country
    • x_phone 
    • x_fax 
    • x_email 
    • x_ship_to_company   
    • x_ship_to_first_name 
    • x_ship_to_last_name 
    • x_ship_to_address 
    • x_ship_to_city 
    • x_ship_to_state 
    • x_ship_to_zip 
    • x_ship_to_country 
    • x_invoice_num

       
Article Number: 000002815
Article Total View Count: 39,921
First Published Date: 1/18/2019 5:59 PM








