Some of you know, some of you don’t, but Authorize.net team has been hard at work overhauling their payment API system in order to move to better and more consistent tech.
When previously Magento developers had to deal with completely divided, all-over-the-place APIs for each integration method, soon Authorize will offer everyone a brand new, consistent API set.
The new Authorize.net API will serve as an all-purpose API that can integrate all Authorize.net tools regardless of their type. And Authorize team views dumping MD5 hash for SHA-512 as another step towards this unification.
The Move Towards SHA-512
So the goal of the dev team is to move Authorize.net from MD5-based hash to an improved SHA-512 standard. Just so that you understand, MD5 is nowhere enough to offer a good level of security.
MD5 hash has been obsolete for an achingly long time for cryptographic use. It’s a good thing Authorize team decided to replace MD5 with something else. The message that Authorize.net users get is the same:
Action required: update authorize.net direct post from md5 to sha-512
In 2019 Authorize has already made significant changes to their payment mechanisms. The upgrade towards SHA-512 will be done in two stages:
- February 11 Authorize turned off the ability to change MD5-Hash settings in the Merchant Interface menu. Those Merchants who have this setting configured have already been emailed of the upcoming changes.
- March 7 was when Authorize stopped populating MD5 field. There are no new values right now, the field is always empty.
- The end-of-service for MD5 was first announced for March 14, but in order to let everyone adapt to the upcoming changes, the team pushed this date to
UPD: Good news, Internet! Authorize.net decided to extend the deadline for MD5 hash disablement again. The final date is set to be June 28. Apparently, the payment processor team would like to give store owners even more time to prepare.
Bear in mind that there are a couple of Authorize.net payment methods Magento has. The one that’s about to change is the Authorize.net Direct Post. For Magento store owners on the following platforms this means that the method will stop working on June 28 if they use the native Authorize extension:
- Magento Commerce up to 1.9.4
- Magento Open Source up to 1.9.4
- Magento Commerce 2.0.X, ≤2.1.16, ≤2.2.7, ≤2.3.0
- Magento Open Source 2.0.X, ≤2.1.16, ≤2.2.7, ≤2.3.0
- Magento Commerce (Cloud) 2.0.X, ≤2.1.16, ≤2.2.7, ≤2.3.0
- Authorize.Net Direct Post
So if a Merchant doesn’t apply the patch in Magento Admin Config settings, Authorize.net Direct Post will stop accepting payments and remain broken. This is what happens if you only use the official Authorize.net Direct Post extension.
Depending on the implementation method, some third-party payment extensions that include Authorize.net payments will update automatically and continue to work as expected. And some won’t. You’ll have to ask their respective tech support specialists whether you have to update manually or not.
How to Patch Your Magento 1 or Magento 2 Installation
NOTE: When you update to Magento 2.3.1 or Magento 2.2.8, it will automatically fix your Authorize.net issues.
Here’s what you need to do to update Authorize.net Direct Post on M1 before it stops working (works for all Magento 1+2 editions).
Magento 1 Installation Guide
- Go to //magento.com/tech-resources/download#download2280
- Select, download, and install Authorize.net Direct Post Signature Key patch.
Magento 2.x Installation Instructions
- Go to //magento.com/tech-resources/download#download2279
- Select, download, and install Authorize.net Direct Post Signature Key for your Magento 2 version (there are two patches there, you need the one that’s most suitable for your M2 version).
Guide For Magento Cloud
Use Composer Based Installation for Magento Commerce Cloud to install this patch.
- Patch only during the build phase of the redeployment. Create a new branch inside the integration branch:
magento-cloud environment:branch <branch-name>
- Copy the patch file to the /m2-hotfixes directory.
- Push your changes:
git add -A && git commit -m "Apply patch" && git push origin <branch-name>
- Once you make sure everything is okay, merge the new branch with the main installation.
After You Install the Fix
- Go to //account.authorize.net/ to get a new signature key
Navigate to Account > Settings > API Credentials & Keys > New Signature Key. Select the key that you need and hit Submit.
- Enter your PIN to confirm the changes.
- Now go to your Magento Admin page. Find Stores > Configuration > Sales > Payment Methods > Authorize.net Direct Post. Enter the new SHA-512 key. Hit Save.
For Magento 1:
That’s it. You are ready for June 28. Congratulations!
Don’t have time to install Magento patches? Need a reliable team to help you out with technical issues? Give us a call to discuss your Magento challenges together.