Why does every Magento site using Authorize.Net have to upgrade from MD5 to SHA-512?

What is Authorize.Net?

Authorize.Net Direct Post payment is a widely used payment method by businesses all over the world. Since it is a default payment gateway in Magento, numerous customers who shop on Magento sites use Authorize.Net.

The payment gateway company is a subsidiary of Visa. It became popular for enabling customers to directly make the payment transaction with their credit card, therefore eliminating the need to sign up.

Why can’t Magento sites process payments via Authorize.Net using MD5 after June 28, 2019?

Magento currently uses the Authorize.Net Direct Post payment method, which relies on an HMAC-MD5 authenticated hash (referred to below as MD5).

But, Authorize.Net has officially announced that it is stopping support for MD5 based hash on June 28, 2019.

This means that Magento merchants who are using Authorize.Net Direct Post cannot process payment without applying the official patch released by Magento.

Also, Magento has announced that it will be releasing a new Authorize.Net extension that can replace Direct Post in future releases. The patch from Magento will replace the current HMAC-MD5 hash with HMAC-SHA512 (referred to below as SHA512), i.e. a Signature Key.

What are the Magento versions that will be affected?

Note: Starting with Magento Open Source and Commerce version 2.3.1, Magento will be releasing a new Authorize.Net extension to replace Direct Post in the upcoming 2019 releases.

Why is Authorize.Net stopping the support for MD5 and introducing SHA-512?

Authorize.Net has been using the Advanced Integration Method (AIM) and the Direct Post Method (DPM), which use an MD5 authenticated hash.

However, SHA-512 hash provides more security for Server Integration Method (SIM) and Direct Post Method (DPM), when compared to MD5 Hash. Hence, Authorize.Net is cutting off the MD5 Hash and focusing on the Signature key (SHA512).
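As an added illustration (not code from Magento, Authorize.Net or this article), the sketch below shows how a response hash can be checked with HMAC-SHA512 and a hex-encoded Signature Key, using a constant-time comparison. The '^'-delimited field layout, the 128-hex-character key length and all sample values are assumptions constructed for the example.

```python
import hashlib
import hmac

# Constructed 128-hex-character Signature Key (64 bytes); not a real credential.
SAMPLE_KEY_HEX = "0123456789ABCDEF" * 8


def decode_signature_key(key_hex: str) -> bytes:
    """Hex-decode the key; reject anything that is not exactly 64 bytes."""
    key = bytes.fromhex(key_hex.strip())  # raises ValueError on non-hex input
    if len(key) != 64:
        raise ValueError("Signature Key must decode to 64 bytes (128 hex chars)")
    return key


def build_message(fields: list[str]) -> bytes:
    """Assumed layout: field values joined and wrapped with '^' delimiters."""
    return ("^" + "^".join(fields) + "^").encode("utf-8")


def sign(key_hex: str, fields: list[str]) -> str:
    """Return the upper-case hex HMAC-SHA512 of the delimited fields."""
    key = decode_signature_key(key_hex)
    return hmac.new(key, build_message(fields), hashlib.sha512).hexdigest().upper()


def verify(key_hex: str, fields: list[str], received_hash: str) -> bool:
    """Constant-time check of a received hash; hex case is ignored."""
    expected = sign(key_hex, fields).encode("ascii")
    received = received_hash.strip().upper().encode("utf-8")
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    # Constructed response values: login ID, transaction ID, amount.
    response = ["sampleLogin", "40012345678", "19.99"]
    good = sign(SAMPLE_KEY_HEX, response)
    print("valid response accepted:", verify(SAMPLE_KEY_HEX, response, good))
    tampered = ["sampleLogin", "40012345678", "1.00"]
    print("tampered amount accepted:", verify(SAMPLE_KEY_HEX, tampered, good))
    # A 32-character value (the length of an old MD5 hex digest) never matches.
    print("MD5-length hash accepted:", verify(SAMPLE_KEY_HEX, response, "0" * 32))
```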

How to enable Authorize.Net Direct Post payment method in my Magento site?

As mentioned before, the solution to this problem is applying the patch released by Magento. The patch is applied according to your Magento edition and version.

However, you might need technical assistance to apply the patch. You can ask your tech team or get in touch with our expert developers to perform the process.

Follow the procedure given below to continue using Authorize.Net in the future.

Step 1: Download the patch

1. To download the patch for Magento Open Source 2.x versions, visit here.

2. To download the patch for Magento Open Source 1.x versions visit here (Go to Release Archive tab).

For Magento Cloud sites, the patch has to be applied and the site has to be deployed. To know more, check Apply custom patches.

Step 2: Deploy the patch

Note: The following steps are for deploying the patch using the SSH (Secure Shell) method.

1. Move the downloaded patch to the root of the Magento installation folder.

2. If the store is compiled, the compiler should be disabled.

3. Now run the command: patch -p0 < patch_file_name.patch

Step 3: Generate SHA-512 key

1. Go to Merchant Interface at Authorize.Net and log in with your credentials.

2. Click Account and select Settings from the menu at the left-hand side.

3. Select API Credentials & Keys at the bottom of the page.

4. Leave the Disable Old Signature Key Immediately box unchecked if you are generating the key for the first time. If you are generating the key after the first time, you can check the box to ensure security.

5. Once you click on Submit, a popup will appear. Click Request PIN to receive a PIN to your registered email address.

6. Enter the PIN and click Verify PIN.

7. A popup will appear with the message: Identity Verified. Click Continue.

8. Now, you will be taken to a new page where the key will be displayed. It will be almost two lines long. Click Copy to Clipboard.

Step 4: Update Magento Admin Configuration

1. Log into Magento Admin.

2. Select Stores in the Admin sidebar. Then, go to Settings and select Configuration.

3. Now, select Payment Methods under Sales.

4. Expand the Authorize.Net Direct Post section.

5. In the Signature Key area, enter the newly generated SHA-512 Signature Key.

6. Finally, click Save Config.

Note: The official date for stopping support for Authorize.Net MD5 based hash was first changed from March 14, 2019 to March 28, 2019. Now, it has been extended to June 28, 2019 (Source).

If your Magento store is using Authorize.Net MD5 based hash, it is highly recommended to apply the patch at the earliest, to make the payment system more secure and avoid last-minute hassles while applying the patch.