Update Authorize.Net Direct Post from MD5 to SHA-512

UPDATED on April 12th, 2019

Magento's implementation of the Authorize.Net Direct Post payment method uses MD5 based hash. Authorize.net will stop supporting MD5 based hash usage on June 28, 2019. This will result in Magento merchants not being able to process payments using Authorize.Net Direct Post. To avoid this, merchants need to apply the patch provided by Magento and replace the existing MD5 hash with a Signature Key (SHA-512) in the Magento Admin configuration settings.

Magento is releasing a new Authorize.Net extension to replace Direct Post in upcoming 2019 releases, starting with v2.3.1 for Commerce and Open Source. Watch for updates in the release notes.

Affected versions

• Magento Commerce 1.X.X
• Magento Open Source 1.X.X
• Magento Commerce 2.X.X
• Magento Open Source 2.X.X
• Magento Commerce (Cloud) 2.X.X
• Authorize.Net Direct Post

Issue

Magento implements the Authorize.Net Direct Post payment method, using Authorize.Net's AIM (Advanced Integration Method) and DPM (Direct Post method) APIs, which use MD5 based hash.

Authorize.net will stop supporting MD5 based hash usage on March 14, 2019. Starting from this date, Magento Open Source, Magento Commerce and Magento Cloud merchants will not be able to process payments using Authorize.Net Direct Post payment method. To be able to continue successfully process payments using these methods, merchants need to apply the patch provided by Magento and replace the existing MD5 hash with a Signature Key in the Magento Admin configuration settings.

Solution

Further are described the three general steps you need to take be able to continue using Authorize.Net Direct Post payment method.

Alternatively, you can upgrade to version 2.2.8 or 2.3.1 and get all updates and a new Authorize.net payment method option.

1. Download the patch

Magento Cloud and Magento Commerce

Patches are attached to this article. To download a patch, scroll down to the end of the article and click the file name, or click one the following links:

• For versions 2.2.X and 2.3.0 - Download Auth.net.md5-2019-02-28-05-04-05.composer-2019-03-04-07-33-26.patch
• For versions 2.0.X and 2.1.X - Download MDVA-17212_EE_2.1.0_v1.composer-2019-03-05-12-05-22.patch
• For versions 1.X.X - Download PATCH_SUPEE-11085_EE_1.14.4.0_v1-2019-02-28-04-59-38.sh

Magento Open Source

1. Click a link to download: M1 patch or M2 patch.
2. For Select your format, select a format best matching your needs. For M1, there is just one option. For M2, choose between Git-based or Composer-based.

2. Apply the patch

You may require developer assistance to apply the update. To update, you can download and install packages for your Magento edition and version. Download patches also available for those who installed with Composer.

Magento Cloud

For Magento Commerce Cloud, apply the M2 patch and deploy. For details, see Apply custom patches.

Magento 2.X Commerce and Open Source

For Magento Commerce 2.X and Open Source 2.X, follow these steps to install the Composer-based patch:

1. Upload the patch to your Magento root directory.
2. Run the following SSH command:

   patch -p1 < %patch_name%

   (If the above command does not work, try using -p2 instead of -p1)
3. For the changes to be reflected, refresh the cache in the Admin under System > Cache Management.

Magento 1.X Commerce and Open Source

For Magento Commerce 1.X and Open Source 1.X, follow these steps to install the patch:

1. Upload the patch to your Magento root directory.
2. Run the following SSH command:

   sh %patch_name%.sh

3. For the changes to be reflected, refresh the cache in the Admin under System > Cache Management.

3. Get a new Signature Key

You need to get a new Signature Key and add it to your Magento Admin configuration. For more information, see What is a Signature Key?

1. Log into the Merchant Interface at https://account.authorize.net.
2. Click Account from the main toolbar.
3. Click Settings in the main left-side menu.
4. Click API Credentials & Keys.
5. Select New Signature Key. Review the options available.
6. Click Submit to continue.
7. Request and enter PIN for verification.
8. Your new Signature Key is displayed. Copy this key to add to your Magento Admin configuration.

3. Update Magento Admin configuration

Take the following steps to update the Magento Admin configuration:

1. Log into the Magento Admin.
2. On the Admin sidebar, click Stores. Then under Settings, click Configuration.
3. In the panel, click Sales then Payment Methods.
4. Expand the Authorize.net Direct Post section.
5. In the Signature Key enter the SHA-512 Signature Key.
6. Click Save Config.

Magento 2 Authorize.Net Direct Post configuration screen

Magento 1 Authorize.Net Direct Post configuration screen

The process is successful if the Signature Key updates and payment processing continues. If you have issues, verify the Signature Key with Authorize.Net.

More information 

• Tech Resources for Magento Open Source and Commerce documentation
  • Open Source 2.3, 2.2, 2.1
  • Commerce and Commerce Cloud 2.3, 2.2, 2.1
  • Magento 1 Open Source and Commerce
• Authorize.Net announcement: MD5 Hash End of Life & Signature Key Replacement