Hello,
I am using the SIM and have been able to successfully generate an MD5 hash to match the one sent back from Authorize.net to verify that the payment is in fact processed by Authorize.net. In order to do this, I have followed the instructions here: http://www.authorize.net/support/SIM_guide.pdf on page 64. The only problem I am having is with this line right here:
Referring to the MD5 Hash, "It should be stored securely separately from the merchant’s Web server."
Currently I have an administrative area where the client can input their Authorize.net credentials such as Login ID, Transaction Key, and MD5 Hash Value that correspond to the ones in their Authorize.net administrative area. I am trying to figure out how I can obtain this information from the Authorize.net webserver during a transaction in order to verify it against the supplied $_POST MD5 Hash value.
According to the docs: "To authenticate the MD5 Hash returned by the payment gateway in the transaction response, you need to create a script that can receive and parse the transaction response, call the merchant’s MD5 Hash value, and run the MD5 algorithm on the same fields listed above."
The part I do not understand is how to "call the merchant's MD5 Hash value".
Is there an API endpoint I can supply my credentials to in order to receive my current MD5 Hash value? Is this a misunderstanding on my part?
Even in the SIM PHP SDK on Github currently:
    public function __construct($api_login_id = false, $md5_setting = false) {
        // Each value falls back to a constant defined on the merchant's own server.
        $this->api_login_id = ($api_login_id ? $api_login_id : (defined('AUTHORIZENET_API_LOGIN_ID') ? AUTHORIZENET_API_LOGIN_ID : ""));
        $this->md5_setting = ($md5_setting ? $md5_setting : (defined('AUTHORIZENET_MD5_SETTING') ? AUTHORIZENET_MD5_SETTING : ""));
        // ... (constructor continues in the SDK)
    }
It looks like the MD5 Setting is being provided from the web server that is running the script.
Can someone please point me in the right direction as to how I should call the MD5 Hash value from the Authorize.net server? Thanks!
-Nick
10-12-2014 11:54 AM
Hi grazian0,
Thanks for pointing this out, the line that you referenced in the documentation is really misleading, as it's not possible to pull the MD5 secret key from anywhere except for your own server. We will send this to our documentation team for review.
It is recommended that the MD5 secret key should be stored securely, similar to the transaction key.
Thanks,
Joy
10-15-2014 01:30 PM
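The check discussed in this thread, as an added example that is not part of either post or of the Authorize.net SDK: the MD5 Hash value is read from the server's own configuration (here environment variables, kept out of the web root and the admin UI's page output) and compared in constant time against the posted `x_MD5_Hash`. The environment variable names and the sample values are hypothetical; the hashed fields are the MD5 Hash value, API Login ID, `x_trans_id` and `x_amount`, in that order.

```php
<?php
// Added example: authenticate a SIM transaction response with a locally stored secret.

// Read a secret from the process environment; fail closed if it is absent.
function load_secret(string $name): string
{
    $value = getenv($name);
    if ($value === false || $value === '') {
        throw new RuntimeException("Missing configuration: $name");
    }
    return $value;
}

// Returns true only if x_MD5_Hash matches the hash recomputed from local secrets.
function sim_response_is_authentic(array $post, string $md5Setting, string $apiLoginId): bool
{
    foreach (['x_trans_id', 'x_amount', 'x_MD5_Hash'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return false; // missing or array-valued field: reject
        }
    }
    $expected = strtoupper(md5($md5Setting . $apiLoginId . $post['x_trans_id'] . $post['x_amount']));
    // hash_equals() compares in constant time, unlike == or strcmp().
    return hash_equals($expected, strtoupper($post['x_MD5_Hash']));
}

// --- Constructed sample data (not real credentials) ---
putenv('AUTHNET_MD5_SETTING=example-md5-setting'); // hypothetical variable name
putenv('AUTHNET_API_LOGIN_ID=exampleLogin');       // hypothetical variable name

$md5Setting = load_secret('AUTHNET_MD5_SETTING');
$apiLoginId = load_secret('AUTHNET_API_LOGIN_ID');

// Stand-in for $_POST as the gateway would send it.
$post = ['x_trans_id' => '1234567890', 'x_amount' => '19.99'];
$post['x_MD5_Hash'] = strtoupper(md5($md5Setting . $apiLoginId . $post['x_trans_id'] . $post['x_amount']));

echo "genuine response:  ";
var_dump(sim_response_is_authentic($post, $md5Setting, $apiLoginId));

// Same hash, altered amount: the recomputed hash no longer matches.
$post['x_amount'] = '0.01';
echo "tampered response: ";
var_dump(sim_response_is_authentic($post, $md5Setting, $apiLoginId));
```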