Good afternoon!
We have an OpenCart 2.2.0.0 site and also received the lovely and ominous MD5 email notification from Authorize.net.
We've done a lot of digging, both in this forum and on the developer/API links provided by Authorize.net and unfortunately we are still completely stumped as to what we must do to make the necessary changes to our site.
One Authorize.net live chat person told us there are Evangelist Developers here on this forum who may be able to help us.
I sincerely hope this is true =)
Thanks for your help!
Jacob
Solved! Go to Solution.
01-23-2019 02:25 PM
The MD5 is the old hash. The setting has been taken out of the merchant inferface as it was schedule to is most likely what's happening. That or you never used it. The new hash is the sha512. You probably never used the MD5 hash. It's not required to do business, and neither is the sha512.
For AIM, this is something that you work on a few hours, and then if it doesn't work don't worry about it is how I see it. Your transaction responses already come over SSL encryption. The DPM/SIM users have to do the hash just to submit a transaction, so they're in the frying pan for however long it takes to figure this out and have no choice.
If you go to the authorize.net support page and do a search for sha512 hash you'll get some info. Also google "authorize.net AIM developer guide". And that guide you will get info. It is described in terms of "there isn't as much benefit" and "is a redundant security check" in reference to your integration.
01-29-2019 02:09 PM
Your first step would be to determine which integration method your OpenCart 2.2.0.0 site uses. There are the deprecated methods SIM/DPM which use one hashing process, and then there is the deprecated AIM method, and also the modern integation methods which use a different hashing process.
I have no clue at all about open cart. Questions to ask would be - does your customer type full payment card numbers on a webpage hosted on YOUR server? If yes, are those card numbers transmitted by your server, or are they tokenized in the browser? If they are transmitted by your server then you are AIM or the modern API.
If they are tokenized you are using Accept js or possibly DPM. If you answer no to that first question you are most likely using SIM.
And here's another shortcut, do you have to send an md5 fingerprint in order to make a successful transaction? That narrows things down a lot. Yes means use the DPM/SIM hashing method, no means use the modern API hashing method.
The hashing techniques have been beaten to a bloody pulp all over this forum, and once you narrow down how you are integrating you'll be on your way.
01-23-2019 06:25 PM
Renaissance, thank you so much for your kind answer.
Our IT person who built this site has informed me that our site is using the AIM method. He also said the crux of his knowing how to move forward is: Which file needs to be changed/recoded to transmit the md5 hash information?
Thanks again, Renaissance!
01-24-2019 10:06 AM
01-24-2019 03:02 PM
Thank you once again, Renaissance!
I went to your user profile to see your (many) posts - do you remember any key words pertaining to the 100% tested and working php post which would help me narrow down my search? :)
(Is this the one? https://community.developer.authorize.net/t5/Integration-and-Testing/Working-php-hash-verification/m... -- if so I'll pass this on to IT)
01-24-2019 03:15 PM
01-24-2019 04:49 PM
Thank you, Renaissance
This still falls way outside our expertise. We've reached out to some local developers for help. But in the meantime, I noticed two things:
1. Our Authorize.net's MD5 settings are completely blank
2. The MD5 setting in the Payments settings in our OpenCart back-end is also completely blank.
This leads me to believe we have never used MD5 - and perhaps it is not even needed for what we're doing?
Any thoughts about that? =)
01-29-2019 06:40 AM
The MD5 is the old hash. The setting has been taken out of the merchant inferface as it was schedule to is most likely what's happening. That or you never used it. The new hash is the sha512. You probably never used the MD5 hash. It's not required to do business, and neither is the sha512.
For AIM, this is something that you work on a few hours, and then if it doesn't work don't worry about it is how I see it. Your transaction responses already come over SSL encryption. The DPM/SIM users have to do the hash just to submit a transaction, so they're in the frying pan for however long it takes to figure this out and have no choice.
If you go to the authorize.net support page and do a search for sha512 hash you'll get some info. Also google "authorize.net AIM developer guide". And that guide you will get info. It is described in terms of "there isn't as much benefit" and "is a redundant security check" in reference to your integration.
01-29-2019 02:09 PM
01-29-2019 02:12 PM
Many thanks again, Renaissance! I believe this clarifies that, for us, we need not concern ourselves further - since we never have used the MD5 hash. Thanks again and wishing you all the best!
01-29-2019 02:27 PM