Update 2 - 1/18/2019 Changes are now live in sandbox and will go live in production on Tuesday, January 22, 2019.
Update - 1/11/2019 This change postponed. New date TBD.
Dear Authorize.Net Merchant:
As part of ongoing security improvements, we're making changes on January 10, 2019 that may affect your gateway account. After January 10, certain characters will be replaced with spaces if sent to the gateway.
Authorize.Net is changing how it handles some character data included in transactions submitted to our systems. Starting January 10, 2019, transactions that contain any of the characters listed in the table below will be replaced with a space (‘ ‘) before saving the transactions in our systems and/or passing the transaction data to the back-end payment processor. If you later query our systems for data on these impacted transactions, we will send back the edited content. This includes URL and HTML encoding of the ‘<’ and ‘>’ characters, and non-printable Unicode characters.
Invalid Character Inputs
0 – 31
For example, if you submit a transaction to Authorize.Net with the Description field populated with “Chocolate Chip Cookie [<medium>]”, the Description data we will send to the back-end processor and save in our databases will be “Chocolate Chip Cookie [ medium ]”. Note the removed ‘<’ and ‘>’ characters.
What Steps Should You Take?
No change is required if your systems do not send any of the above characters in transaction data and rely on them in the response from Authorize.Net. If your systems rely on these characters being sent back, then you must remove this dependency before January 10, 2019.