Authorize.Net Direct Post Security Upgrade: Updating MD5 to SHA-512
Authorize.Net – the most popular payment gateway service provider in the world – is in the process of making a big change to how it verifies transactions, and that change impacts the business of every single one of their Direct Post users.
The company is phasing out MD5-based hashing and switching to SHA-512 signature key hashing. The last stage of the switch goes into effect on June 27th, 2019, and every business using Authorize.Net Direct Post, including BAMS users, will have to switch over before that date to avoid interruptions to their payment processing services.
To a lot of merchants, this might be a confusing topic or seem like an unnecessary hassle, but this change is an important step in keeping Authorize.Net’s transaction security on the cutting edge – something that benefits every single merchant on the platform.
What are MD5 and SHA-512?
MD5 and SHA-512 are cryptographic hash functions – algorithms that take data of any size and transmit them into an essentially irreversible fixed-length string. In simpler terms, hash functions take any type of data – like your name or your credit card number – and turn it into a new set of letters and numbers with a fixed number of characters.
Once that new set of letters and numbers has been created, it’s mathematically so difficult to translate it back into the original data that it simply isn’t feasible. That means that users who know the translation between the original data and the hash can easily verify it, but outside parties – like hackers or other bad actors – can’t decrypt the hash to get at the sensitive information it protects.
That level of security is why credit card companies and payment processors use cryptographic hashing to protect transaction data. A buyer’s complete information can be hashed and transmitted without having to worry about it being intercepted and seen by anyone that isn’t supposed to.
Why is switching from MD5 to SHA-512 worth the trouble?
Internet security is a never-ending game of cat and mouse. Hackers and bad guys are constantly figuring out new ways to break existing security protocols, and security teams are constantly figuring out new safeguards to replace the old ones.
MD5 is old technology. It was designed in 1991, and while it’s been a security workhorse for decades, it’s so old and so common that it no longer meets the level of security required to protect transaction data. MD5 has a number of weak points, not the least of which are that hackers have developed brute force attacks that can decrypt its hashes, and that it’s possible to duplicate the same hashes with different data.
SHA-512 is one of the newest hash functions in the SHA-2 family, and it has some major security benefits over MD5. The first is that, while MD5 is a 128-bit hash function, SHA-512 creates 512-bit hashes. In practical terms, what that means is that the strings of letters and numbers created by SHA-512 are 2.75x larger than the ones created by MD5 (trust us on the math.) The second major benefit is that SHA-512 is collision-resistant, meaning it’s much, much harder to create the same hash from two different sets of data.
The result is that SHA-512 encryption is much harder to crack than MD5, and when it comes to the sensitive payment data of your customers, that advantage is priceless.
What do I have to do to make sure my Authorize.Net integration is up to date?
Your two basic options are to upgrade Authorize.Net to version 2.3.1 or to apply a patch to your implementation of version 2.2.8. In either case, you’ll also need to obtain a signature key for your newly updated security.
Patching an existing Authorize.Net integration isn’t overly complex, but it might be beneficial to obtain some developer help to get the job done.
Completing the necessary steps before June 27th, 2019 will ensure your uninterrupted ability to continue processing payments through Authorize.Net and will ensure your customers will be able to continue doing business with you with full confidence in the security of their sensitive data.
Check out our Authorize.net Certified Integrations and learn more about BAMS. Our low-price guarantee and unique five-point price comparison process ensure that partnering with BAMS will not only make your payment processing easier, it’ll also help boost your company’s profitability as well.