01-22-2019 09:45 AM
Magento 1.9.x uses a multi-character x_delim_char value, (~), when it submits AIM requests. It appears that this is a violation of the spec—the documentation clearly states that it should be a single character—but it's always worked. Until very recently, that is. Using the testing API this morning (https://test.authorize.net/gateway/transact.dll) I see that responses are coming back using only the first character of the given x_delim_char value (a left paranthesis in this case). The production API seems to be unchanged.
I suppose this is a question for the Magento community as much as the AuthNet community, but a change like this could affect many thousands of sites.
Anyone else seeing this?
01-22-2019 04:44 PM - edited 01-22-2019 04:52 PM
We started seeing this same problem on our site running Magento 126.96.36.199 this afternoon. But, this is our production site and it's using the non-testing API (https://secure2.authorize.net/gateway/transact.dll).
01-22-2019 04:55 PM
I'm seeing this too in Magento 1.9.
Replacing: const RESPONSE_DELIM_CHAR = '(~)';
With: const RESPONSE_DELIM_CHAR = '*';
Or any other single supported character seems to resolve this issue. Is it safe to assume production authorize.net will start responding similarly and break all Magento 1.9 installs soon?
01-22-2019 04:59 PM
We just hotfixed this. This change to the delimiter will affect many Magento 1 and Magento 2 sites, as neither has gotten away from SIM/DirectPost. The documentation clearly states that:
The SIM API is deprecated. It will only receive critical security
updates. We recommend Accept Hosted instead of SIM for new
So where's the bulletin from authorize.net on this critical security update, because merchants will certainly want an explanation.
01-22-2019 06:42 PM
This change impacted our site, fortunately it was rolled back a few minutes ago and is now working again. As for the character change, just wanted to confirm that line 69 in authorizenet.php is where the change should be made?
Thanks for any help.
01-23-2019 06:21 AM
Yes, the quick and dirty fix is to change line 59 of app/code/core/Mage/Paygate/Model/Authorizenet.php.
For those who don't realize it, please note that editing the core like this is bad practice. The next time you upgrade Magento, you'll need to reapply the fix. The safer solution would be to create a module that overrides the Mage_Paygate_Model_Authorizenet class and replaces the RESPONSE_DELIM_CHAR constant there.