Reply
Member
Posts: 1
Registered: ‎04-29-2019

Confused: Will sample API code continue to work without Signature Keys?

We are confused about the "MD5 Hash End of Life & Signature Key Replacement" notification.

We currently use the modern API (not legacy) with PHP code based on what is on GitHub:


https://github.com/AuthorizeNet/sample-code-php/blob/9ce85f72801b96adcf882a63ed3bfcdb1d14c5f0/Paymen...

Just as on the sample code here, we are not currently using Signature Keys of either MD5 or SHA-512. We are doing just basic, one-time charges based on the GitHub sample code.

Can we continue using this code even after the MD5 hash reaches end of life in June?

In other words: Will the sample code included in GitHub, linked above, continue to work for charging cards without the use of SHA-512 Signature Keys?

All Star
Posts: 685
Registered: ‎11-05-2018

Re: Confused: Will sample API code continue to work without Signature Keys?

@binyamin

If you’re using the PHP sdk you have nothing to worry about. The big to do over the MD5 primarily affects legacy (SIM/DPM) users. The MD5 hash is used to validate authorize responses. For those folks, their web app will break if they don’t upgrade to sha512.

So if you do not currently use MD5 hash for anything then nothing will change for you at all. Let me
Look at that sample code and I’ll give you another reply but you should be good.
All Star
Posts: 685
Registered: ‎11-05-2018

Re: Confused: Will sample API code continue to work without Signature Keys?

Ok just looked and yes you are good for sure. That is a PHP sdk driven script and you don’t need anything else.

When this whole MD5 frenzy got underway I didn’t understand why and looked into this. You have option to do a sha512 validation and it’s not hard. Took me a good part of one evening to figure it out. Not worth that many fried brain cells but I will post the thread I started.

One thing I will run by you, you say you are doing simple one time charges? You sound like a smaller merchant and the script you are running puts you under a very substantial PCI compliance burden. You may want to use an accept hosted form to avoid those costs. With the AH you don’t have to do pen testing or vulnerability scans at all. Your hosting company doesn’t have to be compliant, etc. You end up with a handful of requirements that are easy to meet.
Highlighted
All Star
Posts: 685
Registered: ‎11-05-2018

Re: Confused: Will sample API code continue to work without Signature Keys?