For our DPM website, we used @stw's solution, instead of @Renaissance's, because Renaissance's requires the latest AuthorizeNet PHP library, which requires PHP version 5.6, which would require re-writing our entire website.

In step 1, stw's solution calls the PHP function base_convert, which did not work for us. Both hex2bin and pack worked. We used pack because hex2bin isn't available in our version of PHP.

Note that @stw's solution will fail in "2-3 months" because AuthorizeNet plans to stop sending the MD5 Hash in the API response:

https://support.authorize.net/s/article/MD5-Hash-End-of-Life-Signature-Key-Replacement

So we don't do this part of @stw's solution:

$response = new AuthorizeNetSIM($apiLoginID, $md5Setting);

Instead, we simply check if the transaction was approved, x_response_code === '1'.

Unfortunately, this exposes us to the risk of an imposter posing as AuthorizeNet.

So, to make the site a little harder to hack, we added a our own hash to an HTML hidden field, and check the value when it comes back in the AuthorizeNet API response. So while we can't be sure the response came from AuthorizeNet, we'll know if the custom hash came from our server.

Thanks @Renaissance, but it took @cwdsl so long to figure out that solution, and it's so complicated,  it scared me off. It took me a few days just to get @stw's far simpler solution to work :-(

@capturewiz, my implementation only took a little while because I was incorrectly reading in the 30 values that need to be compared for the x_SHA2_hash.  Overall the VB.NET sample for the SIM integration I did was relatively simple to do once I gathered information together.  Hopefully the sample I posted will help others, although I have no knowledge of PHP so can't help any further in that regard.

Thank you very much!  I attempted to upgrade SIM for SHA512 by simple modifications to my old, working MD5 code, but got code 99 errors.  The fact that SIM documentation and upgrade documentation are inconsistent added to my consternation.  I adopted your code and now things are working as expected, at least in the sandbox.

I would add kudos if I could find a way to do that in this message window.

holy sh*tballs! thank you @stw ... your code got me going again!

I had to use pack() instead.. but I only needed this to work for like 1 more month! lol

Wish Authorize had waited till May to switch :)

Has anyone actually tested calculating the response hash where some of the fileds contain none ASCII characters?

For example in one the address fields I have 

Sãu Paulo

When calculating the hash it never matches.

However my hash matches when the fields contain ASCII characters only.

How do I get round this issue? Our intergation is written in PHP.

@staopix, the same happens for me with my VB.NET solution.

When I look at the value for x_city by returning Request.Params("x_city") it outputs...

S�u Paulo

So the fact it is returning the ? character I don't actually know how we'd know what character was there.