You may have heard some scuttlebutt online about some changes being made to online payment gateways. It’s true. Authorize.net has announced it’s about to make a series of security updates that may (or may not) impact the completion of your site’s credit card transactions.
Fear not! The Development Team at Page One has put together this post as a guide to what’s going on and what to expect. Should your site be affected in any way, we’re ready to deal with any errors that may occur. We’ve got the tools and know-how to get your site up and running again as soon as possible.
A LITTLE HISTORY:
Authorize.net is a payment gateway service provider which allows online merchants to accept credit card payments safely and securely through their website.
At present, Authorize.net utilizes certificates that use the SHA-1 hash. SHA-1 is known to have cryptographic weaknesses, to the extent that many experts feel that soon it will not offer much in the way of protection at all. Let’s back up a second. SHA-1 and the upcoming SHA-2 are “hashes”. Hashes are used when digitally signing content so that its integrity can be validated. Without hashing algorithms, it would be nearly impossible to ensure the digital authentication and integrity of online transactions. This is fancy speak for “Your name, credit card number, billing address (and possibly more) would be free for the taking to anyone with basic hacking skills.”
Soon (in the coming years), many devices and applications will begin to display warnings, error messages or fail altogether if a digital certificate containing the SHA-1 (or earlier) hash is detected.
SO WHAT’S CHANGING?
On September 21, 2015, Authorize.net will implement upgrades to new security certificates signed using Secure Hash Algorithm 2 (SHA-2) and 2048-bit signatures. The benefit will be enhanced security and performance.
The upgrade to SHA-2 conforms to a change among servers and browsers to deprecate use of SHA-1:
- Microsoft announced in late 2013 that they would no longer accept SHA-1 signed certificates that expire after January 1, 2017.
- In September 2014 Google announced that the Chrome browser would gradually deprecate SHA-1 support, and would also reject SHA-1 signed certificates which expire after January 1, 2017. In addition, SHA-1 signed certificates which expire in 2016 would be flagged as secure but with errors.
- Also in September 2014, Mozilla announced that they would also reject SHA-1 signed certificates that expire after January 1, 2017. Mozilla is the basis of a family of browsers, the most well known being Mozilla Firefox.
Due to new PCI DSS (Payment Card Industry Data Security Standard) requirements, Authorize.net (and all other online payment systems) must disable TLS 1.0 by June 30, 2016. TLS stands for Transport Layer Security, and it’s the protocol that makes sure your confidential information remains confidential when you initiate a credit card transaction online. Authorize.net plans to make this change before that date to stay ahead of the curve.
WHAT TO EXPECT:
After the update is complete, any website or payment solution that connects via api.authorize.net and cannot validate SHA-2 signed certificates will fail to connect to Authorize.net's servers. This will cause the transaction to fail.
WHAT YOU SHOULD DO:
All sites that Page One creates on the WordPress CMS (content management system) use the official Authorize.net plugin to connect to Authorize.net, so you will just need to make sure that this plugin is up-to-date on your site. API keys, etc. should not need to be updated.
If you require any assistance with any step in the process, just reach out to your Page One project manager and they’ll be happy to assist.
The web is constantly evolving and improving. Unfortunately, this progress often presents its own set of challenges and obstacles. As always, we here at Page One are happy to help you navigate these ups and downs. We hope this post has helped to clarify the upcoming Authorize.net changes and addressed any concerns you may have had as a result.