What is the MD5 Hash Security feature, and how does it work?


Doc ID:    A588
Version:    2.0
Status:    Published
Published date:    06/09/2011
Updated:    06/09/2011
 

Answer

The MD5 Hash option allows your script to verify that the results of a transaction are actually from Authorize.Net. It is specifically useful for merchants using the Server Integration Method (SIM) or Silent Post. MD5 is a one-way hash function rather than encryption: it turns its input into a fixed-length value that cannot be read back but is unique to a given transaction. Since your script can also create MD5 Hashes, it can use the same information that we used to create the hash, and create its own MD5 Hash. If the MD5 Hash your script creates matches the MD5 Hash that you received, then you know that only Authorize.Net could have sent the transaction response.

Note that the MD5 Hash option exists for transaction responses sent by means of the Advanced Integration Method (AIM) or the Card Present (CP) implementation methods. However, these methods use Secure Sockets Layer (SSL) to ensure that the transaction response is legitimate, and so it is not as useful for AIM or CP merchants.

The MD5 Hash is created by combining several values.

For SIM, these values are used for creating the MD5 Hash, in this exact order:

  • The MD5 Hash Value, which is assigned by the merchant in the account's Settings.
  • The API Login ID (x_login).
  • The transaction ID number we assigned to the transaction (x_trans_id).
  • The amount of the charge (x_amount).

For Silent Post, these values are used for creating the MD5 Hash, in this exact order:

  • The MD5 Hash Value, which is assigned by the merchant in the account's Settings.
  • The transaction ID number we assigned to the transaction (x_trans_id).
  • The amount of the charge (x_amount).

The resulting string is then used to generate the MD5 hash.

Note that the MD5 Hash Value can be up to 20 characters long, including upper- and lower-case letters, numbers, spaces, and punctuation. More complex values will be more secure.

For example, if you are using SIM, you might set your MD5 Hash Value to "My nifty new secret!" (the exclamation mark is part of the value). Suppose that x_login is "mylogin1", and that you received a transaction response where x_trans_id is "987654321", and x_amount is "1.00". The transaction response also included the value x_md5_hash, set to "A9A46CFC5928E91079615AB117E36EB3".

First, your script would create a string from the MD5 Hash Value, x_login, x_trans_id, and x_amount:

My nifty new secret!mylogin19876543211.00

Your script would then use the MD5 function in its scripting language to create the MD5 Hash:

A9A46CFC5928E91079615AB117E36EB3

Since this result matches x_md5_hash, you know that the transaction response is legitimate.
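
The check described above as a script, covering both the SIM and the Silent Post field order. This is an added example, not Authorize.Net's code: the function names, the UTF-8 encoding, and passing x_login in the same dictionary as the response fields are assumptions, and the sample response's x_md5_hash is computed in the script rather than copied from a real response.

```python
import hashlib
import hmac

# Field order per method, as listed above; the MD5 Hash Value always comes first.
FIELD_ORDER = {
    "SIM": ("x_login", "x_trans_id", "x_amount"),
    "SILENT_POST": ("x_trans_id", "x_amount"),
}


def hash_input(secret, fields, method="SIM"):
    """Concatenate the MD5 Hash Value and the fields, with no separators."""
    return secret + "".join(fields[name] for name in FIELD_ORDER[method])


def expected_md5(secret, fields, method="SIM"):
    """Upper-case hex MD5 of the concatenated string (UTF-8 is an assumption)."""
    data = hash_input(secret, fields, method).encode("utf-8")
    return hashlib.md5(data).hexdigest().upper()


def response_is_authentic(secret, fields, method="SIM"):
    """Return True only if the received x_md5_hash matches the local one."""
    received = fields.get("x_md5_hash", "").upper().encode("utf-8")
    local = expected_md5(secret, fields, method).encode("utf-8")
    # compare_digest keeps the comparison time independent of where the
    # two values first differ.
    return hmac.compare_digest(received, local)


if __name__ == "__main__":
    secret = "My nifty new secret!"          # MD5 Hash Value from the example
    response = {                             # constructed sample response
        "x_login": "mylogin1",               # merchant's own API Login ID
        "x_trans_id": "987654321",
        "x_amount": "1.00",
    }
    response["x_md5_hash"] = expected_md5(secret, response)

    print(hash_input(secret, response))
    print("authentic:", response_is_authentic(secret, response))

    # Any change to a hashed field makes the check fail.
    tampered = dict(response, x_amount="100.00")
    print("tampered amount accepted:", response_is_authentic(secret, tampered))
```

The amount is hashed exactly as it was sent, so pass the received x_amount string through unchanged rather than reformatting it as a number first.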

To set your MD5 Hash Value:

  1. Log into the Merchant Interface at https://account.authorize.net/.
  2. Click Account from the main toolbar.
  3. Select MD5-Hash under the Security Settings section.
  4. Enter the MD5 Hash Value that you would like to use.
  5. Confirm the MD5 Hash Value.
  6. Click Submit to save the changes.

For more information about the MD5 Hash feature, please review the SIM Implementation Guide or contact your Web developer.

Please note that not all shopping carts support the MD5 Hash feature. Please consult your shopping cart provider to make sure this feature is compatible.

