Authorize.net Technical Updates Email

[marleyman]

Hi all,

I'm trying to be sure about this so if anyone knows, please let me know. Your help is very much appreciated!

We received this email and we're not sure if we need to update anything on our osCommerce Shopping Cart System? We do use the Authorize.net payment module on our online store:

 

Dear Authorize.Net Merchant:

 

Over the next few months, we are making several updates to our systems that you need to be aware of. They are all technical in nature and may require the assistance of your web developer or shopping cart/payment solution provider.

 

Please read this email carefully, and if you need to find a web developer to help you, please check out our Certified Developer Directory at http://www.authorize.net/cdd.

 

 

Akamai SureRoute Reminder

--------------------------

Authorize.Net is now using Akamai to optimize our Internet traffic routing, which includes your transaction requests. Akamai helps safeguard against interruptions caused by issues beyond Authorize.Net's direct control, such as Internet congestion, fiber cable cuts and other similar issues. Using Akamai is currently optional, but will be mandatory starting June 30th.

 

Upgrade your website or payment solution today to take immediate advantage of Akamai's benefits. If your solution uses a firewall, please read the Akamai FAQs at http://www.authorize.net/support/akamaifaqs/ to determine what steps to take before June 30th to avoid disruptions to transaction processing.

 

 

RC4 Cipher Disablement

----------------------

In an effort to ensure that all server-to-server communications with the Authorize.Net platform (both transactional and otherwise) maintain the highest levels of security, we will be disabling the RC4 cipher suite in the sandbox on April 29, 2016, and in the production environment on May 31, 2016.

 

If you have a solution that relies on RC4 to communicate with our servers, please update it to a current, high-security cipher as soon as possible. Please review our API best practices blog post at

https://community.developer.authorize.net/t5/The-Authorize-Net-Developer-Blog/Request-for-Comments-API-Best-Practices/ba-p/53668 for more information.

 

 

Transaction and Batch ID Reminder

---------------------------------

In the coming weeks, due to system updates, it will be possible to receive Authorize.Net IDs (Transaction ID, Batch ID, etc.) that are not in sequential order.

 

For example, currently, if you receive a Transaction ID of "1000," you could expect that the next Transaction ID would not be less than 1000. 

However, after the updates, it will be possible to receive a Transaction ID less than the one previously received.

 

If your system has any functionality that expects Authorize.Net-generated IDs to be sequential, please update it immediately so that you will not see any disruptions.

 

Additionally, please make sure that your solution does not restrict any Authorize.Net ID field to 10 characters. If you are required to define a character limit when storing any of our IDs, the limit should be no less than 20 characters.

 

Sincerely,

Authorize.Net

[Jack_mcs]

You need to check your authorize.net file to make sure the url being used is secure2 instead of just secure. Then check your site through this page and make sure RC4 is off. 

[marleyman]

You need to check your authorize.net file to make sure the url being used is secure2 instead of just secure. Then check your site through this page and make sure RC4 is off. 

 

I changed all the URL's I found in my Authorize.net files to secure2 and then did that test as you suggested and this is what it came back as: RC4 Yes   INSECURE (more info)

Can you explain to me what I need to do now? Thank you so much.

[Jack_mcs]

You need to contact your host and ask that they remove it.

[kru]

Is there any caveat there Jack?  Because the RC4 results for our site say: "This server accepts RC4 cipher, but only with older protocol versions. Grade capped to B."  Or does RC4 need removed altogether?

 

If the host will not remove RC4, is there anything that can be done on our end?

 

Thanks.

[Jack_mcs]

If you think of RC4 as a program that resides on the server, like any program, it doesn't do anything by itself. When a connection is made to the server, if the calling program tells it to use RC4 then there may be a problem. For the most part, as I understand it, RC4 is mostly just used by older programs and devices. But there are some exceptions. You can check the connection using How's My SSL. When I run it in FF and Chrome, I get a "Probably Okay", which is considered a good result. But when I try it in IE, it fails. Since you can't control what a customer uses to connect to your site, having RC4 on the server could cause a failure since Authorize.net won't allow its use once they switch. There's no way to know beforehand, as far as I know, if that is going to be an issue or not.