Authorize.Net: Important MD5 Hash Removal/Disablement

I received the following email from Authorize.Net on January 11, 2019:

Authorize.Net is phasing out the MD5 based transHash element in favor of the SHA-256 based transHashSHA2. The setting in the Merchant Interface which controls the MD5 Hash option will be removed by the end of January 2019, and the transHash element will stop returning values at a later date to be determined.

We have identified that you have this feature configured and may be relying on MD5 based transHash in transaction responses for verifying the sender is Authorize.Net.

Please contact and work with your web developer or solutions provider to verify if you are still utilizing MD5 based hash and if still needed to move to SHA-256 hash via Signature Key.

Please refer your developer or solution provider to our Transaction Hash Upgrade Guide for more details and information on this change.

Here’s a link to the “Transaction Hash Upgrade Guide”:


1 Like

I just got this as well - need an update ASAP or this kills s2Member for our site.

Hi, is there anything we need to do on the Plugin side before or after we update our account with the new SHA-256 code?

This change on will be an issue for our site as well.

Information from Authorize.Net explaining the purpose of MD5:

It says the following:

Note that the MD5 Hash option exists for transaction responses sent by means of the Advanced Integration Method (AIM) or the Card Present (CP) implementation methods. However, these methods use Secure Sockets Layer (SSL) to ensure that the transaction response is legitimate, and so it is not as useful for AIM or CP merchants.

I assume that most Authorize.Net setups with s2member use AIM, so I was wondering if the MD5 setting is optional. I removed it within s2member settings, but checkout pages end up showing the following error:

Authorize.Net configuration error. Your Authorize.Net Secret MD5 Hash is not yet configured.

So it seems like Authorize.Net is saying it’s not particularly useful for AIM transactions, but s2member requires its presence nonetheless.

1 Like

+1 that this seems to be an urgent coming breakage for all/most s2member sites using

On the plus side, this seems like a fairly simple fix for the developers. In the “upgrade guide” ( they offer a sample function in C#.

I know that the new team will have a gazillion requests coming at them, but this could break sites as early as February. (That link is cagey about when exactly they’ll stop accepting the old MD5 hash.) Please consider making this a priority so no sites break. Thanks!

1 Like

Thanks for the heads-up, guys. I have it high on my list to sort this, and will likely share a hotfix here as soon as I can, so you can have it before the coming release. :slight_smile:



Regular releases are great but having problems or issues fixed asap is arguably #2 on my list.

Yes for this :+1:

1 Like

Thanks Cristián!

1 Like

Little over 8 business days left in the month - any status update on the hotfix for this? Thank you.

1 Like

Yes. Still working on it. Not forgotten. :slight_smile:

I will post something soon.


Awesome, thank you for the reply!

1 Like

A more clear and detailed announcement from Authorize.Net:

Phase 1 - Starting later this month to early February 2019, we will remove ability to configure or update MD5 Hash setting in the Merchant Interface. There are no changes to the existing API response.

Phase 2 - Stop sending the MD5 Hash data element in the API response. This change will require that applications support the SHA-512 hash via signature key. Dates for phase 2 will be announced later but is expected in the next 2-3 months.



So 6-12 months, lol.

1 Like

Thanks for this update! 2-3 months gives us all a little time to breathe. :slight_smile:

1 Like


How would I know about a hotfix? This affects 2 of my clients.

Do I check here or what?


1 Like

Yes, I’ll post it here when it’s ready. Krum and I are working on it. :slight_smile:

I do keep checking back but I find nothing since the post from 12 days ago. Am I missing something?

1 Like

Hi Gregg.

No, you haven’t missed it. There just hasn’t been an update yet. When I have it, this is where I’ll post it. :slight_smile:

Thank you for your patience! Here’s the fix. :smiley: (29.4 KB)

You’ll see three files in the zip. They go in these folders of s2Member Pro:


Although you should not have any problem from these, it’s always best to make a backup before your test.

Please report anything you find not working, or that could be improved. Your feedback is very appreciated and will be used to improve the fix before implementing it in the next release.

Looking forward to your results!

1 Like