Important updates into Authorize.net PayPal and 2Checkout Payment gateways

Privacy and safety are the top concerns with online payments, and almost all payment gateways try to keep their technology up to date in order to ensure secure transactions. Authorize.net, PayPal and 2Checkout have recently released guidelines about updates to their APIs, routing and other technology elements. In this blog post we will discuss these important updates and their implications for our Recurring & Subscription Payment extension and Partial Payment extension.

Authorize.Net Technical Updates

1) Authorize.Net Networking Change

Akamai Network Technology will be adopted by June 2016, and all transactions are required to be routed through the following routing URLs.

• https://api2.authorize.net/xml/v1/request.api
• https://api2.authorize.net/soap/v1/Service.asmx
• https://secure2.authorize.net/gateway/transact.dll

Developers and stores have until June 16 to update these URLs in their systems. In any case, Authorize.net will route transactions automatically after June 2016. This automatic routing will cause a blockage in service for some time, so it is advised to update the URLs manually in order to avoid disruption.

If your solution connects to Authorize.net directly via an IP address, you will need to update it to connect by domain name.

2) Transaction and Batch ID Change

In the coming months, due to system updates, it will be possible to receive Authorize.net IDs (Transaction ID, Batch ID, etc.) that are not in sequential order. If your system has any functionality that expects Authorize.net generated IDs to be sequential, please update it.

Additionally, please make sure that your solution does not restrict any Authorize.net ID field to 10 characters. If you are required to define a character limit when storing any of the IDs, the limit should not be less than 20 characters.

3) RC4 Cipher Disablement

If you have a solution that relies on RC4 to communicate with Authorize.net servers, please update it to a current, high-security cipher as soon as possible.

4) TLS Remediation for PCI DSS Compliance

TLS 1.0 and TLS 1.1 are under consideration for being disabled by 2017. You are advised to upgrade to TLS 1.2, which is currently the strongest available protocol.
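The networking and ID changes above can be checked against an integration's settings before the cut-over. The following is an added example, not code from Authorize.net or from the extensions discussed in this post; the settings layout, column names and sample values are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Routing URLs listed in the post.
ROUTING_URLS = {
    "https://api2.authorize.net/xml/v1/request.api",
    "https://api2.authorize.net/soap/v1/Service.asmx",
    "https://secure2.authorize.net/gateway/transact.dll",
}
MIN_ID_LENGTH = 20  # minimum storage length the post gives for any Authorize.net ID

def endpoint_findings(endpoints):
    """Flag endpoints that connect by IP literal or are not a listed routing URL."""
    findings = []
    for name, url in endpoints.items():
        host = urlsplit(url).hostname or ""
        try:
            ipaddress.ip_address(host)
        except ValueError:  # a hostname, so compare against the listed URLs
            if url not in ROUTING_URLS:
                findings.append(f"{name}: {url} is not one of the new routing URLs")
        else:
            findings.append(f"{name}: connects by IP address {host}; use the domain name")
    return findings

def id_column_findings(columns):
    """columns maps a column name to the maximum length it can store."""
    return [f"{col}: length {size} is below {MIN_ID_LENGTH}"
            for col, size in columns.items() if size < MIN_ID_LENGTH]

def latest_transaction(records):
    """Pick the newest record by submit time; IDs are opaque and may be out of order."""
    return max(records, key=lambda r: r["submitted_utc"])

# Constructed sample settings and records (hypothetical layout, not real data).
SAMPLE_ENDPOINTS = {
    "gateway_url": "https://192.0.2.10/gateway/transact.dll",
    "payment_update_url": "https://api2.authorize.net/xml/v1/request.api",
}
SAMPLE_COLUMNS = {"transaction_id": 10, "batch_id": 20}
SAMPLE_RECORDS = [
    {"trans_id": "60012345678", "submitted_utc": "2016-06-20T10:00:00Z"},
    {"trans_id": "40098765432", "submitted_utc": "2016-06-20T10:05:00Z"},
]

if __name__ == "__main__":
    for line in endpoint_findings(SAMPLE_ENDPOINTS) + id_column_findings(SAMPLE_COLUMNS):
        print(line)
    print("latest:", latest_transaction(SAMPLE_RECORDS)["trans_id"])
```

In the constructed records the later transaction carries the numerically smaller ID, which is the case that breaks any logic sorting by ID.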

For a detailed discussion of the Authorize.net changes, you may refer to the following URLs:

http://app.payment.authorize.net/e/es.aspx?s=986383348&e=1092286&elq=f3fc697babef46da843774e473c40399&elqaid=483&elqat=1&elqTrackId=b4d9a2a0f1424fe28f720ff9d8ae4d54


https://community.developer.authorize.net/t5/The-Authorize-Net-Developer-Blog/Important-Authorize-Net-Networking-Change/ba-p/51272?utm_campaign=February%202016%20Technical%20Updates%20for%20Merchants.html&utm_medium=email&utm_source=Eloqua

PayPal Technical Upgrades

1) SSL Certificate Upgrade (Act by June 17, 2016)

Ensure your environment supports SHA-256 signing algorithm and discontinue the use of SSL connections that rely on the VeriSign G2 Root Certificate.

2) TLS 1.2 and HTTP/1.1 Upgrade (Act by June 30, 2017)

Verify that your environment supports TLS 1.2 and HTTP/1.1. If required, make the appropriate updates.

3) IPN Verification Postback to HTTPS (Act by June 30, 2017)

If you are using PayPal’s Instant Payment Notification (IPN) service, you will need to ensure that HTTPS is used when posting the message back to PayPal for verification. HTTP postbacks will no longer be supported. PayPal also strongly recommends the use of ipnpb.paypal.com as the IPN postback URL.

4) Discontinue Use of GET Method for Classic APIs (Act by June 30, 2017)

PayPal will no longer support the use of the GET HTTP request method for their classic NVP/SOAP APIs. If you currently use any of these APIs, you will need to ensure that your API requests only use the POST HTTP request method.

5) Merchant API Certificate Credentials Upgrade (Act by January 1, 2018)

The API certificate credentials issued by PayPal to use with the Classic API are being upgraded to SHA-256 signed 2048-bit certificates. If you currently connect to PayPal using API certificate credentials, you will need to generate a new API certificate via your account profile and use it for all API requests.

6) IP Address Update for Secure FTP Servers (Completed as of May 12, 2016)

If your integration is set up to systematically exchange files with PayPal’s Secure FTP Reporting / Batch Servers, please note that the IP addresses for these servers have changed. If your integration is hardcoded to the previous IP addresses, you will need to upgrade immediately to avoid any disruption of service.
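The IPN postback and POST-only requirements (items 3 and 4 above) can be enforced where the requests are built. This is an added example, not code from PayPal or from the extensions discussed here; the host is the one recommended in the post, while the /cgi-bin/webscr path, the cmd=_notify-validate prefix and the VERIFIED reply come from PayPal's IPN documentation, and the sample message is constructed.

```python
import ssl
import urllib.request
from urllib.parse import urlencode, urlsplit

IPN_POSTBACK_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"

def _require_https(url):
    if urlsplit(url).scheme != "https":
        raise ValueError(f"refusing non-HTTPS endpoint: {url}")

def build_ipn_postback(raw_body, url=IPN_POSTBACK_URL):
    """Echo the received IPN body back unchanged, prefixed with cmd=_notify-validate."""
    _require_https(url)
    return urllib.request.Request(
        url,
        data=b"cmd=_notify-validate&" + raw_body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )

def build_nvp_request(endpoint, params):
    """Classic NVP call: parameters travel in the POST body, never in the URL."""
    _require_https(endpoint)
    if urlsplit(endpoint).query:
        raise ValueError("NVP parameters must not be placed in the query string")
    return urllib.request.Request(
        endpoint, data=urlencode(params).encode("ascii"), method="POST"
    )

def verify_ipn(raw_body, send=None):
    """Return True only when the postback is answered with VERIFIED."""
    if send is None:
        ctx = ssl.create_default_context()            # certificate checks stay on
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.2 floor from item 2
        def send(req):
            return urllib.request.urlopen(req, context=ctx, timeout=30).read()
    return send(build_ipn_postback(raw_body)).strip() == b"VERIFIED"

# Constructed IPN body for illustration; real messages are posted by PayPal.
SAMPLE_IPN = b"txn_id=CONSTRUCTED123&payment_status=Completed&mc_gross=19.95"

if __name__ == "__main__":
    req = build_ipn_postback(SAMPLE_IPN)
    print(req.get_method(), req.full_url)
```

The `send` parameter is a hypothetical hook so the verification logic can be exercised without network access.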

2Checkout PCI DSS Update

The 3.1 upgrade will end the use of SSL 3.0 and TLS 1.0 as permitted security protocols, so 2Checkout will no longer support SSL 3.0 and TLS 1.0 as of June 30th, 2016. This means that all API requests, Vendor Admin sessions and standard checkout processes will need to use TLS 1.1 or TLS 1.2.

The 2Checkout Sandbox environment, sandbox.2checkout.com, has already been changed to support only TLS 1.1 and TLS 1.2. Tests can be performed today with your shopping cart integration and API calls against that environment, so you can get ahead of the June 30th deadline.
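The protocol and cipher requirements from the Authorize.net (RC4, TLS), PayPal (TLS 1.2) and 2Checkout sections can be checked on the client side with one audit. This is an added example, not code from any of the gateways or extensions; it uses a TLS 1.2 floor, which also satisfies 2Checkout's "TLS 1.1 or TLS 1.2", and the legacy client description is constructed.

```python
import ssl

def hardened_client_context():
    """Client context that refuses anything below TLS 1.2 and every RC4 suite."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!RC4:!aNULL:!MD5")
    return ctx

def audit_tls(min_version, cipher_names):
    """Return findings for a protocol floor and a list of OpenSSL cipher names."""
    findings = []
    if min_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"protocol floor {min_version.name} is below TLSv1_2")
    rc4 = sorted(name for name in cipher_names if "RC4" in name.upper())
    if rc4:
        findings.append("RC4 suites enabled: " + ", ".join(rc4))
    return findings

def audit_context(ctx):
    """Audit a live SSLContext, for example the one a payment client is built with."""
    return audit_tls(ctx.minimum_version, [c["name"] for c in ctx.get_ciphers()])

# Constructed description of a legacy client configuration, for comparison.
LEGACY_MIN_VERSION = ssl.TLSVersion.TLSv1
LEGACY_CIPHERS = ["RC4-SHA", "RC4-MD5", "AES128-SHA"]

if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()))
    print("legacy:  ", audit_tls(LEGACY_MIN_VERSION, LEGACY_CIPHERS))
```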

What do you need to do?
A merchant needs to communicate at two levels:

1) With the developer, in order to update the payment processing in your store. You can either get an updated version of your extension or store system, or have a developer make the necessary changes.
2) With the server administrator, to make the necessary updates on the server. All major server providers would already have made the necessary changes.

What will happen if your service provider or you don’t make the changes by the due dates?
If you or your service provider do not make the necessary changes by the dates shown in the changes, you will be unable to accept payments with the specified payment gateways.

Guidelines for Magento Stores

1) To take advantage of the uptime benefits Akamai Network Technology offers, you can change the “Gateway URL” and “Payment Update URL” of Authorize.net to https://secure2.authorize.net/gateway/transact.dll and https://api2.authorize.net/xml/v1/request.api respectively from Admin -> System -> Configuration -> Sales -> Payment Methods -> Authorize.net


2) In Magento, you can change the SHA-256 signed 2048-bit PayPal API certificate from Admin -> System -> Configuration -> Sales -> Payment Methods -> PayPal

3) In Magento, you can change the IP address of PayPal’s Secure FTP Reporting / Batch Servers from Admin -> System -> Configuration -> Sales -> Payment Methods -> PayPal


Guidelines for Milople’s Magento Partial Payment Extension Owners

1) Milople’s Magento partial payment extension is compatible with all the above changes of payment gateways.

2) If the payment service experiences downtime, the installments to be processed during that time will fail. We have written code to handle this, and with the next cron run the failed transactions will be captured again.

Guidelines for Milople’s Magento Recurring and Subscription Payments Extension Owners

1) Milople’s Magento recurring and subscription payments extension is compatible with all the above changes of payment gateways.

2) If the payment service experiences downtime, the installments to be processed during that time will fail.
To handle such transactions, the store admin gets a “Pay Now” link at Admin -> Recurring and Subscription Payments -> Manage Subscriptions to attempt the subscription payment again. With this you will be able to capture the subscription amount from the buyer’s card.




You are welcome to discuss any queries or issues in this regard in the comment section below.
