Authorize.net, now a Visa company, is one of the oldest and most popular payment gateways in the Magento ecosystem. Many merchant services providers recommend Authorize.net as an ideal gateway to transmit credit card data for their eCommerce clients. So, it’s fair to say that many Magento merchants were frustrated today when they realized that their go-to payment gateway was not functioning as intended.
What problems are being reported
We’ve received reports of Magento merchants running into 5xx responses and RESPONSE_CODE_ERROR (3) messages, as well as errors like this being captured in log files:
PHP Fatal error: Call to a member function setMessage() on a non-object in /www/sites/www.<mysite>.com/files/html/app/code/core/Mage/Paygate/Model/Authorizenet.php
In essence, Authorize.net is being reported as non-functional on many Magento websites.
***We are expecting a similar issue to arise on or around March 14th, 2019, when Authorize.net deprecates the use of MD5, impacting Magento 1 and 2 merchants. Luckily, Magento has put out a patch. If you’re on M1 or M2, you’ll want to get the patch installed and tested ASAP.***
How and when this happened
Here’s what we know so far:
Authorize.net released a security update to their gateway, which blocked the use of formerly acceptable characters. These changes were implemented to Authorize.net sandbox accounts on January 18th, 2019, and went live in production today, January 22nd, 2019.
Who was impacted
This impacted users on various platforms, including Magento and Zoey. This was not so much a Magento bug as a change to Authorize.net systems.
Why wasn’t this addressed in advance
Usually, when a change like this is made by a payment gateway, shipping carrier, or other third party, a patch is released in advance of the changes going live. Sometimes there’s not much notice, but a fix is still available. In this case, it’s unclear why multiple eCommerce platforms, including Magento, were unprepared. Magento is specifically known for supplying patches in advance of these kinds of incidents.
Solutions
The jury is still out on a recommended permanent fix, but there are reports in the Magento forums that Authorize.net is rolling back this change. As this change was being made for security reasons, we can reasonably assume that this will only be a temporary reprieve.
The Zoey team has shared a fix that they’ve tested and verified for Magento 1, although it stands to reason that an official Magento patch will be released in the coming days.
Some Magento merchants that used extensions to connect to Authorize.net, such as those using SubscribePro for recurring subscription orders, were not impacted by this incident.
In the meantime, many merchants have already switched over to other gateways like PayPal. We’ve already seen an uptick in interest in Bolt, a SaaS checkout solution for Magento that can improve conversion rates and protect merchants from these types of incidents. Today’s experience is likely to further that trend.