Results 1 to 9 of 9
  1. #1
    Join Date
    May 2012
    Posts
    38
    Plugin Contributions
    0

    Default No Authorize.net communication

    Am trying to set up a Zen Cart installation I inherited from someone else. The authorize.net account exists and is active. Zen Cart is v1.3.8p3, installed about 2 years ago. The various authorize.net parameters (Login ID, Transaction Key, MD5 Hash) are set properly, as far as I can see, for the SIM method.

    When I test the account, it pretty clearly is not talking to authorize.net. I get the Zen Cart page for acquiring the credit card, and without encryption - no SSL connection. Am using the fake credit card numbers that Zen Cart displays for testing use. My "customer" gets a proper transaction-completed email.

    The SIM method is supposed to send the customer to an auth.net-served, encrypted page, right?

    This must be one of the common problems new users see, but I can't find an existing thread that seems to fit. I've been going over this for some time now, and all the settings appear to be what they should. Can anyone speculate what I'm doing wrong here, or suggest where else to look?

  2. #2
    Join Date
    Jan 2004
    Posts
    60,411
    Blog Entries
    4
    Plugin Contributions
    144

    Default Re: No Authorize.net communication

    It is very possible that the obsolete version of Zen Cart you're using on that site has been hacked because of the security vulnerabilities that existed in that version, and that could be the cause of your problems.

    As for the SIM module, if it's configured (in your ZC admin settings) to use "offsite" mode, then yes it will send the customer to an auth.net-served page, and will not use a ZC page to request card details.

    But instead of adding new ways of collecting payment, your first task should be focused on upgrading the site to a stable version.
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donations always welcome: www.zen-cart.com/donate

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.



  3. #3
    Join Date
    May 2012
    Posts
    38
    Plugin Contributions
    0

    Default Re: No Authorize.net communication

    Gateway mode is set to "offsite", yes. Hmm, if hacked, then potentially someone has my userid and password for that zencart - unique to the installation, fortunately. Also the info for our auth.net account, yes? (now changed BTW)

    Is there any possibility *other* than hacking to explain the behavior? Seems that a hacker seeking credit card numbers would do a better job of imitating a secure site.

  4. #4
    Join Date
    Jan 2004
    Posts
    60,411
    Blog Entries
    4
    Plugin Contributions
    144

    Default Re: No Authorize.net communication

    In checkout ,how many payment options (radio buttons) are you presented with? What are they?

    In Admin->Modules->Payment, how many modules are showing green or yellow dots? Which ones, and why?

    I suspect that the credit card fields you're saying you see are coming from another module.
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donations always welcome: www.zen-cart.com/donate

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.



  5. #5
    Join Date
    Jan 2004
    Posts
    60,411
    Blog Entries
    4
    Plugin Contributions
    144

    Default Re: No Authorize.net communication

    Quote Originally Posted by dream_mike View Post
    Seems that a hacker seeking credit card numbers would do a better job of imitating a secure site.
    True. But it doesn't minimize the urgency of doing an upgrade on your site, either way.
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donations always welcome: www.zen-cart.com/donate

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.



  6. #6
    Join Date
    May 2012
    Posts
    38
    Plugin Contributions
    0

    Default Re: No Authorize.net communication

    I changed the relevant password fields at Authorize.net on Friday, as soon as you mentioned the possibility of hacking. I have deleted that entire zencart installation, and am proceeding with a 1.5.0 from zencart. I am sort of expecting this problem to replicate itself with that one, but we'll see

    Thank you for the caution.

    Slightly off topic, I actually have another installation (multiple subdomains) without auth.net - am using it to learn how to control zencart. That one was a Dreamhost 1-click installation from about a week ago - and it is v 1.3.9h.

    Is that version also known-compromised? And does anyone know why Dreamhost isn't installing the latest zencart?

  7. #7
    Join Date
    Jan 2004
    Posts
    60,411
    Blog Entries
    4
    Plugin Contributions
    144

    Default Re: No Authorize.net communication

    Quote Originally Posted by dream_mike View Post
    Is that version also known-compromised? And does anyone know why Dreamhost isn't installing the latest zencart?
    Based on my experiences, I suspect the answer is: probably just part of their general incompetence.
    They never could run it securely on their servers anyway.

    But this discussion thread is about Authorize.net, not DH.
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donations always welcome: www.zen-cart.com/donate

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.



  8. #8
    Join Date
    May 2012
    Posts
    38
    Plugin Contributions
    0

    Default Re: No Authorize.net communication

    Hmm. Selection of Dreamhost happened before I got involved. Could you expand a little on your "never could run it securely on their servers anyway" comment? I might need to explain this to our site sysadmin.

    And thanks, again.

  9. #9
    Join Date
    Jan 2004
    Posts
    60,411
    Blog Entries
    4
    Plugin Contributions
    144

    Default Re: No Authorize.net communication

    They can't run with "Recreate Session" enabled, which thus leaves the store vulnerable to session hijacking.
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donations always welcome: www.zen-cart.com/donate

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.



 

 

Similar Threads

  1. Authorize.net Communication Problem
    By Fuzzy Ink in forum Built-in Shipping and Payment Modules
    Replies: 3
    Last Post: 19 Mar 2009, 12:41 AM
  2. Authorize.net (AIM) Authorize.net (SIM)
    By Andy75 in forum Built-in Shipping and Payment Modules
    Replies: 2
    Last Post: 29 Jan 2009, 04:38 AM
  3. Authorize.net AIM Communication Error after moving server to GoDaddy VirtualDedicated
    By snowkrash in forum Built-in Shipping and Payment Modules
    Replies: 6
    Last Post: 26 Nov 2008, 06:33 AM
  4. Replies: 3
    Last Post: 27 Aug 2008, 12:32 AM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •