Payment Card Information (PCI) Data Security Standards (DSS) were created to protect consumers and their card information. Now, any company that stores, processes, or transmits card data must follow PCI compliance standards. LoanPro has made it easy to follow these standards with our sister software: Secure Payments. Secure Payments was developed to take payments and be PCI compliant so that the LoanPro loan management system (LMS) does not have to follow some of the more inconvenient rules. Secure Payments helps you protect your consumers while keeping LMS efficient.

PCI Compliance is broken down into twelve requirements across six categories.

Build and Maintain a Secure Network and Systems

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Stored Cardholder Data

1. Protect stored cardholder data
2. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

1. Use and regularly update anti-virus software or programs
2. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

1. Restrict access to cardholder data by business need to know
2. Assign a unique ID to each person with computer access
3. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

1. Track and monitor all access to network resources and cardholder data
2. Regularly test security systems and processes

Maintain an Information Security Policy

1. Maintain a policy that addresses information security for all personnel

Secure Payments follows all PCI requirements. When you use Secure Payments to store, process, or transmit data you can rest assured that you will be PCI compliant. Secure Payments has the following features to make compliance easier for you:

• Automatic log-out after five minutes
• Password expiration after 90 days
• Frequent API token changes
• Field validations: ensures credit/debit card data is not being stored in unintended fields (also in place in LoanPro LMS)

You'll need to use an email address as the username login for your Secure Payments account. Unlike LoanPro, where multiple users can access the same account, Secure Payments only allows a single user per account. This ensures a far greater level of security and protects your customers' private information. A separate Secure Payments account is required for each of your LMS tenants. So, if you only have a production LoanPro account, then you will only need one Secure Payments account. If you purchased an additional LoanPro Sandbox account during your account activation, you will need to create an additional Secure Payments account.

The email address you use needs to be a real, accessible email account where Secure Payments can send important communications such as password reset emails or import reports. Many clients prefer to create a new email address at their company domain specifically for each Secure Payments account. For instance, if your domain was SampleLending.com, you could use these:

• Production – SecurePayments-Production@SampleLending.com
• Sandbox – SecurePayments-Sandbox@SampleLending.com (Not Required if you do not have a Sandbox account)

With an email address ready, navigate to the Secure Payments Signup Page. There, you'll begin by entering your email address and setting a password. Click "Sign Up" and the system will redirect you to the Login Page, where you will enter the credentials you just created.

Having successfully logged in, you'll now see a screen like the picture below. Click the banner across the top of the page prompting you to Activate your account.

Our activation walkthrough will guide you through the process. If you face any difficulty, contact our support staff, who can sort out any issues.

Once your account is activated, navigate into LoanPro under Settings > Company > Merchant to link your newly created Secure Payments account to LoanPro. Depending on your account setup, you may see one of the two screens. Click either select ‘Change Account’ or ‘I already Have One’ to simply link the new account. Follow the steps prompted on the screen to enter in your Secure Payments credentials.

You have now successfully set up and linked your Secure Payments account to LoanPro. This means you're ready to begin processing payments.

Since Secure Payments holds sensitive customer payment information, maintaining credentials in a secure way is an important thing to know. In this article, we'll discuss how to use, monitor, and update your credentials.

Reset Your Password in LoanPro

The primary email associated with your Secure Payments account will receive notifications when the password is about to expire. If you update your password in Secure Payments, either via the UI or the API, your LoanPro account will no longer be connected to Secure Payments. Due to this, we strongly recommend that you complete all your password updates in LoanPro to avoid any issues. 

To update your password, navigate to Settings > Company > Merchant > Secure Payments inside of your LoanPro account. Then, select 'Change password'.

When you click 'Change password', you will be asked for your old password and to enter a new one.

Once you have entered your password information, click 'Save'. You'll want to make sure that your old password is correct, since you will only have a few unsuccessful attempts to change the password before the account will be locked. If you don't remember your old password, contact support for assistance. 

Password Guidance

Because of the sensitive nature of the data it stores, access to Secure Payments should be closely guarded. Here are some best practices to ensure unauthorized parties don't gain access to your Secure Payments account.

One of the most common ways unauthorized parties gain access to an account is through password theft. It is the responsibility of each user to safeguard their password. You should change your password if any of the following occurs:

• You suspect your password may have leaked
• Your password was posted anywhere public
• Any device you use to log in to Secure Payments was lost or stolen

Always be conscious of password security. Don't share your password with anyone, and use a password manager instead of writing your password down.

Password Enforcement

LoanPro uses the following policies to enforce passwords:

• A user can attempt to login five times before they will be locked out for 30 minutes and need to change their password.
• Creating/changing your own password requires email verification and at least ten alphanumeric characters.

Secure Payments API Tokens

To communicate with Secure Payments API, requests for LMS and custom applications need to be authenticated. Secure Payments uses a token and secret to authenticate requests. These two tokens represent and give access to the Secure Payments account, so it's important to keep them safe. Here are the important points regarding Secure Payments credentials:

• LMS and custom applications are required to authenticate the account's token and secret to access Secure Payments.
• The token and secret do not expire.
• Unused authentication should be revoked.

API Requests

Most Secure Payments endpoints expect both the secret and token to be submitted as part of the request headers. The headers for your requests will need to be formatted like the following:

Authorization: {token}

Secret: {secret}

Tokens and secrets are a pair, and they don't work without each other: each secret is unique to each token and vice versa. While the token and secret do not expire, requests won’t be allowed if the account's password has. If this is the case, you'll receive a 401 response with an authentication error message.

Monitoring Expiration

You can monitor the expiration of your password via the Secure Payments API. To retrieve information about your Secure Payments user, send a GET request to the following endpoint:

https://securepayments.loanpro.io/api/users

The response from this endpoint will look something like this:

{
  "role": "user",
  "amount": 500,
  "nacha_action": true,
  "sftp_nacha_price": 0.28,
  "updated": "2019-10-01T19:05:33Z",
  "username": "user@email.com",
  "trial_account": false,
  "created": "2018-07-31T19:31:32Z",
  "routing_action": false,
  "card_lookup_price": 0.05,
  "days_since_update": 71,
  "echeck_price": 0.25,
  "days_remaining": 19,
  "balance": 4967.969999825582,
  "anet_price": 0.25,
  "anet_action": true,
  "address_verify_price": 0.09,
  "id": 798,
  "contract_signed": true,
  "minimum_balance": 50,
  "address_action": false,
  "echeck_action": true,
  "lookup_action": true,
  "bank_name_lookup_price": 0.01,
  "contact": "user@email.com",
  "country": "usa"
}

Generating New Authentication Credentials

It is possible to generate a new set of authentication credentials outside of the LoanPro UI. This is achieved by using sending the following POST request:

POST https://securepayments.loanpro.io/api/authenticate

{ 
   "username":"currentUsername",
   "password":"currentPassword"
}

If your request is successful, you will receive a response payload that looks like this:

{ 
   "token":"new token",
   "secret":"new secret"
}

Revoking Authentication Credentials

To revoke a set of credentials, send a POST request to the following endpoint:

POST https://securepayments.loanpro.io/api/revoke

Make sure you use the token and secret you want to revoke in the request headers to authenticate the request. The response from a successful revoke request should look like the following:

{ 
   "message":"Token revoked."
}

The Profile area of Secure Payments is where you view and update information that concerns your communication with Secure Payments. This includes three sections: API Credentials, Communication, and Multi-Factor Authentication Settings.

API credentials

The API Credentials page shows the information needed to interact with Secure Payments via the API.

You can change your current password by clicking the edit button.A warning text will pop-up explaining potential consequences of changing the password if the account is linked to a Loan Management System account. Click I Understand if you wish to proceed.

To change your password, simply enter your current password, the new password, and click Save.

Communication

The Communication tab lets you view and change the email where Secure Payments notifications are sent. Although this defaults to your username, changing this will not change your username. To edit this email, click the blue pencil icon in the top right corner. From there, just enter the new email and click 'Save'.

Login

When logging into the system, you have six attempts to before your account will be locked for 30 minutes this helps prevent brute-force, break-in attempts. You can either wait 30 minutes or contact an administrator to lift the lock. If your session is idle for 15 minutes, your session will be automatically ended, and you will be logged out of the software.

Any new password must be different from the last four passwords. We recommend the using a password manager and randomized, complex passwords.

Multi-Factor Authentication

On the Multi-Factor Authentication (MFA) Settings page, you can request to update your MFA, which is required for file upload in Secure Payments.

Secure Payments connects you to a number of services that charge for each use, but those costs are usually just a few cents. Rather than charging you per use, we have you create a balance in Secure Payments that you draw from. This section let's you configure that minimum balance and how much should be charged. Whenever your balance reaches the low point, you'll be charged the amount you specify. 

The Payment History page of Secure Payments shows the payments that have been made to increase your company balance. You can find Payment history under My Account in the navigation window on the left. To manually add funds to your account, click the icon in the top right corner.

Enter the amount that you want to increase your balance in the 'Amount' field and click 'Save'. As noted in this window, the primary payment profile associated with your account will be used to increase your balance.

The Actions section of Secure Payments is designed to let the user turn on or off a specific service that Secure Payments offers. This allows the user to pick and choose which services they would like to use.

To navigate to the Actions page, look under the 'My Account' section in the navigation panel to the left. The Actions page lists available services, a description and price per use of each, and a switch to toggle them on or off. The actions are split into four categories:

• United States Processing
• Canadian Processing
• Information Lookup
• Finicity

United States Processing

These settings determine whether different payment methods are available for US accounts.

Canadian Processing

Much like the United States Processing section does for US accounts, these settings control whether different payment methods are available for Canadian accounts.

Information Lookup

Here you'll find settings that determine whether different information gathering tools are available within individual accounts.

Finicity

These settings control the actions you can take with our Finicity integration.

If you ever need to check the fine print of your contract with Secure Payments or Finicity, we keep a copy saved and easily accessible within the software, as well as a complete signature history. To view your contracts and signatures, navigate to My Account > Contracts.

The page is divided into three tabs: Signature History, Secure Payments, and Finicity.