Secure Payments overview
Learn about Secure Payments, LoanPro's PCI-compliant sister software.
Secure Payments is a LoanPro product that integrates with both LMS and third-party payment processors to move money between you and your borrowers, including payments, funding transactions, and card swipes. We developed it as a separate software so that it can stay PCI-DSS compliant while leaving your day-to-day operations out of PCI scope. Secure Payments' code, procedures, and practices all meet a high standard for security, and that's where all of your customers' payment profile information is saved.
This article will walk through the tools available in Secure Payments and how to use them. Secure Payments also uses a separate API (with its own credentials), which you can learn about in our Secure Payments API developer docs.
What are PCI-DSS security standards?
Payment Card Information (PCI) Data Security Standards (DSS) were created to protect consumers and their card information. Now, any company that stores, processes, or transmits card data must follow PCI compliance standards. LoanPro has made it easy to follow these standards with our sister software: Secure Payments. Secure Payments was developed to take payments and be PCI compliant so that the LoanPro loan management system (LMS) does not have to follow some of the more inconvenient rules. Secure Payments helps you protect your consumers while keeping LMS efficient.
PCI Compliance is broken down into twelve requirements across six categories.
Build and Maintain a Secure Network and Systems
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Stored Cardholder Data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Restrict access to cardholder data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Maintain an Information Security Policy
- Maintain a policy that addresses information security for all personnel
Secure Payments follows all PCI requirements. When you use Secure Payments to store, process, or transmit data you can rest assured that you will be PCI compliant. Secure Payments has the following features to make compliance easier for you:
- Automatic log-out after five minutes
- Password expiration after 90 days
- Frequent API token changes
- Field validations: ensures credit/debit card data is not being stored in unintended fields (also in place in LoanPro LMS)
Account setup and linking
Before you use Secure Payments, you'll need to take two steps for setup: first, creating an account, and then linking it to your LMS account.
Creating a Secure Payments account
You'll need to use an email address as the username login for your Secure Payments account. Unlike LoanPro, where multiple users can access the same account, Secure Payments only allows a single user per account. This ensures a far greater level of security and protects your customers' private information. A separate Secure Payments account is required for each of your LMS tenants. So, if you only have a production LoanPro account, then you will only need one Secure Payments account. If you purchased an additional LoanPro Sandbox account during your account activation, you will need to create an additional Secure Payments account.
The email address you use needs to be a real, accessible email account where Secure Payments can send important communications such as password reset emails or import reports. Many clients prefer to create a new email address at their company domain specifically for each Secure Payments account. For instance, if your domain was SampleLending.com, you could use these:
- Production – SecurePayments-Production@SampleLending.com
- Sandbox – SecurePayments-Sandbox@SampleLending.com (Not Required if you do not have a Sandbox account)
With an email address ready, navigate to the Secure Payments Signup Page. There, you'll begin by entering your email address and setting a password. Click "Sign Up" and the system will redirect you to the Login Page, where you will enter the credentials you just created.
Having successfully logged in, you'll now see a screen like the picture below. Click the banner across the top of the page prompting you to Activate your account.

Our activation walkthrough will guide you through the process. If you face any difficulty, contact our support staff, who can sort out any issues.
In order to activate your Secure Payments account, you will be required to put a credit/debit card on file. You will only be charged money when you use additional paid services (see the Actions tab below).
Linking your Secure Payments and LoanPro accounts
Once your account is activated, navigate into LoanPro under Settings > Company > Merchant to link your newly created Secure Payments account to LoanPro. Depending on your account setup, you may see one of the two screens. Click either select ‘Change Account’ or ‘I already Have One’ to simply link the new account. Follow the steps prompted on the screen to enter in your Secure Payments credentials.


You have now successfully set up and linked your Secure Payments account to LoanPro. This means you're ready to begin processing payments.
Secure Payments credentials
Since Secure Payments holds sensitive customer payment information, maintaining credentials in a secure way is an important thing to know. In this article, we'll discuss how to use, monitor, and update your credentials.
Reset Your Password in LoanPro
The primary email associated with your Secure Payments account will receive notifications when the password is about to expire. If you update your password in Secure Payments, either via the UI or the API, your LoanPro account will no longer be connected to Secure Payments. Due to this, we strongly recommend that you complete all your password updates in LoanPro to avoid any issues.
To update your password, navigate to Settings > Company > Merchant > Secure Payments inside of your LoanPro account. Then, select 'Change password'.
When you click 'Change password', you will be asked for your old password and to enter a new one.
Once you have entered your password information, click 'Save'. You'll want to make sure that your old password is correct, since you will only have a few unsuccessful attempts to change the password before the account will be locked. If you don't remember your old password, contact support for assistance.
Password Guidance
Because of the sensitive nature of the data it stores, access to Secure Payments should be closely guarded. Here are some best practices to ensure unauthorized parties don't gain access to your Secure Payments account.
One of the most common ways unauthorized parties gain access to an account is through password theft. It is the responsibility of each user to safeguard their password. You should change your password if any of the following occurs:
- You suspect your password may have leaked
- Your password was posted anywhere public
- Any device you use to log in to Secure Payments was lost or stolen
Always be conscious of password security. Don't share your password with anyone, and use a password manager instead of writing your password down.
Password Enforcement
LoanPro uses the following policies to enforce passwords:
- A user can attempt to login five times before they will be locked out for 30 minutes and need to change their password.
- Creating/changing your own password requires email verification and at least ten alphanumeric characters.
Secure Payments API Tokens
To communicate with Secure Payments API, requests for LMS and custom applications need to be authenticated. Secure Payments uses a token and secret to authenticate requests. These two tokens represent and give access to the Secure Payments account, so it's important to keep them safe. Here are the important points regarding Secure Payments credentials:
- LMS and custom applications are required to authenticate the account's token and secret to access Secure Payments.
- The token and secret do not expire.
- Unused authentication should be revoked.
In the past, the token and secret were tied to login credentials (your username and password), but this is no longer the case.
API Requests
Most Secure Payments endpoints expect both the secret and token to be submitted as part of the request headers. The headers for your requests will need to be formatted like the following:
Authorization: {token}
Secret: {secret}
Tokens and secrets are a pair, and they don't work without each other: each secret is unique to each token and vice versa. While the token and secret do not expire, requests won’t be allowed if the account's password has. If this is the case, you'll receive a 401
response with an authentication error message.
Monitoring Expiration
You can monitor the expiration of your password via the Secure Payments API. To retrieve information about your Secure Payments user, send a GET request to the following endpoint:
https://securepayments.loanpro.io/api/users
The response from this endpoint will look something like this:
{
"role": "user",
"amount": 500,
"nacha_action": true,
"sftp_nacha_price": 0.28,
"updated": "2019-10-01T19:05:33Z",
"username": "user@email.com",
"trial_account": false,
"created": "2018-07-31T19:31:32Z",
"routing_action": false,
"card_lookup_price": 0.05,
"days_since_update": 71,
"echeck_price": 0.25,
"days_remaining": 19,
"balance": 4967.969999825582,
"anet_price": 0.25,
"anet_action": true,
"address_verify_price": 0.09,
"id": 798,
"contract_signed": true,
"minimum_balance": 50,
"address_action": false,
"echeck_action": true,
"lookup_action": true,
"bank_name_lookup_price": 0.01,
"contact": "user@email.com",
"country": "usa"
}
Generating New Authentication Credentials
It is possible to generate a new set of authentication credentials outside of the LoanPro UI. This is achieved by using sending the following POST request:
POST https://securepayments.loanpro.io/api/authenticate
{
"username":"currentUsername",
"password":"currentPassword"
}
If your request is successful, you will receive a response payload that looks like this:
{
"token":"new token",
"secret":"new secret"
}
Revoking Authentication Credentials
To revoke a set of credentials, send a POST request to the following endpoint:
POST https://securepayments.loanpro.io/api/revoke
Make sure you use the token and secret you want to revoke in the request headers to authenticate the request. The response from a successful revoke request should look like the following:
{
"message":"Token revoked."
}
With these steps complete, you're ready to start using Secure Payments.
When you first open Secure Payments, you'll land on the Customers page. On the left, you'll see a navigation pane listing other pages, which are categorized into four groups:
- Customers and cards
- Reports
- Tools
- Settings
- My account
Tools
This section only contains imports. Since customer payment profiles fall under PCI scope, the process to import them into LMS also involves Secure Payments. It's a straightforward process, but it does involve enough steps that it's handled in it's own article on Payment Profile Imports.
My account
This area is for information about your company, like your own payment profile, payment settings, and payment history. You can view your contract, and toggle which actions are available for your account.
Payment profiles
The Profile area of Secure Payments is where you view and update information that concerns your communication with Secure Payments. This includes three sections: API Credentials, Communication, and Multi-Factor Authentication Settings.
API credentials
The API Credentials page shows the information needed to interact with Secure Payments via the API.
Field | Description |
Username | Your username for logging into Secure Payments |
Account Created Date | The date your Secure Payments account was created |
Last Updated Date | The date you Secure Payments account was last updated |
Days Since Last Update | The number of days since your Secure Payments account was updated |
Days to Expire | The number of days until your Secure Payments account will expire |
Password (Encrypted) | Your password to log in to Secure Payments |
Token | The token used to reference your Secure Payments account when using the API |
Secret | The secret key used to authenticate your account when using the API |
You can change your current password by clicking the edit button.A warning text will pop-up explaining potential consequences of changing the password if the account is linked to a Loan Management System account. Click I Understand if you wish to proceed.
To change your password, simply enter your current password, the new password, and click Save.
Communication
The Communication tab lets you view and change the email where Secure Payments notifications are sent. Although this defaults to your username, changing this will not change your username. To edit this email, click the blue pencil icon in the top right corner. From there, just enter the new email and click 'Save'.
Login
When logging into the system, you have six attempts to before your account will be locked for 30 minutes this helps prevent brute-force, break-in attempts. You can either wait 30 minutes or contact an administrator to lift the lock. If your session is idle for 15 minutes, your session will be automatically ended, and you will be logged out of the software.
Any new password must be different from the last four passwords. We recommend the using a password manager and randomized, complex passwords.
Multi-Factor Authentication
On the Multi-Factor Authentication (MFA) Settings page, you can request to update your MFA, which is required for file upload in Secure Payments.
Payment settings
Secure Payments connects you to a number of services that charge for each use, but those costs are usually just a few cents. Rather than charging you per use, we have you create a balance in Secure Payments that you draw from. This section let's you configure that minimum balance and how much should be charged. Whenever your balance reaches the low point, you'll be charged the amount you specify.
Payment history
The Payment History page of Secure Payments shows the payments that have been made to increase your company balance. You can find Payment history under My Account in the navigation window on the left. To manually add funds to your account, click the icon in the top right corner.
Enter the amount that you want to increase your balance in the 'Amount' field and click 'Save'. As noted in this window, the primary payment profile associated with your account will be used to increase your balance.
Actions
The Actions section of Secure Payments is designed to let the user turn on or off a specific service that Secure Payments offers. This allows the user to pick and choose which services they would like to use.
To navigate to the Actions page, look under the 'My Account' section in the navigation panel to the left. The Actions page lists available services, a description and price per use of each, and a switch to toggle them on or off. The actions are split into four categories:
- United States Processing
- Canadian Processing
- Information Lookup
- Finicity
United States Processing
These settings determine whether different payment methods are available for US accounts.
Service | Description |
Bank Card | This service processes credit and debit card payments through one of the merchants integrated with Secure Payments. |
ACH/eCheck | This service processes bank account withdrawals through one of our integrated payment processors. |
SFTP | This service will create an unbalanced NACHA file and send it to a specified SFTP server. |
NACHA Payment Updates | This setting determines whether NACHA transactions will automatically move from a Processing status to Settled Successfully, and after how many days (banking or calendar). |
Canadian Processing
Much like the United States Processing section does for US accounts, these settings control whether different payment methods are available for Canadian accounts.
Service | Description |
Bank Card | This service processes credit and debit card payments through one of the merchants integrated with Secure Payments. |
ACH/eCheck | This setting toggles LoanPro's two Canadian e-check processors, EFT Canada and Versapay. |
SFTP | This service creates CPA-005 files and sendsthem to a specified SFTP server. |
Information Lookup
Here you'll find settings that determine whether different information gathering tools are available within individual accounts.
Service | Description |
Routing number | This service looks up the bank name from the routing number. |
AVS Address Verify | This service verifies the address associated with the payment profile. It can only be used through the Secure Payments API. |
Card Attribute Lookup | This service pulls additional information regarding the credit/debit card. With this turned on, you can block unwanted payment profiles using bank card controls. |
Advanced Attribute Lookup | Lookup more card information and funding attributes. |
Bank Account Attribute Lookup | This drop down lets you turn on the attribute lookup for bank accounts. The different options select different service levels. |
Finicity
These settings control the actions you can take with our Finicity integration.
Service | Description |
iFrame Creation | Toggles whether you're able to create Finicity iframes. |
Payment Profile Creation | Allows you to create payment profiles through your Finicity iframes. |
Contracts
If you ever need to check the fine print of your contract with Secure Payments or Finicity, we keep a copy saved and easily accessible within the software, as well as a complete signature history. To view your contracts and signatures, navigate to My Account > Contracts.
The page is divided into three tabs: Signature History, Secure Payments, and Finicity.
Signature History
On this tab, a small table gives you a history of your contract signatures for both Secure Payments and Finicity.
Each entry on the table includes the following information:
- Signature ID – A unique ID for each signature, distinguishing it from any others.
- Contract ID – An ID for the specific version of the contract.
- Service – Either Secure Payments or Finicity.
- Signed On – The date and time when the contract was signed. It's formatted YYYY-MM-DD HH:MM:SS UTC.
Secure Payments
This tab includes a PDF copy of your contract for Secure Payments. Selecting different dates from the ‘Signature Date’ dropdown allows you to find earlier copies. If you click the new tab icon in the top right (the arrow in a box), the PDF will open in its own tab, making it easier to read.
You can download or print a copy with buttons on the PDF itself.
Secure Payments used to go by the name ‘PCI Wallet’. Don't worry if your contract says PCI Wallet and uses the old logo; it's still the same software.
Finicity Contract
If you use LoanPro's integration with Finicity, this tab includes a PDF copy of your contract with them. Selecting different dates from the ‘Signature Date’ dropdown allows you to find earlier copies. If you click the new tab icon in the top right (the arrow in a box), the PDF will open in its own tab, making it easier to read.
Was this article helpful?
Unclassified Public Data