Payment Card Information (PCI) Data Security Standards (DSS) were created to protect consumers and their card information. Now, any company that stores, processes, or transmits card data must follow PCI compliance standards. LoanPro has made it easy to follow these standards with our sister software: Secure Payments. Secure Payments was developed to take payments and be PCI compliant so that the LoanPro loan management system (LMS) does not have to follow some of the more inconvenient rules. Secure Payments helps you protect your consumers while keeping LMS efficient.

PCI Compliance is broken down into twelve requirements across six categories.

Build and Maintain a Secure Network and Systems

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Stored Cardholder Data

1. Protect stored cardholder data
2. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

1. Use and regularly update anti-virus software or programs
2. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

1. Restrict access to cardholder data by business need to know
2. Assign a unique ID to each person with computer access
3. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

1. Track and monitor all access to network resources and cardholder data
2. Regularly test security systems and processes

Maintain an Information Security Policy

1. Maintain a policy that addresses information security for all personnel

Secure Payments follows all PCI requirements. When you use Secure Payments to store, process, or transmit data you can rest assured that you will be PCI compliant. Secure Payments has the following features to make compliance easier for you:

• Automatic log-out after five minutes
• Password expiration after 90 days
• Frequent API token changes
• Field validations: ensures credit/debit card data is not being stored in unintended fields (also in place in LoanPro LMS)

ou'll need to use an email address as the username login for your Secure Payments account. Unlike LoanPro, where multiple users can access the same account, Secure Payments only allows a single user per account. This ensures a far greater level of security and protects your customers' private information. A separate Secure Payments account is required for each of your LMS tenants. So, if you only have a production LoanPro account, then you will only need one Secure Payments account. If you purchased an additional LoanPro Sandbox account during your account activation, you will need to create an additional Secure Payments account.

The email address you use needs to be a real, accessible email account where Secure Payments can send important communications such as password reset emails or import reports. Many clients prefer to create a new email address at their company domain specifically for each Secure Payments account. For instance, if your domain was SampleLending.com, you could use these:

• Production – SecurePayments-Production@SampleLending.com
• Sandbox – SecurePayments-Sandbox@SampleLending.com (Not Required if you do not have a Sandbox account)

With an email address ready, navigate to the Secure Payments Signup Page. There, you'll begin by entering your email address and setting a password. Click "Sign Up" and the system will redirect you to the Login Page, where you will enter the credentials you just created.

Having successfully logged in, you'll now see a screen like the picture below. Click the banner across the top of the page prompting you to Activate your account.

Our activation walkthrough will guide you through the process. If you face any difficulty, contact our support staff, who can sort out any issues.

Once your account is activated, navigate into LoanPro under Settings > Company > Merchant to link your newly created Secure Payments account to LoanPro. Depending on your account setup, you may see one of the two screens. Click either select ‘Change Account’ or ‘I already Have One’ to simply link the new account. Follow the steps prompted on the screen to enter in your Secure Payments credentials.

You have now successfully set up and linked your Secure Payments account to LoanPro. This means you're ready to begin processing payments.

Since Secure Payments holds sensitive customer payment information, maintaining credentials in a secure way is an important thing to know. In this article, we'll discuss how to use, monitor, and update your credentials.

Reset Your Password in LoanPro

The primary email associated with your Secure Payments account will receive notifications when the password is about to expire. If you update your password in Secure Payments, either via the UI or the API, your LoanPro account will no longer be connected to Secure Payments. Due to this, we strongly recommend that you complete all your password updates in LoanPro to avoid any issues. 

To update your password, navigate to Settings > Company > Merchant > Secure Payments inside of your LoanPro account. Then, select 'Change password'.

When you click 'Change password', you will be asked for your old password and to enter a new one.

Once you have entered your password information, click 'Save'. You'll want to make sure that your old password is correct, since you will only have a few unsuccessful attempts to change the password before the account will be locked. If you don't remember your old password, contact support for assistance. 

Password Guidance

Because of the sensitive nature of the data it stores, access to Secure Payments should be closely guarded. Here are some best practices to ensure unauthorized parties don't gain access to your Secure Payments account.

One of the most common ways unauthorized parties gain access to an account is through password theft. It is the responsibility of each user to safeguard their password. You should change your password if any of the following occurs:

• You suspect your password may have leaked
• Your password was posted anywhere public
• Any device you use to log in to Secure Payments was lost or stolen

Always be conscious of password security. Don't share your password with anyone, and use a password manager instead of writing your password down.

Password Enforcement

LoanPro uses the following policies to enforce passwords:

• A user can attempt to login five times before they will be locked out for 30 minutes and need to change their password.
• Creating/changing your own password requires email verification and at least ten alphanumeric characters.

Secure Payments API Tokens

To communicate with Secure Payments API, requests for LMS and custom applications need to be authenticated. Secure Payments uses a token and secret to authenticate requests. These two tokens represent and give access to the Secure Payments account, so it's important to keep them safe. Here are the important points regarding Secure Payments credentials:

• LMS and custom applications are required to authenticate the account's token and secret to access Secure Payments.
• The token and secret do not expire.
• Unused authentication should be revoked.

API Requests

Most Secure Payments endpoints expect both the secret and token to be submitted as part of the request headers. The headers for your requests will need to be formatted like the following:

Authorization: {token}

Secret: {secret}

Tokens and secrets are a pair, and they don't work without each other: each secret is unique to each token and vice versa. While the token and secret do not expire, requests won’t be allowed if the account's password has. If this is the case, you'll receive a 401 response with an authentication error message.

Monitoring Expiration

You can monitor the expiration of your password via the Secure Payments API. To retrieve information about your Secure Payments user, send a GET request to the following endpoint:

https://securepayments.loanpro.io/api/users

The response from this endpoint will look something like this:

{
  "role": "user",
  "amount": 500,
  "nacha_action": true,
  "sftp_nacha_price": 0.28,
  "updated": "2019-10-01T19:05:33Z",
  "username": "user@email.com",
  "trial_account": false,
  "created": "2018-07-31T19:31:32Z",
  "routing_action": false,
  "card_lookup_price": 0.05,
  "days_since_update": 71,
  "echeck_price": 0.25,
  "days_remaining": 19,
  "balance": 4967.969999825582,
  "anet_price": 0.25,
  "anet_action": true,
  "address_verify_price": 0.09,
  "id": 798,
  "contract_signed": true,
  "minimum_balance": 50,
  "address_action": false,
  "echeck_action": true,
  "lookup_action": true,
  "bank_name_lookup_price": 0.01,
  "contact": "user@email.com",
  "country": "usa"
}

Generating New Authentication Credentials

It is possible to generate a new set of authentication credentials outside of the LoanPro UI. This is achieved by using sending the following POST request:

POST https://securepayments.loanpro.io/api/authenticate

{ 
   "username":"currentUsername",
   "password":"currentPassword"
}

If your request is successful, you will receive a response payload that looks like this:

{ 
   "token":"new token",
   "secret":"new secret"
}

Revoking Authentication Credentials

To revoke a set of credentials, send a POST request to the following endpoint:

POST https://securepayments.loanpro.io/api/revoke

Make sure you use the token and secret you want to revoke in the request headers to authenticate the request. The response from a successful revoke request should look like the following:

{ 
   "message":"Token revoked."
}

To access the Customer section, head directly into Secure Payments and click the Customers tab on the left side of the page.

The Customers page has two main functions. You can search for existing customers by entering keywords into the “Search” field on left side of the screen, or you can add new customers.

Customer Creation and Personal Info

To enter a new customer record, click the black plus button at the top right corner of the screen.

This should pull up a screen where you can fill in the personal customer's personal information. Required fields for creating a customer are marked with an * and include the customer's first and last name, gender, birth date, and address. Fields marked with a 1 are required for a customer to have a card for their line of credit account. These include the customer's email, phone number, and Social Security Number (SSN). 

If you enter a ZIP code (not a postal code) in the address field, the city and state will be automatically populated for you. Above the mailing address section, there is a “Same as primary” link. If you click it, the mailing-address fields will be populated with the values from the corresponding primary-address fields.

Once you have entered all of the required customer information, click Save.

Payment Profiles

Once you have created a customer, you can click on their name to see their information. This will automatically take you to the personal information screen, which will contain the information you entered when creating the customer. To create a payment profile for your customer, navigate to the Payment Profiles tab to the left of the customer profile screen.

Click the black plus button to add a payment profile.

Once the Add Payment Profile screen pulls up, choose the type of profile (whether it is a bank card or a bank account) and enter the rest of the required information.

Click the Save button to complete the process.

Transaction History

The Transaction History tab is located right below the Payment Profile tab. Here you can see all the current and past transactions for the customer in Secure Payments. If needed, you can choose a date range to search transactions. By clicking the small info button to the far right of each transaction, you can see more details about the individual transactions.

Cards

If the customer has cards associated with a line of credit account, they will show up here in the Cards section. You'll see at a glance the card's status, available credit, and the card title. 

We plan on releasing future articles that will explain in-depth how to add a card to a customer's profile, but for now our Intro to Card article will help you understand how our card functionality works and what it can do for your operations. 

Notes

The final tab on the Customer Profile page is Note Manager. On the Note Manager page, you can see any previous notes and add new notes related to the specific customer. Simply click the plus button to add a new note.

Within the card manager, you'll see a list of all the cards you've issued. On the left, there are options to filter your results by type, program, status, and available balance.

Each individual card shows the following:

• the card's UUID
• the customer it's linked to
• the card's title
• the program it was created from
• its available balance
• the type (credit or prepaid)
• it's status
• the date when it was created (YYYY-MM-DD HH:MM:SS UTC)

The transaction history search lets you search through customer transactions. From this page, you can filter through results, get NACHA batch IDs, and get additional information about each transaction.

There are several ways to filter search results:

Most selections will automatically update your search results. If you are filtering by keyword, press Enter to run the search.

Once you have created a search, click the triple-bar icon in the top right corner to export them to a CSV file.

Transaction Summary

Select the lowercase 'i' icon next to any transaction to see its details (it's in the little red box in the picture above). Clicking it will display the following window which shows the transaction summary and history:

This window not only displays information but gives you the option to void a transaction or mark it as failed. Not every transaction will show you the option of "Mark Failed"; this is only available if the transaction is in 'Processing' status.

If you are marking a transaction as FAILED, an "R-Code" is required. Our NACHA Returns article explains what R-Codes are and lists all the available codes.

Summary Tab

This area shows basic info, as well as information about the account used to make the payment and the customer themselves.

Transaction History Tab

If you select 'HISTORY', you can see the history of the transaction by status:

The statuses of a transaction can be pending, processing, failed, or voided.

Additional Information Tab

If you select the 'Additional Information' tab, the following can be displayed depending on the transaction:

Fields that may be included in the additional information tab are as follows:

Swipe history shows all the purchases made through cards you've issued.

On the left, you can filter for the swipe's status, issuer, program, date, and amount. Each swipe shows that information, as well as the customer, card title, and Merchant Category Code (MCC). Clicking an individual entry brings up more detailed information about that swipe.

This tab shows Nacha files you've generated, allowing you to search by date and manually generate a file.

For more information, check out our full articles on Nacha batch processing.

This tab shows CPA005 files you've generated, allowing you to search by date and manually generate a file.

For more information, check out our full articles on CPA-005 files and batch processing.

Under the Reports section of the left side panel in Secure Payments, you'll find the Usage History. The Usage History section of Secure Payments is designed to show your current balance and usage so you can see where you are spending money in Secure Payments. Your current balance is visible at the top left of the list of transactions. Underneath the balance are two drop-downs you can use to filter the list of transactions by date range or by service type. You can also search by a custom date range by clicking on the date range itself.

The transaction list is the main body of the page, where you can see the ID, Date, Service, and Action for each transaction. By default, the transactions list will show you a list of all transactions for the current month, but when you select a filter, the results will show in the transaction list. If you want to export the transactions list, click the button with three bars, then click the Excel icon that appears.

To the right of the transactions list, there will be a box that say 'Total Number Of Calls.' This will give a summary of how many call of each servicing type have occurred.

The payment profiles section of Secure Payments is where you can add a payment profile for your account. This payment profile will be used to add funds to your account. To add a new payment profile, click the blue plus icon in the top right corner.

The following payment profile window will display and ask for basic card information such as cardholder name, card info, and billing address. Once you've entered the necessary information, click 'Save.'

After clicking 'Save', your payment profile information will be tokenized to ensure security.

You can use this token to access the payment profile through the API.

Here, you can add and manage instances of LoanPro's integrated payment processors. We actually recommend creating new processors from within LMS. For more details, check out our articles on creating payment processors and the individual articles for each processor.

This tab shows all the card programs you've created, organized by issuer. You can edit, or toggle the activity for all programs, and delete programs if they don't have any active cards.

Here you can manage your configurations with card issuers.

Here you can manage your settings for banking insight providers, like Finicity. For more information on using banking insight providers, reach out to your regular LoanPro contact.

Much like how LMS can send webhooks, Secure Payments can send information to a specified URL when certain events occur. In this article, we will explain how to add events to your Secure Payments account and provide some of the callback URLs used to link to your LoanPro account.

Adding Secure Payments Events

To view, edit, and delete events, navigate to Settings > Events inside your Secure Payments account.

Here, you can also use the toggle switches to the right of an event to turn it on or off. To add a new event, click the blue plus icon in the top right.

Next, select the event type for which you want to add a URL from the 'Event type' drop-down. Then, enter the URL in the URL field. You'll notice that each Secure Payments event can have up to 5 callback URLs. Click 'Save' to add the event to your settings.

Required Event Configurations

The NACHA Batch Generation, NACHA File Generation, and Transaction Status are likely already configured for your account. These three are required, as they communicate to the database and LoanPro's Loan Management System (LMS) when these events occur. We'll explain how to configure these in the instance that they aren't configured. All other events are optional, but we recommend setting them up if you'd like Secure Payments to send information to LMS.

NACHA Batch Generation

If you add the LoanPro callback URL for NACHA file generation, LoanPro will be updated with NACHA batch IDs. The batch IDs are assigned by Secure Payments for transactions processed with a NACHA processor. This is useful, as it will let you pull payments based on their batch ID.

To search by NACHA batch ID, go to Reports > Transaction History > Payment Breakdown.

LoanPro Callback URL:

https://loanpro.simnang.com/api/public/thirdparty.php/pciw/nacha-batch-generation/callback

NACHA File Generation

If you add the LoanPro callback URL for NACHA batch generation, LoanPro will be updated when a NACHA file is generated.

LoanPro Callback URL:

https://loanpro.simnang.com/api/public/thirdparty.php/pciw/nacha-file-generation/callback

Transaction Status

Including the LoanPro URL for transaction status updates will update payments' transaction status as they move through the payment process in Secure Payments.

LoanPro Callback URL:

https://loanpro.simnang.com/api/public/thirdparty.php/pciw/transaction-updated/callback

Other Events

As we mentioned above, these events are not required to be configured. But they are available if you'd like to use them. Here's a breakdown of what's available:

{
  "type": "checking"
}

{
  "message": "A bank account has been deleted under the Secure Payments account accounting@lending.company"
}

{
  "message": "A bank account has been updated under the Secure Payments account accounting@lending.company"
}

{
  "message": "A credit card was added under the Secure Payments account accounting@lending.company"
}

{
  "message": "A credit card was deleted under the Secure Payments account accounting@lending.company"
}

{
  "message": "A credit card was updated under the Secure Payments account accounting@lending.company"
}

{
  "message": "Secure Payments password for accounting@lending.company have been updated."
}

{
  "type": "Authorize.net",
  "processor": 1454,
  "transaction-id": 6486581
}

{
  "type": "Authorize.net",
  "id": 1739
}

{
  "type": "Authorize.net",
  "id": "1740"
}

{
  "type": "Authorize.net",
  "id": "1741"
}

{
  "message": "Secure Payments settings for accounting@lending.company have been updated."
}

To maintain payment card information (PCI) compliance, applications integrated with Secure Payments are required to use the Secure Payments iframe. It may be helpful to change the iframe style so it matches your user interface (UI). Secure Payments offers some custom styling options to make this possible.

To use the custom styling in Secure Payments, navigate to Iframe CSS: Menu > Settings > Iframe CSS.

The following styling options are available for the iframe:

• Font – This selection lets you choose the text font for the iframe. Available options include:
  • Arial
  • Arial Black
  • Comic Sans
  • Courier New
  • Georgia
  • Impact
  • Times New Roman
  • Trebuchet MS
  • Verdana
• Select Color – This color will display when a field is selected.
• Button Color – This changes the color of the buttons. Use a HEX code to get a specific color.
• Button Hover Color – This will change the color of a button when the cursor hovers over it. Use a HEX code to get a specific color.

These values will save automatically as you enter them.

Additionally, you have the ability to set a default country for the Secure Payments iframe.

Select United States or Canada, depending on what region you are in. 

The numbers on a credit or debit card aren't random; they convey information about the account. The first four to six digits on a card are referred to as a Bank Identification Number (BIN), and they indicate the account's type (debit, prepaid, etc.) and brand (Visa, MasterCard, etc.). When a payment profile with a bank card is created in Secure Payments, the system can use the BIN to determine the account's type and brand. All you have to worry about is whether you want to accept those types of payment profiles.

Using BIN ranges, Secure Payments can restrict certain types or brands of card with the click of a button. Within Secure Payments, you'll find these features under Settings > Bank Cards Control in the navigation pane at the left.

Types

The first set of controls allow you to restrict certain types of cards. If you don't want your customers paying with a credit card, for instance, you would just switch off 'Credit'. If you only wanted customers using prepaid debit cards, you would leave 'Prepaid' and 'Debit' on but switch off 'Credit' and 'All Others'.

Brands

The next set of controls governs which brands of cards are accepted, and the controls work just like the Types settings above. If you don't accept VISA, you would simply switch it off. If you only accept these four major brands, you would leave them on and switch 'All Others' off.

BIN Attributes

This last control determines what will happen if the BIN is not recognized. With this option on, you will still accept payment profiles even if the BIN attributes are not available. With this option off, you will not accept any payment profiles with unrecognized BIN attributes.

Card Attribute Lookup

All of these controls use cards' BIN ranges, but if your Secure Payments account doesn't lookup those ranges, it cannot block unwanted payment profiles. To turn on Card Attribute Lookup and enable Bank Card Control, go to My Account > Actions in the navigation pane on the left of the screen, and ensure 'Card Attribute Lookup' is turned on.

If you try to use Bank Card Control settings without Card Attribute Lookup, Secure Payments will display a notification with a link to turn it on.

NACHA has supplemented their fraud detection standards by requiring that lenders validate their borrowers' bank accounts. LoanPro is integrated with ValidiFI, whose services can help you validate your borrowers' bank accounts. These tools enable you to detect and prevent fraud, and maintain compliance with NACHA's due-diligence rules or any laws that your company is subject to. NACHA recognizes them as a preferred partner for account validation, meaning they can be trusted to provide top-tier service in this area.

ValidiFI's integration with LoanPro makes it simple and easy to validate any payment profiles you've entered on Secure Payments.

What are their service levels?

Through Secure Payments, you have access to three tiers of ValidiFI account validation: Basic, Standard, and Enhanced. All three tiers satisfy NACHA's standards, but the Standard and Enhanced options provide more information.

• Basic: Basic searches cost $0.34 per validation. They authenticate the routing number structure and status, and ensure that the account number conforms to the routing number. They also identify the most basic errors associated with data entry and outdated information. 
• Standard: Standard searches cost $0.66 per validation. They do everything the Basic search does, as well as screen and validate the payment profile against ValidiFI’s network of payment, banking, and merchant contributors. This helps eliminate common errors and confirm the status of routing and bank account numbers.
• Enhanced: Enhanced searches cost $0.99 per validation. They do everything that the Basic and Standard searches do, and then verify routing and account numbers against an expanded list of sources. This search will return account attributes associated with the score. This is ideal for ensuring maximum coverage and identifying the account's status. It also identifies accounts associated with administrative returns.

Here's a breakdown of the different analytical tools applied with each tier of validation:

Configuration

Within Secure Payments, click 'Actions' on the navigation pane on the left of the screen.

This page lists the different actions available in Secure Payments and lets you toggle each of them on or off. ValidiFI's services are listed as 'Bank Account Attribute Lookup', found near the bottom.

The drop-down menu lists the available service tiers.

Validating an account

Now that you've turned on bank account controls, the system will automatically validate any payment profiles you add. That validation happens any time the payment profile is saved or edited. Once you've created a payment profile, just navigate back to it in the Secure Payments UI and you'll see all the information ValidiFI found on the account. Add or edit a payment profile, then go to Customers > select a specific customer > Payment Profiles.

The Validation Response is a result, shorthand for what ValidiFI discovered. If there is an issue, it will be explained in the Message. This basic validation sample gives a result code of AVC8, and the message explains that while the routing number is valid, that bank has never used account numbers like the one this borrower gave. This would indicate either a simple typo or perhaps an attempt at fraud; in either case, the payment profile is likely unusable.

Result codes and controls

When an account is validated, the system will give you a result code explaining the results. You can configure your settings so that Secure Payments will not attempt to process payments from profiles with the result codes you specify. In the navigation pane at the left, select Bank Account Control. 

Toggling each result will determine whether the system will attempt to process payments with those codes. If a result code is turned on, the system will accept payment profiles that return it.

This table explains what each indicates:

The Profile area of Secure Payments is where you view and update information that concerns your communication with Secure Payments. This includes three sections: API Credentials, Communication, and Multi-Factor Authentication Settings.

API credentials

The API Credentials page shows the information needed to interact with Secure Payments via the API.

You can change your current password by clicking the edit button.A warning text will pop-up explaining potential consequences of changing the password if the account is linked to a Loan Management System account. Click I Understand if you wish to proceed.

To change your password, simply enter your current password, the new password, and click Save.

Communication

The Communication tab lets you view and change the email where Secure Payments notifications are sent. Although this defaults to your username, changing this will not change your username. To edit this email, click the blue pencil icon in the top right corner. From there, just enter the new email and click 'Save'.

Login

When logging into the system, you have six attempts to before your account will be locked for 30 minutes this helps prevent brute-force, break-in attempts. You can either wait 30 minutes or contact an administrator to lift the lock. If your session is idle for 15 minutes, your session will be automatically ended, and you will be logged out of the software.

Any new password must be different from the last four passwords. We recommend the using a password manager and randomized, complex passwords.

Multi-Factor Authentication

On the Multi-Factor Authentication (MFA) Settings page, you can request to update your MFA, which is required for file upload in Secure Payments.

Secure Payments connects you to a number of services that charge for each use, but those costs are usually just a few cents. Rather than charging you per use, we have you create a balance in Secure Payments that you draw from. This section let's you configure that minimum balance and how much should be charged. Whenever your balance reaches the low point, you'll be charged the amount you specify. 

The Payment History page of Secure Payments shows the payments that have been made to increase your company balance. You can find Payment history under My Account in the navigation window on the left. To manually add funds to your account, click the icon in the top right corner.

Enter the amount that you want to increase your balance in the 'Amount' field and click 'Save'. As noted in this window, the primary payment profile associated with your account will be used to increase your balance.

The Actions section of Secure Payments is designed to let the user turn on or off a specific service that Secure Payments offers. This allows the user to pick and choose which services they would like to use.

To navigate to the Actions page, look under the 'My Account' section in the navigation panel to the left. The Actions page lists available services, a description and price per use of each, and a switch to toggle them on or off. The actions are split into four categories:

• United States Processing
• Canadian Processing
• Information Lookup
• Finicity

United States Processing

These settings determine whether different payment methods are available for US accounts.

Canadian Processing

Much like the United States Processing section does for US accounts, these settings control whether different payment methods are available for Canadian accounts.

Information Lookup

Here you'll find settings that determine whether different information gathering tools are available within individual accounts.

Finicity

These settings control the actions you can take with our Finicity integration.

If you ever need to check the fine print of your contract with Secure Payments or Finicity, we keep a copy saved and easily accessible within the software, as well as a complete signature history. To view your contracts and signatures, navigate to My Account > Contracts.

The page is divided into three tabs: Signature History, Secure Payments, and Finicity.