Overview
To comply with updated PCI security standards, NMI now enforces a 90-day password expiration policy for all merchant accounts accessing the Merchant Portal, unless two-factor authentication (2FA) is enabled. This requirement ensures user credentials are updated regularly to reduce the risk of account compromise.
Navigating to Password Settings
To access password tools:
- In the Merchant Portal, click the Options menu on the left side panel.
- Select:
- Password Reset
The link is available to all users, regardless of admin status.
How Does the 90-Day Password Policy Work?
All merchant users must update their password every 90 days, unless they have 2FA enabled. The password policy enforces:
- A maximum lifespan of 90 days per password
- In-portal notifications as the expiration date approaches
- A mandatory reset process after expiration
Password Requirements
- It cannot match any password used by the account in the past year.
Password Older Than 80 Days, But Not Yet Expired
What Users See:
On login, the merchant will see:
“For security purposes, your Payment Gateway password will expire soon. Please enter a new password below and click Submit"
User Options:
- The merchant can Skip the update and continue using the portal (repeatable until day 90).
- OR the Merchant can Update Password immediately to avoid disruption.
Password Expired (90+ Days)
What Happens:
Users are blocked from logging in they see this message:
“Password Expired”
Next Steps:
- A password reset email is sent each time login is attempted
- The email contains a secure link to create a new password
- Previous reset links remain valid until used
Portal UI Enhancements
New options available in the Merchant Portal Options Menu:
- Two-Factor Authentication Settings
- Password Reset Shortcut
These are visible to all users, not just administrators.
Frequently Asked Questions
Why do I have to change my password every 90 days?
This is required under PCI DSS to improve account security and reduce the risk of compromise from stale credentials.
Will I get an email before my password expires?
No. Users are only notified in the portal starting 10 days before expiration.
Can I skip the password update?
Yes, but only until the last day, After that, you’ll be locked out and must reset your password.
What happens when my password expires?
You’ll be blocked from logging in. A reset email will be sent to your email address, and you must create a new password to regain access.
Do I need to switch to API key authentication now?
By the end of 2026, all merchants will be required to move from username/password authentication to API key authentication.
Do previous password reset links still work if I get multiple?
Yes. All reset emails remain valid until used.
How do I avoid 90-day password changes?
Enable 2FA on your account. Users with 2FA are exempt from the password rotation requirement.
Will changing my portal password break my API or SFTP integrations?
No. API and SFTP credentials are managed separately from your portal password. Updating your portal login will not impact your API or SFTP integrations, even if you're still using username and password authentication.