Overview
To comply with updated PCI security standards, NMI now enforces a 90-day password expiration policy for all affiliate accounts accessing the Partner Portal, unless two-factor authentication (2FA) is enabled. This requirement ensures user credentials are updated regularly to reduce the risk of account compromise.
Navigating to Password Settings
To access password tools:
- In the Parner Portal, click User Settings on the left side panel.
- Select:
- Password Reset
The link is available to all users, regardless of admin status.
How Does the 90-Day Password Policy Work?
All affiliate users must update their password every 90 days, unless they have 2FA enabled. The password policy enforces:
- A maximum lifespan of 90 days per password
- In-portal notifications as the expiration date approaches
- A mandatory reset process after expiration
Password Requirements
- It cannot match any password used by the account in the past year.
Password Older Than 80 Days, But Not Yet Expired
What Users See:
On login, you will see:
“For security purposes, your Payment Gateway password will expire soon."
User Options:
- You can can Skip Password Update and continue using the portal (repeatable until day 90).
- OR you can Update Password immediately to avoid disruption.
Password Expired (90+ Days)
What Happens:
Users are blocked from logging in they see this message:
“Password Expired”
Next Steps:
- A password reset email is sent each time login is attempted
- The email contains a secure link to create a new password
- Previous reset links remain valid until used
If you do not receive your partner password reset email, please contact us at support@nmi.com.
Portal UI Enhancements
New options available in the Partner Portal Menu :
User Settings
- Two-Factor Auth
- Password Reset Shortcut
*These are visible to all users, not just administrators.
Frequently Asked Questions
Why do I have to change my password every 90 days?
This is required under PCI DSS to improve account security and reduce the risk of compromise from stale credentials.
Will I get an email before my password expires?
No. Users are only notified in the portal starting 10 days before expiration.
Can I skip the password update?
Yes, but only until the last day, After that, you’ll be locked out and must reset your password.
What happens when my password expires?
You’ll be blocked from logging in. A reset email will be sent to your email address, and you must create a new password to regain access.
Do previous password reset links still work if I get multiple?
Yes. All reset emails remain valid until used.
How do I avoid 90-day password changes?
Enable 2FA on your account. Users with 2FA are exempt from the password rotation requirement.
Do I need to switch to API key authentication now?
By the end of 2026, all merchants will be required to move from username/password authentication to API key authentication.
Will changing my portal password break my API or SFTP integrations?
No. API and SFTP credentials are managed separately from your portal password. Updating your portal login will not impact your API or SFTP integrations, even if you're still using username and password authentication.