We’re making important changes to how users authenticate with the NMI Gateway Portal and API. This update is designed to improve platform security, protect merchant data, and reduce the risk of integration issues.
As a valued partner, we want to ensure you understand what’s changing and how to guide your merchants through the transition.
What’s Changing?
All users of the NMI Gateway Portal—both partners and merchants—will need to do one of the following:
- Enable Two-Factor Authentication (2FA) - Recommended for maximum security and to avoid integration issues.
- OR reset their password every 90 days - Users will be notified when it’s time to reset.
In addition:
All portal passwords must meet a new minimum length of 12 characters.
Merchants using username and password authentication for API or SFTP access will no longer be required to update the API or SFTP credentials every time the portal password changes. API and SFTP credentials will be managed separately. This new update allows merchants to remain PCI DSS compliant without disrupting API operations.
By the end of 2026, all merchants will be required to migrate from username and password authentication to API key authentication. No code changes will be required for this migration.
How to Migrate from Username/Password to a Security Key
Migrating to API Key authentication is a simple but essential improvement. Here’s how to help your merchants do it:
Step 1: Generate a Private Security Key
- Log into the merchant portal as an admin user.
- Navigate to Options → Settings → Security Keys.
- Click Add a New Private Key.
- Assign the key API permissions when prompted.
🔐 Only users with administrative access can create or manage security keys.
Step 2: Update the API Integration
- Replace the current
usernameandpasswordin the integration code. - Add a
security_keyparameter instead. - Set its value to the new API Key just generated.
Once this is complete, the integration will work just as before—only now with a more secure and reliable authentication method.
FAQs
Why am I being asked to reset my password at login?
Password resets are required at login for users without 2FA enabled who have not changed their password within the past 90 days.
Will merchants be notified about password expiration?
Yes. Users who opt for password resets (instead of enabling 2FA) will be notified automatically when their 90-day window is approaching.