We have identified a potential vulnerability that will soon be addressed with some process and code changes. In the meantime, we need to reinforce our internal policies to all teams that work with merchants in the Payment Portal.
Resetting Password

If a merchant reaches out asking to have their Payment Portal password reset, we should direct them to the Login page to use the ‘Forgot Password’ link. That will email the user with a password reset link they can use to reset their password. This is the most secure method of resetting a password and should always be the option we suggest.
Reset Password Link
If a merchant is unable to get our reset password link, we should encourage them to check their junk/spam folders before offering any other alternatives.
If the merchant is still unable to get the reset password link using our recommended method, we can send them the password reset URL located on the ‘Edit User’ page (2). This should be used only as a last resort, when no other options are available.
If a merchant needs to have their password reset using this method, we should ONLY send the link to the email address listed on the user’s ‘Edit User’ page (1). If they are unable to receive emails at that address, we will need additional forms of verification before sending it through any other means.

Additional Form of Verification
If a merchant reaches out and is unable to receive emails at the email address listed on their user, we must exercise extreme caution. Additional verification must be performed to ensure we do not compromise their account. In order to send a password reset link anywhere other than the email address listed on their user in the Payment Portal, they must verify the last four digits of their bank account (listed on the Profile page). If they are unable to do so, the request must be escalated to PayFac Risk ([email protected]) for additional assistance.