Skip to main content

Merchant Accounts Page

Manage NMI security key mappings for PayArc Merchant IDs (MIDs) to enable automatic chargeback linkage and processing.

Overview

The Merchant Accounts page provides a simple interface to map PayArc Merchant IDs (MIDs) to NMI Transaction API security keys. This mapping is critical for the chargeback processor to:

  1. Receive PayArc dispute webhook (contains MID)
  2. Look up corresponding NMI security key
  3. Query NMI Transaction API for original transaction details
  4. Link dispute to order in middleware database

Without proper MID → NMI key mapping, chargebacks cannot be automatically linked to orders.

Access: GSM Middleware → Merchant Accounts (menu position 11)

Permission Required: manage_options

Interface Overview

Page Header

Title: "NMI Merchant Accounts"

Description:

Manage the NMI security key mappings used to process PayArc chargebacks. Each Merchant ID (MID) must have a corresponding NMI security key so disputes can be linked to the originating NMI transaction.

MID Location Tip:

Where to find the MID: The MID appears in the mid field of PayArc webhook payloads (e.g. "567000000016287").

Accounts Table

Columns:

ColumnDescriptionExample
Merchant ID (MID)PayArc MID (numeric)567000000016287
LabelFriendly name (optional)GSM Live
NMI Security KeyMasked key display••••••••••••
ActionsEdit / Delete buttonsEdit | Delete

Empty State:

No merchant accounts configured. Click "Add Account" to create one.

Add Account Button

Location: Below table

Button text: "Add Account"

Style: Primary (blue)

Action: Opens Add Merchant Account modal

Managing Accounts

Adding a New Account

Goal: Configure NMI key for a new PayArc MID

Steps:

  1. Click "Add Account" button at bottom of table

  2. Modal opens: "Add Merchant Account"

  3. Fill in form fields:

    Merchant ID (MID) Required

    • Type: Numeric string
    • Example: 567000000016287
    • Where to find: PayArc webhook payload (mid field)
    • Placeholder: 567000000016287

    Label Optional

    • Type: Text
    • Example: GSM Live, GSM Beta, Site A Production
    • Purpose: Friendly name to identify account
    • Placeholder: e.g. GSM Live, GSM Beta

    NMI Security Key Required

    • Type: Password (hidden when typing)
    • Format: Alphanumeric string (varies by NMI account)
    • Where to find: NMI Gateway → Settings → Security Keys
    • Placeholder: Enter NMI security key

  4. Click "Save Account" button

  5. Success: Modal closes, table refreshes with new account row

  6. Verify: New MID appears in table with label and masked key

Success message:

✅ Merchant account for MID 567000000016287 added successfully.

Editing an Account

Goal: Update label or NMI key for existing MID

Steps:

  1. Locate account in table by MID or label

  2. Click "Edit" button in Actions column

  3. Modal opens: "Edit Merchant Account"

  4. Form pre-populated with:

    • Merchant ID (MID) — Read-only (cannot change MID itself)
    • Label — Current value
    • NMI Security Key — Blank (for security, must re-enter to update)

  5. Update fields as needed:

    • Change label: Type new friendly name
    • Change NMI key: Enter new security key
    • Leave NMI key blank to keep existing key unchanged

  6. Click "Save Account" button

  7. Success: Modal closes, table refreshes with updated values

Success message:

✅ Merchant account for MID 567000000016287 updated successfully.

Deleting an Account

Goal: Remove MID → NMI key mapping when no longer needed

Steps:

  1. Locate account to delete in table

  2. Click "Delete" button in Actions column

  3. Confirmation prompt:

    ⚠️ Are you sure you want to delete the merchant account for MID 567000000016287? This action cannot be undone.

  4. Click "OK" to confirm deletion

  5. Success: Row removed from table

Success message:

✅ Merchant account deleted successfully.

Warning: If chargebacks are received for this MID after deletion, they will fail to link to orders (no NMI key available for transaction lookup).

Form Field Details

Merchant ID (MID)

Purpose: Unique identifier for PayArc merchant account

Format:

  • Numeric string (typically 15 digits)
  • Example: 567000000016287

Where to find:

  1. PayArc webhook payload: 
    {
      "api_response": {
        "mid": "567000000016287"
      }
    }
  2. PayArc dashboard: Account → Merchant Info → MID
  3. Ask PayArc support if unsure

Validation:

  • Required field
  • Should be numeric (letters/symbols invalid)
  • Must be unique (cannot add same MID twice)

Label

Purpose: Human-friendly name to identify account

Format:

  • Text (any characters allowed)
  • Max 100 characters
  • Example: GSM Live, Site A Production, Beta Testing Account

Best practices:

  • Include environment: GSM Live vs GSM Staging
  • Include site/brand: Site A Live, Site B Dev
  • Stay brief: Main Account ✅, This is our primary production merchant account for live transactions

Validation:

  • Optional field (can leave blank)
  • Not unique (multiple accounts can have same label)

NMI Security Key

Purpose: API key to authenticate with NMI Transaction API

Format:

  • Alphanumeric string (varies by NMI configuration)
  • Typically 20-40 characters
  • Example: 2F822Rw39fx762MaV7Yy41zU

Where to find:

  1. NMI Gateway dashboard:
    • Log in to NMI Merchant Portal
    • Settings → Security Keys
    • Copy "Transaction API Security Key"
  2. NMI support: Request if lost (cannot retrieve, must regenerate)

Security considerations:

  • Never share NMI keys publicly (commit to Git, paste in chat)
  • Stored encrypted in database (not plaintext)
  • Masked in UI — Shows ••••••••••••, cannot be retrieved via frontend
  • Password field — Hidden when typing for shoulder surfing protection

Validation:

  • Required field (when adding new account)
  • Optional when editing (leave blank to keep existing key)
  • No format validation (NMI accepts various formats)

Common Workflows

Initial Setup: Configuring First MID

Goal: Add first PayArc merchant account for chargeback processing

Prerequisites:

  • PayArc account configured and receiving transactions
  • NMI gateway account with Transaction API access
  • MID from PayArc account settings

Steps:

  1. Gather information:

    • Log in to PayArc dashboard → Account → Copy MID
    • Log in to NMI dashboard → Settings → Security Keys → Copy Transaction API key
    • Choose label (e.g., "GSM Live")

  2. Navigate to Merchant Accounts page:

    • GSM Middleware → Merchant Accounts

  3. Click "Add Account"

  4. Fill form:

    • MID: 567000000016287
    • Label: GSM Live
    • NMI Key: 2F822Rw39fx762MaV7Yy41zU

  5. Save and verify:

    • Click "Save Account"
    • See success message
    • Verify row appears in table

  6. Test chargeback flow:

    • Go to Testing Tools page
    • Click "Send Test Chargeback Webhook"
    • Select MID: 567000000016287
    • Submit test
    • Check Chargebacks page to verify linkage worked

Expected outcome: Chargeback appears in Chargebacks page with linked order and "Completed" status

Adding Multiple Sites (Multi-MID Setup)

Goal: Configure 5 PayArc accounts for different sites/brands

Scenario: Company operates 5 e-commerce sites, each with own PayArc MID

Steps:

  1. Create spreadsheet:

    SiteMIDNMI KeyLabel
    Site A5670000000162872F822Rw39fx762MaV7Yy41zUSite A Live
    Site B5670000000162888X931Cv28dy651JbU6Wx32tRSite B Live
    Site C5670000000162895Y642Dx17cz540KaT5Vx21sQSite C Live
    Site D5670000000162907Z853Ey06by439LaS4Uy10rPSite D Live
    Site E5670000000162914A964Fz95ax328MaR3Tx09qOSite E Live

  2. For each site, add account:

    • Click "Add Account"
    • Copy MID from spreadsheet
    • Copy label
    • Copy NMI key
    • Click "Save Account"
    • Repeat for next site

  3. Verify all 5 accounts in table

  4. Test each MID:

    • Send test chargeback webhook for each MID
    • Verify linkage works for all 5

Time estimate: 5-10 minutes for 5 accounts

Credential Rotation: Updating NMI Keys

Goal: Replace compromised or expired NMI keys

Scenario: Security audit requires rotating all NMI API keys

Steps:

Phase 1: Generate new keys in NMI

  1. Log in to each NMI account
  2. Settings → Security Keys
  3. Click "Regenerate Transaction API Key"
  4. Copy new key immediately (NMI only shows once)
  5. Keep old key active for now (don't revoke yet)

Phase 2: Update in GSM Middleware

  1. For each MID in Merchant Accounts table:
    • Click "Edit"
    • Paste new NMI key
    • Click "Save Account"
  2. Repeat for all accounts

Phase 3: Test

  1. Send test chargeback webhook for one MID
  2. Verify chargeback links successfully to order
  3. If successful, proceed to Phase 4
  4. If failed, revert to old key (re-edit, paste old key)

Phase 4: Revoke old keys

  1. Return to NMI gateway
  2. Revoke old Transaction API keys
  3. Confirm revoked keys no longer work (test chargeback should fail with old key)

Rollback plan: If issues occur after rotation, re-enter old keys in Phase 2 before revoking in Phase 4

Troubleshooting Failed Chargeback Linkage

Goal: Diagnose why chargeback not linking to order

Symptoms:

  • Chargeback appears in Chargebacks page with "Failed" status
  • Order Number shows "—" (dash)
  • Error message: "No NMI security key configured for MID 567000000016287"

Steps:

  1. Check if MID configured:

    • Navigate to Merchant Accounts page
    • Search table for MID from error message
    • If not found: MID not configured, proceed to Step 2
    • If found: MID exists, proceed to Step 4

  2. Add missing MID:

    • Click "Add Account"
    • Enter MID: 567000000016287
    • Enter label and NMI key
    • Save account

  3. Re-process chargeback:

    • Go to Testing Tools → Chargeback Testing
    • Re-send same chargeback webhook
    • Check Chargebacks page for success

  4. Verify NMI key correct:

    • Click "Edit" on MID row
    • Cannot see key (security), but can test:
    • Go to Testing Tools → NMI Connection Test
    • Enter MID's NMI key manually
    • Click "Test Connection"
    • If fails: NMI key invalid, get correct key from NMI dashboard
    • If succeeds: NMI key valid, issue elsewhere

  5. Check NMI transaction exists:

    • Log in to NMI gateway
    • Search for transaction ID from chargeback
    • If not found: Transaction doesn't exist in NMI (payment processed elsewhere?)
    • If found: Transaction exists, linkage should work

Common causes:

  • MID not configured (most common)
  • NMI key typo when originally entered
  • NMI key expired/revoked
  • Transaction not in NMI (payment via different gateway)

Security Considerations

NMI Key Protection

Storage:

  • ✅ Keys encrypted before storing in database (WordPress encryption functions)
  • ✅ Keys masked in UI (••••••••••••)
  • ✅ Cannot retrieve keys via frontend (read-only masking)
  • ✅ Cannot view via REST API without authentication

Access control:

  • ⚠️ Requires manage_options capability (WordPress Administrator)
  • ❌ Shop Managers, Editors cannot access
  • ✅ Audit log: All add/edit/delete actions logged in debug.log

Best practices:

  1. Rotate keys annually — Even if not compromised, proactive security
  2. Use separate NMI accounts per environment — Dev, staging, prod should have different keys
  3. Test after rotation — Always verify one chargeback links successfully before revoking old keys
  4. Document MID → Site mapping — Keep spreadsheet outside WordPress for disaster recovery
  5. Limit admin access — Only grant manage_options to trusted admins

Credential Backup

Export/Import support:

  • ✅ Merchant accounts included in Export/Import page
  • ✅ Export includes decrypted keys in JSON (plaintext)
  • ⚠️ Export file must be stored securely (encrypted storage recommended)

Backup strategy:

  1. Export configuration monthly (automated via WP-CLI)
  2. Store encrypted backup off-server (S3 with encryption, 1Password)
  3. Test restore quarterly (import on staging environment)
  4. Keep 3 months of backups (rotate older exports)

Data Storage

Database

WordPress Option: gsm_nmi_merchant_accounts

Structure:

[
    [
        'id' => 1,
        'mid' => '567000000016287',
        'label' => 'GSM Live',
        'nmi_key' => 'encrypted:AES256:base64encodedciphertext...',
    ],
    [
        'id' => 2,
        'mid' => '567000000016288',
        'label' => 'Site A Beta',
        'nmi_key' => 'encrypted:AES256:base64encodedciphertext...',
    ],
]

Encryption method:

  • Algorithm: AES-256-CBC (via WordPress encryption library)
  • Key: WordPress AUTH_KEY and SECURE_AUTH_KEY salts
  • Storage: nmi_key field prefixed with encrypted: indicator

Repository: src/Database/Merchant_Accounts_Repository.php

AJAX Endpoints

Get All Accounts:

  • Action: wp_ajax_gsm_get_merchant_accounts
  • Method: POST
  • Nonce: gsm_merchant_accounts
  • Response: Array of accounts with masked keys

Add Account:

  • Action: wp_ajax_gsm_add_merchant_account
  • Method: POST
  • Parameters: mid, label, nmi_key
  • Response: New account ID and success message

Update Account:

  • Action: wp_ajax_gsm_update_merchant_account
  • Method: POST
  • Parameters: id, mid, label, nmi_key (optional)
  • Response: Success message

Delete Account:

  • Action: wp_ajax_gsm_delete_merchant_account
  • Method: POST
  • Parameters: id
  • Response: Success message

Troubleshooting

"Merchant ID is required" Error

Cause: MID field left blank

Solution:

  1. Fill in MID field with numeric string
  2. Copy from PayArc webhook or dashboard
  3. Must be numeric only (no letters/special characters)

"NMI security key is required" Error

Cause: NMI key field left blank when adding new account

Solution:

  1. Log in to NMI gateway
  2. Settings → Security Keys
  3. Copy "Transaction API Security Key"
  4. Paste into NMI Security Key field
  5. If key doesn't exist, generate one in NMI first

"Merchant ID already exists" Error

Cause: Attempting to add duplicate MID

Solution:

  1. Check table - MID already configured
  2. If need to update, click "Edit" instead of "Add Account"
  3. If duplicate is error (different account with same MID), verify with PayArc support

Cannot Retrieve Lost NMI Key

Cause: NMI keys cannot be retrieved after initial generation (security feature)

Solution:

  1. If key stored elsewhere: Retrieve from password manager, documentation
  2. If key lost: Must regenerate in NMI gateway:
    • Log in to NMI dashboard
    • Settings → Security Keys
    • Click "Regenerate Transaction API Key"
    • Copy new key immediately (only shown once)
    • Update in Merchant Accounts page
    • Test with chargeback webhook

Chargebacks Still Failing After Adding MID

Cause: NMI key incorrect or transaction not in NMI

Solution:

  1. Verify NMI key:
    • Go to Testing Tools page
    • Test NMI connection with key
    • If fails, regenerate key in NMI and re-enter
  2. Check transaction existence:
    • Log in to NMI gateway
    • Search for transaction ID from chargeback
    • If not found, payment may have processed via different gateway
  3. Check MID match:
    • Verify MID in webhook payload matches MID in Merchant Accounts
    • Even one digit off causes failure

Edit Button Does Nothing

Cause: JavaScript error or cache issue

Solution:

  1. Check browser console:
    • Press F12 → Console tab
    • Look for JavaScript errors
    • Share error message with support if present
  2. Clear cache:
    • Hard refresh: Ctrl+Shift+R (Windows) or Cmd+Shift+R (Mac)
    • Or clear browser cache completely
  3. Disable conflicting plugins:
    • Deactivate other plugins temporarily
    • Test if Edit button works
    • Re-activate plugins one by one to identify conflict

Best Practices

  1. Configure all MIDs upfront — Add all merchant accounts during initial setup
  2. Use descriptive labelsSite A Live, Site B Staging vs. generic Account 1
  3. Test after adding — Send test chargeback webhook to verify MID → NMI linkage works
  4. Backup before rotation — Export configuration before updating NMI keys
  5. Test one, apply all — When rotating keys, test one MID first, then update rest
  6. Document mapping — Keep MID → Site → NMI Account spreadsheet for reference
  7. Limit access — Only grant manage_options to trusted administrators
  8. Rotate annually — Proactive security by regenerating NMI keys yearly
  9. Monitor chargeback logs — Check Chargebacks page daily for "Failed" status
  10. Encrypt backups — If exporting merchant accounts, encrypt JSON file