Auditing and Best Practices

User accounts

It is the customer’s responsibility to periodically audit user access and user permissions.

Terminated users should have their access immediately removed from both the Merchant Portal and XiPay WebGUI.

Periodic audits of the users is recommend to ensure that changes are not required due to organizational changes as well as terminated employees.

Approving Managers can export the XiPay users to an excel spreadsheet to facilitate auditing functions.

The Audit Log - History page in the portal can be used to view changes that have been made.

System Integrators should NEVER set the Client's XiPay Web Service Account password in Production. This should be done by the Client.

Any unauthorized or suspicious activities detected by the Customer, the Customer’s processor or Customer’s bank must be reported to the B2B Payments Security Officer ( immediately.

User Accounts should NEVER be shared; each user should have his/her own login credentials.


Client should make note of the certification expiration date that is found on the XiSecure page in Merchant Portal.

B2B Payments recommends adding a task reminder in Outlook or other calendar for a minimum of 30 days prior to the expiration date to review the certificate. The option to renew is available in MP within 60 days of expiration.

System Integrators should NEVER create the Client's certificate signing request (CSR) for Production. The private key file and private key password are generated when the CSR is created. This should be done by the Client.