Yes, the error "Security header is not valid" means that the API credentials being used are not being accepted.
For Express Checkout, there are 3 server behaviors that need to be changed:
On the checkout.php page:
1) "Authentication For PayPal Express checkout"
On the pp_confirm.php page:
2) "Get Payer Profile from PayPal Express Checkout"
3) "Process Transaction with PayPal Express checkout"
All 3 of these must be changed to use the Live API credentials, and in all three, you need to turn the sandbox off.