Payment Security Requirements (PCI DSS)
If your dispensary accepts debit cards (or any other network-branded payment card) or uses a POS system connected to a card network, you must comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a contractual obligation imposed by the card networks through your acquirer and processor, so it applies regardless of cannabis legality at the state level.
Failure to follow PCI rules can result in fines, higher processing costs, audits, or loss of payment access.
What This Covers
- When PCI DSS applies to dispensaries
- POS and payment system security requirements
- Handling and access rules for cardholder data
- Device monitoring and inspection obligations
- Enforcement authority and consequences
When PCI DSS Applies
Explains when a dispensary is subject to PCI rules.
- Any acceptance of debit cards (or any other network-branded payment card)
- Any POS system connected to a card network
- Any system that processes, transmits, or stores cardholder data, and any system on the same network segment as one that does
Using a third-party processor, a validated point-to-point encryption (P2PE) solution, or tokenization can reduce the scope of what you must secure and the size of the self-assessment questionnaire you fill out, but it does not remove responsibility: the merchant remains accountable for compliance and for overseeing its payment vendors.
POS and System Security Requirements
Defines baseline technical requirements.
- POS systems must be validated as PCI-compliant by the vendor and kept on a supported, patched version
- Networks handling payment data must include:
  - Firewalls (network security controls) that isolate the cardholder data environment from the rest of the store network, including guest Wi-Fi and seed-to-sale or inventory systems
  - Encryption: strong cryptography whenever cardholder data is transmitted over open or public networks
  - Access controls: unique accounts per user, no shared logins, and multi-factor authentication for all access into the cardholder data environment (required under PCI DSS v4.0)
- Systems must be configured and maintained securely: vendor default passwords changed, unneeded services disabled, security patches applied, and anti-malware in place on systems commonly affected by malware
Cardholder Data Handling
Sets rules for how payment data may be accessed.
- The primary account number (PAN) must never be stored in plain text; wherever it is stored it must be rendered unreadable (truncation, one-way hashing, tokenization, or strong encryption with proper key management)
- Sensitive authentication data (full magnetic stripe or chip data, the CVV/CVC security code, and the PIN or PIN block) must never be stored after authorization, even in encrypted form
- When the PAN is displayed, it must be masked so that at most the first six and last four digits are visible, unless a person has a legitimate business need to see the full number
- Card data must not be stored in unsecured systems, and that includes places it arrives by accident: POS debug logs, crash dumps, spreadsheets, e-mail, and support tickets
- Only trained staff may handle payment data
- Access must be limited to authorized users with a need to know, and that access must be logged
Payment Device Rules
Covers physical device security.
- Keep an up-to-date inventory of every card-reading device (make, model, location, serial number)
- Devices must be inspected regularly for tampering or substitution: check serial numbers against the inventory, look for added overlays, skimmers, or unexpected cables, and train staff to refuse "repair visits" that were not scheduled with the processor
- Devices must be monitored for tampering between inspections, and any suspicious device taken out of service at once
- Compromised devices must be removed from service immediately, reported to your acquirer or processor, and replaced
Unsecured or altered devices are a compliance violation, and a skimmed terminal is also a reportable security incident.
Enforcement and Oversight
Identifies who sets and who enforces PCI requirements.
- Payment Card Industry Security Standards Council (publishes and maintains the standard; it does not itself enforce compliance on merchants)
- Card networks (Visa, Mastercard, American Express, Discover), which set the compliance programs and assess fines
- Merchant acquirers and payment processors, which pass those obligations and penalties on to the merchant through the processing agreement
Noncompliance can result in:
- Fines and penalties
- Higher processing fees
- Mandatory PCI audits
- Suspension or termination of debit processing
What Operators Usually Miss
- Using a POS does not shift PCI responsibility
- Debit-only systems still fall under PCI rules
- Physical device checks are required, not optional
When This Comes Up
- Selecting a POS or payment processor
- Launching debit acceptance
- Payment processor reviews or audits
- Security incidents or chargebacks
What Happens If You Ignore This
- Loss of debit processing privileges
- Increased transaction costs
- Forced audits and remediation
- Disruption to daily sales