PCI DSS

The cannabis industry has been booming recently due in part to legalization legislation that has helped to alleviate barriers to market entry. Recent trends tell us that the cannabis marketplace is projected to grow at a staggering rate from $10.3 billion in 2018 to $39.4 billion by 2023. With more and more states opening up their borders for marijuana, many businesses are looking to technology to manage this increase in customers.

As of November 2018, 10 states have legalized recreational cannabis while 33 have approved it for medical uses. As more states are opening their borders to legal cannabis, business owners are beginning to become more digital in their endeavors thanks to this newfound legalization. But digitization isn’t all good if you don’t have a cybersecurity plan to protect your data.

Brands that are able to infuse innovative technology into their network infrastructure can use it to analyze and predict valuable consumer trends that will enable them to make critical decisions in the future. Having a cybersecurity plan in place to supplement this type of innovative undertaking is what will help your cannabis business thrive. Let’s look into the specific areas of interest that you should be focusing on when cultivating your cybersecurity plan and which proactive measures you need to take to avoid being a victim of a cyber-attack.

Need for Payment Cardholder Data Protection

There have been 2,216 confirmed data breaches in 2018. 76% of breaches were financially motivated. Cybercriminals are increasingly becoming more sophisticated. Data breach preparedness among the companies are at an alltime high. 324 data breaches involved stealing credit card data at the Point of Sale (POS) where card-present retail transactions are conducted. 414 credit card data breaches involved targeting payment web applications.

There’s one common security vulnerability leading to these payment cardholder data breaches at the POS and within web applications: Lack of payment cardholder data encryption.

PCI Point to Point Data Encryption (P2PE) to the rescue!

When it comes to ensuring that only authorized personnel are allowed into systems remotely, one of the best ways is to use a token. When it comes to keeping Credit Card Holder Data protected, one of the best solutions is tokenization. Many options exist for token use as well as for tokenization. We will discuss the basics of tokens, tokenization, and token service providers (TSPs) below.

The Payment Card Industry Security Standards Council (PCI SSC) releases regular updates to existing programs and creates new programs on an ongoing basis as security needs change. Staying abreast of the changes to PCI programs is essential to maintaining PCI compliance over time. Understanding what new programs are being created and how those programs might affect your operations is also important, as the creation of new PCI programs can impact security implementations in a variety of ways.

Protecting payment card data is essential in all environments, including when card data is taken over the telephone. Areas of organizations that interact with sensitive data in a telephone-based environment are particularly susceptible to fraud or theft of cardholder data. As such, protecting telephone-based payment card data is essential for all businesses that conduct transactions over the phone.

The act of storing primary account numbers (PANs) has already had a profound effect on network security for a plethora of organizations.  Massive data breaches have ensued over the years based on companies choosing to store PANs on their servers for ease of access.

Many companies who have been inflicted by a data breach use this excuse of consumer convenience in their choice to store PAN data on their network.  These companies who use this excuse also are not Payment Card Industry Data Security Standard (PCI DSS) compliant as the PCI DSS requires that merchants never store track data, for any reason.