The legalization of recreational and medical marijuana in many states and countries around the world has made the global marijuana market one of the fastest-growing industries. According to a recent report by the Grand View Research, Inc., the global legal marijuana market will grow to $66.3 billion by 2025.
Cannabis is being widely used as a pharmaceutical product. It is said to be effective in treating severe medical conditions like arthritis, cancer, and Parkinson’s disease. This has contributed to the increased demand for medicinal marijuana.
Moreover, recreational marijuana or the use of cannabis without medical justification is being legalized in many states and countries. In the United States, 11 states and the District of Columbia have legalized the recreational use of cannabis among adults. Countries like Canada, Belize, Jamaica, Argentina, and the Netherlands have also decriminalized the use of marijuana.
All these developments point to the expansion of the cannabis industry in the years to come. Marijuana dispensaries can maximize their growth potential by complying with the Payment Card Industry Data Security Standard (PCI DSS), an information security standard for payment processing. Cashless ATM or point of sale (POS) banking is considered a viable and important platform for marijuana dispensaries to grow their sales. With POS banking, online cannabis dispensaries can accept purchases from customers who use their credit and debit cards.
What is PCI DSS?
PCI DSS provides a set of security standards to guarantee that all organizations or firms that accept, process, handle, store, and transmit credit card information can maintain a safe and secure environment. It is administered and managed by an independent body, the Payment Card Industry Security Standards Council (PCI SSC). This organization was created by the payment card brands such as American Express, Discover, JCB, MasterCard, and Visa.
The said brands are also the ones enforcing compliance with the PCI DSS. They are also the ones who administer fines to financial institutions found to have violated or breached PCI DSS regulations. Fines can range between $5,000 to $100,000 a month. In turn, the financial institutions pass the fines to the merchant, who may also be subjected to additional penalties from the bank.
Compliance with PCI DSS goes beyond avoiding hefty fines from credit card companies. More importantly, it shows that an entity has undertaken appropriate steps in protecting consumer data from cybercrime and fraudulent use. It can mitigate the risks of potential revenue loss and erosion of customer trust and brand reputation.
PCI Compliance Levels
PCI DSS compliance applies to any organization regardless of the size, or the total number of transactions. As long as the organization accepts, handles, transmits, or stores any cardholder data, then it is covered by PCI DSS regulations.
However, there are various compliance levels depending on the number of transactions that a cannabis retailer does. These are:
- Level 1: This applies to cannabis retailers who process more than six million credit or debit card transactions in a year. Merchants must undergo an internal audit at least once a year, conducted by an authorized PCI auditor, and are also required to submit to a PCI scan by an approved scanning vendor.
- Level 2: Applies to marijuana retailers who process between one and six million credit or debit card transactions in a year. Similar to Level 1 compliance, these merchants must complete a once-a-year assessment using a self-assessment questionnaire.
- Level 3: This applies to cannabis retailers who process between 20,000 and 1 million credit or debit card transactions a year.
- Level 4: This applies to merchants who process less than 20,000 transactions in a year.
In terms of PCI DSS requirements, Level 1 carries the most stringent requirements, while merchants who qualify for Level 4 have to comply with the least stringent ones. Although most marijuana merchants fall into Level 3 or 4, nothing prevents them from maintaining compliance with the same diligence as larger or more established organizations.
Costs may also vary depending on the level. For Level 1, the cost could be as low as $60 a month. Level 2 costs are slightly higher, as they involve regular network scans plus the annual self-assessment questionnaire and certification of compliance; costs can be as low as $1,200 per year. Level 2 compliance costs can range from $10,000 to $50,000 annually depending on the network size, while Level 2 compliance costs can be over $50,000 a year.
PCI DSS Compliance Requirements
The PCI SSC has outlined 12 compliance requirements for the PCI DSS. These cover security controls that entities should implement to protect credit card data:
- Install and maintain a firewall. Implementing and maintaining a firewall is considered essential to protecting cardholder data against fraudsters. Entities wishing to comply with PCI DSS should not only install and maintain a firewall but also create a secure zone for card data storage. Organizations must also install a firewall between wireless networks and their cardholder data environment. Firewall policies and procedures must also be documented.
- Do not use vendor-supplied default system passwords. Marijuana merchants hoping to achieve PCI DSS compliance should not use vendor-supplied defaults for security parameters, including system passwords. This requirement, along with the installation and maintenance of a firewall, serves the goal of building and maintaining a secure network.
- Protect stored cardholder data. The third requirement of the PCI DSS applies only if a merchant stores cardholder data. Marijuana merchants who don’t store cardholder data provide stronger protection as they eliminate a major target for online fraudsters. Marijuana retailers are encouraged not to store cardholder data unless it is necessary.
- Conduct employee training. Employees of cannabis retailers should be made aware of their firms’ data retention policy. They should also be educated and trained on the guidelines for handling and storing cardholder data. Moreover, entities hoping for PCI DSS compliance should make their primary account number storage accessible to as few employees as possible.
- Encrypt cardholder data transmission in networks. Open and public networks such as the Internet as well as wireless technologies like Bluetooth pose security risks to cardholder data. PCI DSS thus encourages covered entities to review all locations, devices, and systems where cardholder data is transmitted. Encryption keys or certifications should also be verified to be valid and trusted.
- Use and regularly update antivirus software. The use of antivirus software is part of maintaining a vulnerability management program. Regularly updated antivirus programs can prevent virus, worm, and Trojan attacks. Antivirus programs should be kept running at all times unless there is a specific need to stop them.
- Develop secure systems and applications. Like the preceding requirement, this is meant to ensure that all system components are secured against known vulnerabilities. The best way to meet this requirement is to keep software patches up to date. Doing so helps keep a website protected against automated attacks.
- Restrict access to cardholder data. The three succeeding requirements are part of the overall goal of implementing strong access control measures. The seventh PCI requirement emphasizes the need to limit cardholder data access only to individuals whose job responsibilities call for it. Moreover, it requires organizations to have a written policy for accessing cardholder data and more importantly, for all affected parties to follow it.
- Identify and certify access to system components. As stated earlier, this is part of the strong access control measures required by the PCI SSC. Covered entities are asked to assign a unique identification to each individual with access to system components. Organizations may use two-factor authentication, such as biometrics, tokens, or smartcards, for enhanced security. This way, firms ensure that only authorized personnel can access specific systems and components.
- Limit physical access to cardholder data. Physical security breaches may also result in data loss. Hence, PCI DSS requires firms to ensure that access to physical records is not only monitored but also limited. This requirement also stipulates that server rooms and data centers be restricted. Media or any device carrying data must be monitored and protected from tampering.
- Monitor all access to network resources. One of the most important requirements of PCI DSS compliance is that firms implement log reviews and audit trails to monitor web assets and minimize the risk of a data breach. Audit trails record all actions by individual users, such as access to data, invalid login attempts, and changes to authentication mechanisms like the deletion of objects. These logs must also be reviewed regularly.
- Regularly check and review security systems and processes. This requirement involves the scanning and reporting of potential vulnerabilities in a network, both internally and externally.
- Set up and implement a policy addressing information security. The last requirement for PCI DSS compliance is the setting up and implementation of a policy addressing information security for all personnel. It should cover the risk assessment to identify threats and vulnerabilities, usage policies, and an incident response plan. This policy should be shared with the staff and reviewed at least once a year.
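The "protect stored cardholder data" requirement above is best met by never keeping the full primary account number at all. The following is an added illustration (not code from the original article or from RSI Security) of how a POS back-end can sanitize a transaction before storage: it rejects malformed card numbers with a Luhn check, strips the sensitive authentication data that may never be stored after authorization (CVV, PIN, track data), keeps only the first six and last four digits as PCI DSS masking allows, and replaces the PAN with a keyed hash so records can still be correlated. The transaction dictionary, field names, and `TOKEN_KEY` are assumptions constructed for the example.

```python
import hmac
import hashlib

# Assumed placeholder key: in production this lives in a key vault or HSM, never in source.
TOKEN_KEY = b"example-key-do-not-use"

# Sensitive authentication data that PCI DSS forbids storing after authorization.
FORBIDDEN_FIELDS = ("cvv", "pin", "track_data")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: a cheap sanity check that a string is a plausible card number."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; everything else is masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_reference(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed hash of the PAN so repeat customers can be linked without storing the PAN."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def to_storable_record(txn: dict) -> dict:
    """Drop forbidden fields and render the PAN unreadable before the record is persisted."""
    pan = txn["pan"].replace(" ", "")
    if not luhn_valid(pan):
        raise ValueError("PAN failed Luhn check; refusing to process")
    record = {k: v for k, v in txn.items() if k not in FORBIDDEN_FIELDS and k != "pan"}
    record["pan_masked"] = mask_pan(pan)
    record["pan_ref"] = pan_reference(pan)
    return record


# Constructed sample using a well-known test card number, not a real customer's card.
SAMPLE_TXN = {"pan": "4111 1111 1111 1111", "cvv": "123", "expiry": "12/27",
              "amount_usd": 42.50, "terminal": "POS-01"}
```

Only the `pan_masked` and `pan_ref` fields reach the database, so a compromised record exposes neither the full PAN nor the CVV; the keyed hash is a stand-in for a proper tokenization service, not a replacement for one.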
Achieving PCI Compliance
The PCI DSS compliance journey can be summed up into three parts – assessment, remediation, and reporting.
Cannabis retailers hoping to become PCI compliant should start by performing their own audit to identify the cardholder data they are responsible for. They may also take an inventory of their business processes and IT assets used for payment card processing and then analyze these for vulnerabilities that may expose sensitive cardholder information.
An audit may also help a cannabis retailer to determine the number of transactions it processes annually and compare it with the requirements of the credit card company that it plans to support.
Cannabis retailers wishing to comply with PCI DSS regulations should then fill out the self-assessment questionnaire (SAQ), a tool for validating PCI compliance. This checks whether the business meets each of the 12 requirements discussed above. All requirements must be met for a business to be considered PCI compliant.
If an organization fails to meet the requirements of PCI DSS, it should work towards complying with those requirements. Most firms focus on fixing vulnerabilities discovered in the self-audit. One vulnerability that may be addressed is to move away from storing cardholder data unless necessary.
The next step in the PCI DSS compliance journey is to fill out the attestation of compliance (AOC), a document that certifies that an entity has fulfilled every PCI compliance step. There are nine different versions of the AOC, and firms have to complete one that is most relevant to their operations.
Organizations hoping to become PCI DSS compliant will also need to enlist an approved scanning vendor (ASV) for external vulnerability scans. An ASV is a company with a set of tools and solutions for conducting external vulnerability scanning services. RSI Security is an example of an ASV; it has more than a decade of experience and has serviced more than 200 PCI compliant clients.
The final step is the submission of the completed SAQ and AOC to the acquiring bank and the relevant credit card company. Other documentation, such as ASV scan reports, may also be requested. A qualified security assessor like RSI Security will then perform the validation of compliance.
The journey towards becoming a PCI DSS compliant company can be complex and arduous, especially for cannabis retailers who have no prior knowledge or experience in adhering to data security standards in the cannabis industry. Working with a reputable, qualified security assessor like RSI Security should help cannabis retailers get through the compliance process quickly and efficiently.