
2021 Cannabis Banking Legislation and What it Could Mean for PCI Compliance

Few industries have transformed as rapidly in recent years as cannabis. Ahead of the pandemic, enterprise seed-to-sale organizations were making business headlines with massive mergers and takeovers, highly competitive (and often litigious) fights for regional market share, and the channeling of significant funds into favorable state-level campaigns across North America. With major hits to the economy due to COVID-19, however, these moguls seem to have reshaped their strategies in an effort to compete with local dispensaries and smaller growers, many of whom appear to have had staying power simply because they lacked sophisticated investments. As the dust settles, it appears that technological advancement (or the lack of it) may be key to the success or failure of cannabis organizations going forward. Those able to implement technology that not only sustains operations but protects them from costly cyber-attacks, meets current and future regulatory requirements, and is flexible enough to adapt to evolving requirements are certain to have an edge. The key will be to choose an approach aligned to their business needs.

Banking Difficulties are Being Addressed First

One of the biggest hurdles faced by any cannabis organization in recent years has been banking, due to the conflict between state and federal legalization. A growing number of states have legalized cannabis, but banks are held to federal standards of compliance, and since cannabis use has not yet been legalized federally, banks (even in states that have legalized in recent years) still view banking for cannabis organizations as too risky. Their fear centers on the potential for a federal campaign to shut down operations that are state-legal but not legal on a federal level. In the end, this has driven cannabis companies to operate on a cash-only basis. Acknowledged as perhaps the biggest struggle in cannabis to date, the risks of a cash-only business model seem to have become more of a concern to most stakeholders in this debate than the desire to repress industry growth by withholding federal legalization. Further, most recognize that cash-only businesses are inherently more difficult to track and manage accurately, making missed tax income likely.

At a time when every available tax dollar is needed to mitigate the ongoing pandemic, legislators are more anxious than in previous years to do away with this federal-state conflict and simply enable a greater flow of tax revenue.

Pending Legislation and PCI Compliance

While some may have hopes of federal legalization of cannabis in the next year or two, we are unlikely to see that major change until possibly the second half of Biden's administration (simply due to other priority items facing our country right now). However, we might see a few business-enabling measures that have been stalled in recent years brought to the floor for a vote, with enough support in both the Senate and House to pass. For instance, most industry analysts expect the SAFE Banking Act (which allows financial institutions to work with cannabis organizations without fear of prosecution) to be pushed through soon. If and when that happens, we are likely to see a rapid transition away from cash-only businesses into greater reliance on eCommerce and in-store credit card acceptance.

What does this mean in light of Payment Card Industry compliance standards (PCI-DSS)?

Meeting PCI Compliance is Not Easy or Fast for Big Companies

All organizations accepting payment cards must meet PCI compliance. Larger cannabis organizations that have not planned for this development (by designing their technology accordingly) may find themselves needing to quickly transform computer networks, segment environments that hold cardholder data from those that do not, provide secure acceptance channels, protect data at rest and in transit, and so on. Ask any retail organization that falls under PCI compliance requirements, and they will tell you how much work goes into meeting compliance standards every year. Annual risk assessments will need to be performed, audit documentation will need to be collected and updated throughout the year, and any breach of cardholder information (as well as any other potential compliance violations) could be met with heavy fines.

These businesses would be wise to emulate strategies for compliance already utilized by enterprise retail, such as multi-channel tokenization, compliance management platforms, and so on.
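To make the tokenization point concrete, here is an added example (not code from the original article, and not the product of any provider it mentions) showing why tokenization shrinks PCI scope: the merchant's own records hold only an opaque token and a masked display value, while the full card number (PAN) lives in a provider-side vault. The `TokenVault` class stands in for that provider and is a hypothetical stand-in; a real deployment never keeps PANs in an in-process dictionary. The card number used is the widely published industry test number 4111 1111 1111 1111, not a real card. The `find_pan_leaks` function is the kind of check a compliance team runs over stored records to confirm that no PAN slipped into a system that is supposed to be out of scope.

```python
"""Toy illustration of PAN tokenization reducing PCI DSS scope.

Added example, not from the original article. TokenVault stands in for a
third-party tokenization provider; a real deployment keeps PANs in the
provider's hardened vault, not in a Python dict.
"""
import re
import secrets

# A run of 13-19 digits is a candidate PAN; Luhn validation filters out noise.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation, as used for payment card numbers."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits for receipts and UI display."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Stand-in for a provider-side token vault (constructed for this example)."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}  # same card -> same token

    def tokenize(self, pan: str) -> str:
        pan = re.sub(r"\D", "", pan)
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        # Random, non-numeric token: it carries no information about the PAN
        # and cannot be mistaken for a card number by a data-discovery scan.
        token = "tok_" + secrets.token_hex(12)
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the provider (inside PCI scope) can map a token back to a PAN."""
        return self._pan_by_token[token]


def record_sale(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant system keeps: token plus display mask, never the PAN."""
    digits = re.sub(r"\D", "", pan)
    return {
        "token": vault.tokenize(digits),
        "display": mask_pan(digits),
        "amount_cents": amount_cents,
    }


def find_pan_leaks(record: dict) -> list[str]:
    """Detection: return the names of fields containing a Luhn-valid card number."""
    leaks = []
    for key, value in record.items():
        for m in PAN_RE.finditer(str(value)):
            if luhn_valid(m.group()):
                leaks.append(key)
    return leaks


if __name__ == "__main__":
    vault = TokenVault()
    TEST_PAN = "4111 1111 1111 1111"  # published test number, not a real card
    tokenized = record_sale(vault, TEST_PAN, 4250)
    # The anti-pattern: a point-of-sale database that stores the raw PAN.
    naive = {"pan": "4111111111111111", "amount_cents": 4250}
    print("tokenized record:", tokenized, "leaks:", find_pan_leaks(tokenized))
    print("naive record:", naive, "leaks:", find_pan_leaks(naive))
```

Run as-is, the tokenized record produces no leak findings while the naive record flags its `pan` field. The design choice worth noting is that the token is random rather than derived from the PAN, so compromising the merchant's database yields nothing a scanner or an attacker could turn back into a card number; only the vault holds that mapping, which is exactly what keeps the merchant's systems out of PCI scope.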

Local Dispensaries Should Take Their Compliance Cues from Other Small Businesses

Like many other small businesses, dispensaries are often small and local. Because of this, they typically need their compliance to be easy, as "mom and pop shops" already have a lot on their plate. The advent of Square and other cheap and easy Point of Sale systems, aimed specifically at businesses with small transaction volumes, has eased this compliance burden for many small businesses. These "out of the box" systems have two major advantages when it comes to PCI:

1. They are very cheap and easy to set up. Literally, take the system(s) out of the box, hook them up to an internet connection (or even a cell phone!) and you can start taking cards within the hour.

2. Here is the big one: they do not require the merchant to file PCI compliance, since Square is the merchant in this setup. This means that all of the PCI compliance burden falls on Square and not the dispensary. So, it literally takes PCI compliance out of the picture for merchants who are just trying to make life easier for themselves and their customers.

This kind of setup prevents small businesses from overinvesting, as well as from having to take on burdensome PCI compliance tasks.

Changes Now Will Save Time and Money Later

In the end, those organizations (no matter how small or how large) that have planned their technology with the end in mind will be in a much better financial position than those that have not gauged well. Investors and boards are wise, at this point, to inquire into the practices of organizations within their cannabis portfolio as a financial risk mitigation measure. Are they taking steps to design secure networks with professionals who understand what it will take to be both secure and compliant? How are those organizations validating this security?
