
Navigating the Confusing, Crowded World of Cannabis Payments

When you’re a cannabis retail operator looking for electronic cannabis payment solutions, you’re faced with a baffling array of options, and it’s hard to tell the ones you can trust from the ones you should avoid at all costs. Every potential vendor is going to tell you that their solution is the best (trust me!), so you need to understand the basic landscape of cannabis payment solutions in order to know what questions to ask. There are a lot of solid vendors out there that only want to help the industry, but there are, sadly, those that prey upon a lack of familiarity with the crowded, confusing payments landscape to push solutions that are at best unsustainable and at worst fraudulent.

ACH transactions are a way for a person or a business to do direct bank money transfers.

These transactions are conducted on a computer network run by NACHA, the National Clearinghouse Association. Since these don’t run over the networks run by the credit card companies like Visa or Mastercard – known as “payment rails” – these transactions don’t violate their rules. While NACHA hasn’t officially made a statement either way about cannabis, their actions suggest they don’t have an issue processing these transactions over their network.

The downside with many ACH solutions is that they aren’t necessarily convenient for the buyer. Because a customer or patient can’t just pull out a bank card they are often required to download an app and provide banking details like account and routing numbers. This isn’t necessarily an issue from the second purchase forward, but this can be a bit of a pain for a customer or patient trying to use an app for the first time if they’re not expecting to have to go through an account onboarding process that might take several minutes. The upside to this is that there are platforms that allow the buyer to upload funds via ACH to an eWallet, which, after the initial transaction, will enable them to make instant purchases. Platforms also allow the buyer to automatically replenish their eWallet via ACH, allowing them to always have funds to make purchases. These purchases can also be combined with a store’s loyalty points program.

Questions to ask about ACH solutions:

  • What does a customer or patient need to do to use the solution?
  • How long does it normally take for the funds to transfer, allowing a user to make purchases?
  • Are there any contactless platforms that allow a buyer to purchase the product for delivery or curbside pickup?
  • Do you need additional hardware to display a single-use QR code specific to the transaction?

Cashless ATMs and PIN Debit solutions are among the most common electronic payment methods that allow customers to directly use cards.

To discuss the issues that go along with any card-based solution we need to take a step back and talk about how payments are processed. As previously mentioned, every credit card company has a set of rails used by merchants to process a sale over their network. Each transaction is sent as a packet of information that broadly contains the following information: name of business, location of business, any additional merchant information, and merchant category code (MCC).

Every transaction has to be associated with a four-digit MCC used by merchants to indicate the nature of the business and the transaction. The code that’s traditionally been used by cashless ATMs and PIN Debit solutions is 5912, reserved for pharmacies and “cannabis (where legal to do so)”. This is what’s used in Canada, where credit cards are an option, but it’s not an acceptable option in the US because the major credit card networks have clarified that their rails cannot be used for the purchase of marijuana. They do so by prohibiting activities associated with “controlled substances, or recreational/street drugs” (VISA) or even more broadly “any Transaction that is illegal” (Mastercard) in their operating agreements.

It’s important to note that you can’t just randomly choose an alternative MCC because miscoding constitutes fraud. You may remember a few years ago that California-based delivery company Eaze was prosecuted in 2019 for using MCC codes associated with things like “carbonated drinks, green tea, face creams and other products” in an attempt to obscure the fact that the network was being used for the direct purchase of marijuana.

It should be noted, however, that there are a few ATM networks out there, like NYCE, Allpoint, Star, and Moneypass, that aren’t directly owned by the big credit card companies. These companies have been relatively quiet regarding the use of their networks for the purchase of marijuana products, so there is an argument to be made that if card transactions are sent over those rails they’re not violating any operating rules. Anecdotally, though, we’ve heard that some of these networks aren’t necessarily cannabis friendly and, as private companies, they’re able to change their mind (for or against) whenever they wish.

Questions to ask about Cashless ATMs and PIN Debit solutions:

  • What MCC code is the payment processor using?
  • What network is being used to process the transaction?

Credit cards are notoriously off-limits to cannabis because of the very public positions taken by the major card networks, but that doesn’t stop companies from popping up offering credit card processing for cannabis purchases. Let’s clarify here at the outset – there is no way to directly purchase marijuana in the United States with a credit card from American Express, Visa, Mastercard, or Discover.

So, with necessity being the mother of invention, some companies are trying out a new strategy to get credit card processing into dispensaries legally. Among them are solutions that take advantage of another MCC code: 6051. This code is associated with the purchase of “liquid and cryptocurrency assets” and some enterprising payment providers are using it to set up a structure where a customer isn’t “technically” buying marijuana. Instead they are “buying” what’s called a “stablecoin”, a form of cryptocurrency whose value is pegged 1:1 to the US dollar.

Questions to ask about cryptocurrency or stablecoin solutions:

  • What MCC code is the payment processor using?
  • What stablecoin is being leveraged?
  • How is the stablecoin preserving its value?
  • What will the offramping of funds from a crypto wallet to my DDA account look like to my bank?

Cannabis retail operators are faced with serious business and legal considerations when determining the payment processing solution provided to patients and customers. What solution will be the easiest for the customer? Is the solution compliant?

The cannabis industry’s evolving legal and regulatory landscape is challenging, especially with bad actors seeking to implement non-compliant, makeshift payment solutions intended to capitalize on cannabis businesses seeking efficient and effective cannabis payment solutions. It is essential that you do your due diligence on the cannabis payment solutions presented to your business to confirm that they will not cause an issue for you, the business, and its patients and customers. We hope that this article outlines considerations that will allow you to protect your business and its patients and customers.

Member Blog: The Importance of PCI Compliance for Cannabis Payments at a Dispensary

The cannabis industry has witnessed exponential growth recently, with legalizations sweeping across various states. The demand for cannabis products is soaring, prompting dispensaries and retailers to explore the convenience of digital payment solutions to meet customer preferences. However, in this rapidly evolving landscape, compliance with industry regulations is paramount, especially when processing cannabis payments securely. This blog post delves into the significance of PCI compliance for dispensary payments, highlighting the potential penalties for non-compliance and the need for a fully compliant cannabis payment processing solution.

The Booming Cannabis Market and the Rise of Digital Payments

The growing cannabis market has paved the way for cannabis retailers and dispensaries to embrace digital payment options to cater to their customers’ convenience and preferences. As more consumers seek cashless and contactless payment methods, integrating digital payments into dispensary operations has become essential. However, the dynamic nature of the cannabis industry requires strict adherence to security and compliance standards.

Understanding Cannabis PCI Compliance and its Significance

PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards designed to protect cardholder data during payment processing. Compliance with PCI DSS is mandatory for all organizations that accept, process, store, or transmit credit card information. In the cannabis industry, where the risk of fraud and cyber threats is high and consumers are more reluctant to share personal information, adhering to PCI compliance is crucial for safeguarding sensitive customer data and maintaining trust with your clientele.

Risks of Inadequate Cannabis Payment Processing Solutions

Using inadequate or illegal payment processing solutions, like cashless ATMs, that are not fully compliant with PCI standards poses significant risks for cannabis retailers. Such solutions may leave cardholder data vulnerable to hacking attempts and data breaches, leading to financial losses and damage to the dispensary’s reputation. As the cannabis industry attracts attention from cybercriminals, investing in a robust and PCI-compliant payment processing solution becomes a proactive step towards safeguarding your dispensary’s future.

Penalties for Non-Compliance with PCI for Dispensary Payments

Failing to comply with PCI DSS can have severe consequences for cannabis retailers and dispensaries. All major digital payment processing companies enforce compliance and may impose substantial fines on businesses that do not meet the required regulations. These fines can range from thousands to hundreds of thousands of dollars per month, depending on the severity of the breach. Additionally, non-compliant businesses may face reputational damage, customer loss, and legal actions, potentially threatening the very existence of your dispensary.

The Role of PCI Compliance in Building Customer Trust

Customer trust is paramount in any business and the cannabis industry is no exception. When customers choose to shop at a dispensary, they expect their personal and financial information to be handled securely. Compliance with PCI DSS standards protects cardholder data and instills confidence in customers that their transactions are safe and their privacy is respected. Building this trust fosters loyalty and encourages repeat business, ultimately benefiting your dispensary’s bottom line.

Choosing a Compliant Cannabis Payment Processing Solution

To mitigate the risks associated with non-compliance and ensure that digital payments are processed securely, cannabis retailers must prioritize using a fully compliant payment processing solution. A reputable payment provider specializing in the cannabis industry can offer end-to-end encryption, tokenization, and secure payment gateways to protect sensitive customer data. By partnering with such a provider, dispensaries can process transactions safely and enhance customer trust without worrying about regulatory pitfalls.

A compliant cannabis payment processing solution is a non-negotiable requirement for dispensaries to stay ahead in this competitive landscape. Compliance is crucial, but various other considerations must be taken into account when choosing a cannabis payment processing solution. Cova’s free dispensary payments guide is a great resource to learn more about seamlessly transitioning to cashless payments. By embracing PCI DSS standards and prioritizing secure payment processing, cannabis dispensaries can foster customer trust, comply with industry regulations, and propel their growth in this exciting and evolving market.
