The Complete Guide to Evaluating Your Cannabis Point-of-Sale Provider’s Security

Before you trust a vendor with 420,000+ customer records, make sure they can protect them.



Why This Checklist Matters

The Stiiizy breach wasn’t Stiiizy’s fault—at least not directly.

A third-party POS vendor was compromised. The attackers exploited vulnerabilities in the vendor’s systems for an entire month before anyone noticed. By then, 420,000+ customer records were stolen, including passports, driver’s licenses, medical cards, and purchase histories.

Your POS vendor has access to:

  • Every customer’s government ID
  • Medical cannabis card information
  • Complete purchase histories
  • Payment data
  • Employee credentials
  • Your entire business operation

If they get breached, YOU get breached.

This checklist helps you:

  • Evaluate new POS vendors before signing contracts
  • Assess your current vendor’s security posture
  • Identify gaps that put your business at risk
  • Negotiate stronger security requirements
  • Document due diligence for regulators and insurers

How to Use This Checklist

For New Vendors:

  • Complete this assessment BEFORE signing any contract
  • Require written responses to all questions
  • Request supporting documentation
  • Walk away from vendors who can’t answer or refuse

For Existing Vendors:

  • Schedule a security review meeting
  • Complete assessment together
  • Identify gaps and remediation timelines
  • Document everything for your compliance files

Scoring:

  • Each section has a maximum score
  • Calculate percentage for overall security rating
  • Minimum acceptable score: 70%
  • Target score: 85%+
  • Below 60%: Do not use / replace vendor

SECTION 1: COMPANY & GOVERNANCE

Maximum Score: 50 points

1.1 Company Background

Question Response Score

How long has the company been in business? ☐ <2 years (0) ☐ 2-5 years (2) ☐ 5+ years (5) /5

How many cannabis clients do they serve? ☐ <50 (1) ☐ 50-200 (3) ☐ 200+ (5) /5

Is the company profitable/financially stable? ☐ Unknown (0) ☐ VC-funded/growing (3) ☐ Profitable (5) /5

Has the company ever filed for bankruptcy? ☐ Yes (0) ☐ No (5) /5

Are there pending lawsuits related to data breaches? ☐ Yes (0) ☐ Unknown (2) ☐ No (5) /5

Why it matters: Companies with short track records, financial instability, or breach history are higher risk. A vendor going out of business means your data could end up anywhere.


1.2 Security Leadership

Question Response Score

Do they have a dedicated Chief Information Security Officer (CISO) or security leader? ☐ No (0) ☐ Part-time/outsourced (3) ☐ Full-time CISO (5) /5

How many full-time security staff do they employ? ☐ 0 (0) ☐ 1-2 (2) ☐ 3-5 (4) ☐ 5+ (5) /5

Does security report directly to executive leadership? ☐ No (0) ☐ Yes (5) /5

Do they have a documented security policy? ☐ No (0) ☐ Yes, will share (5) /5

Is there a security awareness program for employees? ☐ No (0) ☐ Annual training (3) ☐ Ongoing program (5) /5

Why it matters: Security requires dedicated resources. A vendor with no security staff is relying on luck.

Request: Ask for the name and LinkedIn profile of their security leader. Verify they exist and have relevant experience.


Section 1 Score: ___ / 50



SECTION 2: CERTIFICATIONS & COMPLIANCE

Maximum Score: 60 points

2.1 Security Certifications

Certification Status Score

SOC 2 Type II ☐ No (0) ☐ Type I only (5) ☐ Type II (10) /10

SOC 2 Report Date ☐ >18 months old (0) ☐ 12-18 months (3) ☐ <12 months (5) /5

ISO 27001 ☐ No (0) ☐ In progress (3) ☐ Certified (10) /10

PCI DSS (if processing payments) ☐ No (0) ☐ SAQ only (3) ☐ Level 1 (10) /10

HITRUST (if handling medical data) ☐ No (0) ☐ In progress (5) ☐ Certified (10) /10

Critical: SOC 2 Type II is the minimum acceptable standard for any vendor handling customer data. If they don’t have it, they should be actively working toward it with a defined timeline.


2.2 Compliance Documentation

Question Response Score

Will they provide a copy of their SOC 2 report? ☐ No (0) ☐ Executive summary only (3) ☐ Full report (5) /5

Will they provide penetration test results? ☐ No (0) ☐ Summary only (3) ☐ Full report (5) /5

Do they have documented security policies they’ll share? ☐ No (0) ☐ Partial (3) ☐ Full policy set (5) /5


2.3 SOC 2 Report Review

If they provide a SOC 2 report, review for:

Item Finding Score

Report issued by reputable auditor (Big 4, known firm)? ☐ No/Unknown (0) ☐ Yes (3) /3

Report covers all Trust Services Criteria you need? ☐ No (0) ☐ Partial (2) ☐ Yes (4) /4

Any qualified opinions or exceptions? ☐ Multiple (0) ☐ Minor (2) ☐ None (3) /3

Trust Services Criteria to look for:

  • Security (required)
  • Availability (important for uptime)
  • Confidentiality (important for customer data)
  • Processing Integrity (important for transactions)
  • Privacy (important if handling medical data)

Section 2 Score: ___ / 60


SECTION 3: DATA PROTECTION

Maximum Score: 80 points

3.1 Encryption Standards

Question Response Score

Is all customer data encrypted at rest? ☐ No (0) ☐ Partial (3) ☐ Yes, all data (10) /10

What encryption algorithm is used at rest? ☐ Unknown (0) ☐ AES-128 (5) ☐ AES-256 (10) /10

Is all data encrypted in transit? ☐ No (0) ☐ Partial (3) ☐ Yes (10) /10

What TLS version is used? ☐ TLS 1.0/1.1 (0) ☐ TLS 1.2 (5) ☐ TLS 1.3 (10) /10

Are encryption keys managed separately from data? ☐ No (0) ☐ Unknown (3) ☐ Yes (5) /5

Do they use a Hardware Security Module (HSM) for key management? ☐ No (0) ☐ Yes (5) /5

Non-negotiable: AES-256 encryption at rest and TLS 1.2+ in transit are minimum requirements.


3.2 Data Handling

Question Response Score

What customer data do they store? Document: _________________ Info only

How long is customer data retained? ☐ Indefinitely (0) ☐ >3 years (2) ☐ ≤3 years (5) /5

Can data be deleted upon request? ☐ No (0) ☐ Yes, manual process (3) ☐ Yes, automated (5) /5

Is data anonymized/pseudonymized where possible? ☐ No (0) ☐ Partial (3) ☐ Yes (5) /5

Do they share data with third parties? ☐ Yes, many (0) ☐ Limited, disclosed (3) ☐ No (5) /5

Is there a data classification policy? ☐ No (0) ☐ Yes (5) /5

Request: Ask for their data flow diagram showing where customer data goes.


3.3 Data Backup & Recovery

Question Response Score

How often is data backed up? ☐ Weekly (1) ☐ Daily (3) ☐ Continuous/hourly (5) /5

Are backups encrypted? ☐ No (0) ☐ Yes (5) /5

Are backups stored in separate location/region? ☐ No (0) ☐ Yes (5) /5

What is the Recovery Time Objective (RTO)? ☐ >24 hours (1) ☐ 4-24 hours (3) ☐ <4 hours (5) /5

What is the Recovery Point Objective (RPO)? ☐ >24 hours (1) ☐ 1-24 hours (3) ☐ <1 hour (5) /5

How often are backups tested? ☐ Never (0) ☐ Annually (2) ☐ Quarterly+ (5) /5


Section 3 Score: ___ / 80


SECTION 4: ACCESS CONTROL

Maximum Score: 70 points

4.1 Authentication

Question Response Score

Is multi-factor authentication (MFA) available? ☐ No (0) ☐ Optional (5) ☐ Required (10) /10

What MFA methods are supported? ☐ SMS only (2) ☐ Authenticator app (5) ☐ Hardware keys (10) /10

Is MFA required for admin/privileged access? ☐ No (0) ☐ Yes (10) /10

What are the password requirements? ☐ Weak (<8 char) (0) ☐ Moderate (8-12) (3) ☐ Strong (12+, complexity) (5) /5

Is there account lockout after failed attempts? ☐ No (0) ☐ Yes (5) /5

Do they support Single Sign-On (SSO)? ☐ No (0) ☐ Yes (5) /5

Non-negotiable: MFA must be available and enforced for all administrative access.


4.2 Authorization & Access Control

Question Response Score

Is role-based access control (RBAC) implemented? ☐ No (0) ☐ Basic (3) ☐ Granular (5) /5

Can you define custom roles for your employees? ☐ No (0) ☐ Yes (5) /5

Is there separation of duties for critical functions? ☐ No (0) ☐ Yes (5) /5

Are access rights reviewed regularly? ☐ No (0) ☐ Annually (3) ☐ Quarterly (5) /5

Is there a process for revoking access upon termination? ☐ No (0) ☐ Manual (3) ☐ Automated (5) /5


4.3 Vendor Internal Access

Question Response Score

How many vendor employees can access your data? ☐ Unknown (0) ☐ Many (2) ☐ Limited, need-to-know (5) /5

Is vendor employee access logged? ☐ No (0) ☐ Yes (5) /5

Do they conduct background checks on employees? ☐ No (0) ☐ Yes (5) /5

Can you request a list of who accessed your data? ☐ No (0) ☐ Yes (5) /5


Section 4 Score: ___ / 70


SECTION 5: INFRASTRUCTURE SECURITY

Maximum Score: 60 points

5.1 Cloud/Hosting Security

Question Response Score

Where is data hosted? ☐ Unknown (0) ☐ On-premise (3) ☐ Major cloud (AWS, Azure, GCP) (5) /5

Is data hosted in the United States? ☐ No/Unknown (0) ☐ Yes (5) /5

Is the hosting provider SOC 2 certified? ☐ No (0) ☐ Yes (5) /5

Is the infrastructure in a single location or distributed? ☐ Single (2) ☐ Multi-region (5) /5

What is the guaranteed uptime SLA? ☐ <99% (0) ☐ 99-99.9% (3) ☐ 99.9%+ (5) /5


5.2 Network Security

Question Response Score

Is there a Web Application Firewall (WAF)? ☐ No (0) ☐ Yes (5) /5

Is there DDoS protection? ☐ No (0) ☐ Yes (5) /5

Is the network segmented? ☐ No (0) ☐ Yes (5) /5

Are there intrusion detection/prevention systems? ☐ No (0) ☐ IDS only (3) ☐ IDS/IPS (5) /5

Is network traffic monitored 24/7? ☐ No (0) ☐ Business hours (2) ☐ 24/7 (5) /5


5.3 Vulnerability Management

Question Response Score

How often are vulnerability scans performed? ☐ Never (0) ☐ Annually (2) ☐ Quarterly (3) ☐ Continuously (5) /5

How often are penetration tests performed? ☐ Never (0) ☐ Annually (3) ☐ More frequently (5) /5

What is the SLA for patching critical vulnerabilities? ☐ No SLA (0) ☐ >30 days (1) ☐ 7-30 days (3) ☐ <7 days (5) /5

Do they participate in a bug bounty program? ☐ No (0) ☐ Yes (5) /5


Section 5 Score: ___ / 60


SECTION 6: APPLICATION SECURITY

Maximum Score: 50 points

6.1 Secure Development

Question Response Score

Do they follow a Secure Software Development Lifecycle (SSDLC)? ☐ No (0) ☐ Informal (3) ☐ Formal process (5) /5

Is code reviewed for security before release? ☐ No (0) ☐ Peer review (3) ☐ Security-focused review (5) /5

Do they use static application security testing (SAST)? ☐ No (0) ☐ Yes (5) /5

Do they use dynamic application security testing (DAST)? ☐ No (0) ☐ Yes (5) /5

Are third-party libraries scanned for vulnerabilities? ☐ No (0) ☐ Yes (5) /5


6.2 API Security

Question Response Score

Is the API authenticated? ☐ No (0) ☐ API key only (3) ☐ OAuth/token-based (5) /5

Is API access rate-limited? ☐ No (0) ☐ Yes (5) /5

Are API calls logged? ☐ No (0) ☐ Yes (5) /5

Is there API documentation with security guidance? ☐ No (0) ☐ Yes (5) /5

Can API keys be rotated without service disruption? ☐ No (0) ☐ Yes (5) /5


Section 6 Score: ___ / 50


SECTION 7: INCIDENT RESPONSE

Maximum Score: 60 points

7.1 Incident Response Program

Question Response Score

Do they have a documented incident response plan? ☐ No (0) ☐ Yes (10) /10

Is there a dedicated incident response team? ☐ No (0) ☐ Ad-hoc (3) ☐ Dedicated team (5) /5

How often is the incident response plan tested? ☐ Never (0) ☐ Annually (3) ☐ Quarterly (5) /5

Do they have relationships with forensics firms? ☐ No (0) ☐ Yes (5) /5

Is there 24/7 incident response capability? ☐ No (0) ☐ On-call (3) ☐ 24/7 SOC (5) /5


7.2 Breach Notification

Question Response Score

What is their breach notification timeline? ☐ >72 hours (0) ☐ 48-72 hours (3) ☐ <24 hours (5) ☐ <12 hours (10) /10

Is breach notification contractually guaranteed? ☐ No (0) ☐ Yes (10) /10

Will they provide forensic reports after incidents? ☐ No (0) ☐ Summary (3) ☐ Full report (5) /5

Do they carry cyber insurance? ☐ No (0) ☐ Yes (5) /5

Non-negotiable: Breach notification within 24 hours should be contractually required.


Section 7 Score: ___ / 60


SECTION 8: LOGGING & MONITORING

Maximum Score: 40 points

8.1 Audit Logging

Question Response Score

Are all user actions logged? ☐ No (0) ☐ Partial (3) ☐ Comprehensive (5) /5

Are all admin actions logged? ☐ No (0) ☐ Yes (5) /5

Are logs tamper-proof/immutable? ☐ No (0) ☐ Yes (5) /5

How long are logs retained? ☐ <30 days (0) ☐ 30-90 days (3) ☐ 90+ days (5) /5

Can you access logs for your account? ☐ No (0) ☐ Limited (3) ☐ Full access (5) /5


8.2 Security Monitoring

Question Response Score

Is there real-time security monitoring? ☐ No (0) ☐ Yes (5) /5

Are anomalies automatically detected? ☐ No (0) ☐ Yes (5) /5

Is there a Security Information and Event Management (SIEM) system? ☐ No (0) ☐ Yes (5) /5


Section 8 Score: ___ / 40


SECTION 9: CANNABIS-SPECIFIC REQUIREMENTS

Maximum Score: 50 points

9.1 Compliance Integration

Question Response Score

Is the POS certified/integrated with Metrc? ☐ No (0) ☐ Yes (10) /10

Is the POS certified/integrated with BioTrack? ☐ No (0) ☐ N/A (5) ☐ Yes (10) /10

Is the POS certified/integrated with Leaf Data? ☐ No (0) ☐ N/A (5) ☐ Yes (10) /10

Are compliance syncs encrypted end-to-end? ☐ No (0) ☐ Yes (5) /5

What is the sync failure notification time? ☐ >1 hour (0) ☐ <1 hour (3) ☐ Real-time (5) /5


9.2 Cannabis Data Handling

Question Response Score

Is medical patient data separated from recreational? ☐ No (0) ☐ Yes (5) /5

Are medical cannabis cards encrypted separately? ☐ No (0) ☐ Yes (5) /5

Can ID scan images be automatically deleted after verification? ☐ No (0) ☐ Yes (5) /5


Section 9 Score: ___ / 50


SECTION 10: CONTRACTUAL PROTECTIONS

Maximum Score: 50 points

10.1 Security Commitments

Question Response Score

Will they sign a Business Associate Agreement (BAA) if you handle medical data? ☐ No (0) ☐ Yes (10) /10

Will they agree to annual security assessments by you or third party? ☐ No (0) ☐ Yes (5) /5

Is there an SLA for security patch application? ☐ No (0) ☐ Yes (5) /5

Are there penalties for security SLA breaches? ☐ No (0) ☐ Yes (5) /5


10.2 Data Rights

Question Response Score

Do you retain ownership of all your data? ☐ No (0) ☐ Yes (5) /5

Can you export all data upon termination? ☐ No (0) ☐ Yes (5) /5

Will they delete your data upon contract termination? ☐ No (0) ☐ Yes, with certification (5) /5

Is there a data processing agreement (DPA)? ☐ No (0) ☐ Yes (5) /5


10.3 Liability & Insurance

Question Response Score

Do they carry cyber liability insurance? ☐ No (0) ☐ Yes (5) /5

What is the coverage amount? ☐ <$1M (1) ☐ $1-5M (3) ☐ >$5M (5) /5

Will they indemnify you for breaches caused by their negligence? ☐ No (0) ☐ Yes (5) /5


Section 10 Score: ___ / 50


SCORING SUMMARY

Section Max Score Your Score Percentage

  1. Company & Governance 50 ___ ___%
  2. Certifications & Compliance 60 ___ ___%
  3. Data Protection 80 ___ ___%
  4. Access Control 70 ___ ___%
  5. Infrastructure Security 60 ___ ___%
  6. Application Security 50 ___ ___%
  7. Incident Response 60 ___ ___%
  8. Logging & Monitoring 40 ___ ___%
  9. Cannabis-Specific 50 ___ ___%
  10. Contractual Protections 50 ___ ___%

TOTAL 570 ___ ___%


OVERALL RATING

Score Range Rating Recommendation

485-570 (85-100%) ⭐⭐⭐⭐⭐ Excellent Low risk. Proceed with confidence.

400-484 (70-84%) ⭐⭐⭐⭐ Good Acceptable. Address gaps contractually.

342-399 (60-69%) ⭐⭐⭐ Fair Significant gaps. Require remediation plan with timeline.

285-341 (50-59%) ⭐⭐ Poor High risk. Consider alternatives.

<285 (<50%) ⭐ Unacceptable Do not use. Find different vendor.


CRITICAL REQUIREMENTS (NON-NEGOTIABLE)

The following are absolute requirements. If ANY of these are not met, do not proceed with the vendor:

Requirement Met?

☐ SOC 2 Type II certification (or Type I with Type II in progress)

☐ AES-256 encryption for data at rest

☐ TLS 1.2+ encryption for data in transit

☐ Multi-factor authentication available and enforceable

☐ Breach notification within 24-48 hours contractually guaranteed

☐ Annual penetration testing performed

☐ Data hosted in United States

☐ Willingness to sign security addendum

If any box is unchecked, STOP. Do not proceed.
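The scoring procedure (section maxima, 570-point total, rating bands) and the critical-requirements gate, implemented as an added example; this is not code from the checklist's authors or their downloadable spreadsheet. Section names, band thresholds and requirement labels come from the page; SAMPLE_SCORES is a constructed vendor, and an unanswered critical requirement is treated as unmet.

```python
# Section maxima exactly as listed in the SCORING SUMMARY (they sum to 570).
SECTION_MAX = {
    "Company & Governance": 50, "Certifications & Compliance": 60,
    "Data Protection": 80, "Access Control": 70, "Infrastructure Security": 60,
    "Application Security": 50, "Incident Response": 60, "Logging & Monitoring": 40,
    "Cannabis-Specific": 50, "Contractual Protections": 50,
}
TOTAL_MAX = sum(SECTION_MAX.values())

# OVERALL RATING bands: (lowest point total in the band, rating, recommendation).
RATING_BANDS = (
    (485, "Excellent", "Low risk. Proceed with confidence."),
    (400, "Good", "Acceptable. Address gaps contractually."),
    (342, "Fair", "Significant gaps. Require remediation plan with timeline."),
    (285, "Poor", "High risk. Consider alternatives."),
    (0, "Unacceptable", "Do not use. Find different vendor."),
)

# CRITICAL REQUIREMENTS: a single unmet item stops the evaluation whatever the score.
CRITICAL_REQUIREMENTS = (
    "SOC 2 Type II (or Type I with Type II in progress)",
    "AES-256 encryption at rest",
    "TLS 1.2+ encryption in transit",
    "MFA available and enforceable",
    "Breach notification within 24-48 hours contractually guaranteed",
    "Annual penetration testing performed",
    "Data hosted in United States",
    "Willingness to sign security addendum",
)

# Constructed sample answers for a hypothetical vendor, not a real assessment.
SAMPLE_SCORES = {
    "Company & Governance": 40, "Certifications & Compliance": 45,
    "Data Protection": 60, "Access Control": 55, "Infrastructure Security": 45,
    "Application Security": 35, "Incident Response": 45, "Logging & Monitoring": 30,
    "Cannabis-Specific": 35, "Contractual Protections": 30,
}


def rating_for(total_points):
    """Map a point total to its OVERALL RATING band as (rating, recommendation)."""
    if not 0 <= total_points <= TOTAL_MAX:
        raise ValueError(f"total must lie within 0..{TOTAL_MAX}")
    for floor, rating, recommendation in RATING_BANDS:
        if total_points >= floor:
            return rating, recommendation
    raise AssertionError("unreachable: the last band starts at 0")


def evaluate(section_scores, critical_met):
    """section_scores: {section: points}, one entry per section.
    critical_met: {requirement: bool}; a requirement absent from the dict counts
    as unmet, because an unanswered question is not a passed one."""
    if set(section_scores) != set(SECTION_MAX):
        raise ValueError("score every section exactly once, using the SECTION_MAX names")
    sections = {}
    for name, cap in SECTION_MAX.items():
        points = section_scores[name]
        if not 0 <= points <= cap:
            raise ValueError(f"{name}: {points} is outside 0..{cap}")
        sections[name] = {"score": points, "max": cap, "pct": round(100 * points / cap, 1)}
    total = sum(section_scores.values())
    rating, recommendation = rating_for(total)
    unmet = [req for req in CRITICAL_REQUIREMENTS if not critical_met.get(req, False)]
    verdict = "STOP: unmet critical requirement(s), do not proceed" if unmet else recommendation
    return {"sections": sections, "total": total, "pct": round(100 * total / TOTAL_MAX, 1),
            "rating": rating, "unmet_critical": unmet, "verdict": verdict}


def weakest_sections(result, n=3):
    """Lowest-scoring sections first: the gaps to put in the remediation plan."""
    ranked = sorted(result["sections"].items(), key=lambda item: item[1]["pct"])
    return [name for name, _ in ranked[:n]]


if __name__ == "__main__":
    result = evaluate(SAMPLE_SCORES, {req: True for req in CRITICAL_REQUIREMENTS})
    print(f'{result["total"]}/{TOTAL_MAX} ({result["pct"]}%) {result["rating"]}: {result["verdict"]}')
    print("Weakest sections:", weakest_sections(result))
```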


RED FLAGS (IMMEDIATE DISQUALIFICATION)

Walk away immediately if you encounter:

“We don’t have SOC 2 and aren’t planning to get it”

“We can’t share our security documentation”

“Our security is proprietary/confidential”

Refusal to answer specific security questions

“We’ve never been breached” (every vendor is probed and attacked; this claim usually shows a lack of visibility, not a clean record)

No dedicated security personnel

Data stored outside United States without disclosure

Inability to provide penetration test results or summary

No incident response plan

Refusal to agree to breach notification timeline

“Trust us, we’re secure”


QUESTIONS TO ASK IN PERSON

Beyond the checklist, ask these open-ended questions:

Security Philosophy

  • “Tell me about your security team’s background and experience.”
  • “How do you stay current with emerging threats?”
  • “What’s the biggest security investment you’ve made in the past year?”
  • “How do you balance security with user experience?”

Incident History

  • “Have you ever experienced a security incident? If so, what did you learn?”
  • “How would you handle a breach that affected our customer data?”
  • “Walk me through what happens when you discover a vulnerability.”

Cannabis-Specific

  • “How do you handle the unique regulatory requirements of cannabis?”
  • “What cannabis-specific security training does your team receive?”
  • “How do you ensure Metrc/BioTrack credentials are protected?”

Future-Proofing

  • “What’s on your security roadmap for the next 12 months?”
  • “How do you handle new compliance requirements?”
  • “Are you prepared for potential federal regulation changes?”

DOCUMENTATION TO REQUEST

Request these documents BEFORE signing:

Required:

☐ SOC 2 Type II Report (full report, not just executive summary)
☐ Penetration Test Summary (within last 12 months)
☐ Security Policy Overview
☐ Data Flow Diagram
☐ Incident Response Plan Summary
☐ Business Continuity/Disaster Recovery Overview
☐ Certificate of Insurance (cyber liability)

☐ Vulnerability Scan Results Summary
☐ Employee Security Training Program Overview
☐ Third-Party Vendor Security Policy
☐ Data Processing Agreement Template
☐ Security Addendum Template

If Handling Medical Data:

☐ Business Associate Agreement (BAA) Template
☐ HIPAA Compliance Documentation


CONTRACT SECURITY ADDENDUM

Add these clauses to your vendor contract:

Security Standards Clause

Security Requirements. Vendor shall implement and maintain administrative, technical, and physical safeguards designed to: (a) ensure the security and confidentiality of Customer Data; (b) protect against anticipated threats to the security or integrity of Customer Data; (c) protect against unauthorized access to Customer Data; and (d) ensure proper disposal of Customer Data. Such safeguards shall include, at minimum:

  • Encryption of Customer Data at rest using AES-256 or equivalent
  • Encryption of Customer Data in transit using TLS 1.2 or higher
  • Multi-factor authentication for all administrative access
  • Annual penetration testing by qualified third party
  • Maintenance of SOC 2 Type II certification covering Security trust services criteria


Breach Notification Clause

Security Incident Notification. Vendor shall notify Customer within twenty-four (24) hours of discovering any Security Incident affecting Customer Data. “Security Incident” means any unauthorized access to, acquisition of, or disclosure of Customer Data, or any event that materially compromises the security, confidentiality, or integrity of Customer Data. Such notification shall include: (a) a description of the incident; (b) the types of Customer Data involved; (c) the approximate number of affected individuals; (d) the actions taken to contain the incident; and (e) the Vendor contact for further information.


Audit Rights Clause

Security Audits. Upon thirty (30) days’ written notice, and not more than once per calendar year (or immediately following any Security Incident), Customer may audit Vendor’s security practices and controls related to the protection of Customer Data. Such audit may be conducted by Customer or a qualified third party selected by Customer. Vendor shall provide reasonable cooperation and access to personnel, systems, and documentation necessary to conduct the audit. Alternatively, Vendor may provide Customer with an updated SOC 2 Type II report and penetration test summary in lieu of an on-site audit, provided such reports are less than twelve (12) months old.


Data Return & Deletion Clause

Data Return and Deletion. Upon termination or expiration of this Agreement, Vendor shall, at Customer’s election: (a) return all Customer Data in a commonly usable format; or (b) securely delete all Customer Data. Within thirty (30) days of termination, Vendor shall provide written certification that all Customer Data has been returned or deleted in accordance with Customer’s instructions, including deletion from all backups, archives, and disaster recovery systems within ninety (90) days.


Insurance Requirements Clause

Insurance. Vendor shall maintain cyber liability insurance with coverage of not less than Five Million Dollars ($5,000,000) per occurrence. Upon request, Vendor shall provide Customer with a certificate of insurance evidencing such coverage.


Indemnification Clause

Security Indemnification. Vendor shall indemnify, defend, and hold harmless Customer from and against any and all claims, damages, losses, and expenses (including reasonable attorneys’ fees) arising from any Security Incident caused by Vendor’s failure to comply with its security obligations under this Agreement or its negligent or wrongful acts or omissions.


VENDOR COMPARISON MATRIX

Use this to compare multiple vendors:

Criteria Vendor A Vendor B Vendor C

Company Name

Overall Score ___/570 (___%) ___/570 (___%) ___/570 (___%)

SOC 2 Type II ☐ Yes ☐ No ☐ Yes ☐ No ☐ Yes ☐ No

Encryption (Rest)

Encryption (Transit)

MFA Available ☐ Yes ☐ No ☐ Yes ☐ No ☐ Yes ☐ No

Breach Notification SLA ___ hours ___ hours ___ hours

Penetration Testing ☐ Annual ☐ Other ☐ Annual ☐ Other ☐ Annual ☐ Other

Metrc Integration ☐ Yes ☐ No ☐ Yes ☐ No ☐ Yes ☐ No

Cyber Insurance $___M $___M $___M

Pricing $/month $/month $/month

Contract Length ___ months ___ months ___ months

Willingness to Sign Security Addendum ☐ Yes ☐ No ☐ Yes ☐ No ☐ Yes ☐ No

Red Flags

Strengths

Weaknesses

Recommendation ☐ Proceed ☐ Caution ☐ Avoid ☐ Proceed ☐ Caution ☐ Avoid ☐ Proceed ☐ Caution ☐ Avoid


ANNUAL VENDOR REVIEW CHECKLIST

Conduct this review annually for existing vendors:

Documentation Review

☐ Request updated SOC 2 Type II report
☐ Request penetration test summary from past 12 months
☐ Review any security incidents since last review
☐ Confirm cyber insurance is still active

Access Review

☐ Audit which employees have admin access
☐ Remove any terminated employees
☐ Verify MFA is enabled for all admins
☐ Rotate any shared credentials

Contract Review

☐ Confirm security addendum is still in place
☐ Review any contract amendments
☐ Verify breach notification requirements
☐ Check insurance coverage amounts

Performance Review

☐ Review any outages or incidents
☐ Assess customer support responsiveness
☐ Evaluate sync reliability (Metrc/BioTrack)
☐ Gather employee feedback on usability

Market Review

☐ Research alternatives in market
☐ Compare pricing to current contract
☐ Assess new features available
☐ Evaluate vendor financial stability


DOWNLOADABLE RESOURCES

Members can download:

  • POS Vendor Security Assessment Checklist (Excel) - Fillable spreadsheet with auto-scoring
  • Security Addendum Template (Word) - Ready-to-use contract language
  • Vendor Comparison Matrix (Excel) - Side-by-side evaluation tool
  • Annual Review Checklist (PDF) - Printable review guide
  • Questions to Ask Script (PDF) - Conversation guide for vendor meetings



WHEN TO SWITCH VENDORS

Consider replacing your POS vendor if:

⚠️ They score below 60% on this assessment

⚠️ They refuse to provide SOC 2 report

⚠️ They won’t agree to breach notification requirements

⚠️ They experience a breach and don’t notify you promptly

⚠️ They have repeated sync failures with Metrc/BioTrack

⚠️ They stop investing in security (no new certifications, testing)

⚠️ Their financial situation becomes unstable

⚠️ Customer support becomes unresponsive

⚠️ Contract terms become unfavorable at renewal

Switching is disruptive, but it’s better than being the next Stiiizy.


CONCLUSION

Your POS vendor is a critical partner—and a critical risk.

They have access to everything: customer IDs, medical cards, purchase histories, payment data, employee credentials. A single vulnerability in their system becomes YOUR breach.

Use this checklist to:

  • Evaluate vendors BEFORE signing contracts
  • Assess your current vendor’s security posture
  • Identify and address gaps
  • Negotiate stronger contractual protections
  • Document due diligence for compliance and insurance

The time to assess your vendor’s security is BEFORE the breach, not after.


Questions about vendor security?

Ask in the #vendor-security channel in our private Discord, or email: security@cannasecure.tech

