POS Vendor Security Assessment Checklist
The Complete Guide to Evaluating Your Cannabis Point-of-Sale Provider's Security
Before you trust a vendor with 420,000+ customer records, make sure they can protect them.

Why This Checklist Matters
The Stiiizy breach wasn't Stiiizy's fault—at least not directly.
A third-party POS vendor was compromised. The attackers exploited vulnerabilities in the vendor's systems for an entire month before anyone noticed. By then, 420,000+ customer records were stolen, including passports, driver's licenses, medical cards, and purchase histories.
Your POS vendor has access to:
- Every customer's government ID
- Medical cannabis card information
- Complete purchase histories
- Payment data
- Employee credentials
- Your day-to-day operations: sales, inventory, and regulatory reporting all run through the POS
If they get breached, YOU get breached.
This checklist helps you:
- Evaluate new POS vendors before signing contracts
- Assess your current vendor's security posture
- Identify gaps that put your business at risk
- Negotiate stronger security requirements
- Document due diligence for regulators and insurers
How to Use This Checklist
For New Vendors:
- Complete this assessment BEFORE signing any contract
- Require written responses to all questions
- Request supporting documentation
- Walk away from vendors who can't answer or refuse
For Existing Vendors:
- Schedule a security review meeting
- Complete the assessment together
- Identify gaps and remediation timelines
- Document everything for your compliance files
Scoring:
- Each section has a maximum score
- Add the section scores and divide by the combined maximum to get an overall percentage
- Target score: 85%+
- Minimum acceptable score: 70%
- 60-69%: conditional use only, with written remediation commitments and deadlines for each gap
- Below 60%: Do not use / replace vendor
SECTION 1: COMPANY & GOVERNANCE
Maximum Score: 50 points
1.1 Company Background
| Question | Response | Score |
|---|---|---|
| How long has the company been in business? | ☐ <2 years (0) ☐ 2-5 years (2) ☐ 5+ years (5) | /5 |
| How many cannabis clients do they serve? | ☐ <50 (1) ☐ 50-200 (3) ☐ 200+ (5) | /5 |
| Is the company profitable/financially stable? | ☐ Unknown (0) ☐ VC-funded/growing (3) ☐ Profitable (5) | /5 |
| Has the company ever filed for bankruptcy? | ☐ Yes (0) ☐ No (5) | /5 |
| Are there pending lawsuits related to data breaches? | ☐ Yes (0) ☐ Unknown (2) ☐ No (5) | /5 |
Why it matters: Companies with short track records, financial instability, or breach history are higher risk. If a vendor goes out of business, its databases become assets in a wind-down or acquisition; unless your contract requires return or destruction of your data, it can end up anywhere.
1.2 Security Leadership
| Question | Response | Score |
|---|---|---|
| Do they have a dedicated Chief Information Security Officer (CISO) or security leader? | ☐ No (0) ☐ Part-time/outsourced (3) ☐ Full-time CISO (5) | /5 |
| How many full-time security staff do they employ? | ☐ 0 (0) ☐ 1-2 (2) ☐ 3-5 (4) ☐ 6+ (5) | /5 |
| Does security report directly to executive leadership? | ☐ No (0) ☐ Yes (5) | /5 |
| Do they have a documented security policy? | ☐ No (0) ☐ Yes, but will not share (2) ☐ Yes, will share (5) | /5 |
| Is there a security awareness program for employees? | ☐ No (0) ☐ Annual training (3) ☐ Ongoing program (5) | /5 |
Why it matters: Security requires dedicated resources. A vendor with no security staff is relying on luck.
Request: Ask for the name and LinkedIn profile of their security leader. Verify that the person exists, has relevant experience, and is actually employed by the vendor rather than listed as an outside advisor.
Section 1 Score: ___ / 50
SECTION 2: CERTIFICATIONS & COMPLIANCE
Maximum Score: 60 points
