IT Compliance for California Cannabis Dispensaries: A Practical Guide


Cannabis retail in California is a fully legal, state-regulated industry — and one of the most IT-intensive retail environments a business owner can operate. A licensed dispensary must simultaneously satisfy the California Department of Cannabis Control's surveillance and record-keeping mandates, maintain live connectivity to a state-run seed-to-sale tracking system, process payments in a banking environment that remains restrictive despite legalization, and protect customer data under a state privacy law that applies to any business collecting personal information.

That stack of obligations sits on top of the same basic challenge facing any retail operation: keeping systems running, staff productive, and customers moving through the door. When the IT infrastructure isn't purpose-built for this environment, compliance gaps appear — and in the cannabis industry, a compliance gap doesn't just cost money. It puts your license at risk.

This guide walks through the eight IT areas where dispensary operators most commonly face compliance exposure, and what a well-architected IT environment looks like in each area.

Why Cannabis IT Compliance Is Distinctively Complex

Most regulated industries deal with one primary compliance framework. A medical office has HIPAA. A contractor working with the Department of Defense has CMMC. A dispensary has all of the following simultaneously: DCC regulations at the state level, local municipal permitting conditions that often impose additional surveillance and operational requirements, Metrc reporting obligations tied to the state tracking system, PCI DSS requirements for card payments, CCPA obligations for customer data, and often strict cash-handling documentation requirements because conventional banking services remain limited.

The cash dimension alone sets cannabis retail apart from nearly every other regulated industry. Because many financial institutions remain unwilling to serve cannabis businesses — a consequence of federal scheduling — a significant portion of dispensary transactions still occur in cash. Cash-heavy operations attract physical security risk, require detailed cash management audit trails, and create IT infrastructure demands around point-of-sale reconciliation and vault logging that most retail IT frameworks were never designed to accommodate.

Add to this that state and local regulators can conduct compliance inspections with limited advance notice, and that the surveillance and record-keeping systems regulators will want to review must be functioning and current at the time of inspection. The consequence of IT failure in this environment is not just operational disruption — it is a potential licensing action.

California DCC IT Requirements: Surveillance and Record-Keeping

The California Department of Cannabis Control's regulations specify surveillance system requirements in detail. Dispensaries are required to maintain continuous video surveillance of all areas where cannabis products are displayed, handled, or stored — including sales floors, storage rooms, point-of-sale areas, and entry and exit points. The standard retention requirement is 90 days of continuous recording, though local jurisdictions sometimes impose longer periods as a condition of their local permits.

Camera specifications matter. DCC regulations require that cameras produce footage adequate to identify individuals and activities in the recorded areas, which in practice means a minimum resolution capable of capturing usable facial images and clear product-handling activity. Low-resolution cameras that produce blurry, low-detail footage may satisfy a simple checkbox but will fail a substantive review. Our team designs surveillance systems to exceed the minimum resolution threshold — typically deploying 4MP or higher IP cameras at key positions — so that the footage is genuinely useful for compliance purposes, not just technically compliant.

Footage must be stored in a format that allows immediate retrieval. If a DCC inspector or a law enforcement agency requests footage from a specific date and time, the ability to pull that footage quickly and accurately is a direct compliance requirement. This means the NVR or DVR managing your surveillance storage must be organized, indexed, and capable of exporting clips in a common format. It also means the storage infrastructure must have enough capacity to hold 90-plus days of multi-camera footage without overwriting, which requires careful planning against the number of cameras, recording resolution, and frame rate.

A DCC inspection that finds surveillance footage missing for any required area — or footage that cannot be retrieved for a specific date — is a direct compliance deficiency. Your surveillance infrastructure needs to be monitored proactively, not checked reactively.

Local requirements frequently add to state minimums. A municipality may require exterior parking lot coverage, specific camera angles at the entrance to capture license plates, or longer retention periods. Before finalizing your surveillance infrastructure design, the applicable local permit conditions need to be reviewed alongside DCC regulations — both sets of requirements must be met simultaneously.
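A storage-sizing check for the retention planning described above, added here as an example and not part of the original article. The camera layout, per-camera bitrates and the 15% headroom are constructed assumptions; real bitrates come from the NVR's per-stream statistics, and the local permit's retention figure replaces the sample value.

```python
from dataclasses import dataclass

DCC_MIN_RETENTION_DAYS = 90       # state minimum cited in the article
SECONDS_PER_DAY = 86_400
BYTES_PER_TB = 1_000_000_000_000  # decimal terabytes, as disk vendors quote them


@dataclass(frozen=True)
class Camera:
    label: str
    count: int
    bitrate_mbps: float  # assumed average stream bitrate at the configured resolution, fps and codec


def daily_storage_bytes(cameras):
    """Bytes written per day with every camera recording continuously."""
    total_mbps = sum(c.count * c.bitrate_mbps for c in cameras)
    return total_mbps * 1_000_000 / 8 * SECONDS_PER_DAY


def required_capacity_tb(cameras, retention_days, headroom=0.15):
    """Capacity for `retention_days`, with headroom for filesystem overhead and bitrate spikes."""
    return daily_storage_bytes(cameras) * retention_days * (1 + headroom) / BYTES_PER_TB


def achievable_retention_days(cameras, capacity_tb, headroom=0.15):
    """Days of footage the NVR can hold before it starts overwriting."""
    usable = capacity_tb * BYTES_PER_TB / (1 + headroom)
    return usable / daily_storage_bytes(cameras)


def retention_check(cameras, capacity_tb, local_min_days=0):
    """Test the NVR against the stricter of the DCC minimum and the local permit condition."""
    required = max(DCC_MIN_RETENTION_DAYS, local_min_days)
    achievable = achievable_retention_days(cameras, capacity_tb)
    return {
        "required_days": required,
        "achievable_days": round(achievable, 1),
        "compliant": achievable >= required,
        "shortfall_tb": max(0.0, round(required_capacity_tb(cameras, required) - capacity_tb, 2)),
    }


# Constructed sample layout; bitrates are assumed averages, not measured values
SAMPLE_CAMERAS = [
    Camera("sales floor, 4MP", 6, 4.0),
    Camera("storage and vault, 4MP", 3, 4.0),
    Camera("entry/exit, plate capture", 2, 6.0),
    Camera("POS close-up", 4, 3.0),
]

if __name__ == "__main__":
    # A 24 TB NVR measured against a constructed 120-day local permit condition
    print(retention_check(SAMPLE_CAMERAS, capacity_tb=24, local_min_days=120))
```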

Metrc: Seed-to-Sale Tracking and IT Reliability

Metrc — the Marijuana Enforcement Tracking Reporting Compliance system — is California's state-mandated platform for tracking cannabis from cultivation through retail sale. Every unit of cannabis product at a licensed dispensary carries a Metrc tag. Every sale, transfer, return, and disposal must be recorded in Metrc. The system is the regulatory ledger for cannabis commerce in California, and maintaining accurate, timely entries is a core licensing obligation.

Metrc is a cloud-based platform accessed via internet connection, which means its reliability is entirely dependent on your dispensary's internet connectivity. If your internet is down, you cannot record transactions in Metrc in real time. Depending on how long the outage lasts and how your staff manages the interruption, you can accumulate a backlog of unrecorded transactions that represents a compliance gap — and if that gap is discovered during an inspection, it requires explanation.

Callout: 90 days. DCC minimum surveillance retention — California regulations require at least 90 continuous days of multi-camera footage. Many local permits require more. Storage planning must account for camera count, resolution, and frame rate — not just check a box.

The standard IT solution for Metrc reliability is the same one used for NICS connectivity in other regulated retail environments: dual-WAN failover. A primary broadband connection — cable, fiber, or fixed wireless — paired with a cellular backup that activates automatically when the primary connection fails. The failover is transparent to staff; Metrc stays reachable, transactions continue recording, and the compliance record stays clean. The cost of a properly configured failover setup is modest relative to the cost of a compliance citation or license condition resulting from a recording gap.

Beyond connectivity, Metrc reliability requires that the workstations or POS terminals used to access Metrc are stable, maintained, and monitored. A workstation running outdated software, an unsupported browser, or a degraded hard drive is a failure point in your Metrc workflow. Managed IT services that include endpoint monitoring can flag these issues before they produce an outage rather than after.

POS Systems, PCI DSS, and Cash Management IT

Cannabis-specific POS platforms — including Dutchie, Flowhub, Treez, and similar systems — are designed around the compliance needs of cannabis retail. They integrate with Metrc for automatic transaction logging, handle cannabis-specific inventory at the unit and batch level, and manage the menu and pricing display requirements common in this industry. But they also process electronic payments where they're accepted, which brings the full scope of PCI DSS into play for the cardholder data those transactions generate.

The payment landscape for dispensaries is unusual. Conventional Visa and Mastercard processing is not available at most cannabis retailers due to the card networks' policies. The payment options most commonly deployed include cashless ATM systems, ACH debit networks, and emerging compliant debit card solutions operating through state-chartered financial institutions. Each of these has different technical integration requirements and different PCI DSS scope implications. Understanding which payment method your dispensary uses and what its specific compliance obligations are is a prerequisite to building the right network and security architecture around it.

Cash management is where cannabis IT diverges most sharply from general retail. Dispensaries that operate primarily in cash require point-of-sale systems that produce detailed cash drawer reconciliation records, automated safe and vault logging, and audit trails that satisfy both DCC documentation requirements and internal accounting controls. The IT infrastructure supporting cash management — the terminals, the receipt printers, the drawer hardware, and the back-office reconciliation software — must be reliable, accurate, and integrated with the same discipline as any card processing environment.

1. POS on a dedicated, isolated VLAN. Payment terminals and the POS application must be separated from all other network traffic. This is the foundational PCI DSS network control and the primary mechanism for limiting the scope of a potential payment data compromise.

2. End-to-end encrypted payment processing. Whether you're running a cashless ATM, an ACH debit solution, or a compliant debit network, the payment processing hardware should encrypt transaction data at the point of interaction. Avoid any solution that transmits unencrypted payment data over your local network.

3. Daily cash reconciliation with system-generated audit logs. Manual cash counts reconciled against POS records at end of shift, with logs retained per DCC documentation requirements. The POS system must generate these logs automatically — manual logs are an audit risk.

4. No shared credentials on POS terminals. Each staff member should have an individual login. Shared credentials make it impossible to attribute a transaction, an override, or a discrepancy to a specific employee — which is a compliance problem during any audit or investigation.

5. Annual PCI DSS self-assessment. Complete the applicable PCI DSS Self-Assessment Questionnaire each year. The specific SAQ depends on your payment method and integration type. Your payment processor can advise on which applies to your setup.
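Items 3 and 4 above as an added example, not code from the article or from any POS vendor: a shift reconciliation that refuses shared logins and writes hash-chained audit records, so an edited or deleted record breaks the chain and is detectable. The employee IDs, drawer figures, shared-account names and the $5 tolerance are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

SHARED_ACCOUNTS = {"pos", "admin", "cashier"}  # constructed list of generic logins that defeat attribution
VARIANCE_TOLERANCE = 5.00                       # constructed policy threshold, in dollars


def expected_drawer(opening_float, cash_sales, cash_refunds, safe_drops):
    """Cash the drawer should contain at close, from POS-recorded figures."""
    return round(opening_float + cash_sales - cash_refunds - safe_drops, 2)


def reconcile_shift(employee_id, opening_float, cash_sales, cash_refunds, safe_drops, counted):
    """Compare the manual count to the POS expectation; the result is attributed to one employee."""
    if employee_id.lower() in SHARED_ACCOUNTS:
        raise ValueError(f"shared credential {employee_id!r}: reconciliation must be attributable")
    expected = expected_drawer(opening_float, cash_sales, cash_refunds, safe_drops)
    variance = round(counted - expected, 2)
    return {
        "employee_id": employee_id,
        "expected": expected,
        "counted": counted,
        "variance": variance,
        "within_tolerance": abs(variance) <= VARIANCE_TOLERANCE,
    }


def append_record(log, record, when=None):
    """Append a record whose hash covers the previous record's hash, forming a chain."""
    prev_hash = log[-1]["hash"] if log else "0" * 64
    entry = {"ts": (when or datetime.now(timezone.utc)).isoformat(), "prev": prev_hash, **record}
    body = json.dumps(entry, sort_keys=True)
    entry["hash"] = hashlib.sha256(body.encode()).hexdigest()
    log.append(entry)
    return entry


def verify_chain(log):
    """Recompute every hash; return the index of the first broken record, or None if intact."""
    prev = "0" * 64
    for i, entry in enumerate(log):
        if entry["prev"] != prev:
            return i
        body = json.dumps({k: v for k, v in entry.items() if k != "hash"}, sort_keys=True)
        if hashlib.sha256(body.encode()).hexdigest() != entry["hash"]:
            return i
        prev = entry["hash"]
    return None


if __name__ == "__main__":
    audit_log = []
    # Constructed shift: $200 float, $1,834.50 cash sales, $45 refunds, $1,200 dropped to the safe
    append_record(audit_log, reconcile_shift("emp-0412", 200.00, 1834.50, 45.00, 1200.00, 789.50))
    print(audit_log[-1]["variance"], verify_chain(audit_log))
```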

Network Segmentation: Four Separate Environments

A properly designed dispensary network has at least four logically separated segments, each with its own access controls and firewall rules governing what can communicate between them. Collapsing these onto a single flat network is the most common IT mistake our team finds in cannabis retail environments — and it is the mistake with the broadest compliance and security consequences.

POS and payment network. All terminals that process transactions, whether cash or electronic, belong on a dedicated segment. This segment should have no access to the internet except the specific endpoints required for Metrc reporting and payment processing. No general browsing, no email, no administrative access from this segment.

Surveillance network. IP cameras and the NVR that stores their footage belong on a completely isolated segment. This is both a security requirement — IP cameras are among the most frequently compromised network devices — and a performance requirement. Surveillance traffic is high-bandwidth and should not compete with business traffic. The surveillance segment should have no outbound internet access except the specific endpoints required for remote viewing or cloud backup, if those features are used.

Seed-to-sale and business operations network. The workstations used to access Metrc, manage inventory, run back-office applications, and perform administrative tasks belong on a dedicated business network. This segment can have broader internet access than the POS or surveillance segments, but it should still be governed by firewall rules and monitored for anomalous activity. Managed security monitoring applied to this segment provides early warning of compromise before it propagates.

Guest and customer WiFi. If your dispensary offers customer-facing WiFi — whether in a waiting area or as part of a customer experience feature — that network must be completely isolated from all three of the above segments. Guest WiFi users should reach the internet and nothing else. A misconfigured guest network that allows lateral movement into the POS or surveillance segment is a PCI DSS violation and a DCC compliance risk simultaneously.

The hardware that enforces this segmentation — managed switches with VLAN support and a business-grade firewall — is not optional infrastructure. It is the technical control that makes all of the compliance requirements above achievable in practice.
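A default-deny model of the four-segment policy described above, added as an example and not the article's or any firewall vendor's configuration. The VLAN subnets, the Metrc, payment and NVR-backup hostnames, and the port numbers are placeholders; the value is in running every cross-segment flow you care about through the intended policy and comparing the verdicts with what the firewall actually does.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed VLAN plan for the four segments the article describes
SEGMENTS = {
    "pos": ip_network("10.10.0.0/24"),
    "surveillance": ip_network("10.20.0.0/24"),
    "business": ip_network("10.30.0.0/24"),
    "guest": ip_network("10.40.0.0/24"),
}

# Placeholder allow-lists; the real endpoints come from Metrc, the processor and the NVR vendor
METRC_ENDPOINTS = {"metrc-api.example"}
PAYMENT_ENDPOINTS = {"payment-gw.example"}
NVR_CLOUD_BACKUP = {"nvr-backup.example"}


def segment_of(ip: str) -> str:
    """Name the segment an address belongs to; anything outside the plan is 'internet'."""
    addr = ip_address(ip)  # raises ValueError for hostnames
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst: str       # an IP address, or a hostname for named internet destinations
    dst_port: int


def is_allowed(flow: Flow) -> bool:
    """Default deny; only the flows the segmentation design calls for return True."""
    src = segment_of(flow.src_ip)
    try:
        dst_seg, dst_host = segment_of(flow.dst), None
    except ValueError:
        dst_seg, dst_host = "internet", flow.dst
    if src == "pos":       # terminals talk to each other and to Metrc/payment endpoints only
        return dst_seg == "pos" or (flow.dst_port == 443 and dst_host in METRC_ENDPOINTS | PAYMENT_ENDPOINTS)
    if src == "surveillance":  # cameras reach the NVR; the NVR reaches only its backup target
        return dst_seg == "surveillance" or (flow.dst_port == 443 and dst_host in NVR_CLOUD_BACKUP)
    if src == "business":  # broader internet access, but no path into POS or surveillance
        return dst_seg in {"business", "internet"}
    if src == "guest":     # internet only; client isolation blocks guest-to-guest as well
        return dst_seg == "internet"
    return False


def policy_test(matrix):
    """matrix: [(flow, expected_allowed)]; returns the cases where the policy disagrees."""
    return [(f, exp) for f, exp in matrix if is_allowed(f) != exp]
```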

Data Security: Cannabis License Data and CCPA

Dispensaries collect a category of personal information that has no equivalent in most other retail environments: customer identity verification records. California law requires dispensaries to verify customer age and identity before sale. The ID verification data collected in that process — names, birthdates, and ID numbers — is personal information under the California Consumer Privacy Act. If your dispensary operates a loyalty program or maintains a customer account system, the scope of personal data you hold expands significantly.

CCPA grants California residents specific rights regarding their personal data: the right to know what data is collected and how it's used, the right to request deletion, and the right to opt out of the sale or sharing of their data. Dispensaries serving California customers are subject to CCPA if they meet the applicable thresholds. Compliance requires documented data inventories, privacy notices, and operational processes for responding to consumer rights requests — and the IT infrastructure must support those processes, which means knowing where customer data lives, who can access it, and how it is protected in transit and at rest.

Cannabis license data — your own DCC license information, employee license records for cannabis workers, and compliance documentation — is a separate category of sensitive data that should be stored in controlled, access-limited systems. License revocation or compliance issues stemming from data manipulation or unauthorized access to licensing records are rare but not unheard of. Treating license-related records with the same access controls as financial data is the correct posture.

What Happens When Your Metrc Connection Goes Down

This is the scenario dispensary operators most frequently underestimate — because until it happens, it doesn't feel like an IT problem. An internet outage at a dispensary is not just a productivity disruption. It is an active compliance event.

When Metrc is unreachable, transactions that occur during the outage cannot be recorded in real time. DCC regulations require that Metrc entries be made promptly. The longer the outage, the larger the compliance gap. Staff who are not trained on offline procedures may handle the interruption inconsistently — some recording transactions on paper for later entry, others simply waiting, others not documenting what occurred at all. An inconsistent response to a connectivity outage is worse than a documented one, because it makes the eventual reconciliation harder to explain.

The technical prevention is dual-WAN failover. The operational prevention is written procedures for connectivity interruptions: how transactions are documented during the outage, who is responsible for back-entering them into Metrc once connectivity is restored, and how the back-entry is verified against the physical transaction record. Both layers are necessary. A failover connection that activates in under two minutes handles most outages invisibly. Written procedures handle the edge cases that failover doesn't catch — extended outages, cellular coverage gaps, or system-level Metrc issues that affect all licensees simultaneously.

Our team recommends that dispensary operators treat Metrc connectivity with the same priority as their POS payment connectivity. Both are sale-stopping, compliance-impacting failures when they go down. Both deserve the infrastructure investment that prevents them from going down in the first place.
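The back-entry verification step above, as an added example that is not part of the original article: the paper transaction log kept during the outage is matched against the entries made in Metrc once connectivity returned, and anything an inspector would ask about is listed. The record layouts, package tag strings, staff initials and timestamps are constructed.

```python
from collections import Counter
from datetime import datetime


def parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


# Constructed paper log: (paper line, sale time, package tag, grams, staff initials)
PAPER_LOG = [
    ("P01", "2024-05-03 14:05", "TAG-000101", 3.5, "JD"),
    ("P02", "2024-05-03 14:12", "TAG-000102", 7.0, "JD"),
    ("P03", "2024-05-03 14:30", "TAG-000103", 1.0, "MK"),
    ("P04", "2024-05-03 14:41", "TAG-000101", 3.5, "MK"),
]

# Constructed Metrc back-entries: (package tag, grams, sale time as recorded, time entered)
METRC_BACK_ENTRIES = [
    ("TAG-000101", 3.5, "2024-05-03 14:05", "2024-05-03 15:20"),
    ("TAG-000102", 7.0, "2024-05-03 14:12", "2024-05-03 15:21"),
    ("TAG-000101", 3.5, "2024-05-03 14:41", "2024-05-03 15:22"),
    ("TAG-000199", 1.0, "2024-05-03 14:35", "2024-05-03 15:23"),
]


def reconcile(paper, metrc, outage_start, outage_end):
    """Match each paper line to exactly one back-entry on (tag, quantity, sale time).

    Two sales of the same tag and quantity are distinguished by the sale time the
    staff wrote down, so a duplicate back-entry shows up as unexplained rather than
    silently matching. Returns what must be explained before an inspection.
    """
    start, end = parse(outage_start), parse(outage_end)
    wanted = Counter((tag, qty, ts) for _, ts, tag, qty, _ in paper)
    have = Counter((tag, qty, ts) for tag, qty, ts, _ in metrc)
    missing = sorted((wanted - have).elements())       # sold on paper, never entered
    unexplained = sorted((have - wanted).elements())   # entered, but no paper record
    outside = [e for e in metrc if not (start <= parse(e[2]) <= end)]
    return {
        "outage_minutes": int((end - start).total_seconds() // 60),
        "matched": sum((wanted & have).values()),
        "missing_in_metrc": missing,
        "unexplained_in_metrc": unexplained,
        "outside_window": outside,
        "clean": not missing and not unexplained and not outside,
    }


if __name__ == "__main__":
    print(reconcile(PAPER_LOG, METRC_BACK_ENTRIES, "2024-05-03 14:00", "2024-05-03 15:10"))
```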

Cybersecurity for Cannabis Retailers

Cannabis businesses are increasingly targeted by cybercriminals for reasons that are specific to the industry. Cash-heavy operations are assumed to have weaker financial controls. Regulated businesses are known to hold detailed records — license data, transaction histories, customer identity verification — that have value in criminal markets. And the cannabis industry's history of operating outside mainstream financial systems has left some operators with IT infrastructure that was built for speed rather than security, creating exploitable gaps.

Phishing is the most common initial access vector. Dispensary staff receive email impersonating DCC, Metrc support, cannabis banking partners, or delivery service providers. A staff member who clicks a malicious link or provides credentials to a fake login page can hand an attacker direct access to business systems — including Metrc, POS administration, and financial accounts. Security awareness training is not optional at this point; it is a documented control that reduces the most statistically likely attack path.

Ransomware targeting cannabis businesses has been documented in multiple states, and the leverage it creates is specific to the industry. Encrypted Metrc access records, encrypted surveillance footage archives, and encrypted cash reconciliation logs create compliance emergencies simultaneously with the operational emergency. Paying a ransom does not restore compliance standing — it just gets the data back, if the attacker honors the payment at all.

The baseline cybersecurity controls for a dispensary environment include endpoint detection and response (EDR) software on all business workstations, multi-factor authentication on all cloud accounts and remote access systems, immutable offsite backups that ransomware cannot reach or encrypt, and network monitoring that identifies anomalous behavior before it escalates into a full incident. These are not theoretical controls — they are the specific mechanisms that prevent the specific attacks currently targeting cannabis retailers.

For dispensaries operating in Southern California, working with an MSP that understands the cannabis regulatory environment means not having to explain why Metrc uptime and surveillance retention matter to an IT provider who only thinks in generic retail terms. The compliance context changes what infrastructure decisions are made and how urgently they're treated.

IT Built for California Cannabis Compliance

IT Center helps dispensaries in Southern California design and maintain the IT infrastructure their DCC license requires — Metrc failover connectivity, surveillance retention systems, network segmentation, CCPA data controls, and cybersecurity. Start with a conversation about where your current environment stands.
