CBD, Payment Processing, and PCI Compliance

May 2, 2018

Online vendors of CBD oil are accustomed to being classified as high-risk businesses, but when it comes to payment processing PCI DSS compliance, a small to medium-size eCommerce site is almost certainly considered “low-risk.”

PCI DSS defines risk based on how many transactions a company processes. This means that all of the service providers that you work with – your payment processor, payment gateway, bank, eCommerce platform – are likely considered to be high-risk. High-risk, which is “PCI DSS Level 1” on the compliance scale, translates to handling 1 million or more payment card transactions a year.

Anyone whose business involves payment cards (credit, debit, and/or prepaid cards) is responsible for complying in some fashion – even if it’s only doing your due diligence when selecting service providers – with the payment processing PCI DSS. Read on to find out what you need to do.


PCI DSS stands for “Payment Card Industry Data Security Standard.” Typically, people just refer to the standard as PCI.

The standard itself is a set of 12 minimum technical and operational best practices for securing payment card data when it is captured, in transit, or at rest. This covers the entire sale cycle – you capture the data when a consumer provides his or her payment card information. That info then travels through various links in the payment services chain and ultimately is stored “at rest” in a database.

Payment processing PCI DSS compliance is intended to help businesses prevent, identify, and defend against security threats involving the use of data associated with payment cards. The PCI DSS was established and is updated as needed by the PCI Security Standards Council, which was founded in 2006 by American Express, Discover, JCB International, MasterCard, and Visa Inc. The current version of the PCI DSS is v 3.2.


Yes, any merchant that accepts payment cards needs to be in compliance with the payment processing PCI DSS requirements. If you don’t comply, you may be subject to fines and penalties – worst-case scenario you can lose your ability to accept payment cards.

The compliance requirements vary according to the type and size of your business. Payment processing PCI DSS compliance has four tiers. The number of transactions a business processes typically determines the standards they need to comply with – the more the transactions, the more you need to do to secure data. A company that handles a lot of transactions, such as a Payment Processor, is required to comply with a much stricter standard. A merchant with a small, online store that processes less than a few thousand transactions a month has more basic responsibilities.

Here’s how Visa breaks it down:

  • A PCI DSS Level 1 merchant processes over 6 million Visa transactions per year. But payment card providers may decide that any specific business, due to its perceived risks or after experiencing a data breach, falls under Level 1.
  • A PCI DSS Level 2 merchant processes 1 million to 6 million Visa transactions per year.
  • A PCI DSS Level 3 merchant processes 20,000 to 1 million Visa e-commerce transactions per year.
  • A PCI DSS Level 4 merchant processes less than 20,000 Visa e-commerce transactions per year.


store transaction between a man and a clerk


In general, a small business selling CBD products will work with third-parties such as payment processors like T1 Payments, e-commerce web platforms, or other service providers to accept card payments.  While you cannot absolve yourself of all responsibility for PCI compliance when working with third parties, your primary duty is due diligence. In other words, you need to find out what level of payment processing PCI DSS compliance your partners must comply with and determine, to the best of your ability, whether they do.

Service providers can opt to have an annual onsite assessment conducted by a qualified auditor or may conduct an annual self-assessment. Choosing one method over another is not particularly indicative of the provider’s compliance. 

So how do you validate whether your partner really is compliant with PCI DSS?

Google to see if they have experienced any security breaches. If so, find out when it happened, why, and how the problem was mitigated. If a provider has experienced multiple breaches, you might want to consider other options.

Talk to the sales rep. or customer care person about payment processing PCI DSS compliance. Some providers may tell you that they go beyond compliance with PCI DSS and that’s a good thing to hear because it’s meant only to address a standard set of security protections. Simply working with businesses that provide compliance for PCI DSS Level 1 to Level 4 merchants isn’t enough when looking to protect your customers from incidents of a data breach.

Use your best judgment as an indicator of a provider’s compliance. Ask yourself these questions: Is the company well-established? Does it have solid relationships in the financial industry? Does its customer support and/or sales department respond easily and knowledgeably to questions about PCI DSS, or is there a very long pause? Do they seem to be irritated that you asked about compliance? Is PCI DSS compliance mentioned on the company’s website?

Bottom line: payment processing PCI DSS compliance becomes a part of your job description when you run an eCommerce business site. As a small business owner with partners handling payment card processing, your business’s risk exposure is probably minimal, but you need to choose the right partners. Keep records of the questions you ask potential partners and their answers to prove you did your due diligence. Choose established providers and remember that the least expensive option may end up costing you the most in the long run.

T1 Payments specializes in meeting the needs of high-risk merchants, providing a full suite of payment processing, including advanced fraud scrubbing and other risk management tools, and payment gateway services that integrate with over 175 different shopping carts. It can help with payment processing PCI DSS compliance for any CBD business.

T1 also provides flat fee merchant accounts, complies fully with PCI DSS (Level 1), and offers comprehensive account monitoring, reporting, and support to help high-risk merchants avoid chargebacks, fraud, and other business risks. To find out more about our customizable global payment solutions for high-risk merchants, please call 866-518-2216.