Security

Last Updated: April 1, 2026
Cannabis businesses face elevated security risks. Our infrastructure is purpose-built for the cannabis payments environment, with multiple layers of protection at every touchpoint.
PCI DSS Level 1  ·  SOC 2 Type II  ·  P2PE Terminals  ·  FIPS 140-2 HSMs  ·  TLS 1.3

PCI DSS Compliance

MMJPay maintains PCI DSS Level 1 certification — the highest tier — requiring annual on-site assessment by a certified Qualified Security Assessor (QSA), quarterly network vulnerability scans, annual penetration testing, and strict network segmentation isolating cardholder data.

Encryption & Tokenization

  • Point-to-Point Encryption (P2PE) on all certified terminals — card data is encrypted at the point of interaction before it reaches your network
  • All data in transit uses TLS 1.3
  • Cardholder data is tokenized immediately — raw card numbers are never stored
  • Encryption keys managed via hardware security modules (HSMs) with FIPS 140-2 certification
  • Data at rest encrypted using AES-256

Access Controls

  • Role-based access control (RBAC) — employees access only data required for their function
  • Multi-factor authentication required for all employee access to production systems
  • All access logged and subject to quarterly reviews
  • Terminated employee access revoked within one hour of separation

Monitoring & Detection

  • 24/7 Security Operations Center (SOC) with dedicated security analysts
  • SIEM platform aggregating logs across all systems
  • IDS/IPS on all network segments
  • Automated anomaly detection for unusual transaction patterns
  • Real-time fraud scoring on all transactions

Physical Security

Our infrastructure is hosted in SOC 2 Type II certified data centers with biometric access controls, 24/7 on-site security, redundant power and cooling, and geographically distributed facilities for disaster recovery.

Incident Response

Incidents are triaged within 1 hour of detection. Affected merchants are notified within 72 hours of a confirmed breach, as required by applicable law.

Merchant Security Best Practices

  • Enable two-factor authentication on your merchant portal account
  • Never share portal credentials; remove access promptly when employees leave
  • Report suspicious terminal behavior or unexpected transactions immediately
  • MMJPay will never ask for your password via email

Report a Vulnerability

Security disclosures: [email protected]. Please do not publicly disclose vulnerabilities until we have investigated and remediated.
