As of March 31, 2025, the transition period for PCI DSS v4.0.x ends—and a host of once-optional controls become obligations for all U.S. cannabis and hemp e-commerce merchants, including dispensaries, direct-to-consumer (DTC) brands, and marketplace facilitators. Whether you’re a startup selling hemp CBD online or a multistate cannabis e-commerce platform, PCI DSS cannabis ecommerce requirements are evolving rapidly.

This guide will help you understand what changes on March 31, 2025, and how to proactively address your compliance, risk, and documentation obligations under PCI DSS v4.0.1 and the new e-commerce implementation guidance released in early 2025.

PCI DSS 4.0.1: Key Federal Changes That Go Live March 31, 2025

The Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 brings substantial security and compliance uplift for all entities that process, store, or transmit payment card data. After March 31, 2025, requirements previously marked as “best practice” move into the mandatory column [PCI Security Standards Council | McDermott Will & Emery].

Major changes for cannabis and hemp e-commerce merchants include:

• Mandatory new requirements around e-commerce website scripts and integrity protection (notably Requirements 6.4.3 and 11.6.1).
• Enhanced multi-factor authentication (MFA) rules for user and administrative access to the cardholder data environment (CDE).
• Updated eligibility and scope for Self-Assessment Questionnaires (SAQs)—especially for merchants using embedded checkouts, hosted fields, or tokenization providers.
• Expanded requirements for change detection, logging, and real-time monitoring of payment pages.
• Stricter expectations for third-party provider due diligence and sharing of PCI responsibilities between marketplace facilitators, payment service providers (PSPs), and merchants.

Outsourcing e-commerce or card processing does not remove your PCI obligations: All cannabis/hemp entities that accept cards online must complete the appropriate SAQ and maintain supporting evidence—even if all cardholder data is handled via a PSP or external gateway [McDermott Will & Emery].

What’s Changed in E‑Commerce? New E‑Commerce Implementation Guidance

In early 2025, the PCI Security Standards Council issued specific guidance clarifying compliance for modern e-commerce implementations:

• Headless commerce and embedding scripts (for checkout or payment entry fields) bring increased complexity and risk for script injection/skimming attacks.
• Merchants using tokenization and hosted fields must carefully document their data flows and service provider roles.
• Multi-factor authentication now applies to almost all admin access, but may also apply to privileged user functions on e-commerce platforms.
• Marketplace, facilitator, and platform relationships require clear boundaries about who controls each PCI requirement—and how each party provides evidence of compliance extracted from their own infrastructure and controls.

Key Compliance Takeaway: If you rely on headless, embedded, or API-driven e-commerce checkouts, your PCI scope and your annual Self-Assessment Questionnaire (SAQ) type may have changed. Always confirm your current scope before your next attestation cycle [PCI SSC].

PCI DSS Compliance Checklist for Cannabis/Hemp E‑Commerce (2025)

Use this actionable checklist to get ready for the March 31, 2025 PCI DSS v4.0.1 deadline:

1. Identify Cardholder Data Flows (Data Mapping)

• Map all points where card data is collected, transmitted, or displayed—including embedded fields, hosted payment pages, direct API connections, and third-party scripts.
• Illustrate data flows from consumer browser to your site/platform to your payment processor.
• Catalog all scripts and third-party components present on e-commerce payment pages.

2. Validate Your SAQ Type and Scope

• Confirm current qualification for SAQ A, SAQ A-EP, or SAQ D, depending on exposure to cardholder data and e-commerce structure ([Scandiweb | Centraleyes]).
• New SAQ A criteria now exclude merchants who use custom or third-party scripts affecting payment pages—many cannabis and hemp retailers must now use A-EP or even D.
• For marketplace/aggregator platforms, clarify the PCI DSS validation boundaries between your organization and the facilitator.

3. Implement and Document Script Controls (Requirements 6.4.3 & 11.6.1)

• Maintain a list/inventory of all scripts running on your e-commerce payment pages.
• Justify and authorize each script and implement technical controls (e.g., CSP headers, script integrity checks).
• Use a change detection or file integrity monitoring tool to detect unauthorized changes to payment page content and scripts. Alerts must be generated on modification.

4. Strengthen Multi-Factor Authentication (MFA) Coverage

• Enforce MFA for all administrative and privileged user access to the e-commerce environment, even if no cardholder data is stored on your own servers.
• For cloud-based commerce or SaaS platforms, ensure MFA scope covers both your staff and any third-party partners with backend access [OneSpan].

5. Tune Anti-Fraud and Age Verification Systems

• Implement risk-based authentication, 3D Secure (3DS), or equivalent solutions for high-risk/age-gated online orders.
• Tune real-time anti-fraud systems for anomalous ordering, resale indicators, and chargebacks—especially critical for DTC cannabis and hemp sales.
• Retain evidence of age verification and flagged high-risk transaction reviews for annual assessments.

6. Logging, Monitoring, and Evidence Retention

• Automatic logging of all access, changes, and administrative actions on payment systems and checkout pages.
• Review audit logs regularly using automated mechanisms as required under PCI DSS 4.0.1 (SecurityMetrics).
• Archive monitoring evidence and system logs to support your next annual assessment or Attestation of Compliance (AOC).

7. Clarify Third-Party/Service Provider Roles

• Request and review Attestations of Compliance (AOCs) from all payment gateways, PSPs, and embedded checkout vendors.
• Determine exactly which PCI controls are covered by providers—and which remain your obligation.
• For marketplace facilitators, get clear documentation splitting PCI responsibility by process (e.g., order capture, cardholder data entry, post-sale services).

8. Prepare for Annual Assessment and Documentation

• Gather all required evidence for your current SAQ and/or external Report on Compliance (ROC).
• Keep up-to-date policy documentation, evidence of ongoing training, and procedural logs.
• Ensure staff understand their roles in PCI compliance and that you can demonstrate ongoing compliance (not just point-in-time) in 2025.

Marketplace Facilitators and PSPs: Who Owns Compliance?

Complex cannabis/hemp e-commerce ecosystems—especially federated marketplaces and platforms—raise challenging PCI responsibility questions:

• As a merchant on a marketplace: You are still responsible for your own PCI DSS assessment and evidence within your control, even if most card data is processed by the platform or an external PSP.
• As a facilitator/aggregator: You must document the PCI DSS roles for every payment flow you enable, including any custom scripts, order data, or intermediate services you control.
• Reconciling SAQ and platform attestations: You cannot simply inherit a platform or facilitator’s SAQ/AOC; you must adapt their evidence into your own PCI DSS documentation and assessments for 2025 (Gorspa | McDermott Will & Emery).

If in doubt, consult the latest PCI SSC guidance or specialist advisors—especially for highly customized, headless, or multi-vendor cannabis commerce sites.

Takeaways: What Cannabis & Hemp E‑Commerce Merchants Must Do NOW

• Review and update your PCI DSS scope, SAQ eligibility, and cardholder data flows in early 2025.
• Audit scripts and third-party elements on e-commerce payment pages and deploy monitoring/integrity controls well before March 31, 2025.
• Confirm provider responsibilities and documentation—do not assume platforms fully cover your PCI DSS requirements.
• Automate logging, monitoring, and review cycles for your site and connected systems.
• Retain evidence and prepare for more rigorous annual PCI DSS assessments after the 2025 cutover.

For dispensaries, DTC brands, and e-commerce operators, embracing robust PCI DSS cannabis ecommerce compliance is non-negotiable. The new e-commerce landscape needs proactive preparation, strong documentation, and an understanding that risk and compliance are shared responsibilities.

For more in-depth federal and state regulatory support, or to streamline your PCI DSS readiness, use CannabisRegulations.ai to stay ahead of compliance deadlines and build a trusted, secure cannabis or hemp e-commerce business.