Dispensary Security Requirements and Best Practices

State cannabis regulators don't leave security to the imagination. Across the country, dispensary security rules are codified in licensing statutes, administrative codes, and agency rulemaking — and failing to meet them can mean fines, license suspension, or permanent closure. This page covers the regulatory framework governing dispensary physical security, surveillance, access control, and cash handling, along with how those requirements translate into day-to-day operations.

Definition and scope

A dispensary security requirement is any state-mandated or locally-mandated standard that a licensed cannabis retail facility must satisfy to protect inventory, employees, customers, and the public. These requirements exist because cannabis businesses occupy a legally unusual position: they handle a federally controlled substance, operate largely in cash (a consequence of limited banking access explored more fully at Dispensary Banking and Payments), and store high-value inventory that is inherently portable.

The scope is broad. Requirements typically address physical structure (vault specifications, door reinforcement), electronic surveillance (camera placement, resolution, retention), alarm systems, personnel practices, and record-keeping. The regulatory context for dispensary operations clarifies how these mandates sit within the larger licensing and compliance architecture — security is rarely a standalone checklist, but rather one pillar of a full compliance program.

At the federal level, the Financial Crimes Enforcement Network (FinCEN) has issued guidance (FIN-2014-G001) establishing Bank Secrecy Act expectations for cannabis businesses, which indirectly shapes how dispensaries manage cash and documentation. State agencies — California's Department of Cannabis Control (DCC), Colorado's Marijuana Enforcement Division (MED), Michigan's Cannabis Regulatory Agency (CRA), and others — publish their own detailed security matrices.

How it works

Security compliance at a licensed dispensary operates in discrete layers, each addressed by state administrative code:

1. Physical perimeter controls. Most states require exterior doors to be solid-core or equivalent steel construction, with commercial-grade locks. Dispensaries in states like California (California Code of Regulations, Title 16, §5042) must maintain a limited-access area separating retail space from storage. Windows in storage areas are typically required to be barred, secured with security film, or eliminated entirely.

2. Video surveillance systems. Camera requirements are among the most specific in any licensing code. Colorado's MED (1 CCR 212-3, Rule 3-225) specifies that cameras must capture a minimum 720p resolution, cover all points of sale, all storage areas, all entry and exit points, and the exterior perimeter. Footage retention periods commonly range from 30 to 90 days depending on the state.

3. Alarm systems. A monitored intrusion alarm connected to a licensed security company is a near-universal requirement. Many states additionally mandate panic or duress buttons at each point-of-sale terminal and at the manager's station.

4. Vault and safe storage. Controlled inventory must be secured in a locked vault or safe when the facility is closed. Weight, anchoring, and fire-rating specifications vary, but a common floor requirement is a UL-verified safe bolted to the building's structure.

5. Personnel and access logs. Employees must typically wear visible identification, and dispensary operators must maintain access logs documenting who entered restricted areas and when. These logs are subject to inspection by state licensing authorities without advance notice.

6. Cash handling protocols. Given that most dispensaries operate as cash-intensive businesses, security plans must address cash transport, safe drop procedures, and armored courier use. Some states require that cash transport routes and schedules not be predictable or repeated.

Common scenarios

Security failures tend to cluster around a few patterns. Surveillance blind spots — a camera mounted too high, angled wrong, or left on a degraded recording setting — account for a disproportionate share of compliance citations in state audit reports. California's DCC has cited inadequate video coverage as one of the leading correctable deficiencies in routine inspections.

Staffing gaps represent another category. Security guard requirements vary: California requires a licensed security guard on the premises during all operating hours (BPC §26070); other states require only that a security plan account for after-hours response. The distinction matters operationally — a dispensary on the dispensary licensing requirements path needs to verify guard licensing requirements in its specific jurisdiction before opening.

Cash storage overflows — when daily receipts exceed safe capacity — create ad hoc risk that a written security plan may not address. This is particularly acute for high-volume medical dispensaries, where patient traffic can be dense and transactions are tightly logged through track-and-trace systems like METRC.

Decision boundaries

Not every security measure is required, and over-engineering creates its own operational friction. The line between mandatory and voluntary generally falls along three criteria:

• State versus local jurisdiction. A state licensing code sets the floor; municipal ordinances can add requirements but not remove them. A dispensary in a city with a 90-day camera retention mandate isn't compliant with just the state's 30-day standard.
• Medical versus adult-use license type. Some states apply stricter physical security standards to adult-use retail than to medical facilities, while others do the reverse. The contrast between medical vs recreational dispensary licensing structures often carries security-specific differences worth reviewing in the relevant state code.
• Square footage and daily transaction volume. Several states tier their surveillance requirements by facility size. A micro-retailer under 1,000 square feet may have fewer required camera positions than a full-scale adult-use store, though minimum coverage points (entrance, exit, POS, storage) remain constant.

The full picture of what drives security compliance — from inventory tracking to staff background check mandates — sits within the broader dispensary compliance requirements framework. The dispensary industry statistics page provides context on how the industry scale shapes why regulators treat security with the seriousness normally reserved for financial institutions.