Last updated: February 2025

Selling CBD, vape, supplements, or adult products on Shopify UK? Here's how to set up a store that's legally compliant, properly structured, and able to take payments without the risk of account freezes or sudden shutdowns.

High risk doesn't mean high stakes — it means higher standards

If you're selling CBD, vape products, supplements, or adult items on Shopify in the UK, you're operating in a category that the mainstream payment and platform infrastructure wasn't built for. Shopify Payments won't support you. Stripe will decline your application. PayPal will eventually close your account. And if you get through onboarding with a specialist processor that still relies on card networks, you're never entirely sure how long that relationship will hold.

This isn't because what you're selling is illegal. It's because card networks and the processors that depend on them apply categorical risk rules that don't distinguish between compliant, well-run operators and those at the margins. You get treated the same regardless of how carefully you've set up your business.

The good news is that with the right structure — business registration, compliant content, proper age verification, appropriate legal pages, and a payment processor that's built for regulated UK ecommerce — you can build a Shopify store that operates reliably, avoids the account freeze risk, and doesn't require you to constantly look over your shoulder at your payment infrastructure.

This guide covers every layer of that structure, in the order you need to build it.

Quick summary

• High-risk categories on Shopify include CBD, vape, nicotine products, supplements making health claims, and adult products — "high risk" means higher compliance requirements, not that you're doing anything wrong

• The setup requirements that protect your store from shutdown are legal business registration, compliant product copy, age verification for restricted items, properly drafted legal pages, and the right payment gateway

• Shopify Payments, Stripe, and PayPal all block these categories — specialist payment providers are required, and not all of them are equal

• Pay by Bank via Fena bypasses card network classification entirely — eligibility is based on legal UK operation rather than card category policy — and is FCA-regulated, chargeback-free, and built for regulated UK ecommerce

• Getting the compliance foundations right before launch is substantially less painful than rebuilding after an account freeze or enforcement action

What "high risk" actually means on Shopify

Shopify's classification of product categories as high-risk reflects the risk profile those categories carry for card network processors, not a judgement on the legality of what you're selling. Categories end up as high-risk for several distinct reasons.

Regulatory complexity.

Products like CBD operate in a regulatory environment that's evolving and genuinely complex — FSA novel food authorisation requirements, THC content limits, labelling standards. The regulatory uncertainty creates processing risk that card networks prefer to avoid categorically rather than assess individually.

Historical chargeback rates.

Some categories attract elevated dispute rates — often from customer misunderstanding of product descriptions or expected effects rather than fraud or non-delivery. Elevated chargeback rates make card processors cautious, and caution becomes categorical restriction.

Card network acceptable use policies.

Visa and Mastercard set global policies on which product types can be processed through their networks. These policies don't always align with UK law — something that's legal and regulated in the UK can still fall outside card network acceptable use globally. Processors operating on card infrastructure have to follow network rules regardless of local legality.

Age-restricted products.

Anything requiring age verification — vape products, nicotine, adult content — carries specific compliance requirements that card processors treat as additional risk exposure.

Understanding why the classification exists helps you understand what the solution requires. The answer isn't just finding a processor willing to onboard you — it's building a store structure that demonstrates compliance at every layer.

Step one: register your business properly

The foundation of any compliant UK ecommerce store is a properly registered business with a verifiable identity. For high-risk categories in particular, this matters more than for standard retail because the compliance documentation you'll need at multiple points — for payment processor onboarding, for supplier verification, for any regulatory enquiry — all traces back to the registered business.

Register with Companies House. Use a valid UK business address that you can verify. The business name should match what appears on your store and in any communications to customers.

If you're selling regulated products — CBD under FSA novel food requirements, nicotine products under TRPR regulations — understand what those specific frameworks require for your product category. The payment processor compliance is one layer; the product compliance is a separate but equally important one. Both need to be in place.

Keep registration documents, any relevant certifications or licences, supplier agreements, and product documentation organised and accessible. These will be requested during payment processor onboarding and may be needed at other points.

Step two: build a professional store with compliant copy

The content of your Shopify store — product descriptions, marketing copy, brand messaging, imagery — needs to meet compliance standards that are more demanding for regulated categories than for standard retail.

The most important compliance requirements affect what you can and can't claim about your products. For CBD and supplements, the FSA and ASA are clear: health claims that imply the product diagnoses, treats, or cures a medical condition are not permitted for food supplements without specific authorisation. Phrases like "cures anxiety," "relieves chronic pain," "heals inflammation," or any equivalent wording are non-compliant. The same applies to performance claims that imply medical effects.

Permitted copy focuses on the product itself — what it contains, where it's sourced, how it's produced — without making claims about its effects on health conditions. Lifestyle positioning that doesn't imply medical benefit is generally acceptable, but the line can be fine and the ASA enforcement is active in this space. When in doubt, conservative wording is the right call.

For adult product categories, imagery and content must comply with UK advertising standards. Overly explicit content in product images or descriptions creates both compliance risk and payment processor risk — most processors review store content as part of onboarding and will decline or terminate merchants whose content falls outside their standards.

For all categories, avoid superlative claims that aren't verifiable — "the UK's best," "100% effective," "guaranteed results" — as these create both advertising compliance issues and customer expectation problems that generate disputes.

A professional design that looks credibly established helps in two ways: it builds customer trust, and it signals to payment processors and any other reviewers that this is a well-run operation rather than a hasty setup.

Step three: implement age verification

For age-restricted product categories — vape and nicotine products, adult content, and certain other categories — age verification is a legal requirement in the UK, not an optional best practice.

The UK Vaping Industry Association and MHRA guidance on nicotine products requires age verification before sale. For adult content and products, the Online Safety Act creates age assurance requirements. For alcohol, similar requirements apply.

Shopify's app ecosystem includes several age verification solutions — Age Check, AgeID, and others — that integrate with product pages and checkout to require verification before purchase can proceed. The right choice depends on your specific product category and the level of verification that regulatory requirements mandate. Some categories require basic date-of-birth self-declaration; others require more robust identity verification.

Implement age verification at both the product page level and the checkout. Product-level verification prevents restricted content from being accessible to unverified visitors. Checkout-level verification ensures that no restricted purchase can be completed without verification being completed first.

Document your age verification implementation as part of your compliance record. If your operation is ever reviewed — by a regulator, by a payment processor conducting a risk audit, or by a supplier conducting due diligence — being able to demonstrate that compliant age verification is in place is important evidence of responsible operation.

Step four: publish and maintain your legal pages

Every Shopify store needs legal pages. High-risk stores need them to be more carefully drafted and more easily findable than standard ecommerce legal pages — because they form part of the compliance evidence that supports your payment processing relationship and any regulatory review.

Terms and Conditions

should cover the specific requirements of your product category — intended use statements for research compounds or supplements, age restriction acknowledgements, geographical restrictions on sale where relevant, and clear statements about what the products are and aren't.

Privacy Policy

must comply with UK GDPR, covering what data you collect, how it's used, how long it's retained, and the customer's rights. This is a legal requirement for all UK ecommerce, but high-risk categories warrant particular care because the data involved may be more sensitive.

Refund and Returns Policy

should reflect UK consumer protection law — the right to return most goods within 14 days for online purchases — while being clear about any specific exclusions or conditions that apply to your product category.

Shipping Policy

should be transparent about delivery timelines, costs, and any geographical restrictions. For regulated products, including any customs or import restrictions for international orders is important.

Intended Use and Disclaimers

are particularly important for CBD, supplements, and research compounds. Statements clarifying that products are not intended to diagnose, treat, cure, or prevent any medical condition need to be visible and clear — both for regulatory compliance and to reduce the customer misunderstanding that drives disputes.

Make all legal pages easily accessible from the footer of every page on your store. Hidden or difficult-to-find legal pages create both trust problems with customers and compliance problems in any review.

Step five: choose a payment gateway that works for your category

This is where many high-risk Shopify stores get it wrong — not through lack of effort, but by choosing the wrong type of solution.

Shopify Payments and PayPal are non-starters for CBD, vape, adult products, and most supplement categories with health claims. They will either decline your application or terminate your account during a risk review, and the timing is unpredictable. Merchants who have built their store and customer base on these processors and then face sudden termination have no payment infrastructure and no warning period.

Traditional specialist high-risk card processors solve the access problem but introduce others: fees of 4–7% per transaction, rolling reserves that hold back a percentage of turnover, lengthy underwriting processes, and the same underlying card network exposure — just with a processor that has a higher risk appetite. The account freeze risk doesn't disappear; it's reduced.

Pay by Bank via Fena approaches the problem differently, and it's the approach worth understanding before defaulting to a specialist card processor.

Fena uses UK open banking payment rails — FCA-regulated, direct bank-to-bank — rather than card network infrastructure. Because card networks are not involved, card network acceptable use policies don't apply to the payment flow. A merchant selling legal CBD or vape products in the UK isn't restricted by Fena because the restriction mechanism that applies to card-based processors simply doesn't exist in the open banking model.

FCA authorisation.

Fena is FCA-authorised to provide open banking payment services. The payment infrastructure operates under the same regulatory oversight as the banking system itself — not under card network rules that have no relationship to UK law.

No chargebacks.

Pay by Bank transactions don't go through card networks, so card chargeback mechanisms don't apply. For high-risk categories where chargeback rates drive processor risk assessments, removing chargebacks from the equation materially changes the risk profile of the operation.

Same-day or instant settlement.

Funds settle directly to your bank account without the rolling reserves or delayed settlement windows typical of specialist card processors. Revenue earned is revenue available.

Compliance tooling included.

Fena's integration includes KYC verification and age verification capabilities — the compliance infrastructure high-risk merchants need as part of the payment flow rather than as a separate system to configure and maintain.

Shopify-native integration.

Fena integrates directly with Shopify as a checkout payment option alongside any other methods you offer. It doesn't require replacing your store setup — it adds a payment option that works for your category.

For merchants who want to maintain card payment options alongside Pay by Bank — whether through a specialist card processor or any other available route — Fena operates as a complementary addition rather than a requirement to replace everything else.

Common mistakes that lead to account freezes — and how to avoid them

Knowing what not to do is as useful as knowing what to do, and the mistakes that lead to account freezes in high-risk categories follow consistent patterns.

Using Shopify Payments or Stripe as a primary processor.

These processors will terminate high-risk category accounts. The timeline is unpredictable but the outcome is consistent. Using them as a primary processor while planning to add a compliant alternative "later" is a risk that regularly results in stores being left without payment infrastructure at a critical moment.

Non-compliant product copy.

Health claims on CBD or supplement products are the most common content compliance failure. Payment processors review store content, and non-compliant claims are grounds for termination independently of any regulatory action.

Missing or inadequate age verification.

For age-restricted categories, missing age verification is both a legal compliance failure and a payment processor compliance failure. Processors who do support these categories typically require evidence of age verification as part of onboarding.

Unclear intended use statements.

For research compounds and certain supplements, the absence of clear intended use statements creates both regulatory risk and dispute risk. Customers who purchase something without a clear understanding of its intended use are more likely to dispute the transaction.

Multiple simultaneous payment providers without a stable primary.

Operating with multiple payment providers in unstable relationships — onboarding with a new processor while still dependent on a previous one being terminated — creates operational vulnerability. Establishing a stable primary payment infrastructure before the previous one fails is significantly better than building it under pressure.

Frequently asked questions

What makes a Shopify product category high risk in the UK?

High-risk classification reflects regulatory complexity, card network acceptable use policies, or historical chargeback rates associated with the category — not necessarily the legal status of the products. CBD, vape and nicotine products, adult content, and supplements making health claims are all commonly classified as high risk by card processors and Shopify Payments even when they're sold legally and compliantly in the UK.

Can I use Shopify Payments or PayPal for CBD or vape products?

No. Both platforms block these categories through their acceptable use policies. Merchants who attempt to process these products through Shopify Payments or PayPal risk account termination, held funds, and payment disruption. Specialist payment options are required for these categories.

How do I add age verification to a Shopify store?

Shopify's app ecosystem includes several age verification solutions that integrate with product pages and checkout. The right choice depends on your specific product category and the regulatory requirements that apply to it. Age verification should be implemented at both the product page and checkout stages, and the implementation should be documented as part of your compliance record.

Do I need a licence to sell CBD or vape products on Shopify UK?

A specific licence isn't typically required, but the compliance requirements are detailed and specific. CBD products must comply with FSA novel food authorisation requirements if they make food supplement claims. Vape and nicotine products must comply with TRPR regulations including TPD-compliant product specifications and age verification requirements. Marketing must comply with ASA standards. Non-compliance in any of these areas creates regulatory risk independently of payment processing.

Why does Pay by Bank via Fena work for high-risk UK merchants?

Pay by Bank uses open banking payment rails rather than card network infrastructure. Card network acceptable use policies — the mechanism that blocks high-risk categories from Shopify Payments and similar processors — simply don't apply to the open banking payment flow. Eligibility is based on legal operation in the UK and meeting Fena's compliance requirements, not on a categorical card network policy. Fena is FCA-authorised, which provides regulated payment infrastructure appropriate for compliant high-risk merchants.

What is the risk of using a specialist high-risk card processor instead of Pay by Bank?

Specialist high-risk card processors solve the access problem but typically come with fees of 4–7% per transaction, rolling reserves, and the ongoing risk of account termination if dispute rates rise or the processor's risk appetite changes. They're still using card network infrastructure, so the fundamental card network risk classification hasn't been removed — it's been accommodated by a processor with higher risk tolerance. Pay by Bank bypasses this layer entirely.

How quickly can I launch a compliant high-risk Shopify store with Fena?

The timeline depends primarily on how quickly the compliance foundations can be established — business registration, compliant copy, age verification, and legal pages. Fena's onboarding for Pay by Bank is designed to be faster than traditional specialist card processor underwriting, which can take weeks due to extensive documentation requirements. The integration with Shopify is straightforward and doesn't require significant development work.