February 20, 2026

Platform Compliance for Hemp‑THC E‑Commerce: Shopify, BigCommerce, and WooCommerce Rules in 2025

Selling hemp-derived THC and CBD products online in the U.S. isn’t just a question of “is it legal?” It’s also a question of whether your commerce platform, payment stack, and carrier will allow it—today, next month, and when state rules change mid‑promotion.

In 2025, merchants learned the hard way that a storefront can be compliant with one layer (the Farm Bill definition of hemp), while still being non‑compliant with another layer (FDA/FTC marketing rules, card‑network risk controls, platform acceptable‑use policies, or carrier restrictions). The result is a fragile stack: a single failed attestation, chargeback spike, or prohibited shipping destination can freeze funds or take a store offline.

This guide focuses on federal considerations and practical platform rules for Shopify, BigCommerce, and WooCommerce in 2025, with build patterns you can implement to reduce shutdown risk.

Informational only—not legal advice.

The federal baseline (and why it doesn’t guarantee platform approval)

Hemp legality: the Farm Bill definition still matters to platforms

Most mainstream commerce providers anchor their policies to the federal definition of hemp from the 2018 Farm Bill—generally, hemp is cannabis (and derivatives) with no more than 0.3% delta‑9 THC on a dry‑weight basis. USDA has summarized this definition in its legal opinion and hemp program materials.

External reference: USDA hemp legal summary (PDF) https://www.ams.usda.gov/sites/default/files/HempExecSumandLegalOpinion.pdf

But platforms and processors often go beyond that baseline. Many evaluate:

  • whether the product is intoxicating or marketed as intoxicating (even if it’s Farm Bill‑compliant)
  • whether the product category is treated as high-risk under bank and card‑network underwriting
  • whether you’re making prohibited health claims
  • whether you can reliably age-gate and block restricted states/ZIPs

FDA + FTC: the marketing layer that can break your payments

Even where hemp-derived cannabinoids are lawful under the Controlled Substances Act carve‑out, the FDA continues to object to many uses of CBD in foods, beverages, dietary supplements, and products that make drug-like claims. FDA warning letters remain a key risk signal for platforms, acquirers, and insurers.

The FTC layer matters just as much: if your product pages, ads, or affiliates imply treatment/cure claims without competent and reliable scientific evidence, you invite enforcement and also processor de-risking.

NAD/BBB National Programs: a quieter enforcement channel

The National Advertising Division (NAD) publishes decision summaries and helps set standards around substantiation, disclosures, and influencer marketing—issues that routinely show up in cannabinoid product advertising.

2025 reality: platform policy + payments policy are different “gates”

A common failure pattern in hemp‑THC e‑commerce is treating the platform as the only gate. In practice you face at least four independent gates:

  1. Platform acceptable-use policy (AUP) / restricted product policy
  2. Payment processor + acquiring bank underwriting
  3. Card‑network risk programs (dispute/fraud monitoring, negative option/subscription scrutiny)
  4. Carrier rules (what you can ship, where, and under what documentation)

Your store is only as resilient as the strictest gate in that chain.

Shopify: allowed for some hemp-derived products, but with strict conditions

Shopify’s policy posture in the U.S. is best described as: the storefront may be allowed, but payments require specialized routing.

What Shopify allows (U.S.)

Shopify states it supports the sale of hemp and hemp-derived products when laws in both the merchant’s location and the shipping destination permit it—and warns that noncompliance can lead to action up to termination.

For U.S. merchants selling hemp and hemp-derived products containing CBD, Shopify requires you to comply with platform requirements and be prepared to produce documentation on request.

Shopify also publishes “considerations” emphasizing compliance across jurisdictions and terms.

The payments catch: Shopify Payments is typically not the answer

For hemp/CBD categories, Shopify generally expects merchants to use third‑party payment providers that explicitly support these sales. Shopify’s own documentation explains you can use compatible third‑party providers and that it is the merchant’s responsibility to confirm support.

Practical takeaway: build Shopify as your UX engine, but treat payments as a separate compliance project with underwriting, documentation, and ongoing monitoring.

Another hidden limit: the Shop app and channel rules

Even if your standalone Shopify store is compliant, your products may be blocked from certain sales channels due to channel‑specific prohibited product lists.

Shopify compliance build notes (what underwriters look for)

To keep a Shopify hemp‑THC store stable, assume you’ll be asked to show:

  • COAs and batch testing documentation
  • a written restricted-state shipping policy
  • a defensible age verification workflow
  • refund/return policy clarity (chargeback reduction)
  • claims substantiation and review workflow

BigCommerce: flexible storefronts, but payment processing is almost always “bring your own”

BigCommerce is often chosen for regulated or high‑risk categories because it’s less prescriptive at the platform layer and integrates with many gateways. The catch is that BigCommerce does not magically solve banking and card acceptance.

BigCommerce’s hemp/CBD ecosystem is partner-driven

BigCommerce recognizes that not all partners support hemp/CBD sales and maintains a collection for apps that “support CBD.”

BigCommerce also publishes educational resources on selling CBD and emphasizes state-by-state variation and the need to avoid unlawful drug claims.

BigCommerce payments: expect third‑party gateways and high‑risk underwriting

In practice, BigCommerce hemp storefronts typically depend on:

  • a high‑risk merchant account
  • a compatible gateway integration
  • fraud tooling and dispute controls

Merchants should treat the “platform decision” and the “acquirer decision” as separate approvals.

BigCommerce compliance build notes

BigCommerce shines when you need:

  • multi‑storefront logic (e.g., separate catalogs for restricted states)
  • headless implementations (where you control the checkout experience)
  • robust API control for SKU metadata and policy-driven blocks

But you must still engineer:

  • pre‑checkout age verification
  • state/ZIP restrictions
  • SKU‑level compliance flags
  • claims review and audit trail

WooCommerce: maximum control, maximum responsibility

WooCommerce is not a single “platform policy.” It’s an ecosystem: WordPress (host), WooCommerce (cart), plugins, and—most importantly—your gateway and hosting provider policies.

WooPayments: CBD/hemp-derived products not permitted

WooCommerce’s documentation is explicit that CBD and other hemp-derived products cannot be sold using WooPayments due to processor restrictions.

WooPayments also lists prohibited/restricted products and reiterates that CBD sales currently require different gateways.

Hosting matters: WordPress.com/Pressable have specific gateway requirements

If you host on WordPress.com or Pressable, WooCommerce publishes guidelines requiring specific payment solutions (notably Square in the U.S., Viva.com/Viva Wallet in certain regions).

Practical takeaway: with WooCommerce you can build almost any compliance feature—but you can also accidentally choose a host/gateway pair that will terminate you.

WooCommerce compliance build notes

WooCommerce is often best for teams that want:

  • deep checkout control (custom verification steps)
  • server-side policy enforcement
  • custom data retention and audit logs

But it requires mature ops:

  • plugin governance (security and script risk)
  • vulnerability management
  • PCI scope discipline

Payments in 2025: card-network monitoring + high-risk underwriting are the real “platform rules”

Visa monitoring changed: VAMP is a 2025 wake-up call

In 2025, Visa consolidated fraud and dispute monitoring into the Visa Acquirer Monitoring Program (VAMP). The official fact sheet explains new ratios and thresholds used to identify above‑standard and excessive risk portfolios.

Why it matters for hemp‑THC e‑commerce: acquirers may tighten underwriting, require stronger fraud controls, or terminate merchants if dispute and fraud metrics rise. Your compliance stack must include chargeback prevention (clear descriptors, fast customer support, transparent policies, and evidence packages).

Mastercard monitoring: expect scrutiny when dispute ratios climb

Mastercard’s excessive chargeback and fraud monitoring programs are widely operationalized by acquirers. Even if your platform is fine, an adverse chargeback profile can lead to higher reserves, rolling holds, or account closure.

Operational reference (processor documentation): Braintree overview of Mastercard’s Excessive Chargeback Program: https://developer.paypal.com/braintree/articles/risk-and-security/card-brand-monitoring-programs/mastercard-programs/excessive-chargeback-program

Subscription/KYC risk: “negative option” issues affect hemp merchants disproportionately

If you sell subscriptions (gummies, tinctures, beverages) the category is already high‑risk. Layering continuity billing on top increases scrutiny. Build:

  • clear subscription terms above the CTA
  • a cancellation flow that’s easy and logged
  • renewal reminders
  • KYC/light identity proofing for suspicious signups

PCI DSS 4.0.1 in 2025: payment-page script security and SAQ A changes

Many hemp‑THC merchants use hosted payment pages or iFrames specifically to reduce PCI scope. PCI DSS v4.0.1’s “future-dated” requirements became enforceable March 31, 2025, and the PCI SSC published an updated SAQ A in January 2025.

Even where SAQ A validation is simplified, the underlying reality remains: script injection and checkout manipulation are top threats. If your store runs many third-party scripts (pixels, affiliate tags, CRO tools), you need governance.

Practical controls to implement in 2025:

  • inventory all scripts that can touch checkout or payment pages
  • enforce least privilege for tags (limit who can publish)
  • use CSP/SRI where feasible
  • monitor for unexpected DOM changes on checkout
  • keep a change log for themes and critical plugins
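The script inventory and CSP/SRI controls above can be checked mechanically. The following is an added example, not code from any platform or gateway: it parses a constructed checkout page, flags scripts that fall outside an approved-host inventory or lack an `integrity` attribute, and derives the matching `script-src` directive. The host names, the sample markup and the function names are assumptions.

```python
import base64, hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed inventory: hosts approved to serve script on checkout (assumption).
APPROVED_HOSTS = {"pay.gateway.example", "cdn.store.example"}
# Constructed checkout markup used as sample input.
SAMPLE_CHECKOUT = """<html><head>
<script src="https://pay.gateway.example/v3/fields.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.store.example/theme.js"></script>
<script src="https://tags.affiliate.example/pixel.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body></body></html>"""

class ScriptInventory(HTMLParser):
    """Collects the src and integrity attributes of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append((a.get("src"), a.get("integrity")))

def audit_checkout(html):
    """Return (script, finding) pairs for scripts outside the policy."""
    inv = ScriptInventory()
    inv.feed(html)
    findings = []
    for src, integrity in inv.scripts:
        if not src:
            findings.append(("<inline>", "inline-script"))  # needs a CSP nonce or hash
        elif urlparse(src).hostname not in APPROVED_HOSTS:
            findings.append((src, "unapproved-host"))       # not in the inventory
        elif not integrity:
            findings.append((src, "missing-sri"))           # approved but unpinned
    return findings

def sri_value(content: bytes) -> str:
    """integrity attribute value for a script body (SHA-384, base64)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()

def csp_script_src() -> str:
    """script-src directive that admits only the approved hosts."""
    return "script-src " + " ".join(sorted("https://" + h for h in APPROVED_HOSTS))

if __name__ == "__main__":
    print(audit_checkout(SAMPLE_CHECKOUT), csp_script_src(), sep="\n")
```

Running the audit against each theme or plugin release, and diffing the findings against the previous run, gives the change log a concrete artifact to record.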

Shipping and carrier restrictions: compliance doesn’t end at checkout

USPS: hemp mailable with documentation and retention requirements

USPS updated Publication 52 to address hemp-based products and record retention, including retaining laboratory test results for a period (USPS has referenced a two‑year retention update).

Practical takeaway: if you ship via USPS, maintain an audit-ready packet for hemp shipments (COAs, licensing where applicable, policies), and do not assume international shipments are permitted.

UPS: allows certain hemp derivatives with conditions

UPS publicly states it accepts hemp derivatives or products containing hemp derivatives only as permitted by applicable federal, state, and local laws.

Operational takeaway: build adult-signature capability into your shipping rules for age-restricted SKUs and verify UPS account terms for your exact product set.

FedEx: verify service guide and prohibited-item rules carefully

FedEx publishes prohibited item guidance (especially for international). Merchants should confirm whether their specific products are accepted under the current service guide and account terms.

Because carrier risk tolerance changes, your tech stack should support carrier switching without breaking compliance (e.g., automatically enforcing adult signature when required).

The 2025 compliance build: three engineering patterns that prevent shutdowns

The following patterns are the highest ROI for preventing platform, payments, and shipping failures.

1) Pre-checkout age verification + blocked shipping logic by state/ZIP

A simple “Are you 21+?” pop-up is rarely enough for high-risk payment partners.

Build a layered approach:

  • Pre‑checkout gating (before cart/checkout) to deter minors
  • Checkout hard-stop using third‑party age verification or ID proofing for age‑restricted SKUs
  • Shipping address rules that block prohibited states and restricted ZIP codes (and block PO boxes when your carrier/adult signature program requires it)
  • Delivery method rules: require adult signature where your carrier program demands it

Also log:

  • verification timestamps
  • verification outcome (pass/fail) and method
  • minimal necessary attributes (data minimization)

2) CBD/THC product flags that drive tax, shipping, and operational blocks

Treat compliance as data.

At the SKU level, add flags like:

  • is_hemp_cbd
  • is_intoxicating_hemp (even if Farm Bill‑compliant)
  • age_restricted_21
  • restricted_states (list)
  • carrier_allowed (per carrier)
  • requires_adult_signature

Then wire those flags into:

  • tax rules (including state-specific excise or special handling where applicable)
  • shipping methods and packaging instructions
  • POS scanner blocks (if you also sell in-person)
  • customer-service scripts (returns/refunds, cancellations)

The goal is to prevent “human memory” from becoming your compliance control.
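Patterns 1 and 2 combine into a single server-side check at checkout. The following is an added example, not code from Shopify, BigCommerce or WooCommerce: it evaluates a cart against the SKU flags (written in snake_case) and the shipping address, and returns a decision together with the audit record that explains it. The state code "XX", the blocked ZIP, the SKU and the `evaluate` function are constructed placeholders, not legal guidance.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Sku:
    """SKU-level compliance flags, following the flag list above."""
    sku: str
    is_hemp_cbd: bool = False
    is_intoxicating_hemp: bool = False
    age_restricted_21: bool = False
    restricted_states: frozenset = frozenset()
    carrier_allowed: frozenset = frozenset()
    requires_adult_signature: bool = False

# Constructed policy data for the demo; "XX" is a placeholder state code.
BLOCKED_ZIPS = {"00000"}
PO_BOX = re.compile(r"\bp\.?\s*o\.?\s*box\b", re.IGNORECASE)
GUMMY = Sku("GUM-10", is_intoxicating_hemp=True, age_restricted_21=True,
            restricted_states=frozenset({"XX"}), carrier_allowed=frozenset({"ups"}),
            requires_adult_signature=True)

def evaluate(cart, address, carrier, age_check):
    """Server-side checkout decision plus the audit record that explains it."""
    reasons = []
    adult_sig = any(i.requires_adult_signature for i in cart)
    for item in cart:
        if address["state"] in item.restricted_states:
            reasons.append(f"{item.sku}: restricted state {address['state']}")
        if carrier not in item.carrier_allowed:
            reasons.append(f"{item.sku}: carrier {carrier} not allowed")
        if item.age_restricted_21 and age_check.get("outcome") != "pass":
            reasons.append(f"{item.sku}: age verification not passed")
    if address["zip"] in BLOCKED_ZIPS:
        reasons.append(f"restricted ZIP {address['zip']}")
    if adult_sig and PO_BOX.search(address["line1"]):
        reasons.append("PO box cannot take an adult-signature delivery")
    return {
        "decided_at": datetime.now(timezone.utc).isoformat(),
        "decision": "block" if reasons else "allow",
        "reasons": reasons,
        "skus": [i.sku for i in cart],
        "adult_signature_required": adult_sig,
        # Data minimization: keep method, outcome, timestamp; drop DOB and ID images.
        "age_check": {k: age_check.get(k) for k in ("method", "outcome", "verified_at")},
        "destination": {"state": address["state"], "zip": address["zip"]},
    }

if __name__ == "__main__":
    print(evaluate([GUMMY], {"line1": "PO Box 7", "state": "XX", "zip": "11111"}, "ups", {}))
```

Calling `evaluate` again whenever the cart or address changes, and at order submission, is what makes a newly added state restriction take effect mid-cart.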

3) Documented claims review for product pages (FTC/NAD readiness)

Most enforcement pain comes from marketing language, not lab reports.

Create a claims review workflow:

  • define prohibited claims (treat/cure/mitigate disease)
  • require substantiation packets for structure/function or general wellness claims
  • review before publishing new PDP copy, emails, and ads
  • enforce influencer disclosure standards

Log every change:

  • what changed on the PDP
  • who approved it
  • what substantiation supports it
  • when it went live

Audit trail: what to log so you can defend decisions later

In 2025, the merchants who survived platform and processor reviews were the ones who could quickly produce records.

Maintain an audit trail that includes:

  • consent logs (age gate, terms acceptance, privacy)
  • KYC checks for subscriptions and high-risk orders (especially velocity or mismatch events)
  • COA retention mapped to lots/batches and linked to SKUs
  • policy snapshots (shipping restrictions, returns, subscription terms)
  • SKU-level blocks that can be turned on instantly when a state changes rules (including “mid‑cart” enforcement)

A practical rule: if a regulator, platform, bank, or carrier asked “why did you ship this product to that address on that date?” you should be able to answer in minutes.

Choosing the right platform in 2025 (decision guidance)

Pick Shopify if you want speed + strong storefront UX, and can manage third-party payments

Best for:

  • brands optimizing conversion and rapid iteration
  • teams comfortable working with specialized hemp-friendly payment providers

Plan for:

  • Shopify hemp compliance requirements and documentation readiness
  • third-party payment routing
  • channel restrictions (e.g., Shop)

Pick BigCommerce if you need flexibility and gateway variety, and you’re building a policy-driven catalog

Best for:

  • merchants expecting complex product restrictions by geography
  • teams with technical resources to implement API-driven compliance logic

Pick WooCommerce if you need maximum control and can run mature security + compliance operations

Best for:

  • teams that want custom checkout verification and server-side enforcement
  • businesses with internal engineering and security discipline

Key takeaways (business + compliance)

  • Platform permission is not payment permission. Treat payments and underwriting as a separate compliance track.
  • Build compliance into your data model. SKU flags + automated rules prevent accidental violations.
  • Age verification must be defensible. Layer pre-checkout friction with checkout hard-stops and shipping logic.
  • Marketing claims are a top enforcement risk. Implement a documented review workflow aligned to FTC/NAD expectations.
  • Expect change. Your tech stack must support instant SKU blocks and jurisdiction rules when laws shift.

Next step: operationalize compliance with CannabisRegulations.ai

If you’re designing or rebuilding a hemp‑THC e‑commerce stack, don’t wait for a shutdown notice to discover a platform, bank, or carrier mismatch. Use https://cannabisregulations.ai/ to monitor policy changes, track federal and state compliance updates, and build repeatable workflows for cannabis compliance, licensing readiness, marketing review, and enforcement response—so your storefront stays live and your payment rails stay stable.