Vape merchants create a difficult risk problem for acquirers, payment service providers, and payment facilitators. The category combines age-restricted commerce, federal product authorization, state-specific sales rules, interstate shipping requirements, fast-changing inventories, and complex supplier networks.
A merchant may appear compliant during onboarding and create material exposure later by adding unauthorized products, changing suppliers, opening new sales channels, or shipping into jurisdictions it was never approved to serve.
The central challenge is that vape merchant risk cannot be assessed through an MCC, a tobacco retail license, or a one-time website review. Providers need to verify the merchant’s products, operating model, sales channels, and geographic reach, then monitor them for change.
Where Vape Merchant Risk Actually Lives
Why Vape Merchant Risk Is Different
Vape merchants are not inherently unlawful. The risk comes from the number of variables that determine whether a specific product can be sold through a particular channel in a particular jurisdiction.
A merchant may have a valid business registration and retail license while carrying products that cannot lawfully be marketed. A product permitted at the federal level may also face additional state restrictions involving flavors, product listings, delivery, licensing, or taxes.
The merchant’s regulatory role can also change without an obvious change to its storefront. Under the FDA’s regulations for electronic nicotine delivery systems, a business that only resells finished products is generally treated as a retailer. A vape shop that mixes e-liquids, modifies devices, imports products, or manufactures private-label inventory may also take on manufacturer obligations.
This means two merchants with similar websites and MCCs may have materially different risk profiles.
A meaningful review must determine:
- What exact products the merchant sells
- Who manufactures, imports, and supplies them
- Whether the products can currently be marketed
- Where the merchant sells and ships them
- How customer age is verified
- Whether the business mixes, modifies, distributes, or manufactures products
- Whether the current operation still matches what was approved during onboarding
These are the types of differences that require vertical-specific risk checks, rather than a generic high-risk label applied to the entire sector. Ballerine’s high-risk vertical framework is designed to extend standard KYB with category-specific checks across underwriting, monitoring, and decisioning.
How Regulation Expanded Around Vape Merchants
The current environment developed through several layers of federal and state action. Each layer introduced additional information that payment providers may need to verify.
2009 to 2016: Vape Products Enter the Federal Tobacco Framework
The 2009 Family Smoking Prevention and Tobacco Control Act established the FDA’s authority over tobacco-product manufacturing, distribution, and marketing.
In 2016, the FDA’s Deeming Rule expanded that authority to electronic nicotine delivery systems, including e-cigarettes, e-liquids, components, and parts. It also clarified that activities such as mixing e-liquids or modifying devices can cause a vape shop to be regulated as a manufacturer rather than only as a retailer.
For merchant risk teams, this introduced an important distinction between what a business sells and what it does to the product before sale.
2019 and 2024: Age-Verification Requirements Tighten
Federal Tobacco 21 legislation made it unlawful to sell tobacco products, including e-cigarettes and e-liquids, to anyone under 21.
Beginning September 30, 2024, retailers were also required to check photographic identification for purchasers under 30. The rule applies to brick-and-mortar and online tobacco retailers, and the FDA conducts compliance inspections across both channels.
For an online vape merchant, a homepage pop-up asking the visitor to confirm that they are over 21 should not be treated as evidence of an effective age-verification program. The real control environment includes checkout, identity verification, account use, shipping, and delivery.
2021: The PACT Act Expands to Vaping Products
The Prevent All Cigarette Trafficking Act was amended in 2021 to cover electronic nicotine delivery systems.
Under the PACT Act requirements for vape sellers, covered interstate sellers may be required to register with the ATF and state tax authorities, file reports, maintain records, follow packaging and delivery requirements, verify age, and comply with the laws of each destination jurisdiction. The law also generally prohibits covered products from being mailed through the U.S. Postal Service.
This creates a significant difference between a local retail shop and a merchant that accepts online orders and fulfills them across multiple states.
2022: Synthetic Nicotine Comes Under FDA Authority
Federal law clarified in 2022 that the FDA’s tobacco authority covers nicotine from any source, including laboratory-produced or synthetic nicotine.
As a result, a product does not sit outside the regulatory framework merely because the nicotine was not derived from tobacco. Claims such as “tobacco-free nicotine” or “synthetic nicotine” should not be accepted as proof that the product can be sold without authorization.
2025: States Add Product-Level Sales Lists
Federal authorization is no longer the only product-level check that may apply.
California’s AB 3218 took effect on January 1, 2025 and created an Unflavored Tobacco List. Covered products that do not appear on the list are treated as flavored products and are ineligible for sale in the state. The implementing framework also provides for fees and civil penalties involving manufacturers, distributors, wholesalers, and delivery sellers.
This adds a second layer to the product review. A risk team may need to determine whether the exact product can be federally marketed and whether it can be sold in the merchant’s particular state and channel.
2025 and 2026: Enforcement Extends Across the Commercial Chain
Recent enforcement has focused on more than the manufacturers named on product packaging.
In September 2025, the Department of Justice and FDA announced the seizure of more than 2.1 million allegedly illicit vaping products from five distributors and six retailers across seven states. The government alleged that several businesses continued selling or distributing products after receiving previous FDA warnings.
In November 2025, a coalition of state attorneys general called on an ecommerce platform to strengthen its controls against merchants allegedly using its services to sell unlawful tobacco and vape products. The public letter identified dozens of websites and supplied information about more than 200 additional sites for review.
In March 2026, New York authorities announced that more than 28,000 pounds of illicit vapor products had been seized during an investigation into wholesale distribution and shipments to sub-distributors and unlicensed retailers.
The payment-risk implication is clear. Exposure can develop through importers, wholesalers, online sellers, storefronts, fulfillment networks, and the platforms that enable them.
According to Fairfax County police, a 2026 investigation found that a network of vape shops was allegedly being used to distribute unlawful products across multiple locations
Why Product-Level Verification Matters
The FDA maintains an up-to-date list of e-cigarettes authorized for sale. As of May 5, 2026, the list contained 45 products, which the agency identified as the only e-cigarettes that could lawfully be sold in the United States at that time. The FDA also states that marketing authorization does not mean a product is safe or “FDA approved.”
Authorization is product-specific. It does not automatically extend to every flavor, device, pod, nicotine concentration, or package sold under the same brand.
This is especially important following the FDA’s May 2026 authorization of the first fruit-flavored e-cigarettes. The development means risk teams cannot assume that every fruit-flavored product is unauthorized, just as they cannot assume that every product sold under an authorized brand is lawful. The exact product must be matched against current FDA records.
Broad merchant claims are not enough:
- “The manufacturer is FDA registered”
- “The brand has authorized products”
- “The application is being reviewed”
- “The product uses synthetic nicotine”
- “The product is FDA compliant”
A defensible review should capture the manufacturer, model, flavor, nicotine concentration, packaging, supplier, and any available regulatory identifiers.
Product status also needs to be checked repeatedly. A catalog collected during onboarding can become outdated when the merchant changes suppliers, introduces new flavors, or replaces one device with a visually similar product.
Where Payment-Provider Exposure Develops
Inventory Changes After Approval
A merchant may be approved with a limited catalog and add higher-risk products later.
Changes may include new disposable devices, flavors, imported inventory, private-label products, or supplier substitutions. The merchant may keep the same product URL while replacing the name, photograph, packaging, or underlying SKU.
Without continuous merchant monitoring, a provider may continue processing a merchant whose present-day inventory is materially different from the catalog originally reviewed. Ballerine’s monitoring capabilities analyze website content, metadata, digital channels, behavioral signals, and changes to the merchant’s risk profile.
Undisclosed Remote Sales
A merchant approved as a local store may later introduce ecommerce, social-media ordering, subscriptions, or interstate delivery.
That change can activate PACT Act registration, reporting, age-verification, carrier, tax, and licensing requirements. It also exposes the merchant to the rules of every jurisdiction into which it ships.
Providers should know where the merchant accepts orders, where products are delivered, which carriers are used, and whether restricted destinations can complete checkout.
Age Controls That Do Not Work in Practice
A written Tobacco 21 policy does not prove that a merchant prevents underage sales.
Risk reviewers need to examine the actual customer journey. That includes the age gate, account creation, identification checks, payment, delivery, and any alternative ordering routes offered through social media or messaging applications.
The control should also be tested across desktop, mobile, and third-party delivery channels. A compliant primary website provides limited protection if the same products can be ordered through a direct message with no meaningful age check.
Supplier and Product Opacity
A merchant may be unable to demonstrate where its inventory came from or whether invoices match the products being sold.
Relevant concerns include inconsistent supplier names, product packaging that differs from invoices, unexplained intermediaries, private-label inventory, or rapid growth following a supplier change.
Supplier evidence is particularly important when the merchant imports goods or operates across wholesale and retail channels.
Activity Outside the Approved Business Model
A vape merchant may begin mixing liquids, modifying devices, operating additional domains, or selling products outside the provider’s acceptable-use policy.
Legal status and internal policy fit are related but separate questions. A product may be lawful while falling outside a sponsor bank’s risk appetite. A merchant may also fit an approved category while violating product, shipping, or age-verification rules.
Merchant policy fit analysis helps providers evaluate the merchant’s website, products, images, and broader digital presence against their own acceptable-use policies, rather than relying on keywords or MCC codes alone.
Vape Merchant Red Flags
No single signal proves misconduct. The following indicators should trigger additional verification when they appear alone or in combination:
- An exact product cannot be matched to current FDA records.
- The merchant describes products as “FDA approved.”
- Supplier invoices do not match the inventory shown online.
- New flavors, devices, or private-label products appear after onboarding.
These warning signs often appear together. In September 2025, the DOJ and FDA announced the seizure of more than 2.1 million allegedly illicit vaping products from distributors and retailers across seven states. Several of the businesses had reportedly continued selling or distributing products after receiving prior FDA warnings. The case shows how unauthorized inventory, supplier relationships, and post-onboarding catalog changes can combine into a broader merchant-risk issue.
- The merchant begins shipping nationally despite disclosing only local retail activity.
- Age verification relies only on a self-attested website pop-up.
- Social-media accounts advertise products missing from the official website.
- Product images or packaging change while the listing URL remains the same.
- The merchant cannot explain whether it imports, mixes, modifies, or manufactures products.
- Transaction volume or geography changes sharply after a supplier or catalog update.
- Several domains, storefront names, or payment descriptors are connected without a clear commercial explanation.
- Adverse media or regulatory actions identify the merchant, its suppliers, or related businesses.
These signals should lead to evidence gathering and contextual review. A keyword match or isolated image should not automatically produce an adverse decision.
Building a Stronger Vape Merchant Control Framework
1. Document the Actual Operating Model
The merchant file should identify physical locations, ecommerce domains, social channels, fulfillment arrangements, suppliers, products, jurisdictions served, and any manufacturing or modification activity.
A configurable merchant onboarding workflow can combine KYB, web, ownership, policy, and transaction signals into a single merchant risk profile.
The approved model must be specific enough for the provider to recognize when it changes.
2. Verify Exact Products
Collect the merchant’s current catalog and compare exact SKUs with the FDA’s authorized-product resources and any relevant state product lists.
The review should not clear an item simply because the brand or manufacturer is familiar. Uncertain matches should be escalated for additional documentation.
3. Test Age, Checkout, and Shipping Controls
Review the purchase journey rather than relying only on written policies.
Test whether the merchant verifies identity, blocks restricted destinations, applies the same controls across devices, and prevents customers from bypassing the primary website through social or delivery channels.
4. Monitor Products and Channels for Change
Monitoring should cover text, images, product packaging, menus, social profiles, secondary domains, and marketplace listings.
Product risk is often visible in an image before it is reflected in a written description. A text-only review may miss new flavors, nicotine strengths, or products marketed under coded names.
5. Connect Digital Changes With Transaction Behavior
A product change becomes more meaningful when it coincides with new transaction geographies, sudden volume growth, descriptor changes, or rising refunds and chargebacks.
Bringing merchant, web, product, and payment signals together helps the risk team distinguish a routine catalog update from a material change in business activity.
Product Verification and Monitoring Workflow
What Payment Providers Should Do Now
The appropriate response is not to reject every vape merchant.
It is to recognize that the category requires enhanced due diligence and continuous oversight. Providers need to understand:
- What the merchant is selling. Products must be verified at the exact SKU level.
- Where and how products are sold. In-store sales, ecommerce, social commerce, wholesale distribution, and interstate fulfillment create different obligations.
- Whether customer controls work. Age and delivery requirements should be tested through the live purchase journey.
- Whether the merchant’s role has changed. Mixing, importing, modifying, or private labeling may create obligations that did not exist at onboarding.
- Whether the merchant still matches its approved profile. Inventory, suppliers, domains, sales channels, and transaction behavior must be monitored after approval.
The vape industry demonstrates why initial KYB is not enough for complex merchant categories. KYB establishes who the business is at the time of review. It does not continuously establish what the business is selling or how it is operating.
Ballerine helps acquirers, PSPs, PayFacs, and marketplaces bring merchant onboarding, policy fit, digital risk signals, and ongoing monitoring into one evidence-backed process. This allows teams to detect meaningful changes, investigate them in context, and maintain a clear decision trail across the merchant lifecycle.