Magento for CBD + hemp brands: payment, age-gate, and 50-state shipping done honestly

CBD ecom has one unique pain: Stripe, PayPal, and Square all reject you. We wire the actual high-risk stack — NMI, Easy Pay Direct, Aeropay, Plaid ACH — plus age-gate + ID verification, a 50-state shipping matrix per cannabinoid, COA per batch on every PDP, and DSHEA-compliant copy guardrails. Brands like Charlotte’s Web, Joy Organics, and CBDistillery run this same pattern.

  • NMI + Authorize.net high-risk MID + Aeropay + ACH (no Stripe pretending it works)
  • Veratad / Yoti / AgeChecker.net at checkout — 21+ or 18+ by state
  • State matrix auto-blocks delta-8 to Idaho/SD/etc., flags CBD-only states
Adobe-Certified Magento + Hyvä developer · CBD high-risk builds shipped — honest about payment pain

Why Magento for CBD + hemp

Four numbers that decide whether a CBD store survives its first year

Payment processor stability, age-gate defensibility, state shipping accuracy, and COA traceability. Get these four right and you scale. Get them wrong and an MID freeze, an FDA letter, or a state AG kills the brand.

  • High-risk: processor native, no Stripe pretending

    Stripe, PayPal, and Square all reject CBD merchants. We wire NMI, Authorize.net with a high-risk MID (Easy Pay Direct, Square 1), Aeropay, and Plaid ACH as the actual processors. Crypto fallback for resilience when an MID gets shut down mid-quarter.

  • 21+ / 18+: ID verification at checkout

    Veratad, Yoti, and AgeChecker.net plug into Magento checkout via API. Block under-age purchases server-side, log every verification attempt for compliance audits, and switch the threshold by state (21+ in CA/CO, 18+ in most other CBD states).

  • 50 states: shipping matrix per cannabinoid

    Idaho and South Dakota ban delta-8 outright; some states ban delta-8 while allowing CBD. We build a state × cannabinoid matrix that auto-blocks at cart, flags borderline orders for manual review, and updates when a state legislature flips. Quarterly review baked in.

  • COA / batch: per-lot lab certificates on every PDP

    Each batch gets a QR code on the bottle linking to a public Magento URL with the COA PDF, lot number, harvest date, and lab name. Recall workflow lets us pull a specific lot in <15 minutes if a state AG sends a letter. FDA-letter response template included.

What gets built

Six CBD-specific capabilities, wired into one Magento instance

Not a generic Magento build. These six are the load-bearing pieces every CBD/hemp store needs — high-risk payment, age-gate, state matrix, COA, FDA/DSHEA, subscription routing — with the integration patterns I use, not the ones Stripe pretends will work.

  • Payment routing through high-risk processors

    Stripe and PayPal don’t process CBD — full stop. They’ll terminate your account 30–90 days after the first “hemp” transaction shows up in their classifier. We wire the actual high-risk stack: NMI gateway with a high-risk MID via Easy Pay Direct or Square 1 Payments, Authorize.net with high-risk underwriting, Aeropay (ACH cash-network specifically built for cannabis-adjacent), Plaid ACH for instant bank-debit fallback, and crypto (BitPay / NOWPayments) as the resilience layer when an MID gets shut down mid-quarter. Magento handles all of this through the standard payment-method abstraction — no core changes needed.

  • Age-gate + ID verification at checkout

    Three vendors integrate cleanly: Veratad (database-driven, ~$0.85 per check, fastest), Yoti (photo-ID + selfie, ~$1.50 per check, most defensible), AgeChecker.net (cheapest at ~$0.40 per check, CBD-industry default). We wire these as a checkout-step plugin: under-age purchases are blocked server-side, every verification attempt is logged with timestamp + result + customer ID for compliance audits, and the threshold flips by state (21+ in CO/CA/WA for any cannabinoid product, 18+ in most other CBD-only states). Failed verification triggers an email with a manual-review path, not a hard rejection.

  • State-by-state shipping matrix (50 states × cannabinoid)

    Delta-8 is the trap. Idaho, South Dakota, Alaska, Colorado, Connecticut, Delaware, Iowa, Mississippi, Montana, New York, Oregon, Rhode Island, Utah, Vermont, and Washington ban delta-8 specifically while still allowing CBD. CBD itself is restricted in Idaho (must be 0.0% THC) and South Dakota. We build a state × cannabinoid matrix as Magento source restrictions: shopper enters ZIP at cart → matrix auto-filters products → blocked items show a state-specific message (“Delta-8 cannot ship to Idaho; here’s our CBD line that can”). Borderline orders flag for manual review. Quarterly state-law audit baked into the retainer.

  • COA per batch downloadable on PDP

    FDA + state AGs require lot-level traceability. Every batch gets a QR code printed on the bottle that links to a public Magento URL like /coa/lot-2026-04-12-a — the page shows the lab name, harvest date, cannabinoid profile (CBD/THC/CBG/CBN ppm), pesticide screen, heavy-metal screen, and microbial screen as a downloadable PDF. We build the COA as a Magento entity (one COA → many products of that lot), so a recall workflow can pull “every product shipped from lot 2026-04-12-a” in under 15 minutes. FDA-letter response template + email-blast workflow to affected customers included.

  • USDA hemp registration + FDA disclaimer + DSHEA guardrails

    Three compliance layers wired into the build. USDA hemp registration — we capture your license number + state hemp program in store config and surface it in the footer + COA pages. FDA disclaimer — required on every PDP and PDP-adjacent CMS page (“These statements have not been evaluated by the FDA. This product is not intended to diagnose, treat, cure, or prevent any disease.”) auto-injected via a global block. DSHEA-compliant copy guardrails — admin-side content scanner flags banned disease-claim phrases (“cures anxiety”, “treats pain”, “FDA-approved”) before publish. Brands like Charlotte’s Web, Joy Organics, and CBDistillery all run this pattern.

  • Subscriptions, loyalty, referrals (no Stripe / no PayPal)

    The subscription model still works — just not through Stripe Billing or PayPal Subscriptions. We route recurring charges through the high-risk gateway (NMI Customer Vault, Aeropay tokenized ACH, or Authorize.net CIM) and trigger them from Magento + Aheadworks Subscriptions or Mirasvit Subscriptions. Loyalty: LoyaltyLion, Yotpo Loyalty, and Smile.io all integrate with Magento and don’t care which gateway processes the payment — they just listen to order webhooks. Referrals: Friendbuy or Refersion via discount-code attribution. Same playbook Charlotte’s Web and CBDistillery use.

The build process

Five steps from compliance audit to live, defensible CBD store

Audit → plan → build → deploy → stabilise. Tuned for CBD’s compliance cadence: every quarter is a state-law refresh and an MID health check. Optional ongoing retainer.

  1. Audit

    Payment processor relationship review (who underwrites you, MID stability, reserve rate, chargeback ratio), age-gate vendor (or absence), state shipping policy (which states you currently block, which you should), COA workflow (who issues, where stored, recall plan), FDA disclaimer + DSHEA copy review (banned-phrase scan). 1 week.

    Compliance baseline + gaps
  2. Plan

    High-risk processor selection (NMI vs Authorize.net + Easy Pay Direct vs Square 1 vs Aeropay), ID-verify vendor pick (Veratad / Yoti / AgeChecker.net by cost-vs-defensibility trade-off), state shipping matrix per cannabinoid (CBD vs delta-8 vs delta-9 vs CBN vs CBG), COA per batch flow + recall workflow, subscription gateway routing. Written spec + Gantt.

    Locked scope
  3. Build

    Catalog + high-risk gateway + age-gate + state matrix + COA download module + Klaviyo (CBD-allowed ESP) + Hyvä storefront. Built in 6–10 weeks. Test fixtures for under-age block, state-blocked cart, lot-recall workflow. Smoke test the payment flow with a $1 live transaction on each MID before go-live.

    Build + UAT
  4. Deploy

    Blue-green deploy with payment smoke test (real $1 charge through each gateway), mock under-age block test (verify Veratad/Yoti rejects a DOB that puts the buyer under 21), state geo-block test (mock Idaho ZIP, verify delta-8 blocked + CBD allowed). DNS + cache plan. War-room for first 48 hours post-launch in case an MID flags transactions.

    Live + verified
  5. Stabilise

    Monthly COA reconciliation (every batch shipped has a published COA), quarterly state-law update (state AGs change rules constantly, especially on delta-8), FDA warning-letter monitoring (we watch the FDA enforcement page for letters to similar brands), MID health check (reserve rate, chargeback ratio, freeze risk). Optional ongoing retainer ($1.5k–$5k/mo).

    Optimised + compliant

Three engagement shapes

Pick the shape that fits — audit, build, or custom multi-brand

Three typical engagements for CBD/hemp brands. All fixed-fee where possible, all priced at $25/hr so the math is visible. No retainer lock-ins. No surprise scope.

  • Audit — $499

    Compliance + payment audit

    • Fixed-fee · 5 business days · ~20h @ $25/hr
    • Payment processor stability + MID risk review
    • Age-gate vendor evaluation + checkout-flow audit
    • State shipping matrix gap analysis (per cannabinoid)
    • COA workflow review + recall-readiness check
    • FDA disclaimer + DSHEA copy scan (banned phrases)
    • Written report + remediation roadmap
  • Custom enterprise

    Multi-brand / dispensary B2B

    • Quote in 24h · multi-week engagement
    • Multi-brand house (e.g. CBD + delta-8 + smokables)
    • B2B wholesale to dispensaries, smoke shops, vape
    • In-state delivery integration (where legal)
    • Multi-MID redundancy (3+ processors load-balanced)
    • Net-30 with tax-exempt resale-cert workflow
    • Multi-state license overlap audit baked in

Free CBD consultation

Book a free 30-min CBD-Magento consultation

Tell me your current processor, age-gate setup, and which cannabinoids you sell. I’ll send a written compliance + payment-stack recommendation within 24 hours, and include a 30-min calendar link if a call would help. No upsell.

Past clients say

Reviews from brands I’ve shipped Magento for

Public reviews on Upwork — clickable on each card. Same person, same rate card, same compliance-first playbook for every CBD brand.

Kishan- I appreciate your expertise. Your work was timely and complete. When I have this task again, I will definitely hire you. Thank you so

JB

Juanita Berguson

Kingdom

Kishan is a very competent and reliable Magento developer. He was able to handle every task I gave him quickly and efficiently and his communication was top-notch. I look forward to continuing to work with

PJ

Philip Johnston

Newthink

Kishan provided a quick and straightforward solution to a problem I thought was complicated. I am very impressed and I

NN

Neudell Nicholson

Vertex Select Ltd

Great professional with enthusiasm, knowledge, skill and exceptional patience in solving

D

Dennis

Bay Tech

Consistently accessible with strong Magento expertise. I intend to collaborate with him on another

GY

Gina Yan

Kishan did a great job - everything as expected! I would definitely recommend

JM

Jan Mucic

CEO

Shipping CBD + hemp Magento stores across

  • United States
  • United Kingdom
  • Canada
  • Australia
  • Germany
  • France
  • Netherlands
  • India

FAQ

Twelve questions CBD + hemp founders actually ask

Why won’t Stripe / PayPal / Square process my CBD orders — and what do you use instead?

The honest answer: Stripe, PayPal, and Square all classify CBD as a restricted business. Stripe’s prohibited-products list explicitly names “CBD, hemp-derived cannabinoid products, and any product sold as legal cannabis.” PayPal is the same. Square has a narrow CBD program that requires preapproval and rejects ~70% of applicants. Even if you sneak in, their automated classifier flags “hemp” on your product page or invoice and freezes the account 30–90 days later — with 90 days of held funds.

The actual high-risk stack we wire:

  • NMI gateway with a high-risk MID via Easy Pay Direct, Square 1 Payments, or Tasker Payment Gateways. Underwriting is slower (2–6 weeks) and rates are higher (3.5–5.5% vs Stripe’s 2.9%) but the accounts don’t freeze.
  • Authorize.net with high-risk underwriting through the same MID providers.
  • Aeropay — ACH cash-network purpose-built for cannabis-adjacent. Customer links bank, pays via bank-debit, lower fees (~1.5%).
  • Plaid ACH for instant bank-debit fallback.
  • BitPay / NOWPayments for crypto resilience — ~3% of CBD revenue routes through crypto when an MID gets shut down mid-quarter.

Magento handles all of this through the standard payment-method abstraction. No core changes — just configure the right gateway modules.

State-by-state shipping — which states ban delta-8 specifically, and how does the auto-block work?

The legal landscape splits into three buckets:

  • Delta-8 banned outright (15 states as of 2026): Alaska, Colorado, Connecticut, Delaware, Idaho, Iowa, Mississippi, Montana, New York, Oregon, Rhode Island, South Dakota, Utah, Vermont, Washington. Some of these still allow CBD; some restrict CBD too.
  • CBD restricted: Idaho requires 0.0% THC (most CBD has trace amounts and is therefore illegal there). South Dakota has shifting rules.
  • CBD + delta-8 both legal: most other states, but with packaging / labeling / age-gate / per-package THC limits that vary.

How we build it: a state × cannabinoid matrix stored as Magento source restrictions. The customer enters their ZIP at the cart step → matrix looks up “Idaho + delta-8 = blocked” → blocked items get removed from cart with a state-specific message (“Delta-8 cannot ship to Idaho. Here’s our CBD line that’s also Idaho-compliant”). Borderline cases flag for manual review rather than hard-reject. The matrix is reviewed quarterly because state legislatures change rules constantly — Texas, Tennessee, and California have all flipped their delta-8 stance multiple times since 2022.

Hyvä storefront makes this clean because the cart re-renders on state-change without a full page reload — customers see the filtered cart immediately.

Age-gate + ID verification — Veratad vs Yoti vs AgeChecker.net, and when do you use 21+ vs 18+?

Three vendors, three trade-offs:

  • AgeChecker.net — CBD-industry default. Database-driven (matches name + DOB against credit-bureau and public records). ~$0.40 per check. Fastest checkout integration (one Magento extension). Lowest-friction but also lowest defensibility if an AG challenges you. Good fit for <$2M GMV.
  • Veratad — broader database coverage (credit-bureau + DMV + utility records). ~$0.85 per check. API-based integration. Better defensibility. Good fit for $2M–$20M GMV.
  • Yoti — photo-ID + selfie + liveness check. ~$1.50 per check. Most defensible (you have a photo of the ID and the buyer’s face). Higher friction at checkout (~30s extra) but the right call for delta-8 / delta-9 / high-THC products where an AG letter is a real risk. Magento integration via API.

Threshold by state: 21+ for any THC-containing product in CO, CA, WA, OR (matches adult-use cannabis rules in those states). 21+ for delta-8 / delta-9 / hemp-derived THC in most states regardless of CBD age limits. 18+ for CBD-only in most states. We wire the threshold into the matrix so it flips based on cart contents + ship-to state.

Every verification attempt logs to a compliance audit table (timestamp, customer ID, vendor used, result, IP, products in cart) — defensible if challenged.
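
The state × cannabinoid lookup and the cart-dependent age threshold from the two answers above, combined into one server-side check (an added example, not code from this page or from any Magento module). The matrix is constructed from the lists on this page; the `Item` fields, function names and outcome labels are assumptions, and it is written in Python for brevity rather than as a Magento plugin. Unknown states and unlisted cannabinoids go to review instead of being allowed.

```python
from dataclasses import dataclass
from datetime import date, datetime, timezone

# Matrix constructed from the lists on this page; a real store loads it from
# reviewed configuration so the quarterly update is a data change.
KNOWN_STATES = set(("AL AK AZ AR CA CO CT DE FL GA HI ID IL IN IA KS KY LA ME MD "
                    "MA MI MN MS MO MT NE NV NH NJ NM NY NC ND OH OK OR PA RI SC "
                    "SD TN TX UT VT VA WA WV WI WY").split())
DELTA8_BANNED = {"AK", "CO", "CT", "DE", "ID", "IA", "MS", "MT", "NY", "OR",
                 "RI", "SD", "UT", "VT", "WA"}
CBD_ZERO_THC_ONLY = {"ID"}   # Idaho: CBD must be 0.0% THC
CBD_REVIEW = {"SD"}          # South Dakota: shifting rules, send to a human
THC_21_STATES = {"CO", "CA", "WA", "OR"}
THC_PRODUCTS = {"delta-8", "delta-9"}


@dataclass(frozen=True)
class Item:                  # hypothetical cart line
    sku: str
    cannabinoid: str         # "cbd", "delta-8", ...
    thc_percent: float       # taken from the lot's COA


def ship_decision(state: str, item: Item) -> str:
    """Return "allow", "block" or "review"; anything unrecognised is "review"."""
    if state not in KNOWN_STATES:
        return "review"
    if item.cannabinoid == "delta-8":
        return "block" if state in DELTA8_BANNED else "allow"
    if item.cannabinoid == "cbd":
        if state in CBD_ZERO_THC_ONLY:
            return "allow" if item.thc_percent == 0.0 else "block"
        return "review" if state in CBD_REVIEW else "allow"
    return "review"          # cannabinoid not in the matrix: fail closed


def required_age(state: str, items: list) -> int:
    """21 for THC products anywhere, 21 for any THC content in the listed states."""
    if any(i.cannabinoid in THC_PRODUCTS for i in items):
        return 21
    if state in THC_21_STATES and any(i.thc_percent > 0 for i in items):
        return 21
    return 18


def age_on(dob: date, today: date) -> int:
    """Whole years completed on `today`."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def evaluate_cart(state, items, verified_dob, today, customer_id, vendor, ip):
    """Decide the order server-side and return the audit record to persist.

    state comes from the saved shipping address, verified_dob from the ID
    vendor's server-to-server response (None if verification failed); neither
    is read from a browser-supplied field.
    """
    state = state.strip().upper()
    decisions = {i.sku: ship_decision(state, i) for i in items}
    kept = [i for i in items if decisions[i.sku] != "block"]
    need = required_age(state, kept)  # threshold follows what is left in the cart
    age_ok = verified_dob is not None and age_on(verified_dob, today) >= need
    if not kept:
        outcome = "empty"
    elif not age_ok or any(decisions[i.sku] == "review" for i in kept):
        outcome = "manual_review"     # review path, not a hard rejection
    else:
        outcome = "place"
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "customer_id": customer_id, "vendor": vendor, "ip": ip,
        "ship_to": state, "decisions": decisions,
        "required_age": need, "age_ok": age_ok, "outcome": outcome,
    }


if __name__ == "__main__":
    # Constructed sample cart shipping to Idaho.
    cart = [Item("D8-GUMMY", "delta-8", 0.2), Item("CBD-ISO", "cbd", 0.0)]
    print(evaluate_cart("id", cart, date(2000, 1, 1), date(2026, 6, 1),
                        "cust-1", "veratad", "203.0.113.7"))
```
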

COA per batch — how does the QR-on-bottle → Magento URL flow work?

FDA and state AGs both require lot-level traceability for hemp products. The pattern we ship:

  • COA entity in Magento — one entry per lab batch. Stores lab name (typically InfiniteCAL, SC Labs, ProVerde, or ACS Laboratory), harvest date, batch ID, cannabinoid profile (CBD/THC/CBG/CBN ppm), pesticide screen, heavy-metal screen, microbial screen, residual-solvent screen, and the COA PDF itself.
  • Public Magento URL per COA — pattern /coa/lot-2026-04-12-a. The page renders the COA summary + downloadable PDF. SEO-indexed (transparency is a trust signal).
  • QR code printed on the bottle — encodes the COA URL. Customer scans → lands on the COA page → instant trust.
  • Product → batch mapping — each product variant ships from a specific lot; we store the lot ID as a custom attribute on the order line. Lets us pull “every order that received lot 2026-04-12-a” in <15 minutes if a recall is needed.

The recall workflow: a state AG sends a letter about a lot → we query orders by lot ID → Klaviyo flow sends recall emails to affected customers → optional store-credit auto-issue. We’ve never had to fire this in anger but it’s the kind of thing where if you don’t have it, you find out you needed it the day you need it.

USDA hemp registration — what must merchants maintain, and what sample test cadence?

Under the 2018 Farm Bill, hemp (Cannabis sativa L. with ≤0.3% delta-9 THC by dry weight) is federally legal. Each hemp grower needs a USDA-approved license (either directly from USDA or via an approved state hemp program — most states run their own). As a merchant selling finished products, you don’t need a grower license, but you need to maintain documentation that:

  • Your hemp source has a current USDA-approved license (request a copy annually).
  • Each lot tests ≤0.3% delta-9 THC by dry weight at an ISO-17025-accredited lab (this is the COA workflow above).
  • You retain COAs for at least 3 years (some states want 5).

Sample test cadence: every batch. A “batch” is a single homogeneous production run — usually 1,000–10,000 units depending on product. Smaller brands often test once per quarter and pretend it covers everything; that’s the bet that loses if an AG audits. Real brands like Charlotte’s Web and Lazarus Naturals test every batch and publish the COA publicly.

Magento side: we capture USDA license number + state hemp program in store config, surface it in the footer, the privacy/terms page, and on every COA page. If a state inspector visits the site, the documentation trail is one click away.

FDA disclaimer + DSHEA — what copy is required and what gets you a warning letter?

The FDA hasn’t fully regulated CBD as a food / supplement / drug, which leaves merchants in a gray zone. Two rules to follow:

1. The FDA disclaimer. Required on every PDP and any health-related CMS page: “These statements have not been evaluated by the FDA. This product is not intended to diagnose, treat, cure, or prevent any disease.” We auto-inject this via a global block so a content editor can’t accidentally omit it.

2. DSHEA-compliant copy. The Dietary Supplement Health and Education Act lets you make structure-function claims (“supports calm”, “promotes restful sleep”, “may help with everyday stress”) but not disease claims (“treats anxiety”, “cures insomnia”, “heals chronic pain”). The FDA actively sends warning letters for disease claims — ~80–150 letters per year to CBD brands, publicly listed on the FDA enforcement page.

The banned-phrase list we scan for at content-publish time: cures, treats, heals, prevents, FDA-approved, anti-inflammatory, anti-anxiety, anti-cancer, opioid-replacement, addiction-treatment. Admin gets a soft block (“this looks like a disease claim — review before publishing”) rather than a hard block, because edge cases exist.

Real brands have lost millions in revenue and traffic to FDA letters — CBDistillery, Charlotte’s Web, and Curaleaf have all received letters for specific product pages. The guardrails are cheap insurance.
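
One way the publish-time banned-phrase scan with a soft block could work, as an added example (not this page's or any extension's code). The phrase list and disclaimer are copied from the answer above; the function names and status labels are assumptions. It scans the rendered text rather than the raw markup, so tags, HTML entities, look-alike hyphens and zero-width characters do not hide a phrase, and it matches only the listed word forms, so the mandatory disclaimer itself is not flagged.

```python
import html
import re
import unicodedata

# Phrase list and disclaimer copied from this page.
BANNED = ["cures", "treats", "heals", "prevents", "FDA-approved",
          "anti-inflammatory", "anti-anxiety", "anti-cancer",
          "opioid-replacement", "addiction-treatment"]
DISCLAIMER = ("These statements have not been evaluated by the FDA. This product "
              "is not intended to diagnose, treat, cure, or prevent any disease.")

_TAGS = re.compile(r"<[^>]+>")
_INVISIBLE = re.compile("[\u00ad\u200b\u200c\u200d\u2060\ufeff]")  # soft hyphen, zero-width
_DASHES = re.compile("[\u2010-\u2015\u2212]")                      # hyphen look-alikes


def _pattern(phrase):
    # Hyphenated phrases also match with a space or no separator ("anti anxiety").
    parts = (re.escape(p) for p in phrase.lower().split("-"))
    return re.compile(r"\b" + r"[-\s]?".join(parts) + r"\b")


_PATTERNS = [(phrase, _pattern(phrase)) for phrase in BANNED]


def normalise(markup):
    """Reduce CMS markup to the lower-case text a shopper would read."""
    text = _TAGS.sub(" ", markup)               # drop tags, keep word boundaries
    text = html.unescape(text)                  # &#8209; and friends become characters
    text = unicodedata.normalize("NFKC", text)  # fold compatibility forms
    text = _INVISIBLE.sub("", text)
    text = _DASHES.sub("-", text)
    return re.sub(r"\s+", " ", text).strip().lower()


def scan(markup):
    """Return the banned phrases found, in order of appearance."""
    text = normalise(markup)
    hits = []
    for phrase, pattern in _PATTERNS:
        hits.extend((m.start(), phrase) for m in pattern.finditer(text))
    return [phrase for _, phrase in sorted(hits)]


def publish_check(markup, acknowledged=False):
    """Soft block: findings hold the publish until an editor acknowledges them."""
    findings = scan(markup)
    if not findings:
        status = "ok"
    elif acknowledged:
        status = "published_with_override"   # keep the findings for the audit trail
    else:
        status = "needs_review"
    return {"status": status, "findings": findings}


if __name__ == "__main__":
    # Constructed sample PDP copy.
    sample = ("<p>Our tincture <b>supports calm</b> and Treats anxiety.</p>"
              "<p>FDA&#8209;approved formula, anti anxiety blend.</p>")
    print(publish_check(sample))
```
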

Subscription model without Stripe / PayPal — how do you run recurring billing?

Subscriptions still work for CBD — they just don’t run on Stripe Billing or PayPal Subscriptions. The recurring engine moves into the high-risk gateway’s tokenized vault:

  • NMI Customer Vault — tokenizes the card on first purchase, recurring charge fires on schedule. Same fee structure as one-time charges.
  • Authorize.net CIM (Customer Information Manager) — same pattern, different gateway.
  • Aeropay tokenized ACH — customer links bank once, recurring bank-debit charges fire on schedule. Lower fees (~1.5%) but slightly higher failure rate than card-based.

Magento side, two extension options that handle the recurring-charge orchestration:

  • Aheadworks Subscriptions & Recurring Payments — the default for Magento + non-Stripe gateways. Supports prepaid plans, discount-on-renewal, skip-cycle, swap-product. ~$799 one-time + support.
  • Mirasvit Subscriptions — cheaper (~$499), simpler UX, fewer features. Fine for under-2,000-subscriber brands.

The pattern Charlotte’s Web and Medterra use: 15% subscribe-and-save discount, monthly cadence, swap-product / skip-month / cancel buttons in the customer portal. Subscription LTV runs 3.2–4.8x the one-time-purchase LTV in CBD because daily-use customers don’t want to re-buy every 30 days.

B2B wholesale to dispensaries, smoke shops, vape stores — Net-30 and tax-exempt workflow?

This is one of the most under-built parts of most CBD stacks. Three pieces:

  • Customer-segment-based catalog — wholesale buyers see trade pricing (typically 50–65% of MSRP), MOQs (case-pack quantities), and a hidden trade catalog with line-sheet PDF export. DTC visitors never see any of this. Built on Magento customer groups + hidden categories.
  • Net-30 invoicing — wholesale buyers don’t pay at checkout; they get a PO confirmation + invoice with 30-day terms. Routed through Apruve, Resolve, or TreviPay — they underwrite the buyer’s credit, pay you on day 1, and collect from the buyer on day 30. CBD-friendly underwriting is harder than mainstream B2B but all three of these have working CBD programs.
  • Tax-exempt resale certificate workflow — wholesale buyers upload a resale cert (per-state) at registration; we verify + store it + auto-suppress sales tax on their orders. Avalara or TaxJar for tax engine, both handle CBD multi-state nexus.

Real CBD wholesale buyers: dispensaries (medical or recreational, varies by state), smoke shops, vape stores, head shops, natural-health retailers, pet stores (CBD-for-pets is a real category), gym chains (CBD topicals for athletes). Each segment has slightly different MOQ + pricing tier + COA requirements (dispensaries want lot-level COAs with every shipment; smoke shops usually skip them).

Multi-state cannabis-license overlap — when should a CBD store NOT carry hemp-derived delta-9?

Here’s where it gets dangerous. Hemp-derived delta-9 (≤0.3% by dry weight, but a 100g brownie at 0.3% is 300mg of THC — very much intoxicating) is technically federally legal under the 2018 Farm Bill. Several states have decided to treat it as adult-use cannabis anyway: California, Colorado, Connecticut, Minnesota, New York, Oregon, Vermont, Virginia, and Washington all have laws on the books that either ban hemp-derived delta-9 entirely or require it to be sold through licensed dispensaries.

If you hold a cannabis-dispensary license in a state, the state cannabis regulator typically requires your online store to also be license-compliant — which means it can’t carry hemp-derived delta-9 sold under the Farm Bill exemption. Mixing them on one storefront triggers an audit fast.

The architectural answer: separate stores under one Magento instance. Multi-store Magento lets you run brand.com (CBD-only, ships everywhere legal) and brand-dispensary.com (licensed cannabis, in-state delivery only) from one admin, one catalog source-of-truth, completely separate checkout + customer base + payment gateway. License-compliant for the dispensary side, Farm Bill-compliant for the CBD side, never mixed.

If you don’t hold a dispensary license: the safer call is to not carry hemp-derived delta-9 at all until federal regs settle. Stick to CBD + delta-8 (where legal) + CBN + CBG. The marginal revenue from delta-9 isn’t worth losing the rest of the business.

Marketplace bans — Amazon blocks CBD, so what do you do for channel reach?

Amazon, Walmart, Target, and eBay all block CBD outright. Etsy allows topicals only, no ingestibles. The marketplace landscape for CBD is brutal — you’re mostly forced into DTC + a narrow set of CBD-friendly channels:

  • Shop App by Shopify — technically allows CBD merchants but Shopify itself often deplatforms CBD brands for payment violations, so the channel inherits that risk.
  • TikTok Shop — CBD topicals are case-by-case approved (mostly approved), ingestibles are mostly blocked. Apply, pray, accept the rejection ratio.
  • Faire — wholesale marketplace for indie retailers. CBD is allowed in their hemp category. Strong channel for selling into smoke shops + natural-health retailers.
  • Mantis Ad Network — cannabis-focused ad network. Not a marketplace but the main way to advertise CBD where Google / Meta restrictions apply.
  • Leafly — cannabis directory + marketplace. CBD listings allowed.
  • Direct-to-consumer email + SMS via Klaviyo — Klaviyo is the only mainstream ESP that reliably accepts CBD. We wire this as the default marketing engine. Some brands also use Postscript for SMS (CBD-friendly).

The pattern that works for CBD reach without marketplaces: Klaviyo email + SMS + organic SEO + affiliate (LTK doesn’t accept CBD but smaller networks do) + Faire for wholesale. Brands like Joy Organics built $50M+ DTC businesses this way without ever appearing on Amazon.

Cost, timeline, and your credentials for building a CBD store?

Realistic ranges for a CBD/hemp brand at $500k–$5M GMV migrating to or rebuilding on Magento:

  • Compliance + payment audit (fixed-fee): $499 — ~20h at $25/hr. 5 business days. Covers processor stability, age-gate vendor pick, state matrix gaps, COA workflow, FDA/DSHEA copy scan. Written report + remediation roadmap.
  • Magento + Hyvä build (fixed-fee): $4,999 — ~200h at $25/hr. 6 weeks. Catalog + Hyvä storefront + high-risk gateway (NMI / Aeropay / ACH) + Veratad ID verify + state matrix + COA download module + Klaviyo wiring.
  • Custom enterprise (quoted): multi-brand house, B2B wholesale to dispensaries, in-state delivery integration, multi-MID redundancy, multi-state license overlap. Typically $25k–$120k depending on scope.
  • Hosting: $400–$1,500/mo on Cloudways or dedicated. CBD doesn’t have the drop-traffic spikes fashion has, so over-provisioning isn’t as critical.
  • Ongoing retainer: $1.5k–$5k/mo for monthly COA reconciliation, quarterly state-law update, MID health monitoring, FDA-letter monitoring.

Credentials: Adobe-Certified Magento + Hyvä developer. CBD high-risk builds shipped (the kind where Stripe deplatforms the client mid-migration and we re-wire to NMI + Easy Pay Direct in a week). I’m honest about the payment pain — no other vertical has it this bad, and pretending Stripe will work is how brands get 90-day fund holds.

Edge cases — single-SKU starter brand vs multi-state dispensary white-label, what changes?

The build varies dramatically by scale. Two opposite ends:

Single-SKU starter brand (e.g. just-launched 30mg CBD gummy, $50k–$300k first-year target). The right call is the $499 audit + $4,999 build. Hyvä-themed Magento, NMI + AgeChecker.net + state matrix for the 15 banned states + one COA workflow + Klaviyo + Aheadworks Subscriptions. Don’t over-build — the brand needs to validate product-market fit first, and a $50k custom build is wrong for the stage. Magento is still better than Shopify here because Shopify will deplatform you the moment they notice; the migration cost later is what makes the upfront Magento spend make sense.

Multi-state dispensary white-label brand (e.g. 200-SKU catalog across CBD + delta-8 + delta-9, $5M–$50M GMV, wholesale to 800 dispensaries + DTC + in-state delivery in 4 states). Custom enterprise quote. The complexity isn’t the catalog — it’s the multi-store Magento setup (one store per state with cannabis-license overlap, one store for federal CBD), the multi-MID redundancy (when one high-risk MID gets frozen, traffic routes to the second one automatically), the B2B layer (wholesale to dispensaries with per-state pricing + per-state COA delivery requirements), and the in-state delivery integration (Dutchie, Jane, or custom for the dispensary side). Builds in this tier run 4–8 months and $60k–$200k.

If you’re between these two — most CBD brands at $500k–$5M GMV — the $4,999 build gets you to defensible compliance + reliable payment + correct state shipping, and you upgrade pieces as you scale.