Payment strategy
Why checkout is pickup-first today and how online payment should be approached for this business.
The safest first production checkout path is a pickup hold request.
That means the website lets a shopper build a cart and request a pickup hold, and store staff confirm the order before final payment. This keeps the storefront useful without forcing the store into a payment processor setup that may not be approved for smoke shop ecommerce.
For the longer research history, including the Square, Stripe, NMI, PayKings, and crypto discussion, see Payment processor research.
Why this needs care
Smoke shop products can fall into age-restricted or otherwise high-risk categories. Payment processor approval is not only a technical question. It depends on the exact products sold, how they are described, where the business operates, how fulfillment works, and what rules the processor or merchant account applies.
The website should not assume that a payment processor used at the physical counter is automatically approved for online checkout.
Processor research
Stripe
Stripe is strong for normal ecommerce, subscriptions, and hosted checkout. It is not the recommended default for this storefront.
Stripe's restricted business policy lists regulated or age-restricted products, including tobacco and e-cigarettes, as restricted. Stripe also lists cannabis products as prohibited. A smoke shop may need review or approval, and some product categories may not be supported at all.
Square
Square is useful for brick-and-mortar retail and may already fit the in-store counter flow.
For online checkout, Square's payment terms are more restrictive for this use case. Square says its service may not be used for internet, mail, or telephone order sale of age-restricted products, including tobacco. That means in-store Square usage should not be treated as blanket approval for ecommerce.
NMI
NMI is a better direction for a payment gateway proof of concept.
NMI provides payment components for tokenizing customer payment details in the browser. The website can send a token to the API, and the API can attempt a transaction without the storefront directly handling raw card data.
The main reason NMI is attractive here is flexibility. The gateway direction can support a high-risk merchant account path, and the website can keep one checkout design while the backend merchant relationship is finalized or changed later.
Current prototype
The prototype supports two checkout modes:
- pickup hold request, which is the default
- NMI sandbox payment, which proves the payment handoff shape
In both modes, the API re-checks cart line items before creating the checkout result. That means the browser cannot quietly change a product price or invent a product and have the API accept it as trusted.
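One way to implement the re-check described above, as an added example that is not the prototype's own code. The catalogue contents, field names, the `repriceCart` function and the quantity and stock limits are assumptions made for illustration.

```javascript
// Constructed sample catalogue: the server's only trusted source of price and stock.
// Prices are integer cents to avoid floating-point drift.
const CATALOG = new Map([
  ["grinder-01", { name: "Aluminium grinder", priceCents: 1999, stock: 5, active: true }],
  ["papers-02", { name: "Rolling papers", priceCents: 299, stock: 40, active: true }],
  ["retired-03", { name: "Discontinued item", priceCents: 999, stock: 0, active: false }],
]);

const MAX_QTY_PER_LINE = 20; // assumed business limit

// Rebuild the cart from the catalogue. Only `productId` and `quantity` are read
// from the client; any price, name or total the browser sent is ignored.
function repriceCart(clientLines, catalog = CATALOG) {
  if (!Array.isArray(clientLines) || clientLines.length === 0) {
    return { ok: false, errors: ["cart is empty or malformed"] };
  }
  const errors = [];
  const merged = new Map(); // collapse duplicate lines so stock is checked once per product
  for (const line of clientLines) {
    const id = typeof line?.productId === "string" ? line.productId : null;
    const qty = line?.quantity;
    if (id === null || !Number.isInteger(qty) || qty < 1 || qty > MAX_QTY_PER_LINE) {
      errors.push(`invalid line: ${JSON.stringify(line)}`);
      continue;
    }
    merged.set(id, (merged.get(id) ?? 0) + qty);
  }
  const lines = [];
  let totalCents = 0;
  for (const [id, qty] of merged) {
    const product = catalog.get(id);
    // Inactive products are reported the same way as unknown ones.
    if (!product || !product.active) { errors.push(`unknown product: ${id}`); continue; }
    if (qty > product.stock) { errors.push(`insufficient stock: ${id}`); continue; }
    const lineCents = product.priceCents * qty;
    lines.push({ productId: id, name: product.name, unitCents: product.priceCents, quantity: qty, lineCents });
    totalCents += lineCents;
  }
  // Any single bad line rejects the whole cart rather than silently dropping it.
  return errors.length ? { ok: false, errors } : { ok: true, lines, totalCents };
}
```

The hold request or the NMI transaction amount would then be built from the returned `lines` and `totalCents`, never from the request body.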
Recommended production path
Start with pickup hold requests.
Use online payment only after the store has an approved high-risk merchant account and written clarity on which products, fulfillment methods, and customer checks are allowed.
The production checkout plan should be:
- Launch the storefront with pickup hold requests.
- Use staff review at pickup for age and stock confirmation.
- Keep the NMI integration path available for approved online payment.
- Avoid building the production business around a processor that may close or freeze the account.
Client decisions
Before online payment goes live, decide:
- Which products can be sold online.
- Whether payment happens online, in store, or only after staff approval.
- Whether certain products should be quote-only or member-only.
- Which high-risk merchant account will underwrite the business.
- Whether pickup, delivery, or shipping is allowed.