Running an online tobacco or vape business today means dealing with considerably more than inventory and shipping.
Regulations around age-restricted products have tightened, especially online. Age verification, tax reporting, registration, shipping restrictions, recordkeeping – what used to be a relatively simple e-commerce operation now comes with a long list of obligations to manage every day.
For US-based sellers, the Prevent All Cigarette Trafficking (PACT) Act sits at the center of most of it. It’s been around for a while, but the scope has grown, and enforcement has gotten stricter.
Compliance gets a bad reputation that it doesn’t always deserve. The rules are detailed, and the penalties are real, but most businesses find that once they actually sit down with the requirements, it’s more manageable than it looked. Know what’s required, understand where things typically go wrong, and build processes that work – for the regulator and for your customers.
Who this is for – and what it’s not. For founders and operations leads at online tobacco and vape businesses – specifically those selling age-restricted products across state lines and trying to figure out what PACT Act compliance actually requires day to day.
Not a legal breakdown of the PACT Act’s statutory text or a state-by-state tax guide. For the age verification piece specifically, see Age Verification; this article is the operational overview – what to build, what trips people up, and why.
Why the PACT Act Matters
The PACT Act was originally introduced to crack down on illegal cigarette trafficking and make sure tobacco taxes were actually being collected. Over time, the scope expanded – most significantly when amendments brought Electronic Nicotine Delivery Systems (ENDS) under its requirements.
That change significantly impacted online vape sellers.
Products that once operated under a relatively different regulatory environment suddenly became subject to many of the same requirements as traditional tobacco products.
The result was a major shift for e-commerce businesses selling:
- E-cigarettes
- Vape devices
- E-liquids
- Nicotine cartridges
- Disposable vapes
- Certain related components and accessories
Today, online sellers must think beyond sales and marketing. Compliance has become a core business function.
Automate your KYC process
iDenfy verifies customers from 200+ countries in seconds. AI-powered, compliant, and trusted by 1,000+ companies.
Explore KYC SolutionUnderstanding the Main Compliance Requirements
The PACT Act feels complicated partly because it doesn’t focus on one thing – it bundles several obligations together and expects you to manage all of them.
Businesses generally need to address multiple areas simultaneously.
These include:
- Registration with federal authorities
- Registration with state tax administrators where required
- Collection and payment of applicable taxes
- Age verification procedures
- Delivery restrictions
- Report obligations
- Record retention requirements
Missing one piece can create compliance problems even if everything else is running fine. That’s why most sellers who get this right treat PACT Act compliance as an ongoing operational process rather than something you set up once and forget about.

Registering With the ATF Comes First
Before selling cigarettes, smokeless tobacco products, or covered ENDS products across state lines, businesses subject to the PACT Act must register with the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF). This requirement applies to many online sellers and is one of the first compliance steps businesses must take before accepting orders.
Registration is not simply a formality. It provides federal authorities with information about the business and helps support enforcement of tobacco tax and reporting requirements. Depending on where products are sold, businesses may also need to register with state tobacco tax administrators and comply with additional state-level obligations.
One mistake some sellers make is focusing heavily on age verification and shipping procedures while overlooking registration requirements. However, compliance starts long before the first package is shipped. Ensuring registrations are completed properly can help avoid regulatory issues and create a stronger foundation for the rest of a company’s compliance program.
Age Verification Is No Longer Optional
Perhaps the most visible requirement for online sellers is age verification.
Physical retail has one advantage online businesses don’t – staff can check ID in person. Remote age verification is harder, and regulators know it, but that doesn’t lower the bar.
A checkbox asking customers to confirm they’re over 21 won’t cut it. Regulators expect real steps to verify age before a sale goes through. The exact method can vary, but the standard is clear: you need to be able to show that you’re actively preventing underage purchases, not just asking people to self-certify.
This is where technology has become increasingly important.
Many online sellers now rely on an ID verification service that combines document validation, database checks, and identity verification to help confirm customer age before transactions are approved.
The goal is not only compliance. It is also reducing the risk of accidental sales to minors, which can lead to serious legal and reputational consequences.
Shipping Creates Additional Responsibilities
Selling age-restricted products online does not end when the order is placed.
Shipping introduces another layer of obligations.
The PACT Act sets specific requirements around delivery, particularly adult signature verification. Depending on the circumstances, packages may only be delivered to a verified adult – creating logistical challenges that most e-commerce businesses never have to consider.
Leaving a package on a doorstep is fine for most consumer goods. For regulated products, it’s not that simple. Businesses need to understand what carriers will and won’t do, which delivery options are available, and how those options line up with their compliance obligations.
Getting delivery verification wrong can undermine an otherwise solid compliance program – even if everything else is in order.
Tax Compliance Often Creates the Biggest Headache
When sellers first hear about the PACT Act, age verification usually gets the most attention.
In practice, tax compliance is often where businesses encounter the greatest operational complexity.
Different jurisdictions may impose different tax requirements. Reporting obligations can vary. Registration requirements can differ from one state to another. For businesses selling nationally, managing these obligations manually gets harder the more orders come in. The challenge is not necessarily understanding the rules. The challenge is keeping up with them consistently because tax requirements change. Regulatory guidance evolves, and businesses expand into new markets.
A compliance strategy that worked two years ago may require adjustments today.
Recordkeeping Is More Important Than Many Businesses Realize
Good compliance is not only about following the rules but also about demonstrating that you followed them.
If regulators request information, businesses should be able to show how age verification was performed, how taxes were handled, and how transactions were processed.
That means maintaining organized records.
Most businesses don’t think too hard about recordkeeping until they’re facing an audit. Good records make compliance easier to demonstrate and take a lot of the stress out of it when documentation gets requested.
Strong recordkeeping also makes internal reviews much easier, particularly as businesses scale.
Common Mistakes Online Sellers Make
Most compliance problems aren’t the result of deliberate misconduct. They happen because businesses underestimate how complex their obligations actually are.
Some common mistakes include:
- Treating age gates as sufficient verification
- Failing to update compliance procedures as regulations evolve
- Assuming shipping carriers handle all compliance responsibilities
- Neglecting state-specific requirements
- Maintaining incomplete records
- Waiting until after growth occurs to address compliance infrastructure
Most of these problems are preventable. The businesses that avoid them tend to treat compliance as something to get ahead of rather than react to.
Building Compliance Into the Customer Journey
Many sellers worry that tighter compliance will hurt conversion rates. It’s a fair concern – every extra step in the checkout process is another chance for a customer to drop off.
But modern verification tools have improved considerably, and customers have gotten more used to identity checks for regulated products. What makes the difference is whether the process feels clear and legitimate rather than like an obstacle.
Some best practices include:
- Explaining why verification is required
- Keeping instructions simple
- Using mobile-friendly verification workflows
- Minimizing unnecessary manual reviews
- Ensuring verification happens at logical points in the customer journey
Customers are generally more willing to complete verification when they understand the reason behind it.
Transparency helps reduce friction.
Compliance Is Becoming a Competitive Advantage
Historically, some businesses viewed compliance primarily as a cost center.
That mindset is changing.
Strong compliance programs reduce legal exposure and build credibility. Customers, payment providers, business partners, regulators – all of them place more trust in businesses that can demonstrate they operate responsibly.
In a regulated industry, that trust has real value. Businesses that invest in compliance infrastructure tend to be better positioned for long-term growth – not because they predicted every regulatory change, but because they’re not constantly reacting to them. The systems are already there.
Preparing for Future Changes
One thing the tobacco and vape industry has learned, more than once, is that regulations don’t stay still.
Rules evolve. Enforcement priorities shift. New technologies emerge.
Businesses that build flexible compliance programs adapt better than those that patch problems as they arise. Regular procedure reviews, tracking regulatory changes, reassessing risk as the business evolves – none of it is dramatic, but it’s what keeps things from breaking.
Compliance doesn’t have a finish line. It moves with the industry.
“There is a regulation not to be able to sell alcohol and tobacco to underage customers. So if there is a doubt from the retailer that the person who is trying to buy something is [underage], he should be able to spot verify the age by scanning one of the IDs that are presented to the retailer and make sure that it’s a valid ID and indeed that person is of age, of the right age to be able to buy it. And then store the data for any future compliance or regulatory.” – K-Hub (Commerce Hub)
Conclusion
PACT Act compliance feels complicated because it touches several parts of the business at once – age verification, shipping controls, tax obligations, reporting, recordkeeping. Taken together, it’s a lot. Broken down into individual components, it’s much more manageable.
The online tobacco and vape sellers that handle this best aren’t always the ones with the biggest compliance teams. They’re usually the ones that built compliance into how they operate from the start rather than treating it as something to retrofit later.
Good verification procedures, solid recordkeeping, a clear understanding of shipping obligations, and staying on top of regulatory changes – none of it is particularly complicated on its own. Put together, it reduces risk and keeps the business on solid ground.
In an industry this heavily regulated, compliance isn’t background noise anymore. It’s part of how a sustainable business gets built.