The 2026 rules for peptide commerce, decoded.

LegitScript is the third-party certification that the card networks now rely on to evidence that a peptide merchant is not selling unapproved drugs to consumers without a prescription. Without it, you cannot keep a U.S. card MID open for peptides in 2026 — the underwriting documents from every domestic acquirer require it as table stakes.

The application is not technically difficult, but it is procedurally hostile to founders without experience. Mis-tier yourself and you'll wait six weeks to be told you need to reapply. Miss a disclaimer on a single product page and your application stalls. Use the wrong category for a GLP-1 vs. a research peptide and the reviewer rejects without explaining which one was wrong.

What we do: we pre-screen your site against the LegitScript matrix before you submit, pay the $1,075 fee at cost (no markup), and walk you through the disclosure requirements. Approved merchants typically clear in 2–3 weeks instead of 6–8.

The Business Risk Assessment and Mitigation (BRAM) program is how Mastercard polices its acquirers' portfolios. In June 2025, Mastercard amended BRAM to explicitly include research peptides and unapproved injectables among the categories that trigger automatic fines and merchant-level review.

The practical effect: any acquirer that boards a peptide merchant without the right paperwork now risks a fine per merchant, per month. This is why generalist high-risk processors quietly stopped accepting peptide applications in late 2025 — even ones that previously advertised the category as a specialty.

What we do: our underwriting screen is built around the BRAM requirements, not retrofitted to them. Every MID we issue carries the documentation set the BRAM auditors look for, in the order they look for it.

The FDA does not regulate peptides per se — it regulates claims. The 80-plus warning letters issued across 2025 and 2026 to peptide and GLP-1 sellers were almost uniformly about copy: "research use only" disclaimers paired with consumer-facing dosing pages, comparative claims against approved drugs like Ozempic, and unsubstantiated claims about therapeutic effect.

A warning letter is not a fine. But it is a public-record document that acquirers monitor. One letter to your brand and your MID is at risk inside thirty days regardless of whether you change the copy.

What we do: we review your product copy before underwriting and flag anything an FDA reviewer would. We are not lawyers, but we have seen what triggers letters. We will not approve a merchant whose copy looks like the last three brands that got hit.

We decline RUO-only sellers making human-use claims. We decline merchants whose product pages compare their compound directly to FDA-approved drugs by name. We decline merchants without third-party CoA testing visible per batch. We decline merchants whose compounder is undisclosed.

This is not us being picky. These are the merchant categories that have collapsed every prior peptide processor's portfolio. Every approved PeptideRails merchant benefits from the ones we said no to.