Stripe & PayPal Prohibited and Restricted Businesses: Complete 2026 Guide
Understand prohibited vs. restricted business categories on Stripe and PayPal and assess your enforcement risk.
Before a payment platform freezes your account, it usually decides whether your business belongs in a prohibited, restricted, or "grey" category. This guide explains how Stripe and PayPal think about high-risk industries in 2026, what "prohibited" vs. "restricted" really means, and how to assess whether your business sits in an enforcement danger zone.
Disclaimer
Prohibited vs. Restricted: What's the Difference?
Payment platforms don't view all risk the same way. They use three broad buckets:
- Prohibited businesses -- Business types that platforms will not support at all. If discovered, they are subject to immediate closure or denial.
- Restricted businesses -- Business types allowed only under certain conditions (for example, additional underwriting, documentation, or specific geographies).
- Grey areas -- Models not explicitly listed but adjacent to higher-risk categories, often enforced through interpretation rather than hard lists.
Understanding which bucket you're closest to is essential for predicting enforcement risk.
Stripe: Prohibited Business Categories (High-Level Types)
Stripe maintains a detailed list of prohibited businesses. While the exact wording changes over time, common high-level types include:
-
Illegal or regulated goods and services
- Activities that are illegal in applicable jurisdictions.
- Unlicensed sale of heavily regulated items.
-
Certain financial services and high-risk schemes
- Unregistered investment products, high-yield schemes, or deceptive income opportunities.
- Some forms of debt relief, credit repair, and similar services.
-
Abuse-prone digital content and services
- Specific adult content or services that violate Stripe's standards.
- Certain types of digital piracy, hacking tools, or circumvention services.
-
Dangerous or harmful products
- Items associated with serious safety risks or clear policy bans.
If your core product clearly matches a Stripe-prohibited category, enforcement is usually strict and fast once detected.
Stripe: Restricted / Higher-Risk Categories
Stripe also has categories that are not outright banned but treated as higher risk:
- Certain subscription and membership models where deliverables are vague or primarily "support" for free content.
- Marketplaces and platforms moving funds between third parties, especially in sensitive industries.
- Fundraising, donations, and "support" flows with limited transparency on beneficiaries or use of funds.
These businesses may be allowed, but they are more likely to attract reviews, documentation requests, and enforcement if policies tighten.
PayPal: Prohibited Business Categories (High-Level Types)
PayPal takes a similar but not identical approach, with its own prohibited list. Common high-level types include:
-
Illegal activities and regulated goods
- Anything unlawful in any jurisdiction relevant to the transaction.
- Unlicensed sale of regulated products and services.
-
Certain financial and crypto-adjacent services
- Unapproved investment schemes, some financial intermediation, and other high-risk financial services.
-
Content and products PayPal explicitly bans
- Specific adult content, hate or violence-related items, or other banned material.
-
Deceptive or abusive business models
- Businesses built around misleading claims, hidden fees, or abusive billing practices.
Prohibited means PayPal may terminate the relationship, freeze funds, and restrict access with little or no notice once identified.
PayPal: Restricted and Special-Attention Categories
PayPal's restricted and close-watch categories often see more limitations and 180-day holds:
- Donations, fundraising, and "support" payments with unclear beneficiaries or use of funds.
- Digital goods and services where proof of delivery is harder to establish.
- High-risk verticals (for example, certain coaching, info products, or speculative programs) that PayPal has historically scrutinized.
These businesses may operate on PayPal, but they sit closer to enforcement lines and are more sensitive to policy updates.
Grey Areas: Where Enforcement Often Starts
Some of the most dangerous risk zones are not spelled out line-by-line in any public list. They live in how platforms interpret policies.
Common grey-zone examples:
- Creator monetization models -- Tips, memberships, and "support" flows layered on top of free content, especially when benefits are loosely defined.
- Communities and cohorts -- Paid access to groups where content or activity may drift into higher-risk topics over time.
- Hybrid business models -- Businesses that look like a mix of SaaS, marketplace, and fundraising, making classification ambiguous.
Grey areas are where early-warning alerts on policy changes matter most, because platforms tend to tighten definitions quietly before visible enforcement.
Stripe vs. PayPal: How Their Risk Lenses Differ
While both Stripe and PayPal use prohibited/restricted frameworks, they enforce differently:
| Aspect | Stripe | PayPal |
|---|---|---|
| Primary focus | Developer-first, product-driven risk controls | Consumer and marketplace protection at global scale |
| Typical enforcement | Freezes, fund holds, capability restrictions | Limitations, full freezes, 180-day holds |
| Category sensitivity | SaaS, subscriptions, creator/payment platforms | Donations, digital goods, community and global flows |
| Documentation expectations | Strong, especially for platforms and marketplaces | Strong, especially for high-risk regions and use cases |
Designing your risk posture once for both platforms is rarely enough -- you need to understand how each one sees your model.
Is My Business at Risk? Self-Assessment Checklist
Use this quick checklist to gauge where you might sit on the risk spectrum:
-
Category alignment
- Does your actual model match the category or MCC you selected?
- Could an external reviewer clearly understand what you do from your website and materials?
-
Proximity to prohibited categories
- Are you adjacent to industries commonly seen as high risk, even if not explicitly listed?
-
Clarity of deliverables
- Can you clearly explain what a customer, subscriber, or donor receives, and how you prove delivery?
-
Use of funds
- For donations, fundraising, or "support" payments, can you show where the money goes and why?
-
Documentation readiness
- If Stripe or PayPal asked for contracts, invoices, and proof of service tomorrow, could you respond quickly?
If you're unsure on several of these points, your enforcement risk is higher than it needs to be.
How Policy Changes Move Categories
Categories are not static. A business model that felt safe last year can sit closer to "restricted" after a quiet policy update.
Typical evolution looks like:
- Subtle language change in a prohibited/restricted list or acceptable use policy.
- Internal risk guidance update, often not publicly documented.
- Gradual increase in reviews, documentation requests, and micro-enforcement.
- Visible wave of freezes or holds in affected categories.
PlatformPolicy is designed to detect step 1 and step 2, not just step 4.
Using PlatformPolicy with Prohibited/Restricted Lists
Official Stripe and PayPal lists tell you where the lines are supposed to be. PlatformPolicy helps you see when those lines are moving closer to your business.
With enforcement-focused alerts, you can:
- Identify when your category or a neighboring one gains new restrictions or risk language.
- Adjust your positioning, flows, and documentation before enforcement spikes.
- Decide when it's time to diversify processors or reduce exposure to a single platform.
Instead of checking long policy pages manually, you get a focused signal that says, "This update matters for businesses like yours -- here's what changed and what to do next."
Stay Ahead of Category-Level Enforcement
If your business touches money, compliance risk is not optional -- but panic doesn't have to be your default mode.