LegitScript Certification Guide: Everything High-Risk Merchants Need to Know in 2026

If you operate in a regulated industry (telehealth, online pharmacy, nutraceuticals, supplements, or any health-adjacent eCommerce category), LegitScript is one of the most consequential compliance relationships your business has. It affects whether you can advertise on Google. It affects whether you can keep your payment processing account. And it runs in the background of your payment relationship whether you know it or not.

This guide covers the complete picture: what LegitScript is, the difference between certification and monitoring, who needs certification, the current 2026 fee structure, a step-by-step application walkthrough, what triggers a monitoring flag, and how ConvesioPay’s LegitScript infrastructure connects to your account.

Certification vs. Monitoring: The Critical Distinction

These two functions are frequently confused, but understanding the difference is fundamental to managing your compliance posture.

LegitScript Certification is a voluntary application process. You submit documentation, pass a compliance review against LegitScript’s 9 standards, and receive official certification. It is a point-in-time review — required by Visa and Mastercard for certain merchant categories and by Google and other ad platforms for healthcare advertising.

LegitScript Monitoring is a continuous automated scanning service that payment processors subscribe to. Your site is scanned on an ongoing basis against LegitScript’s risk intelligence database — regardless of whether you hold certification. You don’t apply for monitoring. It happens because your processor subscribes to it.

You can be monitored without being certified. You can be certified and still generate monitoring flags if your site changes after certification. These are separate programs.

Who Needs LegitScript Certification

Required by Visa and Mastercard

  • Online pharmacies (MCC 5912)
  • Drug and pharmaceutical stores (MCC 5122)
  • Any card-not-present merchant whose business model falls within pharmacy or pharmaceutical supply MCC categories

Required for advertising on major platforms

  • Telemedicine providers advertising on Google, Bing, Meta, or TikTok in the US, Canada, and expanding international markets
  • Online pharmacies advertising on any major platform
  • Healthcare merchants seeking to run paid media involving prescription or pharmacy-adjacent claims
  • Nutraceutical and supplement companies with health claims
  • Peptide and research chemical companies
  • Healthcare SaaS platforms processing patient-related payments
  • Any merchant in a health-adjacent category whose processor requires it as a condition of onboarding

Why LegitScript Certification Matters for Your Payment Account

Visa and Mastercard require that acquirers maintain oversight of the merchants processed through their networks. For merchant categories involving healthcare and pharmaceuticals, the card networks have designated LegitScript as the recognized verification body.

Processing access. Payment processors serving high-risk healthcare merchants are required by their acquirers to verify that merchants meet compliance standards. LegitScript certification is the most widely accepted proof of that verification.

MCC fee savings. All merchants with MCCs 5122 and 5912 are automatically classified as high-risk, typically carrying an additional annual fee. LegitScript-certified merchants in these categories may be exempt from this fee, creating real annual savings on top of the compliance benefit.

Advertising access. Without LegitScript certification, healthcare merchants cannot run Google Ads, Meta Ads, Bing Ads, or TikTok Ads for pharmacy or telemedicine services.

Processing account protection. Certified merchants have a documented compliance posture that processors and acquirers can reference when evaluating account risk, substantially improving your position when compliance questions arise.

2026 LegitScript Fee Structure

| Fee | Amount (per website) |
|---|---|
| One-time application fee (non-refundable) | $975 |
| Annual certification fee (upon approval) | $2,150 |
| Expedited review (optional) | $608 additional |

The application fee is non-refundable regardless of outcome. The annual fee begins only upon successful certification. Each domain requires a separate application. The expedited review reduces the standard multi-month timeline to days or weeks, which makes it worth the investment for merchants in urgent situations.

The 9 LegitScript Certification Standards

LegitScript evaluates applications against 9 standards. Review your business against each before applying:

  • 1. Legal and regulatory compliance – operates within laws in all jurisdictions served
  • 2. Privacy and security – appropriate data privacy practices, including HIPAA where applicable
  • 3. Transparency – business name, address, contact information, and ownership accurately disclosed
  • 4. Patient safety – practices that protect patient safety, including appropriate prescribing standards
  • 5. Prescription practices – for prescription-involved merchants, the prescription process is legitimate and documented
  • 6. Controlled substances – handling consistent with legal requirements
  • 7. Business affiliations – no affiliations with prohibited or non-compliant entities
  • 8. Advertising and marketing – claims do not violate applicable regulations
  • 9. Ongoing compliance – systems in place to maintain compliance post-certification

Most common application failures: Standard 3 (missing or unclear business information), Standard 5 (checkout flow ambiguity on prescription items), and Standard 8 (health claims exceeding FDA supplement guidelines).

Step-by-Step: How to Apply for LegitScript Certification

Step 1: Create your account. Go to certification.legitscript.com and create an account with your business contact information.

Step 2: Start a new certification application. Select your certification type (Healthcare Merchant Certification for pharmacies and telehealth) and review documentation requirements before proceeding.

Step 3: Pay the application fee. $975 non-refundable fee required before completing the questionnaire.

Step 4: Complete the questionnaire. Covers your business model, products and services, prescription practices (if applicable), geographic service area, business registration, and compliance practices. Be accurate and specific — vague answers are a primary cause of delays and denial.

Step 5: Submit supporting documentation. Common requirements include: business registration/certificate of incorporation, state pharmacy or prescribing licenses, provider credentials and DEA registrations (where applicable), sample patient intake and consultation documentation, product descriptions and labeling, privacy policy and terms of service, HIPAA compliance evidence.

Step 6: Navigate review. LegitScript may request additional documentation or clarification — most applications require at least one follow-up exchange. Respond promptly and specifically.

Step 7: Maintain ongoing certification. $2,150/year per domain for renewal. Monitoring continues post-certification — maintain your practices in alignment with the standards you were certified against.

LegitScript Monitoring: What Happens Behind the Scenes

ConvesioPay operates its own LegitScript instance to monitor the merchants it serves. This is a requirement from Adyen: as ConvesioPay’s acquirer, Adyen requires sub-merchant portfolios in high-risk categories to be actively monitored for compliance. Adyen does not have direct visibility into ConvesioPay’s instance; alerts are reviewed internally and escalated only when warranted.

What monitoring scans for

  • Prescription checkout flows that appear to allow purchase before documented provider review
  • Health claims on products exceeding FDA supplement guidelines
  • Controlled substance analog marketing with implied human use
  • Missing or invalid contact information and business addresses
  • Age verification gaps on products requiring it
  • Advertising and marketing content violating applicable regulations

When a flag is generated

When LegitScript identifies a potential compliance issue, the monitoring platform generates an alert describing the specific URL, issue category, and observed content. At ConvesioPay, this alert is reviewed by the compliance team in the context of the merchant’s known business model before any action is taken. Not every flag results in merchant contact; some resolve on internal review. Flags that indicate a genuine compliance gap result in an inquiry requesting documentation or remediation.

The connection to Adyen compliance inquiries and BRAM

A LegitScript flag that requires follow-up can become a formal Adyen compliance inquiry, a specific format requiring a documented response. Unresolved flags in certain categories can escalate to BRAM violations, which carry fines up to $200,000. Both of these downstream consequences are covered in the companion guides linked below.

Certification vs. Monitoring: Reference Summary

| | LegitScript Certification | LegitScript Monitoring |
|---|---|---|
| What it is | Voluntary compliance credential | Continuous automated site scanning |
| Who initiates it | Merchant applies | Processor subscribes |
| Cost to merchant | $975 app + $2,150/year | No direct cost |
| Timing | Point-in-time + annual renewal | Continuous |
| Required for advertising | Yes — Google, Meta, Bing, TikTok | No |
| Affects account if flagged? | If certification lapses or is revoked | Yes — can trigger inquiries or account action |

How ConvesioPay’s LegitScript Infrastructure Works for You

ConvesioPay can be specific about what most processors describe in general terms: we run LegitScript monitoring on behalf of Adyen, review alerts before escalating them, and treat monitoring flags as the starting point for a compliance conversation, not an automatic account action.

The merchants who maintain stable processing relationships are the ones who engage proactively: obtain LegitScript certification where it’s available for their category, respond promptly to monitoring-related inquiries, and treat compliance documentation as an ongoing operational practice rather than something they scramble for when a flag appears.

If you have questions about LegitScript certification for your specific business category, or if you’ve received a monitoring-related inquiry, reach out to the ConvesioPay team directly. This is exactly what our compliance infrastructure is built to support.

Updated on June 8, 2026
