Threat model the entire decision chain
Prompt injection can arrive through merchant pages, tool output, support messages, files, or agent-to-agent communication. The attack succeeds financially only when untrusted content can influence authority, credentials, or transaction parameters without an independent deterministic check.
Treat the language model as a planner operating on untrusted inputs. It may propose actions and summarize evidence. It should not be the sole control that decides whether funds move.
- Compromised or malicious merchant content changes the agent’s goal.
- A tool swaps the destination, amount, asset, or checkout identifier.
- A captured request is replayed before its expiry.
- The agent signs the same economic action twice after a timeout.
- A legitimate agent credential is used outside its approved context.
- A settled payment is treated as fulfillment when no goods arrived.
Controls that remain deterministic
Policy evaluation, credential scope, signature verification, idempotency, replay windows, destination checks, sanctions screening, and reconciliation should be implemented as deterministic controls. Models may assist investigation but should not replace the evidence these controls produce.
| Failure mode | Preventive control | Detective / recovery control |
|---|---|---|
| Prompt injection | Tool isolation, typed schemas, policy outside model | Trace review, transaction explanation, kill switch |
| Credential theft | HSM or isolated signer, scoped tokens, no raw secrets | Rotation, revocation, anomaly monitoring |
| Replay | Nonce, expiry, request binding, idempotency | Duplicate detection and reconciliation |
| Merchant fraud | Identity checks, allowlists, reputation and limits | Fulfillment monitoring, dispute or compensating transfer |
| Policy drift | Versioned rules and test fixtures | Decision sampling and change review |
| Rail ambiguity | Verified server-side status | Polling, webhooks, ledger reconciliation |
Compliance scope follows the business model
Agentic payments do not create a regulatory exemption. Obligations depend on jurisdiction, custody, money movement, merchant role, asset, consumer relationship, and data handled. Card environments may bring PCI DSS scope; virtual-asset activity can bring sanctions, AML, and virtual-asset requirements; consumer purchases retain disclosure, refund, and dispute obligations.
Map legal roles before choosing architecture. A facilitator that verifies signed transactions is different from a custodian. A merchant accepting a token is different from an exchange. A platform choosing sellers or controlling funds may carry obligations that a neutral software provider does not. Obtain qualified legal and compliance review for the real flow.
This publication provides technical analysis, not legal advice.
Minimize the data that follows the agent
Agentic shopping can accumulate sensitive intent, location, preferences, identity, and payment metadata. Share only what the merchant or rail needs for the current step. Avoid embedding full conversational history inside payment messages or logs.
Separate operational evidence from model-training data. Define retention, access, deletion, and breach-handling rules for intent records and receipts. Tokenize payment credentials and redact secrets from traces by construction rather than relying on later cleanup.
Operate for anomalies and recourse
Monitor value, velocity, new counterparties, denial patterns, approval overrides, signer behavior, and reconciliation gaps. Give operators a single case view that joins policy evidence, order state, rail result, and fulfillment.
The principal needs clear recourse: cancel pending actions, revoke mandates, freeze credentials, request refunds, open disputes where the rail supports them, and export an explanation. A safe system is not one that never fails; it is one that contains failure and makes recovery intelligible.
Source discipline
Primary sources
Product status and protocol behavior are checked against maintainer documentation. Company sources establish what their organizations publish; they do not independently prove adoption or performance.
- AI Risk Management FrameworkNIST ↗
- Digital Identity GuidelinesNIST ↗
- Payment Card Industry Data Security StandardPCI Security Standards Council ↗
- Virtual assetsFinancial Action Task Force ↗
- HTTP Message SignaturesRFC Editor ↗
- Trusted Agent Protocol specificationsVisa Developer Center ↗
- x402 frequently asked questionsCoinbase Developer Platform ↗