01

Threat model the entire decision chain

Prompt injection can arrive through merchant pages, tool output, support messages, files, or agent-to-agent communication. The attack succeeds financially only when untrusted content can influence authority, credentials, or transaction parameters without an independent deterministic check.

Treat the language model as a planner operating on untrusted inputs. It may propose actions and summarize evidence. It should not be the sole control that decides whether funds move.

  • Compromised or malicious merchant content changes the agent’s goal.
  • A tool swaps the destination, amount, asset, or checkout identifier.
  • A captured request is replayed before its expiry.
  • The agent signs the same economic action twice after a timeout.
  • A legitimate agent credential is used outside its approved context.
  • A settled payment is treated as fulfillment when no goods arrived.
02

Controls that remain deterministic

Policy evaluation, credential scope, signature verification, idempotency, replay windows, destination checks, sanctions screening, and reconciliation should be implemented as deterministic controls. Models may assist investigation but should not replace the evidence these controls produce.

Control families mapped to failure modes
Failure modePreventive controlDetective / recovery control
Prompt injectionTool isolation, typed schemas, policy outside modelTrace review, transaction explanation, kill switch
Credential theftHSM or isolated signer, scoped tokens, no raw secretsRotation, revocation, anomaly monitoring
ReplayNonce, expiry, request binding, idempotencyDuplicate detection and reconciliation
Merchant fraudIdentity checks, allowlists, reputation and limitsFulfillment monitoring, dispute or compensating transfer
Policy driftVersioned rules and test fixturesDecision sampling and change review
Rail ambiguityVerified server-side statusPolling, webhooks, ledger reconciliation
03

Compliance scope follows the business model

Agentic payments do not create a regulatory exemption. Obligations depend on jurisdiction, custody, money movement, merchant role, asset, consumer relationship, and data handled. Card environments may bring PCI DSS scope; virtual-asset activity can bring sanctions, AML, and virtual-asset requirements; consumer purchases retain disclosure, refund, and dispute obligations.

Map legal roles before choosing architecture. A facilitator that verifies signed transactions is different from a custodian. A merchant accepting a token is different from an exchange. A platform choosing sellers or controlling funds may carry obligations that a neutral software provider does not. Obtain qualified legal and compliance review for the real flow.

This publication provides technical analysis, not legal advice.
04

Minimize the data that follows the agent

Agentic shopping can accumulate sensitive intent, location, preferences, identity, and payment metadata. Share only what the merchant or rail needs for the current step. Avoid embedding full conversational history inside payment messages or logs.

Separate operational evidence from model-training data. Define retention, access, deletion, and breach-handling rules for intent records and receipts. Tokenize payment credentials and redact secrets from traces by construction rather than relying on later cleanup.

05

Operate for anomalies and recourse

Monitor value, velocity, new counterparties, denial patterns, approval overrides, signer behavior, and reconciliation gaps. Give operators a single case view that joins policy evidence, order state, rail result, and fulfillment.

The principal needs clear recourse: cancel pending actions, revoke mandates, freeze credentials, request refunds, open disputes where the rail supports them, and export an explanation. A safe system is not one that never fails; it is one that contains failure and makes recovery intelligible.

Source discipline

Primary sources

Product status and protocol behavior are checked against maintainer documentation. Company sources establish what their organizations publish; they do not independently prove adoption or performance.

  1. AI Risk Management FrameworkNIST
  2. Digital Identity GuidelinesNIST
  3. Payment Card Industry Data Security StandardPCI Security Standards Council
  4. Virtual assetsFinancial Action Task Force
  5. HTTP Message SignaturesRFC Editor
  6. Trusted Agent Protocol specificationsVisa Developer Center
  7. x402 frequently asked questionsCoinbase Developer Platform