Security considerations for agentic payment systems

Security considerations for agentic payment systems | by Shishir Iyer - Freedium Milestone: 20GB Reached We’ve reached 20GB of stored data — thank you for helping us grow! Patreon Ko-fi Liberapay Close < Go to the original Security considerations for agentic payment systems As agentic AI continues to gain prevalence, the major players in this space continue to develop new ways to use this emerging technology… Shishir Iyer Follow ~4 min read · March 25, 2026 (Updated: March 25, 2026) · Free: Yes As agentic AI continues to gain prevalence, the major players in this space continue to develop new ways to use this emerging technology. In September 2025, Google announced the development of AP2 — a protocol for AI agents to effectively and securely handle transactions. OpenAI announced a similar project for ChatGPT as well. The abilities of agentic AI are certainly suited to handling transactions; making purchases can involve a variety of complex decisions, and agents can combine information from multiple sources to make these decisions. However, with these increased capabilities come increased security risks. Like all LLMs, AI agents are susceptible to a number of threats such as prompt injection. These agents are also trusted with important tasks such as managing payments, and potentially many more if one chooses to integrate their payment agent with other services (such as their email or calendar). As a result, care must be taken when designing payment protocols. How agentic payment systems work A major goal of an agentic payment system is to ensure authenticity and integrity of the transaction, so any payment protocol must correctly handle this. Much of the information in this section is based on the publicly available demo build of AP2 on Github . Chat-GPT's proposed system seems to be closed source, but based on the description on their webpage it likely works similar to AP2. AP2 accomplishes the goals of security and authenticity using a system of mandates. These are objects that carry some sort of cryptographically signed proof of each party's intent in the transaction. There are three main types of mandates — intent mandates, cart mandates, and payment mandates. Intent mandates are provided by the user agent and approved by the user, and they serve as proof to the merchant that the requested purchase actually matches what the user wanted. Cart mandates are created and signed by the merchant and presented to the user for approval; they provide further confirmation that the user is in fact buying the right thing and for the right price. Finally, the merchant creates a payment mandate which helps verify the transaction to the payment network. Simplified agentic payment system workflow The mandates help not only ensure that the user actually buys the product they intended, but that the transaction can only take place with the user's explicit authorization. Additionally, the transaction remains faithful to the price that the user and merchant agree upon, and the use of a message authentication code ensures that the mandate contents weren't modified in transit. The mandate system also makes moving to an asynchronous model fairly simple. With the use of the intent mandate, users can pre-authorize a transaction and have the agent perform a purchase on their behalf. This would be useful if the user wanted a certain product that was out of stock at the time, or for a recurring payment like a subscription service. Potential mandate issues While mandates do a good job of providing security for the transaction as described above, they can themselves be used for prompt injection depending on how they're implemented. If mandate fields are not sanitized, for instance, a malicious merchant could craft a cart mandate containing a prompt injection. Alternatively, the merchant itself could be trustworthy but contain a malicious listing. Such an attack could have a variety of consequences depending on the capabilities of the user agent. A simple experiment I tried was crafting a cart mandate with an injected prompt convince the user agent to omit the shipping cost, which it was ultimately able to do. This is, of course, an impractical attack, but it does demonstrate this potential weakness. With this in mind, there are many steps that can be taken to secure this framework. The biggest and most important is to have some kind of validation of mandate fields, perhaps by some sort of central authority. This would mitigate the possibility of using the mandate for prompt injection. Because the user and merchant agents should only communicate using the mandates, this would make prompt injection in general significantly harder. These payment systems are designed to work with any agents that support the protocol, so they should provide a more robust level of protection for any agents that use them. Of course, despite the fact that the protocol should be more trustworthy, the agents themselves should also be more secure. While it is impossible to completely eliminate the possibility of prompt injection, these kinds of attacks are limited by the capability of the user agent. This further highlights the importance of the principle of least privilege. User agents should only be given the permissions needed to complete their task. Interfacing with an agentic payment system should be seen as a potential security risk like any other, and agents must be designed with this consideration. Conclusion Although agentic AI-driven payment systems are a big step towards further facilitating online commerce, careful thought must be given to properly protecting these agents against prompt injection attacks. As these payment protocols continue development, hopefully the issues mentioned here get addressed and allow for a secure and stress-free shopping experience. #ai #agentic-ai #online-business Reporting a Problem Sometimes we have problems displaying some Medium posts. If you have a problem that some images aren't loading - try using VPN. Probably you have problem with access to Medium CDN (or fucking Cloudflare's bot detection algorithms are blocking you).