Who (or What) clicked Pay | Why Merchants should become Agent-Aware today
Most merchants today are agent-blind — and that could be a problem.
If you’re in Payments and/or Tech, you’ve probably seen one of those videos already — an AI agent browsing, selecting, and paying, all on its own. Armed with a disposable virtual card and email address, I set out to give it a try. I tasked a popular AI agent to order a pizza for pickup on the local Pizzeria’s website. As the x10 speed video shows, the AI Agent was successful. From start to finish, the process took about 20 minutes. More importantly, it raised several questions/concerns:
1. Was the merchant aware of the AI navigating their site and hitting ‘pay’?
2. Does the PSP, the card issuer & network see this as an ordinary transaction?
3. Can an AI agent take control of a Mobile device and do the same on an app?
4. What if the AI made a mistake and got me something different?
5. Can I claim I didn’t authorise this transaction?
6. How safe are the card details with the AI provider?
7. How does a merchant tell a good AI agent/bot from a bad one?
Visa, Mastercard, PayPal, Google, Stripe, and others have announced solutions that address several of these concerns, enabling smooth and trusted commerce and payments within Agentic Commerce contexts. They include mechanisms that verify and store human intention, introduce safeguards, and offer APIs & SDKs for merchants and other payment ecosystem players to plug into.
These will inevitably power AI-native commerce use-cases and flows with merchant, acquirer, network and/or PSP level awareness that an AI shopper is at play. Awareness might be inferred from something as simple as a virtual PAN or token attributes specific to Agentic Commerce; or even through bespoke Agentic Commerce specific integrations such as MCP endpoint exposure to AI platforms.
With this awareness, together with the intent/mandate and other key transaction information, different players in the payments value chain can process such AI-initiated/AI-assisted transactions with adequate controls, clearer liability frameworks and dispute resolution mechanisms.
While these ‘agent-declared’ flows, frameworks and protocols are a positive and much-needed development, adoption will take time and will be fragmented across the competing options. As merchants, regulators and ecosystem players wait and see how things pan out, Agentic commerce/payments continue to happen today, right now, on merchant websites as demonstrated, and maybe even on Mobile apps, without Agentic commerce protocols, frameworks or MCP integrations.
On the Mobile Apps front, there’s already published research, automation providers and consumer apps proving that similarly capable Mobile AI agents exist. You could soon be able to ask an app-based AI assistant to purchase a flight ticket on a 3rd party Airline’s app in the same way my Pizza was ordered (i.e. without the Airline knowing an AI Agent is performing the action). An agent-declared equivalent of this is OS level assistants Siri/GoogleA leveraging App Intents/Actions exposed to them by apps to purchase on behalf of users. But these are restricted flows; you cannot yet ask Siri/GoogleA to search, compare and purchase on apps that haven’t exposed these intents/actions to the OS.
Now to be fair, I am hardly the average consumer. I have the wherewithal to correctly prompt/instruct the AI agent to do this for me with safeguards (disposable card & email; low risk & value purchase). It could be years before the average consumer can do similar with the same degree of confidence. In fact, there are even some interesting arguments that cast Agentic Commerce as misplaced hype. Still, what’s possible for me today will be trivial for the average consumer tomorrow. And that’s where the real risk begins.
Regardless, payments like this pizza example and other ‘agent-undeclared’ payment flows are possible and are happening today, even if they are just a fraction of overall e-commerce payment volume. In these cases, most e-commerce merchants today are unable to detect or react to these AI agents. They are effectively ‘agent-blind’!
Why is this important? The AI Agent in this video asked me for a final confirmation before hitting pay and assured me that it does not store my sensitive information. However, the technology to build similar AI agents that control browsers and other software is out there. Anyone can offer AI agent tools to the masses; some providers may not be as scrupulous and could, for example, use shopping experiences to capture sensitive credentials to make unauthorised purchases. Such tools could also be leveraged to test stolen cards at agent-blind merchants at scale. Genuine AI agents might make wrong purchases for customers who might then initiate chargebacks. The point is that real-world implications exist.
Merchants should audit how their channels interact with the available AI agent tools/platforms in the market and build policies & strategies on how to detect and distinguish such intents from the other 51% of internet traffic now generated by non-human users — bots, scripts, automated agents. From this eCommerce agent-awareness, they can then manage these use cases within acceptable risk parameters.
To be clear, many Agentic Commerce use cases are of great value to customers who are knowledgeable and comfortable with the risks, even in agent-undeclared flows. Merchants and their providers must weigh the upside against the risk in determining whether and how to support or block the use cases as applicable for their industry.
An example would be a merchant that, on recognising the use of an AI agent from a known platform, requires 2FA on payment execution as a final check to ensure there’s a human in the final step (to the extent that this can’t also be delegated away) and to shift liability away from itself. Payment methods with 2FA offer a safeguard against the risk that agent-undeclared flows present. However, if my intention is not to be present when the purchase is executed, I’m unlikely to ask the AI to use such a payment method. I could have the AI agent purchase elsewhere.
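A sketch of such a checkout policy, added here as an illustration and not taken from any provider or protocol mentioned in this post: it steps up to 2FA when an agent is declared without a mandate or is suspected, and blocks the card-testing pattern described earlier. The event fields (`client_id`, `card_fp`, `agent`, `mandate_verified`), the thresholds and the sample events are all hypothetical; the `agent` value is assumed to come from the merchant's own bot-detection layer or from agentic token attributes.

```python
from collections import defaultdict, deque

WINDOW_S = 600          # assumed look-back window, in seconds
MAX_DISTINCT_CARDS = 3  # assumed threshold; tune to the merchant's traffic


class CheckoutPolicy:
    """Decides allow / step_up_2fa / block for one payment attempt."""

    def __init__(self):
        # client_id -> recent (timestamp, card fingerprint) pairs
        self._attempts = defaultdict(deque)

    def decide(self, ev):
        q = self._attempts[ev["client_id"]]
        q.append((ev["ts"], ev["card_fp"]))
        while ev["ts"] - q[0][0] > WINDOW_S:  # drop attempts outside the window
            q.popleft()
        # Many different cards from one client in a short window looks like
        # card testing, whoever (or whatever) is driving the browser.
        if len({fp for _, fp in q}) > MAX_DISTINCT_CARDS:
            return "block"
        # Agent-declared flow with a verified mandate: intent is on record.
        if ev["agent"] == "declared" and ev.get("mandate_verified"):
            return "allow"
        # Declared without a mandate, or a suspected undeclared agent:
        # require a human-held second factor before payment execution.
        if ev["agent"] in ("declared", "suspected"):
            return "step_up_2fa"
        return "allow"


# Constructed sample events (not real traffic).
SAMPLE = [
    {"ts": 0, "client_id": "A", "card_fp": "c1", "agent": "none"},
    {"ts": 10, "client_id": "B", "card_fp": "c2", "agent": "suspected"},
    {"ts": 20, "client_id": "C", "card_fp": "c3", "agent": "declared",
     "mandate_verified": True},
    {"ts": 30, "client_id": "D", "card_fp": "c4", "agent": "declared"},
    {"ts": 100, "client_id": "E", "card_fp": "t1", "agent": "suspected"},
    {"ts": 130, "client_id": "E", "card_fp": "t2", "agent": "suspected"},
    {"ts": 160, "client_id": "E", "card_fp": "t3", "agent": "suspected"},
    {"ts": 190, "client_id": "E", "card_fp": "t4", "agent": "suspected"},
    {"ts": 1000, "client_id": "E", "card_fp": "t5", "agent": "suspected"},
]


def run_sample():
    policy = CheckoutPolicy()
    return [policy.decide(ev) for ev in SAMPLE]
```

The block rule is deliberately independent of the agent signal, so an agent-blind merchant still catches the fourth distinct card from client E even if detection misclassifies it as human.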
Naturally, deep-pocketed merchants will have the resources to invest in these measures. It’s another thing for merchants without dedicated payments or security teams to worry about. But it is an opportunity for PSPs, eCommerce Platforms, Risk and Security providers to step in and offer guidance & solutions to this challenge. If you’re interested in the nuts and bolts of detection, here’s a sales pitch with some free insights that I found educational. I am not affiliated with this provider.
Amazon appears to have made the decision to block such traffic. I wasn’t able to get the AI Agent to open their website. From their perspective, it makes sense that they wouldn’t want to cede discovery to AI platforms. But as search behaviour moves to AI-powered, chat-based answer engines, can a small, eager-to-be-found merchant afford such a policy? Well, that’s the topic for another day. Next time, I might just let the AI decide where to order from. Let’s see which merchants are ready to notice.
Let me know what you think, do you agree? Drop a comment, share your thoughts, strategies and counter arguments. I’m eager to listen to and learn from different perspectives.
Until the next one.
Paul

