ChatGPT is quickly becoming the first choice for product research, and it might soon be handling the payments as well, if Google doesn’t get there first.
But for merchants, this means potential risks to business models as they lose control of the customer experience, might see their brands damaged by malfunctioning agents, and face mostly unknown security and financial risks.
“This moment feels a lot like the early days of ecommerce,” says Mike Edmonds, VP of agentic commerce at PayPal.
A Boston Consulting Group survey released in January, shows that 43% of consumers are already using gen AI tools to research brands or products, or get shopping recommendations. And Adobe found that gen AI traffic to retail sites grew 769% last November compared to the previous year. Also, AI traffic conversions were 31% higher than other sources, with customers spending 45% more time on the retailer’s website. And out of 1,000 consumers surveyed about their shopping habits, 47% said they trusted AI.
Traffic from ChatGPT and Perplexity doubled compared to last year, and these shoppers converted at a rate nine times higher than those coming through social media referrals, research showed.
But that’s last year’s AI. In those days, the chatbot simply provided recommendations and links, leaving it up to the customers to actually visit the retailer’s site and make purchases. That’s all changing.
Picking up the pace
Several major retailers rolled out agentic shopping capabilities or pilots last year, and the pace of announcements accelerated toward the end of 2025 — and then it accelerated again in January after Google announced that Chrome, with more than 70% market share, now has built-in support for agentic payments. “Chrome will support Google’s Universal Commerce Protocol (UCP), a new open standard for agentic commerce co-developed with industry leaders,” said Google’s VP for Chrome, Parisa Tabriz, in the announcement. “This new open standard ensures that AI agents can take actions on a user’s behalf seamlessly in Chrome.”
To ensure security, she added, Google’s Gemini AI agent will pause and explicitly ask for confirmation, or prompt the user to complete some tasks, like making a purchase. But in the post’s example graphic, the browser has paused on Expedia’s payment page so the customer can authorize the transaction. For retailers, there are major problems with this. First, the website visit was all but handled by the AI agent as the customer never browsed the site, say, to see better offers. The only page seen is the final payment step. Also, the agent asks for confirmation right away, but how many consumers looking to save time will eventually allow the AI to skip this step as well, and then blame the retailer if something goes wrong?
These are the kinds of questions that worry Nik Sathe, chief product and technology officer at Blackhawk Network, a gift card company that processes $28 billion annually in transactions. The company already has a few stealth agentic payment capabilities, he says, and is expecting a multi-stage rollout in the first half of this year. “We’ll need to adapt to whatever the frontier AI labs are doing,” he says. “That’s the analysis we’re going through now.”
Blackhawk has already announced support for Google’s AP2 protocol, which Sathe finds particularly interesting because it handles all aspects of a transaction. The consumer needs to authorize a payment credential for this particular purpose, and then there’s the relationships between the consumer and the merchant, the merchant and the acquirer, and the acquirer and the issuer.
“All four legs of that transaction are very well documented,” he says. “Now we have to see more concrete instantiations.”
Another decision merchants need to make is whether to allow AI agents to use their websites like a human would, or to require them to carry out transactions on a machine-to-machine level, such as by using MCP and other protocols.
Blackhawk plans to use the latter. There are a lot of unintended consequences with AI pretending they’re a human,” he says. “The screen-scraping mechanism is rife with a lot of issues. Moving to standards as quickly as we can is the best option.”
However, agentic commerce does remove some of the signals that a merchant would typically look at to identify fraud, such as the customer’s IP address.
“Now all we have is the consumer giving the agent approval,” he adds. “If it works, we won’t be upset, from a risk perspective.”
But there are other types of risk. For example, gift cards can be used for money laundering. Just because an AI agent is properly authorized doesn’t mean a transaction is fully legitimate. “For that, we still need to do our own processing,” Sathe says.
But the elephant in the room is disintermediation, and that’s going to be a big challenge for every company that decides to allow AI payments.
“In general, ecommerce vendors have spent a lot of time building value-added capabilities that prevent products from becoming a commodity,” he says. “If the agent becomes the primary interface, how do we prevent pure commodification based on price and convenience?” For example, a merchant’s website can offer recommendations and personalization, and understand a consumer’s preferences. But now, it’s the AI agent that understands all that.
“I think this is the dilemma many large ecommerce merchants are struggling with,” Sathe says. It’s not so much a security risk, but it’ll hamper adoption if merchants can’t figure out a way forward, though there might be a business advantage to AI agents making the recommendations since people only go to a gift card website after they’ve decided they want to buy a gift card.
“I think that gives us an additional opportunity to get more exposure for the products we sell and the thousands of brands on our platform,” says Sathe.
Trial and error
Ayal Karmi, CEO at Nekuda, an agentic commerce consultancy, says there are several obstacles AI payments will need to overcome before they’re widely adopted by merchants and consumers, including ease of use, discoverability, and reliability.
“You can do AI payments on ChatGPT right now,” he says. “There’s Target and Instacart apps, and you can buy things from Etsy and Walmart. It technically works, but is it delightful? They’re working on it, but it’s for testing and super users, not the general public yet.”
Discoverability is the next challenge. “You have to make your catalog of products easier to see,” he says. That might include updating product descriptions by making them more specific and detailed so they’re a better fit for AI agents. “Humans wouldn’t read all those paragraphs, but an LLM would,” he adds.
Next is the problem of making the process reliable, which requires support for the protocols and back-end integrations with catalogs and fulfillment systems.
“You can’t mask behind a nice website anymore,” Karmi says. “If your system is from the 90s, it’s not going to work well.”
Shopify merchants have a head start on this since it already supports agentic integrations. But many retailers aren’t set up to have their payment, tax, and logistics systems talk to something that isn’t their own website or mobile app.
That’ll require a big change, he says, and that’s why AI commerce isn’t exploding in meaningful volumes because it doesn’t work well yet.
End of an era
This past holiday season was a turning point, according to Visa, with millions of consumers poised to use AI agents to do this year’s holiday shopping. “We expect 2026 to be the year for mainstream adoption,” says Rubail Birwadker, Visa’s SVP and head of growth products and partnerships. So by next holiday season, millions of consumers will use AI agents for payments. In fact, the company has already processed hundreds of AI-initiated transactions. “Secure autonomous payments are not theoretical,” he adds. “They’re working in the real world today.”
But he admits there are risks due to the agents themselves. But to reduce potential hazards, Visa treats AI agents as extensions of the cardholder, not separate entities. It’s also building agent identity verification mechanisms, granular spending permissions, and AI-specific fraud protections.
“Businesses that prepare early will have a significant conversion advantage,” Birwadker says.
Visa isn’t the only major financial player jumping into agentic payments. Fiserv, with more than 10,000 financial institutions as clients serving more than six million merchant locations, is another one, handling up to 25,000 transactions per second. Agentic commerce is real, says Sanjay Saraf, the company’s SVP and global chief product officer for merchant solutions. “Invoice payment is very primed for agentic commerce,” he says.
One major challenge is distinguishing between AI agents that want to make legitimate purchases and bad bots. “It’s difficult for current systems to distinguish between good and fraud bots,” he says.
In addition to being able to recognize a trustworthy AI agent, it’s also critical to ensure that the payment mechanism itself isn’t compromised, which is where the standards backed by Visa and Mastercard come in.
“We’re heavily engaged with LLMs, but we wanted to get aligned with Visa and Mastercard,” Saraf says. “They’ll still send transactions to merchants, which is us, but we want to make sure our systems recognize them and can adapt.”
All these links have become formalized over the past six months, and the risks associated with payments are being addressed.
“The protocols are quite strong,” he says. “If you go through the details of what Visa and Mastercard have put out there, agentic commerce brings a lot more security about how stolen cards will be managed. So that risk is a little lower.”
Overall, he adds, agentic payments don’t dramatically increase the risks associated with the financial transactions themselves. Those come from other parts of the shopping experience, such as whether an AI agent fully understands what the buyer is looking for. Another risk is that the AI might not recommend a particular product at all. “For merchants, how the product is discovered is the big shift,” Saraf says. “The merchants have to adapt.”
After the fact
Another problem is what happens following the purchase, or if a transaction needs to be cancelled. For some merchants, that can be a big problem. “If the customer isn’t happy, will the agentic system trigger agent-oriented support,” asks Saraf. “Merchants are trying to figure out how to preserve the experience the customer is getting from the brand.” And avoiding the issue isn’t an option as boards and senior execs have been on a steep learning curve because if they don’t act, AI shopping is going to disrupt them. Some major retailers have already made announcements.
In addition to Amazon’s AI assistant Rufus, which can make payments on behalf of customers at both Amazon and third-party merchant websites, Home Depot also announced it’ll participate in new, agentic shopping experiences across AI mode in Google Search and the Gemini app. Other brands signing up with Google include Petco, e.l.f. Cosmetics, Samsonite, and Rugs USA. And eBay recently updated its policies, forbidding “buy-for-me agents” and “LLM-driven bots” to access its platform for any purpose, unless they have prior permission despite its partnership with OpenAI that includes shopping.
Leap of faith
PayPal’s Edmonds says that ultimately, trust is paramount when it comes to developing AI-powered commerce. “We’re not in a world yet where agents are autonomously making purchases with no human in the loop,” he says. “What you’re seeing today is still assisted and very intentionally constrained.”
PayPal launched its own agentic commerce services last October, allowing merchants to accept AI payments and share their product data with AI channels. In January, PayPal also announced it now supports Google’s UCP standard, and will soon be a payment option within Google’s new checkout feature.
So the underlying payments technology is proven and in place, Edmonds says, but issues persist. The consequences of unchecked AI agents making purchases for customers, and making mistakes, are still all too real. Rufus, for example, not only makes recommendations, but has a “buy for me” button that will automatically buy Amazon products, and a “shop direct” button that takes customers to other sites.
But in some cases, Rufus will actually make purchases on that external site, which is creating problems for those merchants.
“Amazon is testing a beta program that pulls products from small business websites without consent, uses AI images that aren’t ours, and routes customers to us while breaking pricing, fulfillment, and customer trust,” says Angie Chua, CEO and creative director at Bobo Design Studio. “We didn’t opt in and we can’t opt out. We can’t even tell which orders came from Amazon. Small businesses are now dealing with incorrect orders and customer complaints for something Amazon set up without permission.”
According to the nonprofit Institute for Local Self-Reliance, unauthorized AI agents that scrape merchant websites can damage customer relationships, and some wholesale suppliers prohibit retailers from selling on Amazon, so listings can also damage supplier relationships. And when the AI agent makes a mistake, Amazon denies responsibility for incorrect orders, leaving the business owner responsible, said ILSR senior researcher Kennedy Smith.
But Amazon’s Rufus isn’t the only AI agent scraping ecommerce sites as 99% of transactions today are performed by agents going directly to a website and acting like a human being, says Amir Sarhangi, founder and CEO at Skyfire, an AI agent authentication company that vets AI agents and issues a “know your agent” token so anti-bot security systems let agents through.
In the future, Sarhangi says, AI agents will interact with merchants via APIs, MCP, and all the agentic payment protocols. But today, agents need to be able to go in through the front door and use the website.
Skyfire is partnered with anti-bot security companies that allow authorized agents to bypass security controls — relationships that currently cover about 70% of the internet, he says, and the he’s working on getting that up to 90%.
All the merchant has to do, he says, is tell their security firm they want to accept the traffic, and they don’t have to do any major new integrations. There’s no additional cost for the merchant, he says, and they can choose what AI agents to allow in. “Right now it’s free,” he says. “In the future, if we’re doing additional value add, we’ll charge for it.”
According to Adam Davies, director of AI strategy at Forter, an ecommerce security firm that serves over 400,000 online businesses, it’s vital to be able to distinguish good agents from bad, since AI has supercharged fraud. “AI agents operate at computer speed, not human speed, and they don’t sleep,” he says.
AI agents also obfuscate many of the signals that merchants traditionally use to identify fraud, such as IP addresses. Meanwhile, the payments industry is still trying to come to a consensus on what the most secure standard is. “If you’re a business, you need to be aware of, and be able to interact with, all the agentic protocols being utilized,” Davies says. That includes Forter’s own Trusted Agentic Commerce Protocol, not to be confused with the Trusted Agent Protocol, the Agentic Commerce Protocol, or the Agents Payment Protocol.
Despite protocol fragmentation, the payments infrastructure itself is ready, says PayPal’s Edmonds. PayPal itself offers the same buyer and seller protections with AI payments as what they get when they use PayPal the usual way, he says. And AI transactions run through PayPal’s core system, with the same payment rails, fraud detection, and identity checks. The big issue the industry’s working on now, though, is whose responsibility it is when things go wrong.
Customers won’t tolerate ambiguity, says Edmonds, because they want to know there’s a clear, trusted path to resolution. That will take time, though.
“It’s going to be a gradual shift where AI shows up first in discovery, then assistance, then increasingly in automating transactions,” he says. “And one day people will look back and realize it’s just how some shopping works now.”