Major Tech Giants Rush to Secure AI Shopping Before Fraud Explodes
Mountain View, Wednesday, 29 April 2026.
The FIDO Alliance has launched an urgent initiative with Google and Mastercard to create security standards for AI agents making autonomous purchases. With analysts projecting AI commerce could reach $5 trillion globally by 2030, the partnership aims to prevent potential fraud through cryptographic protocols that verify user intent before agents complete transactions. The collaboration introduces Google’s Agent Payments Protocol and Mastercard’s Verifiable Intent framework as open-source tools, addressing growing industry concerns about AI systems having unsupervised access to payment methods.
Industry Leaders Form Technical Working Groups
On April 28, 2026, the FIDO Alliance announced the formation of two critical technical working groups designed to tackle the security challenges of AI-driven commerce [2]. The Agentic Authentication Technical Working Group, chaired by members from CVS Health, Google, and OpenAI, with co-chairs from Amazon, Google, and Okta, will focus on developing open, phishing-resistant standards for AI agent authentication [2][3]. Simultaneously, the Payments Technical Working Group, chaired by members from Visa and Mastercard, will develop specifications for agent-initiated transactions [2][3]. Andrew Shikiar, executive director and CEO of FIDO Alliance, emphasized the urgency: “AI agents are quickly becoming part of how people get things done online – from making purchases to managing everyday tasks. To scale this safely, people need to trust that these actions are secure, authorized and truly reflect their intent” [2].
Technical Architecture for Secure Agent Transactions
Google’s contribution centers on the Agent Payments Protocol (AP2), which provides cryptographic verification that users actually intended agent-initiated transactions [1][7]. The protocol was donated to the FIDO Alliance on April 27, 2026, to ensure it remains “open, platform-agnostic, and community-led” according to Stavan Parikh, Google’s vice president and general manager of payments [2][7]. Mastercard’s Verifiable Intent framework, co-developed with Google, creates a tamper-resistant cryptographic record bundling three critical pieces of information: the consumer’s verified identity, the specific instructions given to their AI agent, and the resulting transaction [4]. The framework requires consumers to establish verifiable intent through a biometric step before AI agents can complete purchases, creating a cryptographic link between human authorization and autonomous action [4]. Parikh explained the privacy-preserving approach: “We want to provide cryptographic proof that a transaction was authorized by the user themself, but keep it private so there is built-in selective disclosure” [1].
Real-World Application and Use Cases
The practical implications become clear through specific use cases outlined by the initiative. Consider a consumer instructing an AI agent to autonomously purchase sneakers if they return in stock and cost ≤ $100 [1]. The authentication and transparency mechanisms ensure the consumer receives exactly what they intended to purchase. Pablo Fourez, Mastercard’s chief digital officer, highlighted the compressed timeline for developing these standards: “This tech is evolving very, very fast, so it compresses standards timelines that in the past might have taken two or three years” [1]. The selective disclosure mechanism ensures that each party in a transaction – whether a merchant verifying authorization, an issuer checking for fraud patterns, or a dispute resolution system – receives only the minimum data needed, with no single participant seeing the full record [4]. On April 28, 2026, Google also released AP2 version 0.2 on GitHub, introducing “Human Not Present” payments that allow agents to execute payments autonomously for time-sensitive purchases like limited-run tickets [7].
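An added illustration (not code from AP2, Verifiable Intent, or any source cited here) of the idea described above: the user signs salted-hash commitments to their instructions, the agent reveals only the fields a merchant needs, and the merchant checks the purchase against the user's limit. The field names, the salted-hash disclosure scheme, and the use of HMAC in place of the device-bound signature released by the biometric step are all assumptions.

```python
import hashlib, hmac, json, secrets

# Constructed stand-in for a device-bound key unlocked by the biometric step.
# A real system would use an asymmetric signature so verifiers hold no secret.
USER_KEY = b"constructed-demo-key"

def _commit(name, value, salt):
    """Salted hash commitment to a single field of the user's instructions."""
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def _sign(digests, key):
    return hmac.new(key, json.dumps(digests).encode(), hashlib.sha256).hexdigest()

def issue_mandate(fields, key=USER_KEY):
    """User side: commit to every field, then sign only the commitments."""
    salts = {n: secrets.token_hex(16) for n in fields}
    digests = sorted(_commit(n, v, salts[n]) for n, v in fields.items())
    return {"digests": digests, "tag": _sign(digests, key)}, salts

def disclose(fields, salts, names):
    """Agent side: reveal only the named fields, each with its salt."""
    return {n: (fields[n], salts[n]) for n in names}

def verify_purchase(mandate, disclosed, tx, key=USER_KEY):
    """Verifier side: check signature, then disclosures, then the user's limits."""
    if not hmac.compare_digest(_sign(mandate["digests"], key), mandate["tag"]):
        return "bad-signature"
    for name, (value, salt) in disclosed.items():
        if _commit(name, value, salt) not in mandate["digests"]:
            return "bad-disclosure"  # revealed value was never signed by the user
    if "item" not in disclosed or "max_price_cents" not in disclosed:
        return "missing-constraint"
    if tx["item"] != disclosed["item"][0]:
        return "wrong-item"
    if tx["price_cents"] > disclosed["max_price_cents"][0]:
        return "over-limit"
    return "ok"

# Constructed sample input mirroring the sneaker example (limit: $100).
INTENT = {"user_id": "user-123", "item": "sneakers", "max_price_cents": 10000}
MANDATE, SALTS = issue_mandate(INTENT)
# The merchant sees the item and the limit, but not the user's identity.
TO_MERCHANT = disclose(INTENT, SALTS, ["item", "max_price_cents"])
```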
Industry Stakes and Future Timeline
The financial implications driving this rapid standardization effort are substantial. Analysts at McKinsey & Company project that agentic commerce could reach $5 trillion globally by 2030 [2][3]. Rakan Khalid, head of identity product at PayPal, emphasized the transformational potential: “Agentic commerce will reshape how people transact online — but only if users and merchants can trust that an AI agent is acting precisely within the authority granted to it” [2]. The initiative builds on FIDO’s previous success with passkeys, which are now available on “virtually every modern computing device” and increasingly serve as the default authentication method [3]. However, as Shikiar noted, “existing internet trust and authentication assumed a human at the keyboard; AI agents break that assumption, creating a trust gap” [3]. The working groups must accelerate beyond typical multi-year standardization processes, with decisions made in the coming months expected to “shape the trust architecture of the internet for the next decade” [3]. Multiple industry leaders, including Dashlane, Egis Technology, LastPass, OneSpan, PayPal, Prove Identity, Thales, and Visa, have committed contributions to the initiative [2].
Sources
- www.wired.com
- fidoalliance.org
- fidoalliance.org
- fidoalliance.org
- www.linkedin.com
- blog.google
- blog.google