As of November 2025
ChatGPT can buy things for you now, and your fraud systems were architected for a world where a human clicks buy on a trusted surface. Agents break that assumption.
This is a hard break, not a gradual evolution. The rails are already fast enough - RTP and FedNow settle in real time. The gap is in fraud prevention, which was built around human behavior and a present buyer.
The protocols arrived in a cluster. On September 16, 2025, Google announced its Agent Payments Protocol, backed by 60-plus payments and technology partners including Mastercard, American Express, and PayPal. On September 29, Stripe and OpenAI launched the Agentic Commerce Protocol, letting ChatGPT’s more than 800 million weekly users complete a purchase without leaving the conversation. On October 28, PayPal formalized its support for ChatGPT checkout on top of its earlier AP2 involvement. Two rival approaches, both open source, both moving fast.

Stripe + OpenAI
Sep 29
the Agentic Commerce Protocol launches, letting users buy inside ChatGPT (2025).
AP2
the Agent Payments Protocol, announced Sept 16, with 60+ payments and technology partners.
Auth budget
<100ms
the window agent purchases need - legacy rule-based fraud checks were not built for it.
What the protocols add
Stripe’s Agentic Commerce Protocol uses Shared Payment Tokens scoped to a specific merchant and amount. Google’s AP2 uses cryptographically signed mandates that chain intent to cart to payment, leaving a tamper-evident audit trail.
What the fraud stack has to relearn
The assumptions underneath the old controls no longer hold. Multi-factor authentication means little when the customer has genuinely authorized an agent to transact. Behavioral analytics trained on human browsing find nothing familiar in an agent’s purchasing pattern. Risk scoring built on session analysis has to adapt to delegated purchases where the buyer is not present at the moment of the transaction. The protocols give you scoped tokens and signed mandates to work with, but the fraud models, the risk scoring, and the authorization flow all need re-architecting around agent behavior.




