# The CTO's Guide to Agentic Commerce: Protocols, Architecture, and Implementation
*Last updated: March 2026*
Five protocols. Four transports. Three payment layers. Two competing alliance blocs. And one question your board will ask before the year is out: can customers buy from us through an AI agent?
This guide provides the technical decision framework for engineering leaders evaluating agentic commerce. It covers protocol selection, architecture design, security requirements, and a phased implementation roadmap -- grounded in the official specifications released between September 2025 and March 2026.
---
## The Architecture You Need to Build
Agentic commerce introduces a new distribution surface alongside your existing web and mobile storefronts. Instead of rendering HTML for browsers, you expose structured APIs that AI agents -- ChatGPT, Gemini, Perplexity, Copilot, and custom enterprise agents -- consume programmatically to search products, build carts, and complete purchases on behalf of consumers.
The reference architecture has four layers:
```
+------------------------------------------------------------------+
| Layer 4: Agent Surfaces |
| ChatGPT Instant Checkout | Google AI Mode | Gemini | Custom |
+------------------------------------------------------------------+
| Layer 3: Commerce Protocols |
| UCP (Google/Shopify) | ACP (OpenAI/Stripe) | A2A (Google) |
+------------------------------------------------------------------+
| Layer 2: Transport & Tooling |
| MCP (Anthropic) | REST | gRPC | MCP-UI (Shopify) |
+------------------------------------------------------------------+
| Layer 1: Commerce Infrastructure |
| Product Catalog | Inventory | Pricing | Payments | Fulfillment |
+------------------------------------------------------------------+
```
Layer 1 is your existing commerce backend. Layers 2 and 3 are the new integration surfaces. Layer 4 represents the AI platforms where consumers interact with agents. Your engineering investment concentrates on Layers 2 and 3.
---
## Protocol Selection Matrix
Two open standards dominate the landscape. Both are Apache 2.0 licensed and vendor-neutral in principle. In practice, each is tightly coupled to its steward's AI ecosystem.
| Dimension | UCP (Google + Shopify) | ACP (OpenAI + Stripe) |
|-----------|------------------------|------------------------|
| Primary use case | Search-to-buy (Google AI Mode, open web) | Chat-to-buy (ChatGPT Instant Checkout) |
| Transport options | REST, MCP, A2A, gRPC | REST, MCP |
| Discovery mechanism | `/.well-known/ucp` JSON manifest | Product feed submission (CSV/JSON) |
| Payment infrastructure | PSP-agnostic; Agent Payments Protocol (AP2) | Stripe-native; SharedPaymentToken (SPT) |
| Checkout model | Session state machine with escalation protocol | 5-endpoint REST API |
| Capability negotiation | Dynamic (agent + merchant publish, intersection computed) | Static (merchant declares, agent consumes) |
| Partners | Shopify, Etsy, Walmart, Target, Wayfair | Stripe (founding); growing merchant base |
| Status (March 2026) | Waitlist / rolling access | Live since September 2025 |
| Transaction fee | Not yet disclosed | 4% per transaction (on top of PSP fees) |
**Decision framework:**
- **Implement ACP first** if your primary goal is ChatGPT's 900M+ weekly active users and you already use Stripe.
- **Implement UCP first** if your priority is Google Search AI Mode discovery and you need PSP flexibility.
- **Implement both** if you are a mid-market or enterprise brand. The integration surfaces share enough infrastructure (product data, inventory APIs, checkout logic) that the marginal cost of the second protocol is significantly lower than the first.
The protocols are complementary, not mutually exclusive. Both support MCP as a transport layer, which means a single MCP server can serve as the foundation for both.
---
## MCP Server: The Highest-Leverage Investment
The Model Context Protocol, originally developed by Anthropic in late 2024, has become the de facto standard for connecting AI agents to external systems. Both UCP and ACP support MCP as a transport. Shopify ships MCP endpoints on every store by default at `/api/mcp`. Payment providers including PayPal, Visa, Marqeta, and Worldpay have launched MCP servers. Enterprise platforms like commercetools and Salesforce B2C Commerce provide MCP services.
Building an MCP server for your commerce platform is the single highest-leverage investment because it creates a universal integration point. Any MCP-compatible agent -- Claude, ChatGPT, Gemini, Cursor, custom enterprise agents -- can interact with your catalog and checkout without protocol-specific adapters.
**Core MCP tools to implement:**
| Tool | Purpose | Protocol Coverage |
|------|---------|-------------------|
| `search_catalog` | Product discovery with semantic context | UCP, ACP, standalone |
| `get_product_details` | Variant-level product information | UCP, ACP, standalone |
| `create_cart` / `update_cart` | Cart management | UCP, ACP, standalone |
| `get_checkout_session` | Session state retrieval | UCP, ACP |
| `complete_checkout` | Payment processing | UCP, ACP |
**Transport:** JSON-RPC 2.0 over HTTP SSE (server-sent events) for production deployments. stdio for local development and testing.
**Reference implementation:** Shopify's Storefront MCP Server (`https://{shop}.myshopify.com/api/mcp`) requires no authentication for public storefront data and supports `search_shop_catalog`, `get_cart`, `update_cart`, and `search_shop_policies_and_faqs`. Study this implementation as the canonical pattern.
---
## UCP Implementation: Discovery, Capabilities, and Checkout
UCP follows a TCP/IP-inspired layered architecture. Layer 1 is the Shopping Service (checkout sessions, line items, totals). Layer 2 defines Capabilities (Checkout, Orders, Catalog). Layer 3 contains Extensions (domain-specific schemas like loyalty or fulfillment).
### Step 1: Publish the Discovery Manifest
Host a JSON document at `https://yourdomain.com/.well-known/ucp`:
```json
{
"version": "1.0",
"serviceEndpoints": {
"checkout": "https://api.yourdomain.com/ucp/checkout",
"orderWebhook": "https://api.yourdomain.com/ucp/orders/webhook"
},
"capabilities": [
"dev.ucp.shopping.checkout",
"dev.ucp.shopping.discount",
"dev.ucp.shopping.fulfillment",
"dev.ucp.identity.linking"
],
"paymentHandlers": ["googlePay", "stripe", "payPal"],
"publicKey": "<signature-verification-key>"
}
```
CORS headers are required: `Access-Control-Allow-Origin: *`, `Access-Control-Allow-Methods: GET, OPTIONS`. Serve with `Content-Type: application/json`. Cache aggressively at the CDN layer.
### Step 2: Implement Three Core Endpoints
| Endpoint | Method | Purpose |
|----------|--------|---------|
| `/checkout-sessions` | POST | Create session with line items, buyer info, currency, payment handler |
| `/checkout-sessions/{id}` | PUT | Update session (apply discount, change fulfillment, update buyer info) |
| `/checkout-sessions/{id}/complete` | POST | Finalize with AP2 cryptographic payment proof |
Every response must return the full current checkout state. Use `idempotency-key` headers on all mutation endpoints. Sign webhook payloads with HMAC-SHA256.
### Step 3: Identity Linking (Optional but Recommended)
Implement OAuth 2.0 authorization to enable returning customer experiences -- saved addresses, payment methods, loyalty points. Authorization codes must expire within 5 minutes. Validate redirect URIs strictly.
### Latency Requirements
Product discovery responses must complete in under 200ms. Agents deprioritize or skip merchants with slow APIs. Checkout completion must stay under 500ms. These are not aspirational targets; they are table stakes for agent visibility.
---
## ACP Implementation: Five Endpoints and SharedPaymentToken
ACP defines a focused checkout API. Where UCP is a broad capabilities framework, ACP is deliberately narrow: get products into a cart and get the cart paid for.
### The Five Endpoints
| Endpoint | Method | Purpose |
|----------|--------|---------|
| `/checkouts` | POST | Create checkout session with items, buyer info, fulfillment address |
| `/checkouts/{id}` | GET | Retrieve current session state |
| `/checkouts/{id}` | PUT | Update items, shipping method, buyer information |
| `/checkouts/{id}/complete` | POST | Process payment via SharedPaymentToken |
| `/checkouts/{id}/cancel` | POST | Release inventory, update status |
Session states follow a linear progression: `not_ready_for_payment` to `ready_for_payment` to `completed` (or `canceled`). All monetary amounts are in integer cents. Currency codes use ISO 4217 lowercase format.
### SharedPaymentToken Integration
Stripe's SharedPaymentToken (SPT) is the first ACP-compliant payment method. The token is provisioned by the agentic application (ChatGPT), scoped to a specific amount and seller, single-use, and time-bound.
The complete checkout request passes the SPT in the payment data:
```json
POST /checkouts/{id}/complete
{
"payment_data": {
"token": "spt_abc123",
"provider": "stripe",
"billing_address": { ... }
}
}
```
You process this token through your existing Stripe integration. PCI DSS Level 1 merchants can alternatively use proprietary vaults. The merchant remains the merchant of record in all cases -- OpenAI never processes the payment.
### Product Feed Integration
Merchants supply structured product data via CSV or JSON feeds. Feeds include product IDs, descriptions, pricing, inventory status, media URLs, and fulfillment options. Feed accuracy directly determines whether your products appear in ChatGPT recommendations.
### Certification
ACP requires a certification process with OpenAI. You must pass conformance checks covering product feed accuracy, all four checkout endpoints, SPT payment processing, webhook delivery reliability, and order lifecycle management. Shopify and Etsy merchants have pre-existing eligibility and can bypass several steps.
---
## Security Architecture
### The Zero-Signal Crisis
When an AI agent executes a purchase, every traditional fraud detection signal disappears simultaneously. Device fingerprints, browser behavior patterns, session duration, geolocation, typing patterns -- all absent. A legitimate agent purchase is indistinguishable from bot fraud using conventional detection methods.
This is not a theoretical concern. Visa's Payment Ecosystem Risk and Control (PERC) team identified a greater than 450% increase in dark web community posts mentioning "AI Agent" over six months. Friendly fraud already accounts for approximately 75% of all chargebacks, costing merchants an estimated $132 billion annually. Agentic commerce amplifies this exposure.
### The Layered Trust Architecture
```
Layer 4: Consumer Intent Verifiable Intent (Mastercard + Google), user authorization proofs
Layer 3: Agent Identity Visa TAP signatures, Mastercard Agentic Tokens, DIDs
Layer 2: Transaction Security PCI DSS compliance, vault tokenization, 3D Secure
Layer 1: Network Security TLS 1.2+, API authentication, rate limiting, HMAC signatures
```
### Verifiable Digital Credentials
Mastercard and Google announced Verifiable Intent on March 5, 2026 -- the most significant development in agentic commerce trust. The protocol captures three elements: the cardholder authorizing the agent, the consumer's specific instructions (intent scope), and the interaction between agent and merchant resulting in a purchase. It creates a tamper-resistant audit trail for dispute resolution, built on standards from FIDO Alliance, EMVCo, IETF, and W3C.
### PCI DSS for AI Agents
The PCI Security Standards Council has published AI principles for payment environments. Key requirements include:
- **Least privilege (Requirement 7):** Agents must never access the full card vault. Use scoped tokens, not raw PANs.
- **Audit logging (Requirement 10):** Every agent-initiated transaction must have a traceable chain from user authorization to payment execution, including prompt inputs and reasoning.
- **Documentation and oversight:** Organizations must document agent privileges, validate AI outputs, and maintain human oversight mechanisms.
### Practical Security Checklist
1. Vault-first architecture: agents handle tokenized aliases only (VGS, Stripe tokens, network tokens).
2. Scoped delegation tokens: time-limited, amount-limited, category-limited.
3. Cryptographic intent chains: signed records from user authorization through agent action to payment execution.
4. Agent behavior profiling: baseline purchase frequency, amounts, and categories; flag deviations.
5. Per-agent and per-user transaction velocity limits.
6. HMAC-SHA256 signature verification on all webhook deliveries.
7. Replay attack protection: 5-minute timestamp windows on signed requests.
8. Human-in-the-loop escalation for transactions exceeding defined thresholds.
---
## Infrastructure Requirements
### Performance Targets
| Metric | Target | Consequence of Missing |
|--------|--------|------------------------|
| Product discovery response | <200ms | Agents deprioritize or skip your merchant |
| Checkout completion | <500ms | Cart abandonment by agent |
| Error rate | <1% | Trust score penalties from platforms |
| Uptime | 99.9%+ | Delisted from agent recommendations |
| Agent discovery rate | 95%+ | Reduced visibility in AI surfaces |
### Recommended Stack
| Component | Recommendation |
|-----------|----------------|
| Compute | Edge functions (Cloudflare Workers, Vercel Edge, Lambda@Edge) |
| Product cache | Redis with webhook-based invalidation on inventory changes |
| Order database | PostgreSQL |
| CDN | Required for `/.well-known/ucp` manifest and product data |
| Monitoring | APM with sub-200ms alert thresholds on agent-facing endpoints |
| Rate limiting | Token bucket with burst allowances; separate limits for agent vs. human traffic |
### Caching Strategy
Product discovery endpoints benefit from aggressive edge caching. Invalidate on `inventory_levels/update` webhooks. Checkout endpoints must not be cached. The `/.well-known/ucp` manifest should be cached at the CDN with a TTL of 5-15 minutes.
---
## Team and Skills Needed
| Role | Responsibility | Allocation |
|------|---------------|------------|
| Backend engineer (senior) | MCP server, checkout endpoints, payment integration | 1 FTE for 8-12 weeks |
| Infrastructure / DevOps | Edge deployment, caching, monitoring, rate limiting | 0.5 FTE for 4-6 weeks |
| Product data engineer | Catalog normalization, feed generation, data quality | 0.5 FTE ongoing |
| Security engineer | PCI compliance review, tokenization, webhook signing | 0.25 FTE for 4 weeks |
| QA engineer | Conformance testing, edge case validation, load testing | 0.5 FTE for 4-6 weeks |
For Shopify-native merchants using the Universal Commerce Agent app, the team requirement drops to a product data engineer (1-2 weeks) and a QA engineer (2-3 days).
---
## Build vs. Buy Decisions
| Component | Build | Buy / Use Platform |
|-----------|-------|---------------------|
| MCP server | Custom (if headless or custom platform) | Shopify Storefront MCP (free, every store) |
| UCP endpoints | Custom (2-4 weeks) | Shopify Universal Commerce Agent app (<48 hours) |
| ACP endpoints | Custom (2-4 weeks) | Stripe Agentic Commerce Suite (hosted ACP endpoint) |
| Product feed management | Custom ETL pipeline | Shopify Global Catalog; Google Merchant Center |
| Payment tokenization | VGS, custom vault | Stripe SPT (ACP-native); Google Pay tokens (UCP) |
| Agent analytics | Custom dashboards | Platform dashboards (Shopify admin, OpenAI merchant dashboard) |
| Fraud detection | Extend existing ML models with agent signals | Visa TAP, Mastercard Verifiable Intent (emerging) |
**General guidance:** If you are on Shopify, buy everything you can. The platform handles infrastructure, MCP endpoints, UCP compliance, and ACP eligibility. Your investment is data quality and catalog normalization. If you run a custom commerce platform, build the MCP server and protocol endpoints in-house -- the specifications are well-documented and the surface area is manageable.
---
## Six-Month Implementation Roadmap
### Month 1: Foundation
- Audit product catalog: structured titles (Brand + Model + Size + Color), standardized attributes, unique SKUs on every variant, real-time inventory accuracy.
- Deploy MCP server with `search_catalog` and `get_product_details` tools.
- Implement edge caching for product discovery endpoints with sub-200ms response times.
- Set up monitoring and alerting on agent-facing endpoints.
### Month 2: First Protocol
- Implement ACP (5 checkout endpoints) if Stripe-based, or UCP (3 endpoints + manifest) if Google/PSP-agnostic.
- Integrate SharedPaymentToken processing (ACP) or AP2 token handling (UCP).
- Implement webhook delivery with HMAC-SHA256 signing and retry logic.
- Begin certification process with OpenAI (ACP) or join UCP waitlist (Google).
### Month 3: Second Protocol + Security
- Implement the second protocol, reusing checkout infrastructure from month 2.
- Deploy vault-first payment architecture if not already in place.
- Add agent behavior profiling and per-agent rate limiting.
- Implement idempotency handling on all mutation endpoints.
### Month 4: Identity and Trust
- Implement OAuth 2.0 identity linking (UCP) for returning customer experiences.
- Integrate Visa TAP or Mastercard Agentic Tokens for agent identity verification.
- Build cryptographic intent chain logging for dispute resolution.
- Add human-in-the-loop escalation for high-value agent transactions.
### Month 5: Optimization
- Analyze agent traffic patterns; optimize caching and rate limiting.
- A/B test product data formatting for agent discovery rates.
- Implement cross-protocol analytics dashboard.
- Load test for agent traffic spikes (agent traffic is bursty by nature).
### Month 6: Scale and Measure
- Full production deployment across all agent surfaces.
- Establish baseline metrics: agent discovery rate, conversion rate, AOV comparison.
- Revenue attribution analysis: agentic channel vs. traditional channels.
- Publish agent-specific return and dispute policies.
---
## Frequently Asked Questions
**Do I need to implement both UCP and ACP?**
For maximum reach, yes. ACP gives you ChatGPT's 900M+ weekly users. UCP gives you Google Search AI Mode and the Gemini ecosystem. The protocols share enough infrastructure -- product data, inventory APIs, checkout logic -- that the marginal cost of the second implementation is 30-40% of the first.
**What is the real cost of ChatGPT Instant Checkout?**
4% per transaction on top of standard Stripe processing fees (2.9% + $0.30 in the US). Total take rate approaches 7%. This is significant but comparable to marketplace fees. Evaluate against the customer acquisition cost of reaching ChatGPT's user base through traditional marketing.
**How do I prevent agents from exploiting discount codes?**
Implement strict discount stacking rules enforced server-side, not client-side. Add agent-specific rate limits on discount redemption. Consider agent-specific promotional codes that you can control and revoke independently. Both UCP and ACP pass discount codes through the checkout session -- validation is your responsibility.
**What happens if my API is slow?**
Agents skip slow merchants. This is documented in platform guidelines and confirmed by early merchant experience. A product discovery endpoint that takes 800ms instead of 150ms may never surface your products in agent recommendations. Invest in edge caching and monitor latency obsessively.
**How do I handle chargebacks on agent-initiated transactions?**
The merchant remains liable under current card network rules. However, Verifiable Intent records (Mastercard + Google, March 2026) create a tamper-resistant audit trail that can weaken fraudulent chargeback claims. Log delegation proofs alongside transaction data. Set agent-specific transaction limits. Require out-of-band consumer confirmation for high-value purchases.
**Should I use Shopify's built-in MCP or build my own?**
If you are on Shopify, use the built-in Storefront MCP Server (`/api/mcp`) -- it is free, live on every store, and maintained by Shopify. Build a custom MCP server only if you run a headless or custom commerce platform, or if you need tools beyond what Shopify exposes (custom search ranking, dynamic pricing, B2B-specific logic).
**What PCI compliance changes does agentic commerce require?**
No new PCI DSS version is required, but the existing requirements apply with renewed emphasis. Requirement 7 (least privilege) means agents must never access raw card data -- tokenized aliases only. Requirement 10 (audit logging) means you must log the complete chain from user authorization through agent reasoning to payment execution. Document agent privileges and maintain human oversight mechanisms.
---
*The protocols are shipping. The payment networks are deploying trust infrastructure. The AI platforms are onboarding merchants. The engineering decisions you make in the next two quarters will determine whether your commerce platform is visible to the next generation of buyers -- or invisible.*
---
**References:**
- UCP Specification: [ucp.dev](https://ucp.dev/)
- ACP Specification: [agenticcommerce.dev](https://www.agenticcommerce.dev/)
- Stripe ACP Documentation: [docs.stripe.com/agentic-commerce/protocol/specification](https://docs.stripe.com/agentic-commerce/protocol/specification)
- Google UCP Developer Guide: [developers.google.com/merchant/ucp](https://developers.google.com/merchant/ucp)
- Shopify Agentic Commerce: [shopify.dev/docs/agents](https://shopify.dev/docs/agents)
- MCP Specification: [modelcontextprotocol.io](https://modelcontextprotocol.io)
- Mastercard Verifiable Intent: [mastercard.com/us/en/news-and-trends/stories/2026/verifiable-intent](https://www.mastercard.com/us/en/news-and-trends/stories/2026/verifiable-intent.html)
- Visa Trusted Agent Protocol: [corporate.visa.com](https://corporate.visa.com/en/sites/visa-perspectives/security-trust/the-threats-landscape-of-agentic-commerce.html)
- PCI SSC AI Principles: [blog.pcisecuritystandards.org/ai-principles](https://blog.pcisecuritystandards.org/ai-principles-securing-the-use-of-ai-in-payment-environments)
- NIST AI Agent Standards Initiative: [nist.gov](https://www.nist.gov/news-events/news/2026/02/announcing-ai-agent-standards-initiative-interoperable-and-secure)
- CSA Agentic Trust Framework: [cloudsecurityalliance.org](https://cloudsecurityalliance.org/blog/2026/02/02/the-agentic-trust-framework-zero-trust-governance-for-ai-agents)