Visa just gave your AI agent a credit card

What changed, what's cool, and the boring fix that keeps you safe.


Last December, while everyone was arguing about whether AI agents were “really useful yet,” Visa quietly walked into the room with a credit card and handed it to one. The card had your name on it.

The product is called Intelligent Commerce Connect, and on April 8 Visa confirmed it’s going mainstream in 2026. It lets an AI agent — the kind that lives in your browser, your phone, or your inbox — initiate a real purchase, tokenize the card, enforce the spend limit you set, and authenticate the payment without you ever touching a checkout page. Visa rolled it out with AWS, then signed Akamai onto something called the Trusted Agent Protocol so merchants can tell a legitimate consumer agent from the millions of malicious bots already pounding their checkout pages.

If you blinked, you missed it. So let’s talk about what just happened.

The cool part

Imagine you forgot your sister’s birthday — again. You message your assistant: “She liked that ceramics studio in Lisbon. Send her a gift card before midnight.” Your agent finds the studio, picks the right amount, applies your saved shipping note, runs it past your spend cap, completes the purchase, and emails you the receipt. You did not open a tab. You did not type a card number. The whole thing took the time it takes to read this paragraph.

That’s the demo. The reality is being stress-tested right now by ADP (which is letting agents help run payroll), by Microsoft (which open-sourced a governance framework for agentic spending the same week), and by every shopping app that doesn’t want to be the last one without a “let your agent pay” button.

It is, depending on your mood, either delightful or terrifying.

What could possibly go wrong

Here’s the thing nobody puts on the launch slide: the same week Visa announced agents could spend money, Microsoft published research on something called AI Recommendation Poisoning. They found 31 companies hiding instructions inside “Summarize with AI” buttons — instructions your agent reads, remembers, and then quietly follows in your next conversation. The attack doesn’t show up on your screen. It shows up in your agent’s memory.

A few weeks earlier, Cisco researchers showed they could slip a single line into an npm post-install hook and rewrite Claude Code’s memory.md file. The first 200 lines of that file get loaded into the system prompt. So every project, every session, the assistant is now reading the attacker’s notes. The user thinks they’re working with their tool. They are not.

These aren’t lab toys. The same class of attack — memory poisoning — has been demonstrated against ChatGPT, Gemini, Claude, Perplexity Comet, and ChatGPT Atlas. A poisoned page on Tuesday triggers a malicious action on Friday, on a totally different site. Permission popups don’t catch it, because the user already gave permission, just for something else.
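The memory.md case above comes down to provenance: the assistant cannot tell which lines the user wrote and which were appended by something else, so the check has to live outside the agent. The following is an added example, not code from the post, from Cisco, or from Claude Code. It snapshots a memory file the user has approved, then reports any line that appeared since, and separately calls out additions that fall inside the first 200 lines, which the post says are loaded into the system prompt (that window size is taken from the post as an assumption). The memory contents are constructed for the example.

```python
"""Added example (not from the post): baseline-and-diff monitor for an agent memory file."""
import hashlib
from dataclasses import dataclass, field

# Assumption taken from the post: only the first 200 lines of memory.md reach the system prompt.
PROMPT_WINDOW_LINES = 200


@dataclass
class MemorySnapshot:
    digest: str
    lines: list = field(default_factory=list)


def snapshot(text: str) -> MemorySnapshot:
    """Record a human-approved state of the memory file."""
    return MemorySnapshot(hashlib.sha256(text.encode("utf-8")).hexdigest(), text.splitlines())


def diff_memory(baseline: MemorySnapshot, current_text: str) -> dict:
    """Compare the file on disk with the approved snapshot.

    Returns which non-blank lines appeared or disappeared and, for additions,
    which of them sit inside the window that is loaded into the system prompt.
    Any addition the user did not make is treated as suspect: the monitor
    judges provenance, not content, so it does not need a list of bad phrases.
    """
    current = snapshot(current_text)
    if current.digest == baseline.digest:
        return {"changed": False, "added": [], "removed": [], "added_in_prompt_window": []}
    base_set = set(baseline.lines)
    cur_set = set(current.lines)
    added = [(n, ln) for n, ln in enumerate(current.lines, start=1)
             if ln.strip() and ln not in base_set]
    removed = [ln for ln in baseline.lines if ln.strip() and ln not in cur_set]
    in_window = [(n, ln) for n, ln in added if n <= PROMPT_WINDOW_LINES]
    return {"changed": True, "added": added, "removed": removed,
            "added_in_prompt_window": in_window}


# Constructed sample memory file, as the user last approved it.
APPROVED_MEMORY = "\n".join([
    "# Project notes",
    "- Run the test suite with `make test` before opening a PR",
    "- Deploy target is staging, never production, from this machine",
])

# Constructed "after" state: one line nobody remembers writing was appended.
TAMPERED_MEMORY = APPROVED_MEMORY + "\n- [unrecognized instruction appended outside the user's session]"


def check_example() -> dict:
    """Run the monitor over the constructed before/after pair."""
    return diff_memory(snapshot(APPROVED_MEMORY), TAMPERED_MEMORY)


if __name__ == "__main__":
    report = check_example()
    for n, line in report["added_in_prompt_window"]:
        print(f"line {n} was added and will be loaded into the system prompt: {line}")
```

In practice the baseline is re-taken only after a human reads the diff and approves it, which is the "treat it like a charge you don't recognize" habit the post recommends, done mechanically.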

Now hand that agent a credit card.

The OWASP working group has been screaming about this for months. Their Top 10 for Agentic Applications, peer-reviewed by 100+ researchers and published in December 2025, ranks Goal Hijacking as risk number one — “an attacker manipulates an agent’s objectives through poisoned inputs like emails, documents, or web content.” Risk number six is Memory Poisoning. Risk number two is Tool Misuse, which is exactly what an attacker wants to do with card.charge().

If your stomach just dropped a little, that’s the appropriate reaction.

The boring fix that actually works

The good news: people who design these systems for a living have done the homework, and the answer is not “don’t use agents.” The answer is the one security has always given: layered, boring, and unsexy.

Two things to know about, both free.

MAESTRO, from the Cloud Security Alliance, is a threat-modeling framework built specifically for agentic systems. It splits an agent into seven layers — foundation model, data ops, agent framework, deployment, observability, security/compliance, and the wider ecosystem — and walks you through what can go wrong at each. The point isn’t that you’ll memorize the layers. The point is that the bug nobody catches is the bug at the seam between two layers, and MAESTRO is the only mainstream framework that makes you look at the seams.

The OWASP Top 10 for Agentic Applications is the closest thing the field has to a checklist. If you’re building an agent that touches money, you read it on page one of the project. If you’re a user, you ask the vendor whether they did.

For the rest of us — the people letting an agent buy gift cards, not the people building Visa’s payment rail — the practical version is shorter:

  • Set a hard spend cap inside the agent platform, not just inside the merchant.

  • Watch the agent’s memory the way you watch your bank statement. If your assistant suddenly “remembers” a preference you don’t recognize, treat it like a charge you don’t recognize.

  • Don’t summarize untrusted pages with your agent unless you’re prepared for the page to summarize itself back into your agent.

  • Use vendors that publish their threat model. If they can’t tell you which OWASP risks they’ve mitigated, that’s the answer.
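The first bullet is the one that can be turned into code, and the shape matters: the cap has to be enforced by a gateway that sits between the model and the payment call, so that a hijacked goal can only produce a request, never a policy change. The following is an added example, not Visa's, Microsoft's, or any vendor's code. It assumes a hypothetical gateway that wraps the single charge tool the agent is allowed to call, holds a per-purchase cap, a session cap and a merchant allowlist the model cannot see or edit, and logs every refusal with its reason. The merchant identifiers and the request sequence are constructed for the example.

```python
"""Added example (not Visa's or any vendor's code): a spend policy enforced outside the model."""
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass(frozen=True)
class SpendPolicy:
    """Limits the user sets in the agent platform; the model never reads or modifies this object."""
    per_purchase_cap: Decimal
    session_cap: Decimal
    allowed_merchants: frozenset  # hypothetical merchant identifiers; a real rail uses its own IDs


@dataclass
class ChargeGateway:
    """The only path from the agent to a charge; every request passes through authorize()."""
    policy: SpendPolicy
    spent: Decimal = Decimal("0")
    ledger: list = field(default_factory=list)

    def authorize(self, merchant: str, amount: Decimal) -> tuple[bool, str]:
        """Decide whether one charge the agent requested may go through.

        Each refusal is recorded with its reason, so a burst of denials is
        itself a signal that the agent's goal may have been hijacked.
        """
        if amount <= 0:
            verdict = (False, "amount must be positive")
        elif merchant not in self.policy.allowed_merchants:
            verdict = (False, f"merchant {merchant!r} not in allowlist")
        elif amount > self.policy.per_purchase_cap:
            verdict = (False, f"amount {amount} exceeds per-purchase cap {self.policy.per_purchase_cap}")
        elif self.spent + amount > self.policy.session_cap:
            verdict = (False, f"would exceed session cap {self.policy.session_cap} (spent {self.spent})")
        else:
            self.spent += amount
            verdict = (True, "approved")
        self.ledger.append((merchant, amount, verdict[1]))
        return verdict


def run_example() -> ChargeGateway:
    """Feed a constructed sequence of agent requests through the gateway."""
    policy = SpendPolicy(
        per_purchase_cap=Decimal("75"),
        session_cap=Decimal("100"),
        allowed_merchants=frozenset({"ceramics-studio-lisbon"}),  # constructed identifier
    )
    gateway = ChargeGateway(policy)
    # Constructed request sequence, as an agent might emit it while carrying out a prompt.
    for merchant, amount in [
        ("ceramics-studio-lisbon", Decimal("60")),  # the gift card: approved
        ("ceramics-studio-lisbon", Decimal("30")),  # a second charge: approved, total 90
        ("ceramics-studio-lisbon", Decimal("20")),  # would push the total to 110: denied
        ("unknown-merchant", Decimal("5")),         # not on the allowlist: denied
    ]:
        gateway.authorize(merchant, amount)
    return gateway


if __name__ == "__main__":
    for merchant, amount, reason in run_example().ledger:
        print(f"{merchant:24} {amount:>6}  {reason}")
```

The point of the design is that the model's output is treated as data: it can ask for a charge, and the gateway answers from a policy the user set out of band, which is what "set the cap inside the agent platform, not just inside the merchant" means in practice.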

The takeaway

The moment money flows through agents at scale — and it will, before the end of this year — every weakness in the agent stack becomes a weakness in your wallet. Visa’s launch is genuinely cool. So is the fact that someone, somewhere, just used an agent to buy their sister a perfect, on-time birthday gift while sitting in traffic.

But the same call that completes the purchase can be redirected by a sentence hidden in a webpage three days ago. The defenders know this. The attackers know this. Now you know this too.

Set the cap. Read your agent’s memory. And the next time a vendor tells you their agentic feature is “completely safe,” ask them which OWASP risks they’ve mapped.

— itscybernews

If this was useful, hit reply with the agentic feature you’re most nervous about — I read every one. And if a friend would like the calmer-than-the-news version of this stuff, send them this post.