Google has released the first draft of its Universal Commerce Protocol (UCP), an open standard designed to make it easier for AI assistants to order and pay for products and services online. The goal is to create a common language that enables shopping bots to work smoothly across different platforms. Google co-developed UCP with major industry players, including Shopify, Etsy, Wayfair, Target, and Walmart. It also has backing from payment providers like Adyen, American Express, Mastercard, Stripe, and Visa, along with retailers such as Best Buy, Flipkart, Macy’s, The Home Depot, and Zalando.

This move has been highly anticipated by the retail world. Retail technology consultant Miya Knights explains that stores are eager to start experimenting with agent-driven commerce, where AI platforms like ChatGPT, Gemini, and Perplexity can directly sell to consumers. Retailers want to understand how to appear in consumer searches and convert those interactions into sales, making the shopping experience more seamless and direct.

Security Challenges for Retailers and CIOs

However, implementing UCP introduces new security challenges that CIOs will need to address. Since retailers will expose REST endpoints—interfaces used for creating, updating, or completing checkout sessions—they face an expanded attack surface. This means that beyond traditional web or app checkouts, there are new vulnerabilities to guard against.

Experts highlight that API gateways, web application firewalls, bot mitigation tools, and rate limiting become essential parts of securing the checkout process. CIOs will need to adopt new architectures and runtime controls, along with updated privacy, consent, and contractual protocols. Integrating these security layers is critical to prevent malicious actors from exploiting the system during high-value transactions like payments and checkout processes.

Julie Geller, principal research director at Info-Tech Research Group, emphasizes that this shift requires a different security mindset. Instead of just detecting bots, IT teams must focus on controlling who can act through agent gateways, defining clear permissions, and monitoring transaction scope. The real concern isn’t just bot traffic but the risk of non-human actors executing valuable actions, which demands more sophisticated security strategies.

Implications for Retail Operations and Governance

The introduction of UCP is expected to make AI integration into retail systems much smoother. But Geller points out that it could also lead to governance issues. Because the process is so seamless, problems may arise if small configuration errors lead to revenue, pricing, or customer experience issues—often almost immediately.

She notes that this rapid execution shifts responsibility for IT teams. Instead of asking whether integration is possible, they now need to focus on managing variances and maintaining accountability when actions happen outside the retailer’s direct control. Many existing retail IT architectures weren’t designed for this level of delegated autonomy, making governance and oversight more complex.

Overall, UCP promises to streamline AI-powered shopping but also challenges retailers to rethink security protocols and operational governance. As AI continues to evolve, companies will need to adapt quickly to stay secure and maintain control over their digital storefronts.

Inspired by

• https://www.infoworld.com/article/4116087/googles-universal-commerce-protocol-aims-to-simplify-life-for-shopping-bots-and-devs.html

Sources

• ucp.dev
• agenticcommerce.dev