
Image generated with ChatGPT.
I have been reading about the Universal Commerce Protocol for weeks, and until today, I haven’t been able to shape all the ideas I have in my head about this supposed revolution.
It turns out that Google, along with industry partners like Shopify, has taken a new approach to Merchant[1], and beyond having a product feed, it will ask for a bit more. In return, it will significantly reduce store traffic. It sounds harsh, I know, but it’s part of the design. Whether it will work or not, only time will tell, but I have no doubt that this is Alphabet’s ideal scenario.
Until the news broke, an ecommerce site, for most people, was a digital store: a more or less navigable catalog and a payment gateway. Now, suddenly, that idea begins to blur due to this new protocol.
The promise is that we will shop without leaving the chat, and over time, they want it to become a voice that will accompany us, advise us, and take care of the heavier parts of shopping.
Note: If you make it to the end, you’ll find very valuable content.
🕒 Summary for busy people
Estimated reading time for the full article: 8 minutes.
The Universal Commerce Protocol (UCP) points to an uncomfortable change: that shopping stops happening in your store and becomes mediated by assistants and agents (Google and partners). That reduces friction, yes, but it also dilutes brand, experience, and control. The user compares products “from the outside,” in an interface that is not yours, and you compete more exposed than ever (features and price).
The cost will not only be a commission. The real blow may be the loss of observability. If there are no clicks or visits, classic metrics break down, and competing without knowing why you succeed (or not) becomes an act of faith. Moreover, the “open protocol” may clash with closed catalogs: if players like Amazon lock down their inventory, conversational commerce risks becoming a series of walled gardens negotiating access.
UCP proposes serious safeguards (manifests, pauses, signatures, tokenization, KYA), but the article insists that the devil is in the human aspect: hallucinations that now cost money, prompt injection, disputes where the black box complicates responsibility, and a possible centralization if only a few can “certify” agents.
My conclusion is hybrid and pragmatic: UCP is an accelerator, not a destination. It will be a threat to those who only sell catalog/price and an opportunity for those who sell criteria, trust, and relationships. The chat will solve the obvious; the web (and the human aspect) will have to retain what is important.
What is the Universal Commerce Protocol?
This is how Google defines it:
[…] a new open standard for agent-based commerce and artificial intelligence tools to help retailers connect with high-intent buyers and drive sales.
And it adds:
[…] a new open standard for agent commerce that works throughout the buying journey, from discovery and purchase to post-purchase support.
That is, the online store stops directly controlling the flow of sales, which becomes partially mediated by third parties.
Here, some may argue that this is similar to Google Merchant but with AI behind it. After all, we are talking about exposing a product feed to appear in a sales channel that we do not control. But there is a substantial difference, which is that those channels could be measured and audited, while the responses of an LLM are a black box, and we have no way, as of today, to know how we are positioned in its data scheme.
Returning to how UCP works, we are presented with a narrative in which our customers will discover our products by chatting with a virtual assistant, compare them with the competition with unprecedented ease, and purchase them without stepping foot in our store.
And while this sounds great in terms of reducing shopping friction, it becomes a bit strange when we translate it to the physical world. The example would be walking through a shopping mall, saying out loud that you want some pants, and having salespeople from some clothing stores (not all and not the ones you choose, which is crucial) bring out pant models for you to compare in the lounge area. The customer experience, brand, packaging, and message are diluted. We are left with the product, its features, and its price. Distinguishing oneself this way will be quite complicated.
If you are currently thinking about setting up an online store or migrating your code to a new version or another platform, you may be wondering whether it makes sense to proceed or not. If you want to know the definitive answer, it’s better to look elsewhere because I have, above all, doubts. But they are well-founded doubts.
How much will UCP cost us?
As popular wisdom says: “Nobody gives hard cash for real money,” or if we update it, “nobody gives euros for cents.” Google expects that the chatbot channel will generate sales and wants its share of the pie. Leading the initiative, it tries to position itself as the de facto owner of GEO (Generative Engine Optimization), that is, the optimization to appear in responses generated by language models.
Just as SEO ended up contaminated by commercial incentives, it is reasonable to ask how long it will take for this new channel to follow the same path. And how long it will take for relevance to be confused with the ability to pay.
Although the protocol itself does not impose a commission per sale, it is logical to think that those who implement it will not put their infrastructure at our service for the love of art. For many businesses, this will pose a complex dilemma: Do we stay out of agent-based commerce, or do we try to absorb a commission that, in certain businesses, could eat up almost all the profit margin?
The advantage of it being an open protocol is that, since any company can implement it, there will be competition, and we may see maneuvers to capture transaction volume at lower prices.
But the cost of UCP will not only be an explicit commission. There will also be a less visible and possibly more difficult cost to bear: the loss of control over measurement.
If you do not drive traffic, how do you measure your impact? When the purchase occurs outside your site, traditional metrics—visits, engagement, pages viewed, conversion rates—lose meaning. Competing without observability is complicated: you do not know what works; you only notice if traffic goes up or down. The challenge will be to develop attribution metrics that work beyond the click, and that will force us to rethink web analytics from the ground up.
What if the problem is not the protocol but access to the catalog?
And here comes the less open part of the story: access. There is a recent movement that, in my opinion, says more about the future of agent-based commerce than any technical document: Amazon has restricted LLM crawlers’ access to its catalog.
For years, Amazon has understood its catalog as an indexable public asset: visible to search engines, comparators, and affiliates.
But in a world where agents can read, compare, and recommend products without going through the original interface, that catalog stops being a showcase and becomes capital.
Closing access is a way of saying: if there is going to be mediation, I prefer to control it myself.
This introduces an uncomfortable consequence: conversational commerce will not necessarily be open or neutral. We will see catalogs accessible to agents and locked catalogs. Products that assistants can recommend and others that simply do not exist for them.
Paradoxically, this may benefit many small niches. Specialized catalogs, with high semantic density and expert criteria, are easier to expose and less costly to protect than generalist giants. For them, opening up to agent-based commerce can be a real competitive advantage.
Amazon is playing a different game. It does not need to be recommended by an external agent if it can become the agent.
And that move leaves a question in the air: Will the future of conversational commerce be an open protocol or a collection of walled gardens negotiating with each other?
When a hallucination costs money
A hallucination occurs when an LLM generates a plausible but incorrect response. In a conversation, the damage is usually limited.
The problem arises when that same logic is applied to agents capable of executing transactions. There, the error stops being cognitive and becomes economic. And when money is involved, we need exceptional guarantees.
UCP proposes a series of interesting security measures that will need to prove their effectiveness in the real world:
- Capability Profiles (Manifests): The merchant publishes an exact technical “menu.” The AI cannot guess: it must consult actual availability and price through calls to the merchant’s system.
- Pause and Escalate: The protocol includes states like requires_escalation. If there is ambiguity (for example, the AI does not know which size to choose or the price changes at the last second), the protocol forces control to return to the user for manual confirmation.
- Cryptographic Proof: Each transaction requires user consent backed by cryptographic signatures, preventing an agent from accidentally purchasing something without an explicit and verified order.
However, it will be the companies that offer payments through agents that will need to provide additional guarantees, such as refunds in case of agent error and similar. And we, as customers, must demand them.
If the assistant knows everything about us, where does privacy stand?
On the traditional web, there are mechanisms to protect user privacy, such as cookie management, privacy pages, GDPR clauses, etc.
An LLM knows many things about us. Just ask it. Even when the protocol describes a series of privacy protection measures, how can we be sure that companies like OpenAI, Anthropic, or Google will not use all this data to influence our purchasing decisions?
The protocol describes some aspects related to privacy:
- Data Sovereignty: Even though the agent facilitates the purchase, you maintain ownership of the customer data. When the sale is closed, shipping and billing data go directly to your database; they do not get “trapped” in the AI.
- Tokenization (AP2): It uses the Agent Payments Protocol (AP2), which tokenizes payment information. The AI never sees the actual card data; it only manages authorized payment mandates.
- Terms and Conditions (T&C): The protocol requires showing and having the user accept the specific T&C of your store before finalizing the payment.
Despite all this, none of these aspects ensure that the information that the LLM already has cannot be used to modify our opinion. We also do not know what data they will sell to segment advertising: data whose volume, level of detail, and context will make what companies like Meta or Google handle today pale in comparison.
Can an agent be responsible for a purchase?
The essential question when we talk about payments is security. Are language models safe for processing payments? The protocol proposes ambitious strategies in this regard:
1. The “triple handshake” (cryptographic verification)
Unlike a human clicking “Buy,” UCP uses Verifiable Digital Credentials (VDCs). The process follows these steps to ensure that no one manipulates the order:
- Merchant Signature: The seller digitally signs the final terms (price, stock, and delivery date).
- User Mandate (AP2): The user grants a cryptographically signed “mandate” that authorizes the AI to execute that specific purchase for that amount.
- Consent Proof: The transaction is only processed if both signatures match. This prevents an AI from “hallucinating” a purchase or a third party from intercepting and modifying the price.
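An added illustration of the three steps above (not code from the UCP specification or from this article's author): HMAC with per-party keys stands in for the digital signatures, and the field names, keys, and the mapping of a changed price to requires_escalation are assumptions made for the example.

```python
import hashlib
import hmac
import json

# Constructed demo keys. HMAC with a per-party secret stands in for the
# digital signatures the article describes; a real deployment would use
# asymmetric signatures so the verifier never holds a signing key.
MERCHANT_KEY = b"constructed-merchant-key"
USER_KEY = b"constructed-user-key"

def canonical(obj):
    """Serialize deterministically so both parties sign identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign(key, obj):
    return hmac.new(key, canonical(obj), hashlib.sha256).hexdigest()

def verify(key, obj, tag):
    return hmac.compare_digest(sign(key, obj), tag)

def terms_digest(terms):
    return hashlib.sha256(canonical(terms)).hexdigest()

def make_mandate(terms, max_amount_cents):
    """Step 2: the user authorizes exactly these terms, up to a fixed amount."""
    body = {"terms_digest": terms_digest(terms), "max_amount_cents": max_amount_cents}
    return {"body": body, "sig": sign(USER_KEY, body)}

def consent_proof(terms, merchant_sig, mandate):
    """Step 3: process only if both signatures verify and cover the same terms."""
    if not verify(MERCHANT_KEY, terms, merchant_sig):
        return "rejected: merchant signature invalid"
    if not verify(USER_KEY, mandate["body"], mandate["sig"]):
        return "rejected: user mandate invalid"
    if mandate["body"]["terms_digest"] != terms_digest(terms):
        # Validly signed terms that differ from what the user approved,
        # e.g. a last-second price change: hand control back to the user.
        return "requires_escalation"
    if terms["price_cents"] > mandate["body"]["max_amount_cents"]:
        return "requires_escalation"
    return "approved"

def demo():
    # Hypothetical field names and constructed values.
    terms = {"sku": "PANTS-32", "price_cents": 4999, "delivery": "2026-02-01"}
    merchant_sig = sign(MERCHANT_KEY, terms)   # step 1: merchant signs the terms
    mandate = make_mandate(terms, 4999)
    tampered = dict(terms, price_cents=6999)   # price altered in transit
    repriced = dict(terms, price_cents=5499)   # merchant re-signs a new price
    forged = {"body": mandate["body"], "sig": "0" * 64}  # agent has no user key
    return {
        "happy_path": consent_proof(terms, merchant_sig, mandate),
        "tampered": consent_proof(tampered, merchant_sig, mandate),
        "repriced": consent_proof(repriced, sign(MERCHANT_KEY, repriced), mandate),
        "forged_mandate": consent_proof(terms, merchant_sig, forged),
    }

if __name__ == "__main__":
    print(demo())
```

Every check here operates on the signed bytes only, so a mandate the user was talked into signing still verifies.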
2. Tokenization and payment privacy
As we mentioned, the AI never sees the actual card data because it operates with one-time payment tokens, valid only for that merchant and that amount.
Identity and credentials remain in the hands of specialized providers (Google Pay, Apple Pay, Visa), while processors settle the money. The AI acts as an authenticated intermediary, not as a custodian of the payment.
3. “Know Your Agent” (KYA) and fraud prevention
Traditional security systems are designed to detect humans. UCP introduces the concept of KYA (Know Your Agent):
- Agent Identity: Merchants can verify whether the agent attempting to purchase is a legitimate bot (e.g., Gemini or the Shopify agent) or a malicious script.
- Non-Human Behavior Analysis: AI models are used to detect machine-specific fraud patterns, such as bursts of transactions in milliseconds or attempts to exhaust stock.
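An added example, not part of UCP or of the original article, of flagging the two patterns just named in merchant-side checkout events. Fixed thresholds stand in for the AI models the article mentions, and the event layout, agent ids, stock figures and limits are all constructed.

```python
from collections import defaultdict, deque

# Constructed checkout events: (timestamp_ms, agent_id, sku, quantity).
# Agent ids and field layout are hypothetical, not taken from UCP.
EVENTS = [
    (1_000, "agent-a", "SKU-1", 1),
    (61_000, "agent-a", "SKU-2", 1),
    (100_000, "agent-b", "SKU-9", 1),
    (100_040, "agent-b", "SKU-9", 1),
    (100_075, "agent-b", "SKU-9", 1),
    (100_110, "agent-b", "SKU-9", 1),
    (200_000, "agent-c", "SKU-7", 45),
]
STOCK = {"SKU-1": 500, "SKU-2": 300, "SKU-9": 1000, "SKU-7": 50}  # constructed


def flag_agents(events, stock, window_ms=500, burst=4, stock_share=0.8):
    """Return {agent_id: sorted reasons} for bursts and stock exhaustion."""
    recent = defaultdict(deque)   # agent -> timestamps inside the window
    taken = defaultdict(int)      # (agent, sku) -> units requested so far
    flags = defaultdict(set)
    for ts, agent, sku, qty in sorted(events):
        q = recent[agent]
        q.append(ts)
        while ts - q[0] > window_ms:   # drop timestamps older than the window
            q.popleft()
        if len(q) >= burst:            # many checkouts within milliseconds
            flags[agent].add("burst")
        taken[(agent, sku)] += qty
        if sku in stock and taken[(agent, sku)] >= stock_share * stock[sku]:
            flags[agent].add("stock_exhaustion")
    return {agent: sorted(reasons) for agent, reasons in flags.items()}


if __name__ == "__main__":
    print(flag_agents(EVENTS, STOCK))
```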
4. “Embedded” mode (security in iframe)
For transactions that the protocol considers high-risk or that require extra validation, UCP allows the use of the Embedded Checkout Protocol (ECP).
In this case, the AI opens a secure window (iframe) directly connected to the merchant’s server. This ensures that sensitive data is entered in an environment controlled by the seller, strictly complying with PCI DSS regulations.
All this sounds solid on paper. Too solid, even. As always happens with security, we can find objections:
1. The “intention hijacking” (prompt injection)
Although the protocol is cryptographically secure, the input remains natural language. Therefore, an attacker could use jailbreaking or prompt injection techniques to deceive the agent. If the agent is persuaded that “the user wants to buy product X” when in reality the user was just asking about it, the cryptographic signature will be generated based on a false intention.
Cryptography ensures that the message does not change along the way, but it cannot guarantee that the user truly understood what the AI was asking them to sign.
2. The fallacy of the “blind AI” (data footprints)
It is often argued that the AI does not “see” the user’s sensitive data directly, and that these are protected through tokenization and separation of responsibilities.
Although the AI does not see it directly, the agent system needs it to function smoothly, personalize the experience, and execute purchases with minimal friction.
For the purchase to be truly smooth, the system must operate on a persistent digital identity profile. That profile may not be clearly exposed to the model, but it exists and is critical. This creates a single point of failure: if someone compromises your agent identity (your Google or Apple account managing the protocol), they have the keys to buy at any connected store without you having to enter a single additional password.
3. The black box problem in disputes
In traditional commerce, if there is an error, the record is clear: “the user clicked here.”
In UCP, the record is: “Agent A interpreted User B’s instruction and negotiated with Merchant C.” If the product arrives wrong or the price is incorrect, who is legally responsible?
The merchant will blame the agent’s algorithm, the agent’s developer will blame the merchant’s API, and the user will be caught in a legal void where the cryptographic proof does not explain the why of the error, only the what.
This is compounded by still unclear issues: who legally assumes responsibility for the agent, how the right of withdrawal is exercised when the purchase does not go through the store, and what level of traceability will be required to resolve conflicts.
4. Barriers to entry and centralization (KYA)
The Know Your Agent mechanism sounds good for preventing malicious bots, but it is a double-edged sword.
Who decides which agents are “legitimate”? If only Google, OpenAI, and Apple can certify agents, we are creating an oligopoly.
A small developer with an innovative shopping AI could be blocked by large merchants simply because they do not have the scale to be “validated” by the official security protocol, eliminating the “open” nature of the protocol.
5. Latency vs. security (the “race condition”)
UCP promises real-time validation of stock and price. During high traffic periods (like Black Friday), the overload of verifying cryptographic signatures at every step of the purchase “conversation” can cause latency.
To improve the user experience, developers might be tempted to relax the checks or use pre-authorizations that open windows of opportunity for man-in-the-middle[2] attacks or last-second price changes.
Nothing new under the sun. Use will expose real problems, and we will have to work constantly to ensure that security is high enough to generate trust.
How will UCP affect e-commerce?

Image generated with NotebookLM.
I am not a good futurist, but my profession requires me to foresee how technology will evolve. Even when I am wrong, it helps me understand and anticipate problems that do not yet exist.
Given my limitations, I usually employ a strategy that works reasonably well: I propose two opposing and extreme scenarios and settle on a middle ground.
Let’s propose a first scenario where nothing changes and online stores remain exactly the same. Here, UCP has no effect.
The opposing scenario is that purchases through AI agents grow so much that websites cease to make sense. Catalogs become files for machine consumption, and interfaces are 100% conversational.
A reasonable intermediate scenario foresees that UCP accumulates a significant market share, but not enough to retire websites. However, the concept of a reactive web is transformed. Websites begin to offer a user experience that adapts to the origin of users, taking into account their purchase and visit history to create hyper-personalized visits, and of course, offer tailored assistance and personalization services: product-related experiences, expert-led training, home installation…
Many of these functions already exist and are used, but the level of adoption is low in many cases. My bet is that agent-based commerce will accelerate the adoption of these features and will tend to reduce global friction in the purchasing process. The user will visit the store before buying, possibly purchase through the agent, and return for a post-sale service that will often be critical.
We also cannot lose sight of the fact that there will always be less enthusiastic users who will continue to prefer a more traditional experience, just as there are still those who prefer to visit physical stores, as is the case with my neighborhood shops.
That little time on Saturday mornings shopping at the fruit shop or the butcher, where they know me and know what I like as soon as they see me, is irreplaceable.
This reinforces my belief in a hybrid future where e-commerce agents and online stores focused on a fully personalized experience coexist.
On the other hand, some departments will gain greater importance:
- Sourcing: Having the most differentiated catalog or the most competitive prices, depending on the case, is currently a competitive advantage, but it is about to become essential. And it will not be enough to have data: it will need to be normalized, cleaned, and made comparable so that agents can interpret it correctly.
- Content: Content will not only be key for being discovered and valued by LLMs but also for captivating store visitors and helping them decide.
- Customer Service: Pre-sale and post-sale service will acquire a new dimension because it will be the most human way to differentiate from the competition. Overusing AI agents in this field will be counterproductive in most cases because customers arriving here will have very complex needs.
Threat or opportunity?
After much thought, I still do not have a clear answer. The Universal Commerce Protocol is neither good nor bad in itself. It is an accelerator. And like all accelerators, it amplifies what already exists.
For those who compete solely on price and catalog, this looks quite like an existential threat. If the product is interchangeable and the margin is minimal, leaving the decision in the hands of an agent does not play in your favor.
For those who sell criteria, trust, and relationships, it can be just the opposite: a historic opportunity.
Websites that merely describe products will become increasingly dispensable. Those that help decide will remain essential. The chat will solve the obvious, and the web will retain what is important.
And for those who do nothing, for those who continue to build stores designed to be visited and not to help the buyer, there will probably not be a great catastrophe. Rather, it will be a silent disappearance: less traffic, less relevance, and fewer reasons to return.
The future does not have to be a dilemma between conversational and web. Perhaps the key lies in how demanding we are of whoever mediates, whoever decides, and whoever assumes the consequences when something goes wrong. When buying ceases to require effort, the only thing that still matters is who you trust.
And that trust will no longer be earned with more traffic.
For those who want to go a step further
If this text has generated more questions than answers for you, that’s normal. I am preparing a practical guide on the Universal Commerce Protocol, focused on real decisions:
What really changes, where control is lost, and what it is advisable to start doing now (and what not).
It is not a public document or a technical introduction. And I will share it only with people subscribed to this newsletter.
If you are interested, subscribe, message me in the private chat, and I will send it to you when it is ready.
[1] It is not a direct evolution of Merchant, but rather a change of scale based on the same premise.
[2] Interception and possible alteration of a private communication between two parties by a third party acting as an invisible intermediary.