Giving an AI agent access to money is a fundamentally different security problem than giving a human access. Humans have judgment. Agents have instructions. And instructions can be wrong, manipulated, or misinterpreted.
We think about this every day. Here's how we approach the security model for agent payments — and why virtual cards are the safest option available right now.
The threat model
When an AI agent has payment access, you're exposed to several risks:
Overspending
The agent spends more than intended. We've seen an agent misinterpret "buy a small pizza" and order ten. We've seen retry loops after failed purchases rack up duplicate charges. And agents have zero concept of "that's too expensive" unless you enforce it structurally.
Prompt injection
A malicious website or document injects instructions that override the agent's original intent. The agent was supposed to "buy the cheapest option" but a prompt injection says "buy the most expensive one." The agent complies. This isn't theoretical — prompt injection attacks are real and getting more sophisticated.
Credential leakage
The agent accidentally dumps card details into logs, screenshots, or API calls. If those details belong to your primary credit card? Catastrophic. If they belong to a $25 prepaid card? Annoying, but the blast radius is tiny.
Recurring charges
The agent signs up for a service with a free trial that requires a card. It doesn't cancel. Now you're paying $99/month for something nobody uses. We hear about this one a lot.
Why virtual cards minimize every risk
| Threat | Credit card risk | Virtual card risk | |---|---|---| | Overspending | Entire credit limit | Card balance only | | Prompt injection | Unlimited damage | Capped at balance | | Credential leak | High exposure | Low exposure | | Recurring charges | Bills indefinitely | Declined after balance depleted | | Fraud | Complex dispute process | Limited loss, easy to freeze |
Hard spending cap
$25 card = $25 max. Period. The payment network enforces this, not our code. No bug, hallucination, or prompt injection can override Visa's transaction processing.
Blast radius containment
If a virtual card is compromised, the maximum loss is whatever balance remains on the card. Compare this to a credit card with a $10,000 limit or a corporate card with no preset spending limit.
No recurring billing
Virtual cards with fixed balances can't sustain recurring charges. Once the balance is depleted, subsequent charge attempts are declined. No forgotten subscriptions, no surprise bills months later.
Instant revocation
You can freeze or revoke a virtual card immediately from the command line. The card becomes unusable the moment you freeze it — no waiting for the bank, no phone calls, no disputes.
Security best practices for agent payments
1. Use one card per task
We can't stress this enough. One card per task. It isolates spending and makes auditing trivial.
2. Load the minimum amount
Don't load $200 when you need $15. Just don't. Start with the minimum and top up only if the task actually requires it.
3. Freeze cards after use
Task done? Freeze the card. Takes two seconds. There's zero reason to leave an unused card active.
4. Monitor balances
Check card balances regularly using agentcard balance <card-id>. Unexpected balance changes indicate unauthorized usage.
5. Refund unused balances
After a task completes, refund any remaining balance back to your payment method:
agentcard refund <card-id> --amount <n>
How AgentCard handles security
We're built by Alchemy, one of the largest blockchain infrastructure companies. Security isn't an afterthought for us — here's how we handle card data:
- AES-256-GCM encryption — card details (PAN, CVV) are encrypted at rest
- HTTPS-only tokens — all authentication uses encrypted session tokens
- No data selling — we never share or sell your data to third parties
- Instant freeze — cards can be frozen from the CLI in seconds
The future: network-native agent security
The payment networks are investing heavily here. Visa Intelligent Commerce uses tokenized credentials scoped to specific merchants and transaction types — the agent's credentials literally can't be used outside their intended context. Over 100 partners are building on this already, and Visa expects millions of agent-initiated transactions by late 2026.
MasterCard Agent Pay takes a similar approach, enabling AI agents to transact within regulated banking frameworks. In March 2026, MasterCard and Santander completed Europe's first live end-to-end AI agent payment.
We're integrating both as they become broadly available. Merchant-scoped tokenization and network-level permission controls, layered on top of the spending limits we already offer. The security story for agent payments is about to get much better.
The bottom line
Don't give AI agents your credit card. Don't give them a corporate card. Just don't.
Use virtual cards. Set the budget. Let the agent work. Freeze the card when it's done. That's the model we built AgentCard around — and with Visa and MasterCard building native agent support, it's only going to get stronger.