Why architecture matters here

The cost asymmetry of payment fraud is brutal in both directions. Approve a fraudulent transaction and you eat the chargeback, the fee, and — repeated at scale — the card networks' monitoring programs that can end your ability to process payments at all. Decline a legitimate one and you lose the sale, train the user's agent to route around you, and erode the trust that makes autonomous commerce usable. A risk system is not a classifier; it is a business policy engine balancing those costs per transaction, and its architecture determines which trade-offs are even expressible.

Agent traffic sharpens the problem in three ways. Speed: a compromised agent can attempt hundreds of purchases in the time a human fraudster attempts one — detection windows measured in minutes are already too slow, so velocity features and counters must update in seconds. Ambiguity: retry loops, A/B-testing agents, and legitimate high-frequency delegation look statistically similar to attacks; naive volume rules slaughter false positives. New primitives: the mandate chain is both an attack surface (scope creep, replay, stale mandates) and the richest defensive signal available — a transaction that exceeds its mandate's ceiling is not 'suspicious', it is invalid, and the architecture must treat cryptographic verification and statistical scoring as different layers with different guarantees.

Latency welds it all together. The scoring call sits inside the authorization path with a budget of tens of milliseconds; anything that cannot be answered from memory or a single online-store read does not exist at decision time. That single constraint dictates the split that defines every serious fraud platform: heavyweight computation happens ahead of time (feature pipelines, graph analysis, model training), and decision time is a fast, dumb assembly of precomputed intelligence.

Advertisement

The architecture: every piece explained

Top row of the diagram: intake. The payment request arrives carrying the cart, the mandate chain, and the agent's identity credentials. Signal enrichment does the deterministic work first: verify every signature in the mandate chain, check expiry and revocation, confirm the cart hash matches what was signed, and resolve the durable identifiers — user, agent, merchant, payment instrument — that key everything downstream. Cryptographic failures end the request here with a hard decline; no model gets a vote. The feature store then supplies the online view: for each resolved entity, precomputed features (chargeback history, account age, typical basket embedding, merchant category norms) served at single-digit-millisecond latency from a key-value store fed by streaming pipelines. Velocity counters — sliding windows implemented in Redis or specialized counting services — answer the 'how many, how fast' questions: transactions per agent per hour, spend per mandate per day, distinct merchants per instrument per week.

Middle row: judgment. The rules engine evaluates the human-legible tier — sanctions and deny-lists, mandate-ceiling enforcement, hard velocity caps, allow-lists for trusted pairs — expressed in a DSL that risk analysts (not engineers) deploy, version, and roll back, because rule agility is the response speed to novel attacks. Everything that survives flows to the ML scorer: typically gradient-boosted trees or a compact neural model over a few hundred features, emitting a calibrated risk score plus feature attributions. The decision service merges rule verdicts and score against per-merchant-category thresholds into one of three outcomes with machine-readable reason codes: allow, deny, or — the agentic innovation — step-up.

Bottom rows: the loop. Step-up pushes an out-of-band confirmation to the human principal ('Your agent wants to spend $340 at a merchant you haven't used — approve?'), converting a would-be false positive into both a completed sale and a perfect label. Case management queues gray-zone patterns for investigators whose verdicts become labels too. The outcome log records every decision, challenge result, and — weeks later — chargeback, feeding the label and training pipeline that retrains challenger models against the champion, while monitoring watches score distributions, approval rates, and precision proxies for silent rot.

Fraud and risk scoring for agent payments — decide in 100ms, learn forevermandate-aware signals + real-time features + rules and ML + graded decisionsPayment requestcart + mandate chain + agent identitySignal enrichmentverify signatures, resolve historyFeature storeonline: counters, embeddingsVelocity counterssliding windows per keyRules enginehard blocks, allow-lists, limitsML scorergradient-boosted / neural risk modelDecision serviceallow / step-up / deny + reason codesStep-up challengehuman confirmation out-of-bandCase managementreview queues, investigator toolsOutcome logdecisions, challenges, chargebacksLabel + training pipelinedelayed labels, champion/challengerMonitoringscore drift, approval rate, precision proxieslookupreadfactspassscoremid-riskrecordoutcomelabelsmetricsnew model
Agent-payment risk pipeline: every request is enriched with mandate and history signals, features are read from online stores and velocity counters, rules and an ML scorer feed a graded decision — allow, step-up to a human, or deny — and every outcome flows back as training labels.
Advertisement

End-to-end flow

Walk a single transaction. A grocery-replenishment agent, holding a mandate scoped to 'household goods, $500/month, merchants in categories 5411/5499', submits a $47 order. Enrichment verifies the mandate chain's signatures against the issuing wallet's keys, confirms the mandate is live and unrevoked, checks the signed cart hash, and resolves identities: this agent has transacted 214 times over six months, this user's account is three years old, this merchant sees the agent weekly. Elapsed: 8ms.

Feature assembly fans out in parallel: the feature store returns the agent's basket-size distribution, the user's chargeback count (zero), the merchant's fraud base rate; velocity counters report 3 transactions this week against a norm of 4, $86 of the $500 monthly ceiling consumed. The rules engine finds no deny-list hits, ceiling respected, category in scope — pass. The ML scorer consumes ~300 features and returns 0.04, with attributions dominated by tenure and pattern-consistency. The decision service compares against the grocery-category threshold (deny above 0.85, step-up above 0.45) and returns allow with reason codes. Total: 41ms inside the authorization flow. The outcome log records everything; the counters increment.

Now the contrast case. The same agent — its host application compromised by a prompt-injection that hijacks its tool calls — submits $480 of gift cards from an unfamiliar electronics merchant at 3 a.m. Enrichment passes: the mandate is genuine and gift cards at merchant category 5732 may technically squeak into scope. But the features scream: basket embedding distance from this agent's history is extreme, the merchant is new to this user, gift-card SKUs carry a high fraud prior, and velocity shows three similar attempts in ten minutes. Score: 0.71 — mid-risk, not certain. Decision: step-up. The user's phone shows the confirmation request; they decline; the mandate is auto-suspended pending review; the declined challenge lands in the training set as a high-quality positive label; a case opens with the full feature vector attached. The attack cost the attacker one burned technique and cost the user one push notification.