A (13:28)

AI agents are really transforming a lot of things about everyone's life, and shopping is certainly one of those. But you know, the introduction of generative AI, the ability to create content, is something that a lot of people use on a daily basis. And it's really changed, especially from the commerce lens. A lot of the ways people think about product discovery, you know, what is it that they want to buy? What's the right fit for them? And I think people have really attached themselves to the idea that they have, you know, a personalized, conversational way that they can discover, you know, the things they want to buy, the places they want to travel, the hotels they want to stay at, all those kind of things.

B (14:10)

You know, I can imagine myself using a tool like this to do exactly what you describe. You know, figure out what flight I want to take or hotel I want to stay in or what product I want to buy. I feel like it's an extra leap to give it the ability to spend money on my behalf. Is that a common hesitation that folks have?

A (14:31)

I mean, it's interesting. I think some people definitely do. But really, you know, what we want to optimize for is, is the intentional shopping experience where it's not go off, buy a bunch of things for me and then tell me later and I wait until it shows up at my door. What we've built at Shopify is really the protocol that allows merchant stores to communicate with agents. And so it doesn't just cover, you know, put my credit card into a checkout and then a purchase appears. It's the whole product catalog, the product discovery, the authentication that's layered into that and also the post purchase experience. So any kind of returns or you know, subscriptions and things like this that you may be taking on. And so commerce is inherently a two way relationship of trust. This is not just something where merchants open their doors and they want anyone who shows up online with a credit card to be able to buy from them. They want confidence that the purchaser is authentic as well. And so I think what we've aimed to do is really establish trust on the buyer side as well as trust on the merchant side so that they know that the customers that they're interacting with are authentic people on the other side of the agent and that the buyers have the same degree of confidence that the merchants that they're shopping from are accurately representing the pricing. And you know, there's no hidden fees and things like this built in as dark patterns into the commerce experience.

B (15:52)

Now is this the universal commerce protocol that you're referring to, this, this open standard you and your colleagues have developed?

A (15:59)

Yes, that's right. So last month we launched the universal commerce protocol. It was something that we built alongside Google and really what we want wanted to do was identify all of the aspects of commerce that needed to be made in a way that can work with agents. A lot of great work has been done on the payments side of things. So tokenization and authentication of a specific payment. But really what we found is what merchants want and what buyers want is not just a one time, you know, securely figure out a way to pass credit card details from one spot to another. This is something where we want that end to end commerce experience. And so this is what we've launched as this open protocol. And it's become a significant area of interest for us and all of the people that are adopting it.

B (16:46)

What were some of the particularly interesting problems that you all had to solve here?

A (16:52)

So I think one of the things that is very challenging is we are dealing with an intermediated space. And so a typical online store, you Know, it is built on top of HTTP and you know, the idea is that on one end is a person with a credit card, on the other end is a merchant. Here, neither the merchant or the customer are really directly talking to each other. They're working through this intermediary and in a very real time way. And so one of the biggest challenges that we have is ensuring that merchants are able to structure their product data, any of the kind of offers or you know, buy one, get one free coupons, things like this in a way that represents like a true shopping experience as opposed to this something just being kind of a form that you would enter, enter into. And so the ability for merchants to have that set up and the ability for buyers to interact with it and interrogate that is something that was very challenging. But it, it allows to, it unlocks so much and it's, it's very exciting the fact that that is now in place and can be used, you know, to support many, many commerce experiences.

B (18:03)

Why was it important for you all to make this an open standard?

A (18:08)

Well, we always want to take the path that leads to more entrepreneurs. And so whether or not people are building on Shopify, we prefer the open Internet. And we always take decisions that lead to proliferation of the open Internet. It leads to choice on behalf of businesses. And we feel like we are experts in this field. You know, we run millions of online stores and retail experiences and so we wanted to take everything that we've learned, embed that into a protocol, and then make that available and open. I think a lot of, lot of naivety can be brought into potentially thinking about shopping online. Is it just take their credit card and figure out how to insert it into a form. But really that end to end is something that we thought we were uniquely positioned to build. And what we want are people to be able to build apps, build experiences, embed this protocol so that all of the kind of things that we've learned get used to the benefit of everyone that's out there in the market.

B (19:10)

Can you tell us about some of the security considerations here? What are some of the challenges there?

A (19:18)

So the traditional checkout experience, it's an unauthenticated experience, which is kind of weird. The fact that you are buying from a website, it's layering the idea of just using a form, typing in a credit card number and you know, a name and address is sufficient to identify yourself and then make a purchase. But you know, clearly that has limitations. There is no true authentication of the person on the other side. We're not Going to go around and layer in HTTP basic auth in front of every website on the Internet in order to know who people are. And a lot of things have been done to try to make proliferation of OpenID and different open identity standards available. But those things are challenging if they're not done in a global way. And so what we really wanted to lean into was the idea that we can have people authenticate themselves into this agentic experience.

B (20:18)

How do you go about future proofing something like this to make sure that, you know, it's, it's adaptable to what is yet to come?

A (20:27)

Yeah, we've, we've partnered with some, you know, very mature teams that build open source protocols. Obviously, Google is no stranger to doing this in many different ways. Our company participates in lots of different industry working groups and we're moving a lot of standards forward at the same time. But it is, for us, it's a collaboration that needs to involve as many parties as possible. And so what we love about establishing a protocol is any, anyone who's interested in this has a place to have their voice heard, have their specific commerce concerns addressed. And we can evolve it in a way where it can become the thing that is existing today and be ready to launch. But every time there's a new version, every time there's a new thought of here's a good way to enhance security, we can just embed that into the protocol and then everyone can benefit. I think there's a lot of evolution that has already happened, but what we're certainly seeing is a maturation around the concept of building a cart. This is something that when you buy online, you may not even think about it of, you know, I'm putting items into my cart and eventually I will check out. But for a lot of merchants, that act of generating that cart, storing that, allowing people to interact with that, interrogating that have, you know, discounting rules or other logic applied to that, that is kind of an entire protocol on and of itself that, you know, we now need to layer into the way that we think about universal commerce protocol. And so we really support this open mindset and the open nature of collaborating in these types of open source initiatives. Because again, it just traces back to our fundamental belief of creating, you know, more entrepreneurship, more openness and everything that we do as a company is designed to make that happen.

B (22:18)

Is this something that's designed to operate quietly behind the scenes or, or is it something that, for example, merchants would use as a stamp of approval for,

A (22:29)

for consumer confidence so people are already shopping this way. And so that reality is there whether people want to face it or not. And so what we are really trying to do is make sure that our merchants are prepared for how they show up and you know, what those discoverable surfaces look like. So for a merchant, they're not necessarily needing to be so focused on the details of how the protocol works, but we do want to make sure that the important product details that they may need to be disclosing the things that are important for them to make themselves most discoverable. Things like sizing and genders and product variants and all the kinds of attributes of their products do have to be structured in a way that can be consumed by an LLM. And so we really have done a lot to try to optimize the data entry and the ability for merchants to provide that level of customization so that they show up in the way that they want to show up. People aren't, you know, getting disappointed that they misunderstood, you know, what certain words might mean when they were trying to buy something. And so the, the work really becomes on the curation of your catalog and making sure that you understand how you show up in all of these surfaces. But we make that as easy as possible for people to do it, for merchants to do so that they are, it's not that different than just merchandising they may do on their own online store. And a lot of our merchants, it's their omnichannel to begin with. So they may be concurrently selling through different marketplaces and through their online store, they may have physical retail. Our shop app is a big source of discovery on its own. So the ability and the need for merchants to be always on when it comes to customizing and being aware of how their products are described is something that is really important for them. But the idea is that the rest of that we take care of.

B (24:24)

That's Andrew Dunbar from Shopify. No, it's not your imagination. Risk and regulation really are ramping up and customers expect proof of security before they'll sign that deal. That's where Vanta comes in. VANTA automates your compliance process and brings compliance, risk and customer trust together on one AI powered platform. Whether you're preparing for SoC2 or managing an enterprise governance risk and compliance program, VANTA helps keep you secure and keeps your deals moving. Companies like Ramp and RYTR spend 82% less time on audits with Vanta. That's not just faster compliance, that's more time for growth. Take it from me, if you're thinking about compliance take the time to check out Vanta. Get started@vanta.com cyber.

A (25:34)

This episode is brought to you by Indeed. Stop waiting around for the perfect candidate. Instead, use Indeed Sponsored Jobs to find the right people with the right skills fast. It's a simple way to make sure your listing is the first candidate. C According to Indeed data, Sponsored Jobs have four times more applicants than non sponsored jobs. So go build your dream team today with Indeed. Get a $75 sponsored job credit at Indeed.com podcast terms and conditions appreciate and

B (26:08)

finally, if you watched the super bowl, you may have seen Ring's heartstring tugging ad for its new search party feature, where the neighborhood doorbells band together to find a missing dog. The idea is simple. AI scans nearby camera footage to track down Fido, which is sweet kind of Viewers quickly pointed out that if cameras can identify a lost Labrador, they can probably identify you. Social media lit up with privacy concerns, Reddit rants, and even a few dramatic device smashings. Enter the Fulu foundation, which is now offering a $10,000 bounty to anyone who can make Ring cameras run locally, keeping footage off Amazon's cloud. The debate lands awkwardly in light of Ring's prior privacy problems, including a 2023 Federal Trade Commission case over employee access to customer videos. A lingering question when you buy the camera, who really owns the footage? And that's the CyberWire4Link stall of today's stories. Check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's lead producer is Liz Stokes were mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our contributing host is Maria Vermazes. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Foreign. If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands on learning and real innovation. I'll say this plainly, I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders, tackling today's toughest challenges and shaping what comes next. Register today@rsaconference.com cyberwire26 I'll see you in San Francisco.