Blog \ Building Otto technical posts

Otto pays for trips without ever seeing your credit card

Otto can execute payments autonomously without ever seeing your card number. This post breaks down the architecture that makes that possible, and why tokenized agents are fundamentally safer than stored-card systems.

By

Chundong "CD" Wang

March 15, 2026

Most AI agents shouldn’t be trusted with money. Not because they’re unreliable, but because giving an autonomous system raw payment credentials is a fundamentally bad architecture.

Otto solves this with a simple principle:

The safest credential is the one the agent never sees.

The Core Design

When a traveler adds a payment method, the data flow is not:

User → Otto → Storage → Pay at the supplier

It is:

User → Vault → Token → Otto → Vault → Pay at the supplier

Otto never receives the actual card number, CCV, etc. Instead, it gets a random token that has no mathematical or logical relationship to the original data. That token is all Otto ever stores, uses, or transmits.

What Happens During Payment

When Otto books a flight or hotel or any other trip component:

  1. Otto sends the token
  2. The vault maps token → real card -> API to transact
  3. Payment completes on the supplier side
  4. Otto never sees the card

Sensitive data never lives inside Otto’s memory or storage or logs at any time. 

Why This Matters for AI Agents

Traditional software storing cards is risky. Agentic software storing cards is dangerous.

An AI agent:

  • reasons
  • executes actions
  • calls tools

If that agent had raw payment data, a prompt injection or jailbreak could theoretically exfiltrate it. Tokenization removes that entire class of risk. Even if Otto were compromised, an attacker would only obtain meaningless tokens. 

No card numbers.
No CVVs.
No identity data.

Hard Problems You Still Have to Solve

Removing raw payment credentials from an AI agent’s boundary is necessary, but it’s not sufficient. Once you decide the agent must never see the card, you inherit a new class of architectural challenges. These are the problems most teams only discover after implementing tokenization.

Below are the real ones Otto had to solve, and how they’re handled without ever exposing sensitive data.

1. Fraud Detection Without the Card Number

Fraud engines typically expect raw PAN data or at least BIN ranges.

But Otto never receives the card number. By design, a tokenization vault intercepts it and replaces it with a token. So how does fraud detection work? Fraud detection systems can leverage vault-side enrichment. Instead of Otto inspecting card data, the vault exposes safe derivatives:

  • BIN metadata
  • issuer country
  • card brand
  • other risk indicators (geo, trip details, etc)

The key is exposing only the minimum fields required for the agent to operate.

2. Deduping Multiple Payment Methods

Users frequently add the same card multiple times across devices or sessions. Normally you'd hash the PAN and compare. But Otto never has the PAN.

Otto solves this with vault-level identity resolution. Since the vault holds the real card data, deduplication can happen inside the vault. Otto simply compares aliases or requests equality checks from the vault.

3. Expiration + Automatic Card Updates

Cards expire. Numbers rotate. Reissues happen. If your system stores cards, you must maintain network account updater integrations. At Otto, lifecycle management is handled by the vault layer.

Vault providers integrate with network updater services so underlying cards can be refreshed automatically without changing the token reference.

4. Optimizing Rewards Without Knowing the Card

Otto’s job is not just to pay, it’s to pay intelligently. For example,

Should the system use Amex Platinum or Sapphire Reserve for this flight?

But again, Otto doesn’t have the card number. Instead it queries vault-safe descriptors:

  • network
  • funding type
  • issuer
  • product tier

Vaults expose these attributes as non-sensitive card metadata, enabling decision logic without exposing PAN data.

The Architectural Principle

Traditional systems ask:

How do we protect sensitive data?

Agent-native systems must ask:

How do we operate without sensitive data?

That's also part of the tool calling that's rarely talked about today. We want the agent to complete the task for us. But a task won't be completed if the agent gives us a link to complete the transaction ourselves.

Otto follows this rule strictly:

  • real sensitive data lives in the vault
  • tokens live in Otto
  • decisions run on metadata

Try Otto free for 1 year

$10/mo. Free – no credit card required. No contracts, no agent-assist fees, no minimum spend

Other technical posts

CL-Bench Says Frontier Models Struggle With Context Learning

If LLMs can’t reliably learn from in-context learning, agents must do more to deal with the weakness. This post explains how Otto structures reasoning and verification to make AI agents work in the real world.

Read more
How to Make AI Own Its Code: Teach It to Debug

AI code generation is the easiest part of engineering. Real ownership begins when an agent can debug, reason, and evolve the systems it builds.

Read more
Dimensions for LLMs That Improve Agentic Task Execution

What actually improves agent performance in LLMs? This post breaks it into eight measurable dimensions—training signals, alignment, context use, tool calling, planning, self-critique, and system architecture - mapped to benchmarks you can track.

Read more
Company
AboutBlogMedia kitPress
Product
AI travel agentServices
Security
PrivacyTerms of service
Copyright © 2025 Otto the Agent  •  support@ottotheagent.com