I just noticed some user can see other payments (even if they doesn't have that permission). I found this problem in payment_access function:
return user_access('payment.payment.' . $operation . '.any', $account) || $payment && user_access('payment.payment.' . $operation . '.own', $account) && $account->uid = $payment->uid;
$account->uid == $payment->uid should be the correct sintaxis.
This cause some session exchange between my users, so I think this is critical.