The premise of agentic commerce is straightforward: AI systems acting autonomously on behalf of users — searching, selecting, pricing, and completing purchases without real-time human confirmation. The commercial and regulatory implications are not straightforward at all.

What the Schemes Are Building

Visa's Trusted Agent Protocol, published in late 2025, establishes a credentialling framework for AI agents. A verified agent receives a scheme-issued identifier that travels with each authorisation request, allowing issuers to distinguish agent-initiated transactions from human-initiated ones and apply different authentication and liability rules accordingly. Mastercard's Agent Pay framework takes a similar approach, with the addition of spending controls that consumers can configure — hard limits by merchant category, geography, or transaction amount — which the agent must honour.

Stripe and OpenAI launched the Machine Payments Protocol (MPayP) in March 2026, an open standard that extends the OAuth 2.0 delegation model to define how agents request, hold, and exercise payment permissions. Google's AP2 standard is positioned as a competing open protocol, backed by a consortium of merchant and PSP signatories. These competing standards mean the near term will see fragmentation before consolidation — a familiar pattern in payments infrastructure.

The Authorisation Problem

Current authorisation infrastructure was designed for human-initiated transactions. A cardholder presents credentials; the issuer confirms identity and approves or declines. Strong Customer Authentication under PSD2 and PSD3 requires two independent factors — knowledge, possession, or inherence — from a human who can supply them.

An AI agent cannot present a fingerprint. It cannot respond to a one-time passcode sent to a mobile number. The existing SCA framework does not accommodate agent-initiated payments without exemptions, and the available exemptions — merchant-initiated transactions, trusted beneficiaries, low-value thresholds — were not designed for the scale or variability of agent commerce.

The emerging resolution under PSD3 is a delegated authority model: the consumer authenticates once to establish the agent's mandate, setting the parameters within which the agent may act. Subsequent transactions within that mandate are treated as authorised and do not require fresh SCA. The issuer retains the right to step up — to require fresh authentication — if the transaction falls outside the mandate's parameters or triggers a fraud signal.
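A sketch of how an issuer could evaluate the delegated authority model described above. This is an added example, not code from PSD3 or any scheme. The `Mandate` and `AuthRequest` field names, the agent identifier and the limits are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    APPROVE = "approve"      # inside the mandate: no fresh SCA
    STEP_UP = "step_up"      # issuer demands fresh authentication
    HUMAN_SCA = "human_sca"  # no agent identifier: ordinary SCA path


@dataclass(frozen=True)
class Mandate:               # hypothetical shape, set once under SCA
    allowed_mcc: frozenset
    allowed_countries: frozenset
    max_amount_minor: int    # per-transaction cap, minor units
    revoked: bool = False


@dataclass(frozen=True)
class AuthRequest:           # hypothetical fields, not a scheme message format
    agent_id: Optional[str]
    mcc: str
    country: str
    amount_minor: int
    fraud_signal: bool = False


def decide(req, mandates):
    """Return (Decision, reasons) for one authorisation request."""
    if req.agent_id is None:
        return Decision.HUMAN_SCA, ["no agent identifier"]
    mandate = mandates.get(req.agent_id)
    if mandate is None or mandate.revoked:
        # Assumption: an unknown or revoked agent is stepped up, not approved.
        return Decision.STEP_UP, ["no active mandate for agent"]
    reasons = []
    if req.mcc not in mandate.allowed_mcc:
        reasons.append("merchant category outside mandate")
    if req.country not in mandate.allowed_countries:
        reasons.append("geography outside mandate")
    if req.amount_minor > mandate.max_amount_minor:
        reasons.append("amount above mandate limit")
    if req.fraud_signal:
        reasons.append("fraud signal raised")
    return (Decision.STEP_UP if reasons else Decision.APPROVE), reasons


# Constructed sample data: agent id, MCC and limits are illustrative only.
MANDATES = {"agent-demo-01": Mandate(frozenset({"5734"}), frozenset({"DE", "FR"}), 5000)}
```

Returning every violated parameter, not just the first, gives dispute handling a record of exactly why fresh authentication was requested.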

Fraud and Liability: Who Pays When It Goes Wrong

Current liability frameworks allocate chargeback responsibility based on whether SCA was applied and by whom. A correctly authenticated 3DS transaction shifts fraud liability from the merchant to the issuer. An agent-initiated transaction that bypasses SCA under a delegated authority framework sits in less defined territory.

Visa's Trusted Agent Protocol assigns liability to the agent operator — the platform that deployed the agent — when the agent acts outside its authorised parameters. Mastercard's framework places liability at the point where control was lost: if the consumer set the mandate correctly and the agent acted within it, the transaction is treated as authorised. If the agent exceeded its parameters, liability follows the agent operator.

For processors and acquirers, the commercial question is how chargeback monitoring programmes respond to volumes that may look anomalous — high frequency, small value, concentrated merchant categories — without the human behavioural signals that current fraud models are calibrated against.

What Issuers Need to Change

  • Authorisation logic must be updated to handle agent identifiers in the transaction data stream and route them to different decisioning models than human-initiated transactions.
  • Fraud models need retraining or supplementation with agent-specific behavioural baselines. An agent purchasing 200 SaaS subscriptions in an hour is not fraud — but current velocity models will flag it.
  • Mandate management infrastructure must be built or licensed: the consumer-facing interface through which agent permissions are granted, scoped, and revoked.
  • Customer service processes need to handle disputes arising from agent-initiated transactions, including the question of whether a consumer who delegated authority to an agent can dispute a transaction that the agent executed within that authority.
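The velocity point in the list above, worked through as an added example (not any issuer's or scheme's code). It runs the 200-purchases-in-an-hour case through a sliding-window counter twice, once agent-blind and once with a separate agent baseline. The thresholds, card and agent identifiers are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 3600
# Assumed thresholds for illustration; real baselines come from observed data.
LIMITS = {"human": 10, "agent": 500}


class VelocityMonitor:
    """Sliding-window transaction counter keyed by (card, initiator type)."""

    def __init__(self, agent_aware, limits=LIMITS, window=WINDOW_SECONDS):
        self.agent_aware = agent_aware
        self.limits = limits
        self.window = window
        self.seen = defaultdict(deque)

    def observe(self, card, ts, agent_id=None):
        """Record one authorisation; return True if it breaches the baseline."""
        # An agent-blind model scores every transaction against the human limit.
        initiator = "agent" if (agent_id and self.agent_aware) else "human"
        times = self.seen[(card, initiator)]
        while times and times[0] <= ts - self.window:
            times.popleft()          # expire events older than the window
        times.append(ts)
        return len(times) > self.limits[initiator]


def count_flags(events, agent_aware):
    """Replay (card, timestamp, agent_id) events and count the flagged ones."""
    monitor = VelocityMonitor(agent_aware)
    return sum(monitor.observe(*event) for event in events)


# Constructed sample: 200 agent purchases on one card, 18 seconds apart (one hour).
AGENT_BURST = [("card-demo", 18 * i, "agent-demo-01") for i in range(200)]
# Constructed sample: 12 purchases in 12 minutes with no agent identifier.
HUMAN_BURST = [("card-demo", 60 * i, None) for i in range(12)]
```

With these assumed limits the agent-blind monitor flags 190 of the 200 agent purchases and the agent-aware one flags none, while the burst without an agent identifier is flagged identically by both.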

What Merchants and Acquirers Need to Change

Merchants serving consumers via AI agents need to accept agent-presented credentials in their checkout flows and return structured product and pricing data in formats agents can process reliably. Acquirers need to support agent transaction identifiers in authorisation messaging and update their fraud monitoring to avoid systematically declining legitimate agent-initiated volumes.

The firms that will be best positioned in this shift are those that treat it as an infrastructure problem now rather than a product question later. The scheme programmes are live. The standards are being written. The liability frameworks are being drafted. Waiting until agent commerce volumes become material before adapting authorisation and fraud infrastructure is the same mistake some firms made with contactless and with 3DS — except the compounding effects will arrive faster.