Agentic Commerce in 2026: What Merchants, Banks, and Card Networks Need to Know

The AI Agent Is Now a Customer

Six months ago, agentic payments were a whiteboard concept at card network innovation labs. Today, AI agents are completing purchases on behalf of consumers across thousands of merchants, processing real transactions with real money, and generating real chargebacks. The shift from concept to production happened faster than almost anyone in payment operations predicted.

Here's where things stand in early 2026: Visa has 100+ partners in its Intelligent Commerce program. Mastercard's Agent Pay has been enabled for all U.S. cardholders since November 2025. PayPal is processing agentic transactions across 5,000+ merchants. Amazon's "Buy for Me" feature lets agents purchase from third-party brand sites on behalf of consumers — while those merchants bear full liability for transactions they never directly controlled.

If you're running payment operations at a mid-market merchant, this isn't something to monitor from a distance. Agentic transactions are already flowing through your payment stack. The question isn't whether to engage — it's whether you're equipped to identify, score, and manage these transactions before they become a fraud and dispute problem.

This article breaks down the infrastructure, the protocols, the risk, and the specific operational steps merchants need to take right now.

The Card Network Response: Visa and Mastercard

The two dominant card networks have taken meaningfully different approaches to agentic commerce, but both are moving at an unusual pace.

Visa Intelligent Commerce and Agentic Ready

Visa's Intelligent Commerce (VIC) initiative has assembled over 100 partners across the payment ecosystem. The more consequential development is Visa Agentic Ready, launched in March 2026 with 21 European bank partners including Barclays, HSBC, Santander, and Revolut.

The core mechanism: tokenized credentials scoped to specific agents, merchants, and timeframes. Instead of giving an AI agent broad access to a card, Visa's approach generates a token that's constrained — it can only be used by a named agent, at a named merchant, within a defined time window. If any parameter falls outside scope, the authorization fails.

For payment ops teams, this is significant because it creates a verifiable boundary around what an agent is permitted to do. It also means that if a transaction falls outside the token scope, you have clear evidence for dispute defense.

Mastercard Agent Pay

Mastercard moved first, launching Agent Pay in April 2025. The technical foundation rests on two components:

• Agentic Tokens: Dynamic cryptographic credentials generated per-agent, per-transaction. These are not static card-on-file tokens — they're purpose-built for agent interactions.
• Verifiable Intent: A framework that captures the user's mandate (what they authorized the agent to do) alongside the agent's interaction record (what the agent actually did). This creates an auditable chain from consumer intent to completed purchase.

All U.S. Mastercard cardholders were enabled for Agent Pay by November 2025. Fiserv has integrated the Agent Pay Acceptance Framework into its acquiring infrastructure, which means mid-market merchants on Fiserv are already technically capable of processing these transactions — whether they know it or not.

The practical difference between the two networks: Visa's approach constrains the token itself. Mastercard's approach constrains the token and creates a parallel intent record. For dispute defense, Mastercard's Verifiable Intent framework could prove more valuable — but only if merchants are capturing and storing those intent records correctly.

The PSP Infrastructure Layer: Stripe, PayPal, JPMorgan

The payment service providers aren't waiting for merchants to figure this out. They're building the plumbing.

Stripe

Stripe launched its Agentic Commerce Suite in December 2025, anchored by Shared Payment Tokens (SPTs). SPTs allow a consumer to authorize a payment credential once and have it available across multiple agent interactions without re-authentication each time.

Early adopters include URBN, Etsy, Ashley Furniture, Coach, Kate Spade, and Revolve. Stripe also reported that over 700 AI agent startups were building on its platform in 2024 — a number that has certainly grown since.

PayPal

PayPal launched Agentic Commerce Services on October 28, 2025, with 5,000+ merchants accessible through Perplexity's shopping agent. Since then, PayPal has integrated with OpenAI's ChatGPT and added support for Google's Universal Commerce Protocol (UCP) in January 2026.

The PayPal.ai developer platform includes an MCP Server (Anthropic's Model Context Protocol), giving agent developers a standardized way to connect to PayPal's transaction infrastructure. For merchants already on PayPal, this means agentic transactions may be arriving through your existing PayPal integration — often indistinguishable from standard PayPal checkout unless you're specifically looking for agent identifiers.

JPMorgan

JPMorgan is investing $20 billion in technology spend in 2026, with a significant allocation toward agentic commerce. The bank's partnership with Mirakl Nexus targets B2B agentic procurement — AI agents managing purchasing workflows for businesses. This was showcased at NRF 2026.

For enterprise merchants with B2B revenue streams, JPMorgan's approach signals that agentic payments aren't just a consumer story. Procurement agents executing purchase orders on behalf of corporate buyers introduce an entirely new set of reconciliation and compliance challenges.

Where AI Agents Are Shopping Right Now

Theory is over. Agents are transacting. Here's where:

Amazon Buy for Me (launched April 2025): Agents can purchase from over 500,000 items on third-party brand sites while the consumer never leaves the Amazon app. The agent navigates the external site, completes checkout, and handles payment. The merchant fulfills the order.

OpenAI Operator with Instant Checkout: OpenAI's agent browses the web, finds products, and completes purchases. The fee structure: a 4% platform fee on top of Stripe's standard 2.9% + $0.30. On a $100 order, that's approximately $7.20 in total processing costs — a meaningful margin hit for merchants who didn't budget for a 7%+ take rate.

Perplexity: PayPal-powered agentic shopping expanded to free-tier users in November 2025, dramatically increasing the volume of agent-initiated transactions hitting merchant checkout flows.

For payment ops teams, the critical insight is this: you may not know these transactions are agent-initiated. Amazon's Buy for Me completes checkout on your site through standard web interactions. Unless you're actively identifying agent traffic patterns, these orders look like any other e-commerce transaction — until they don't.

How Agentic Payments Actually Work

Strip away the marketing language and here's the mechanical flow:

1. Consumer issues a mandate: "Buy me running shoes under $150 from a reputable brand, deliver by Friday."
2. Agent interprets the mandate: The AI agent searches inventory across merchants, compares prices, checks delivery windows, and selects a product.
3. Agent requests a scoped credential: Through Visa's tokenized approach, Mastercard's Agentic Token, or a PSP token like Stripe's SPT, the agent obtains a payment credential limited to the specific transaction parameters.
4. Agent completes checkout: The agent interacts with the merchant's checkout — either through an API (ideal) or by navigating the web interface (common today, problematic for fraud detection).
5. Authorization and settlement: The transaction processes through standard card network rails. The issuer sees the token, validates it against the scope, and approves or declines.
6. Intent record stored: In Mastercard's framework, the Verifiable Intent data — the consumer's original mandate, the agent's actions, and the final purchase details — is logged for potential dispute resolution.

The gap between steps 3 and 4 is where most of the current risk lives. When an agent navigates a merchant's web checkout like a human browser, the merchant's fraud stack sees a session that doesn't behave like a human. Cloud-based IP addresses. No mouse movements. No device fingerprint history. Every fraud signal you've tuned over the past decade becomes unreliable.

The Protocol Wars: AP2 vs UCP vs ACP vs MCP

Five competing protocols are fighting to become the standard infrastructure for agentic commerce. None has won. All are being adopted simultaneously, which means merchants will need to support multiple protocols for the foreseeable future.

AP2 — Agent Payments Protocol (Google)

Focused specifically on payment authorization mandates. Over 60 partners including American Express, Adyen, Mastercard, and PayPal. AP2 defines how an agent requests, receives, and uses payment authorization from a consumer. It's narrow by design — payments only, not the full purchase lifecycle.

UCP — Universal Commerce Protocol (Google)

Broader than AP2: covers the full purchase lifecycle from product discovery through post-purchase support. Over 20 partners including Walmart, Target, Shopify, Adyen, Stripe, Visa, and Mastercard. UCP and AP2 are complementary — UCP handles commerce, AP2 handles payment within that commerce.

ACP — Agentic Commerce Protocol (OpenAI + Stripe)

An agent-ready checkout protocol that standardizes how AI agents interact with merchant checkout flows. ACP is tightly integrated with Stripe's infrastructure, which gives it immediate distribution but also ties it to Stripe's ecosystem.

MCP — Model Context Protocol (Anthropic)

Not a payments protocol. MCP standardizes how AI agents connect to external tools and data sources. PayPal's MCP Server integration means agents built on Anthropic's framework can access PayPal's transaction capabilities natively. MCP is the plumbing beneath the commerce layer.

x402

An HTTP-native micropayment protocol that enables agents to pay for API calls, data access, and digital services using standard web requests. Less relevant for physical goods merchants, but critical for anyone selling digital services or API access.

What this means operationally: Don't pick one protocol. Instrument your payment stack to identify which protocol initiated a given transaction. The protocol used affects your dispute evidence, your fraud scoring approach, and your liability position.

The Fraud Problem Nobody Is Talking About

Traditional fraud prevention breaks catastrophically when the buyer is an AI agent.

Geo-signal collapse: Agents run on cloud infrastructure. The IP address resolves to an AWS data center in Virginia, not to your customer's home in Chicago. IP-based geolocation — a foundational fraud signal — becomes meaningless.

Device fingerprinting failure: Agents don't have devices. They run in headless browsers or API environments. There's no screen resolution, no installed fonts, no browser plugin list. Every device fingerprint looks identical or randomly generated.

Behavioral biometrics inapplicable: No mouse movements. No typing cadence. No scroll patterns. The behavioral signals that distinguish legitimate shoppers from fraudsters don't exist when the shopper is software.

Velocity at machine speed: An agent can attempt hundreds of purchases per minute. Traditional velocity checks tuned for human shopping behavior — "flag if more than 5 orders in an hour" — are either tripped immediately (blocking legitimate agent purchases) or irrelevant (if recalibrated too loosely).

Visa CE 3.0 will fail for agent transactions: Compelling Evidence 3.0 relies on matching prior device fingerprints and IP geolocation history to prove a cardholder made a previous legitimate purchase from the same device. Agent transactions have no such history. Your CE 3.0 evidence package — which may be your primary chargeback defense tool — has a blind spot.

The cost of getting this wrong: industry data shows $4.61 in total cost for every $1 of fraud in 2025, accounting for the fraud loss itself, chargeback fees, operational costs, and lost merchandise. Agentic fraud at scale could push that multiplier higher.

If your organization uses tools like Cellix for dispute intelligence and payment monitoring, now is the time to ensure your detection models account for agent-originated transaction patterns — before the volume makes retroactive fixes impossible.

Chargeback Liability When an Agent Buys

Here's the scenario that should keep payment ops managers up at night:

A consumer tells an AI agent: "Buy me a nice gift for my partner, budget $200." The agent selects a $180 cashmere sweater from your store and completes the purchase. The consumer sees the charge, decides the agent made a bad choice, and files a chargeback claiming the transaction was unauthorized.

Under current card network rules, this likely classifies as an unauthorized transaction. The consumer didn't explicitly approve the specific purchase — they gave the agent a broad mandate. The agent made a purchasing decision. If the consumer disputes it, the merchant bears liability.

This is the fundamental gap in agentic payments today: the liability framework was designed for a world where a human approves each transaction. When an agent makes discretionary purchasing decisions within a broad mandate, the line between "authorized" and "unauthorized" becomes ambiguous — and the ambiguity falls on the merchant.

The Amazon Problem

Amazon's Buy for Me feature makes this worse. Amazon's agent controls the entire checkout flow on your site. The consumer never interacts with your brand directly. But when the chargeback arrives, you're the merchant of record. You retain full liability for a transaction you didn't control, initiated by an agent you didn't authorize, on behalf of a consumer you never interacted with.

Mastercard's Verifiable Intent framework is the most promising solution — if the intent record clearly shows the consumer authorized the agent to buy "a cashmere sweater under $200 from [your store]," you have evidence that the transaction matched the mandate. But this only works if:

1. The intent data is actually captured and stored
2. Your dispute response process knows how to surface it
3. The issuer accepts it as valid evidence

None of these three conditions are guaranteed today.

7 Things Merchants Should Do Right Now

This isn't a wait-and-see situation. Agentic transactions are already hitting merchant payment stacks. Here's what to do:

1. Tag and Isolate Agent-Initiated Transactions

Build detection logic to identify agent-initiated transactions and flag them in your payment data. Look for cloud-provider IP ranges, headless browser signatures, API-based checkout patterns, and the absence of behavioral signals. Route these transactions to a separate fraud scoring model — your human-tuned rules will produce false positives and false negatives at unacceptable rates.

2. Use Agent-Scoped Tokens

Never let an AI agent transact against stored PANs or broadly-scoped card-on-file tokens. Require agent-scoped tokens from Visa's Agentic Ready program, Mastercard's Agentic Tokens, or Stripe's SPTs. If an agent presents a standard card-on-file token, treat it as elevated risk.

3. Define Spend Limits, Category Restrictions, and Expiry in Token Mandates

Scoped tokens should have explicit parameters: maximum transaction amount, permitted merchant category codes (MCCs), and an expiration timestamp. A token that allows unlimited spending with no expiry is barely better than a raw PAN.

4. Build Authorization Audit Trails

For every agent-initiated transaction, log the agent ID, consumer mandate, declared intent, action taken, and timestamp. This data is your dispute defense. If Mastercard's Verifiable Intent data is available, store it alongside your transaction records. If it's not, build your own equivalent.

5. Update Return and Dispute Policies for Agent Purchases

Your current return policy probably doesn't address what happens when an AI agent — not the consumer — selected the product. Decide now: Do you accept returns on agent-selected items under the same terms? Different terms? Make this explicit in your terms of service before the first wave of "the agent bought the wrong thing" disputes arrives.

6. Develop Alternative CE 3.0 Evidence Strategies

Since Visa CE 3.0's device fingerprint and IP geolocation matching will fail for agent transactions, identify alternative compelling evidence. Agent-scoped token match, Verifiable Intent records, delivery confirmation to the cardholder's known address, and agent authorization logs may serve as substitute evidence — but you need to build the case now, not when the chargeback hits. Platforms like Cellix that specialize in dispute intelligence can help structure this evidence programmatically.

7. Sandbox AP2 and ACP Integrations Now

Don't wait for protocol consolidation. Stand up sandbox environments for both Google's AP2 and OpenAI/Stripe's ACP. Test how agent-initiated transactions appear in your payment data, what metadata is available, and how your existing fraud and dispute workflows handle them. The merchants who instrument first will have months of data advantage when volumes scale.

Key Takeaways

• Agentic payments are live and scaling — Visa, Mastercard, Stripe, and PayPal have all shipped production infrastructure, and agents are transacting across thousands of merchants today. If you haven't identified agent traffic in your payment data, it's not because it's not there.

• Your fraud stack is blind to agents — cloud IPs,