AI Agents Are Coming for Payments

Cellix AI Team

Payment Intelligence

March 23, 2026 · 11 min read

Within eighteen months, a meaningful share of your online revenue will arrive from transactions where no human touched a checkout button. No browser was opened. No CAPTCHA was solved. No 3DS challenge was rendered. An autonomous AI agent — acting on a cardholder's standing instructions — will select a product, submit a tokenized payment credential, and expect an authorization response in under two seconds.

If your payment stack treats that session the same way it treats a bot attack, you will decline it. And you will keep declining legitimate, high-intent purchases at scale until you redesign your authorization logic, fraud models, and dispute workflows for a world where the buyer is software.

We broke down the basics of this shift in our recent carousel — here's the full picture.

What Is Agentic Commerce?

Agentic commerce refers to transactions initiated, negotiated, and completed by autonomous AI agents acting on behalf of human consumers. These aren't chatbots answering FAQs. They are decision-making systems that browse merchant sites, compare prices, select products, apply stored payment credentials, and finalize purchases without requiring the human to be present at checkout.

The players driving this shift are already in market or in advanced pilot:

  • AI Purchase Agents: OpenAI's Operator, Google's Project Mariner, and Amazon's rumored autonomous shopping agent all demonstrate the same capability — receiving a natural-language instruction ("reorder my usual office supplies, keep it under $500") and executing an end-to-end purchase. Juniper Research projects AI-initiated transactions will handle over $50 billion in transaction volume by 2028.

  • Payment Gateways: Stripe, Adyen, and Checkout.com are the first infrastructure layer these agents hit. Today, their fraud-screening stacks rely heavily on browser fingerprinting, device reputation, and 3DS challenge flows. An LLM running in a headless browser session has no device fingerprint, no cookies, and no ability to complete a 3DS redirect. Gateways must create a new session classification — "agent-initiated" — with its own risk-scoring pipeline.

  • Issuing Banks: Chase, Citi, Barclays, and other major issuers have spent a decade building behavioral biometric models: how fast a cardholder types, where they typically transact, what device they use. An AI agent presenting a tokenized card blows up every one of those signals. Issuers need a new trust anchor — one that verifies the agent is authorized to act on behalf of the cardholder, not that the cardholder is personally present.

  • Card Networks: Both Visa and Mastercard recognize that the four-party model needs an update. Visa is piloting an "AI Commerce Credential" — a distinct credential type that binds an agent to a cardholder's account with pre-set spending constraints. Mastercard's "Agent Token" takes a similar approach, creating a cryptographic link between the AI agent's identity and the cardholder's permission set. Both are targeting production-ready specs by late 2025 or early 2026.

This isn't theoretical. The infrastructure is being built right now. The question is whether your payment operations team is preparing for it or will be caught reacting.

The Stat That Should Change Your Roadmap

Gartner estimates that 25% of e-commerce searches and purchases will be initiated or completed by AI agents by 2026. Not 2030. Not "someday." Twenty-four months from now.

Put that in revenue terms. If your merchant business processes $50 million in annual online volume, $12.5 million of that could be flowing through AI-agent sessions within two years. If your fraud rules are rejecting agent-initiated transactions at the same rate they reject bot traffic — and early data from merchants in pilot programs suggests false decline rates of 15–30% on agent sessions — you are looking at $1.8M to $3.7M in lost legitimate revenue annually.

That number compounds. AI agents learn from failed transactions. If your site consistently declines an agent, the agent routes future purchases to a competitor that approves them. You don't just lose one sale. You lose the customer's entire AI-mediated spend permanently — because the human never sees the decline. They just see their agent deliver products from someone else.

For payment ops teams, this Gartner projection translates into three concrete workstreams that need to start now:

  1. Authorization logic must accommodate sessions with no device fingerprint, no human behavioral signals, and no 3DS capability.
  2. Fraud rules must distinguish between malicious bots and authorized AI agents — two categories that look nearly identical under today's detection models.
  3. Dispute workflows must handle a new class of chargebacks: "I authorized my agent, but it bought the wrong thing" versus "I never authorized an agent to use my card."

How an AI Agent Pays: The Four-Step Flow

Understanding the transaction lifecycle for an agent-initiated purchase is critical for identifying where your current stack will break. Here's the flow, step by step, with the specific operational implications at each stage.

Step 1: The AI Agent Selects and Submits

A cardholder has configured an AI agent — say, OpenAI's Operator — with a standing instruction: "Reorder office supplies from our preferred vendor when inventory is low. Keep individual orders under $500."

The agent identifies that toner and paper are needed, browses the merchant's site (or hits its API directly), adds items totaling $487.30 to the cart, and submits a payment request using the cardholder's stored tokenized credential. The entire process takes under 8 seconds from initiation to payment submission.

What breaks here: Most merchant checkout flows assume a human is navigating pages. CAPTCHA challenges, "Are you a robot?" interstitials, and session-timeout logic all create friction that an AI agent either cannot pass or will fail unpredictably. Merchants need to decide: do you create an API-first checkout path for verified agents, or do you let agents navigate your human-designed flow and risk abandonment?

Step 2: The Payment Gateway Evaluates

The gateway — Adyen, in this example — receives the $487.30 authorization request. Immediately, its risk engine encounters a problem. There is no browser fingerprint. There is no device ID. The session was initiated from a cloud-hosted AI runtime, not from a consumer's phone or laptop.

Under current configurations, this transaction looks identical to a credential-stuffing attack. The gateway's ML model, trained on years of human browsing patterns, assigns a high risk score. Without intervention, it either blocks the transaction outright or routes it to a manual review queue.

The target-state architecture requires gateways to:

  • Accept a new session flag — "agent-initiated" — in the authorization message
  • Apply a separate ML risk model trained on agent behavioral patterns (API call cadence, token credential validation, request metadata)
  • Route to the acquirer within 200ms to meet agent-commerce latency expectations (agents will time out and retry or abandon far faster than humans)

Step 3: The Card Network Validates

Visa or Mastercard receives the authorization request from the acquirer. In the current spec, there is no standard field to indicate this transaction was initiated by an AI agent. The network's fraud-screening models treat it as a card-not-present transaction from an unknown device — another red flag.

The coming changes are significant. Visa's specification v3.4 (expected in 2025–2026) is anticipated to include a new "agent commerce" indicator field. This field will tell the issuer: this transaction was initiated by a registered AI agent, operating under a bound credential, with a verified link to the cardholder.

Mastercard's Agent Token approach goes further, embedding the agent's identity and permission scope directly into the token payload. This lets the network validate not just that an agent is authorized, but what the agent is authorized to do — transaction limits, merchant categories, frequency caps.

What this means for merchants: You will need to pass agent-identification metadata upstream in your authorization messages. If your gateway integration doesn't support the new indicator fields when they launch, your agent-initiated transactions will continue to be scored as high-risk, card-not-present purchases with no device verification.

Step 4: The Issuer Decides

Chase — the issuing bank in this example — receives the authorization request with the agent commerce indicator and the bound agent token. Instead of checking behavioral biometrics (which don't exist for this session), the issuer evaluates:

  • Agent token binding: Is this agent cryptographically linked to this cardholder's account?
  • Pre-set spending limits: The cardholder authorized a $500/transaction cap and a $2,000/month ceiling for this agent. The $487.30 request is within bounds.
  • Merchant category and velocity: Does this purchase fit the agent's authorized scope (office supplies, preferred vendor list)?

The issuer returns an approval in 1–2 seconds.
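
The three issuer checks above, sketched as an added example (not code from Cellix, the card networks or any issuer). The mandate fields, the `authorize` function and the use of HMAC-SHA256 with a demo key as the binding are assumptions of this example, since the network specifications are not described on this page.

```python
import hashlib
import hmac
import json
from decimal import Decimal

# Constructed demo key. HMAC-SHA256 stands in for whatever cryptographic
# binding the card networks finally specify (an assumption of this example).
ISSUER_KEY = b"constructed-demo-key-not-a-real-secret"


def sign_mandate(mandate: dict) -> str:
    """Tag over a canonical JSON encoding of the cardholder's mandate."""
    body = json.dumps(mandate, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()


def authorize(mandate: dict, tag: str, request: dict, spent_this_month: Decimal):
    """Return (approved, reason) for one agent-initiated request."""
    # 1. Token binding: the mandate is untampered and names this agent and card.
    if not hmac.compare_digest(sign_mandate(mandate), tag):
        return False, "binding_invalid"
    if (request["agent_id"], request["card_token"]) != (
            mandate["agent_id"], mandate["card_token"]):
        return False, "binding_mismatch"
    amount = Decimal(request["amount"])
    # 2. Pre-set spending limits: per-transaction cap, then monthly ceiling.
    if amount > Decimal(mandate["per_txn_cap"]):
        return False, "over_txn_cap"
    if spent_this_month + amount > Decimal(mandate["monthly_cap"]):
        return False, "over_monthly_cap"
    # 3. Authorized scope: merchant category must be on the mandate.
    if request["merchant_category"] not in mandate["merchant_categories"]:
        return False, "out_of_scope"
    return True, "approved"


# Constructed sample data mirroring the article's example figures.
MANDATE = {"agent_id": "agent-demo-1", "card_token": "tok_demo_0001",
           "per_txn_cap": "500.00", "monthly_cap": "2000.00",
           "merchant_categories": ["office_supplies"]}
TAG = sign_mandate(MANDATE)
REQUEST = {"agent_id": "agent-demo-1", "card_token": "tok_demo_0001",
           "amount": "487.30", "merchant_category": "office_supplies"}

if __name__ == "__main__":
    print(authorize(MANDATE, TAG, REQUEST, Decimal("1200.00")))
```

Because the limits live inside the signed mandate, raising the cap in transit invalidates the tag before any limit is evaluated.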

The critical emerging question is dispute liability. Under today's rules, if a cardholder disputes a card-not-present transaction, the liability typically sits with the merchant (absent successful 3DS authentication). Agent-initiated transactions create a gray zone. If the cardholder authorized the agent but disagrees with the agent's purchasing decision, who bears the loss?

Both Visa and Mastercard are developing agent-commerce liability frameworks targeting a 2026 rollout. Early indications suggest liability will depend on whether the merchant accepted a valid agent token — similar to how liability shifts with 3DS. Merchants who integrate agent-token validation may gain a liability shield they don't have today for standard CNP transactions.

Today's Stack vs. an AI-Agent-Ready Stack

The gap between where most merchants are today and where they need to be is not subtle. It spans fraud detection, dispute management, and authorization architecture.

Fraud Detection

Today: Rule-based fraud filters — velocity checks, device fingerprinting, geo-IP matching — flag 15–30% of legitimate agent transactions as bot traffic. Every false decline is lost revenue from a high-intent buyer.

Agent-ready (2026): ML models trained specifically on agent behavioral patterns (API call signatures, token credential usage patterns, session metadata) achieve 95%+ approval rates for verified AI-initiated transactions while maintaining or improving true-fraud catch rates. The key distinction: these models score the agent's reputation and authorization status, not the absent human's device behavior.

What to do now: Start segmenting your transaction data to identify sessions that may already be agent-initiated. Look for transactions with no device fingerprint, unusually fast checkout times (under 10 seconds), and API-style interaction patterns. Understanding the baseline will let you train models before agent volume ramps.

Dispute Management

Today: Dispute teams manually review chargebacks at $25–40 per case (LexisNexis True Cost of Fraud data). When a cardholder says "I didn't authorize this," there is no way to distinguish between "I never set up an AI agent" (true fraud) and "my AI agent bought something I didn't specifically want" (buyer's remorse, or what the industry calls friendly fraud).

Agent-ready (2026): Agent audit trails with cryptographic proof of user intent — signed records showing the cardholder authorized the agent, set spending limits, and the agent operated within those limits — reduce friendly fraud disputes by up to 50% and enable automated representment. When a cardholder disputes, the merchant can submit a signed authorization chain proving the cardholder configured the agent, the agent acted within its constraints, and the purchase matched the cardholder's standing instructions.

What to do now: Begin building your representment evidence package for agent-initiated transactions. Work with your gateway provider to ensure agent-session metadata (token binding, authorization scope, timestamp of cardholder configuration) is captured and stored in a format that can be submitted in dispute responses.
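
A tamper-evident audit trail of the kind described above, as an added example and not a card-network or Cellix format. The event fields and timestamps are constructed, and HMAC with a demo key stands in for the asymmetric signature a third party would need in order to verify the chain without holding the signing secret.

```python
import hashlib
import hmac
import json

# Constructed demo key; HMAC stands in for a real signature scheme (assumption).
AUDIT_KEY = b"constructed-audit-key-not-a-real-secret"
GENESIS = "0" * 64


def _digest(prev_hash, event):
    """Keyed hash over the previous record's hash plus this event's canonical JSON."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hmac.new(AUDIT_KEY, (prev_hash + body).encode(), hashlib.sha256).hexdigest()


def append(chain, event):
    """Append an event, binding it to the previous record's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"event": event, "prev": prev, "hash": _digest(prev, event)})
    return chain


def verify(chain):
    """Return the index of the first broken record, or -1 if the chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        expected = _digest(prev, rec["event"])
        if rec["prev"] != prev or not hmac.compare_digest(rec["hash"], expected):
            return i
        prev = rec["hash"]
    return -1


def build_sample_chain():
    """Constructed three-event trail: configuration, purchase, approval."""
    chain = []
    append(chain, {"type": "mandate_configured", "ts": "2026-01-05T09:00:00Z",
                   "agent_id": "agent-demo-1", "per_txn_cap": "500.00",
                   "monthly_cap": "2000.00"})
    append(chain, {"type": "agent_purchase", "ts": "2026-02-10T14:03:07Z",
                   "agent_id": "agent-demo-1", "amount": "487.30",
                   "merchant": "preferred-vendor"})
    append(chain, {"type": "issuer_approval", "ts": "2026-02-10T14:03:08Z",
                   "amount": "487.30"})
    return chain


if __name__ == "__main__":
    print(verify(build_sample_chain()))
```

Editing a recorded limit after the fact, or dropping a record from the middle, breaks verification at the affected index.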

Authorization Architecture

Today: Static authorization rules — velocity checks, geo-matching, device-cardholder binding — reject agent purchases that don't match the cardholder's known device or location. An agent running from a cloud data center in Virginia will fail a geo-match for a cardholder in Seattle every time.

Agent-ready (2026): Token-bound agent credentials with pre-authorized spending limits ($500/transaction, $2,000/month) let issuers approve confidently without relying on device-based signals. The trust anchor moves from "is this the cardholder's device?" to "is this a verified agent operating within the cardholder's explicit permission set?"

What to do now: If you maintain custom authorization rules or work with a payments orchestration layer, start building a whitelist framework for agent-identified sessions. Platforms like Cellix that provide transaction-level visibility and rule customization can help you test agent-specific authorization paths before network-level standards are finalized.

The Operational Playbook: What to Prioritize in the Next 12 Months

Not everything needs to happen at once. Here is a sequenced approach for payment operations teams:

Q3–Q4 2025: Instrument and Observe

  • Add session-type tagging in your analytics to identify probable agent-initiated transactions
  • Measure false decline rates on sessions with no device fingerprint
  • Quantify the revenue at risk from agent transaction blocks
  • Brief your fraud and dispute teams on the agentic commerce trend
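
One way to start the tagging and measurement steps above, which also covers the segmentation advice under Fraud Detection, as an added example rather than Cellix code. The field names, the two-of-three signal rule and the sample rows are constructed for illustration.

```python
from collections import defaultdict

FAST_CHECKOUT_SECS = 10  # the article's "under 10 seconds" signal

# Constructed sample rows; the schema is an assumption of this example.
FIELDS = ("id", "device_fp", "checkout_secs", "via_api", "amount_cents", "declined")
ROWS = [
    ("t1", "fp_a1", 142.0, False, 6120, False),
    ("t2", "fp_b2", 95.0, False, 23900, True),
    ("t3", None, 7.5, True, 48730, True),
    ("t4", None, 6.1, True, 12999, False),
    ("t5", None, 8.8, False, 31050, True),
    ("t6", "fp_c3", 9.0, False, 4500, False),
    ("t7", None, 64.0, False, 8800, False),
    ("t8", "fp_d4", 210.0, False, 15000, False),
]
TRANSACTIONS = [dict(zip(FIELDS, row)) for row in ROWS]


def classify(txn):
    """Tag a session from three signals: no fingerprint, fast checkout, API use."""
    signals = sum([
        txn["device_fp"] is None,
        txn["checkout_secs"] < FAST_CHECKOUT_SECS,
        bool(txn["via_api"]),
    ])
    if signals >= 2:
        return "probable_agent"
    return "ambiguous" if signals == 1 else "human"


def segment_report(txns):
    """Per-segment count, decline rate and declined volume (integer cents)."""
    stats = defaultdict(lambda: {"count": 0, "declined": 0, "declined_cents": 0})
    for txn in txns:
        seg = stats[classify(txn)]
        seg["count"] += 1
        if txn["declined"]:
            seg["declined"] += 1
            seg["declined_cents"] += txn["amount_cents"]
    for seg in stats.values():
        seg["decline_rate"] = seg["declined"] / seg["count"]
    return dict(stats)


if __name__ == "__main__":
    for name, seg in sorted(segment_report(TRANSACTIONS).items()):
        print(name, seg)
```

Treat `probable_agent` as a measurement label only: credential-stuffing traffic shows the same three signals, so the tag alone is no basis for relaxing a fraud rule. The declined volume in that segment is an upper bound on revenue at risk, because it still contains true fraud.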

Q1 2026: Adapt Fraud Models

  • Work with your gateway provider to implement "agent-initiated" session flags
  • Begin training or procuring ML models that score agent sessions separately from human sessions
  • Update velocity and geo-matching rules to accommodate cloud-origin agent sessions

Q2–Q3 2026: Integrate Network Standards

  • Implement Visa's agent commerce indicator field and/or Mastercard's Agent Token validation as specs are finalized
  • Update dispute workflows to capture and submit agent authorization evidence
  • Negotiate with your acquirer on agent-commerce interchange treatment (expect new interchange categories)

Ongoing: Monitor Liability Framework Evolution

  • Track Visa and Mastercard agent-commerce liability rules as they are published
  • Assess whether agent-token acceptance qualifies for a liability shift analogous to 3DS
  • Update your chargeback representment playbooks accordingly

Key Takeaways

  • The 25% threshold is near. Gartner projects a quarter of e-commerce activity will involve AI agents by 2026. If your payment stack treats agent sessions like bot attacks, you will decline legitimate revenue at scale — potentially 15–30% of a rapidly growing transaction segment.

  • Authorization must decouple from device identity. Browser fingerprints, device IDs, and 3DS challenges are irrelevant when the buyer is software running in a cloud environment. The new trust model centers on token-bound agent credentials with cryptographic proof of cardholder authorization.

  • Disputes will bifurcate into a new category. "Cardholder didn't authorize the agent" (true fraud) and "cardholder's agent made an unwanted purchase" (friendly fraud) require different evidence and different response strategies. Building agent audit trails now will cut dispute costs and raise win rates significantly.

  • Card network specs are arriving in 2025–2026, not later. Visa's AI Commerce Credential and Mastercard's Agent Token are in active pilot. Merchants who wait for general availability to start planning will be 12–18 months behind competitors who instrument their stacks now.

  • Start with measurement. You cannot prepare for agent commerce if you cannot identify agent-initiated transactions in your current data. Tag sessions, measure decline rates, and quantify the revenue impact — that data is what funds every subsequent investment.
