Published on June 15, 2026

Visa Just Gave AI Agents a Credit Card — and Nobody Asked Who Pays When They Go Rogue

Visa has opened its payment rails to AI agents acting on behalf of consumers, settling transactions initiated by software rather than humans. The move is positioned as a convenience upgrade, but it quietly collapses the human-in-the-loop control that has defined card-network fraud and dispute frameworks for six decades. Agent-driven payments will be the first real test of whether 'decision traces' and 'permission systems' — concepts most enterprises have been treating as theoretical — become mandatory infrastructure overnight. The reckoning that PSD2 forced on European banks is coming for the agent economy, only faster and without geographic containment.

Six weeks ago, we wrote that AI agents are not hitting a model wall — they are hitting a permissions wall. The most capable AI systems ever built were being gated by authorization infrastructure designed for a world where humans, not algorithms, made the decisions. That article ended with a prediction: the companies that solve permissioned autonomy will win the agentic AI race, not the ones with the highest MMLU scores.

This week, Visa made that prediction more concrete. The company officially opened its payment rails to AI agents acting on behalf of consumers, settling transactions initiated by software rather than humans. The product name is Visa Intelligent Commerce. The plumbing underneath is the Trusted Agent Protocol (TAP), a cryptographic handshake between verified agents, merchants, and the card network. Mastercard announced an almost identical framework — Mastercard Agent Pay — back in April 2025.

The press coverage has been breathless. The trade press has been cautious. The risk and compliance community has been, with a few exceptions, mostly silent. The silence is the story.

What Visa Actually Did

Strip the marketing away and three things changed at once.

First, agents can now initiate and complete a card transaction without a human pressing "buy." That is the headline, and it deserves a moment of stillness. Card networks have spent sixty years treating the cardholder's affirmative action as the foundational invariant of payment authorization. The dispute frameworks, the chargeback rules, the 3-D Secure protocols — all of them assume there is a human at the keyboard, the human can be asked to confirm, and the human can be held responsible. TAP relocates that human into a pre-authorization step (the consumer grants the agent a scoped mandate) and treats every subsequent transaction as legitimate by construction.

Second, agent identity is now a first-class network primitive. TAP issues cryptographically signed credentials to agents, so merchants and the network can verify not just that a payment is being attempted but which specific agent is attempting it, on whose behalf, under what scope. This is structurally similar to the OAuth model that reshaped web APIs twenty years ago — except the bearer is autonomous software that can chain actions across thousands of merchants in a session.

Third, the dispute model has not been updated to match. And this is the part the press releases skip. When a human makes a bad purchase, the consumer has clear recourse: contact the bank, dispute the charge, get the money back under Regulation Z or its international equivalents. When an agent makes a bad purchase on the consumer's behalf — the kind of confidently-wrong mistake that every agent vendor has documented in their evals — the dispute model has no clean answer. The agent had authority. The credential was valid. The transaction was authorized. Who pays?

The PSD2 Parallel Is the Wrong One

The natural comparison is PSD2 — Europe's 2018 directive that forced banks to open their APIs to third-party payment initiators. PSD2 was a controlled experiment in third-party payment initiation with strong customer authentication, regulatory sandboxes, and a multi-year transition window. The agent economy is getting none of that.

The differences matter:

  • PSD2 had a regulator in the driver's seat. The European Banking Authority wrote the technical standards. The FCA and BaFin supervised implementation. When things broke, there was a body to escalate to and a rulebook to update.
  • Agent payments have no equivalent regulator. The card networks wrote their own protocols. The agents are issued credentials by the network itself. The dispute resolution lives inside the same closed loop. There is no outside actor with the authority — or the technical literacy — to audit whether a given agent's permission scope was appropriate, whether the decision trace was captured, or whether the consumer meaningfully understood what they were authorizing.
  • PSD2 had geography. It applied to European Economic Area transactions and gave national regulators a clear remit. Agent payments are global on day one. A consumer in Berlin can authorize an agent that buys from a merchant in Singapore via a card network that processes in the United States. The dispute ends up in whichever jurisdiction's law is most permissive — which is to say, none.
  • PSD2 was slow. The technical standards were published in 2017. The enforcement deadlines rolled. The strong customer authentication requirement (SCA) only became mandatory in 2021. Agent payments are being rolled into production with a 2026 holiday-season target, on timelines dictated by the networks' commercial calendars, not by risk committees.

In other words: PSD2 is the example to reach for, but the agent economy is getting the inverse of PSD2 — closed governance, no external regulator, no geographic containment, and a release calendar set by quarterly earnings calls.

The Hard Problem: "Who Pays When They Go Rogue" Is a Different Question

The headline of this article is a genuine question, not a rhetorical one. The honest answer is that the current system does not know.

Consider a realistic failure mode. A consumer authorizes a shopping agent with a $200 monthly budget for groceries. The agent, using a perfectly valid TAP credential, encounters a site where a product it thinks is "organic olive oil, 500ml, under $15" is actually a $180 bottle of infused truffle oil with a near-identical product description. The agent, optimizing for the consumer's stated preferences, buys it. The merchant shipped. The card network authorized. The credential was in scope.

The consumer disputes the charge. Under the existing framework, the card network will probably side with the consumer — the cardholder dispute system is biased toward cardholders, and the merchant is the easiest party to make whole from. But the merchant had no way to know the agent was misinterpreting the product. The agent vendor will say the credential was valid and the transaction was in scope. The card network will say it followed the protocol. The money will get clawed back from the merchant, who will quietly raise prices on the next hundred consumers to compensate.

Multiply that by millions of transactions and the dynamics get ugly fast. The merchants will demand liability shift. The network will demand richer verification. The agent vendors will demand the right to refuse low-trust merchants. The consumer will demand that "the AI" take responsibility — but "the AI" is a credential issued by the network, executing logic the vendor wrote, under a scope the consumer approved, against a product description the merchant published.

This is not a theoretical problem. The 4,700% surge in AI-driven traffic to U.S. merchants that Visa cited when it announced TAP in October 2025 is already a leading indicator. The traffic is real, the conversions are real, and the failure modes are real — they are just being absorbed, for now, by the existing chargeback infrastructure that was designed for a different threat model.

The 'Decision Traces' Argument Just Became Concrete

Six weeks ago, the case for decision traces as mandatory infrastructure was theoretical. Six weeks of agent payments later, it is operational.

A decision trace is a structured record of what an agent knew, decided, and executed at the moment it took an autonomous action. For a payment, that means: the agent's identity, the scope of authority the consumer granted, the product description the agent believed it was buying, the price it believed it was paying, the merchant it believed it was buying from, and the policy logic it applied to decide the purchase was in scope. When the dispute lands, the decision trace is the difference between an arbitrable case and a he-said-she-said one.

Without decision traces, every disputed agent transaction is a forensic reconstruction problem. With decision traces, it is a lookup. The agent vendors that capture them get to arbitrate disputes quickly and earn the network's trust. The ones that don't get the same chargeback treatment as merchants with high fraud rates — which is to say, they get shut off.

This is also the moment where the protocol wars stop being abstract. Visa's TAP, Mastercard's Agent Pay, and the half-dozen open-source alternatives (mostly MCP-based) are all implicitly making a bet about what a decision trace has to contain to be useful in a dispute. The networks that converge on a rich, interoperable decision-trace format will be the ones that scale agent payments without losing the merchant side. The ones that converge on a thin, self-serving format will see merchants exit, fraud rise, and regulators forced to step in with mandates that look a lot more like PSD2 than anyone wants.

What Should Be Built Now

The infrastructure that needs to exist before agent payments go mainstream is not a model problem and it is not a UX problem. It is an authorization, audit, and liability problem. Three things have to be built, in order, by someone:

First, a portable decision-trace schema. The networks should not each invent their own. The agent vendors should not each invent their own. The right move is an open standard — call it ADT, for Agent Decision Trace — that records the inputs, the scope, the policy applied, the action taken, and a verifiable link to the agent credential. It needs to be signed, tamper-evident, and machine-readable. The schema is small. The political work to get it adopted across two competing card networks and dozens of agent vendors is the hard part.

Second, a liability framework that puts the right party on the hook. The merchant is the wrong party in most agent failure modes. The network is the wrong party when its credential was valid. The agent vendor is the right party when the agent's logic produced a confidently-wrong result the vendor could have caught. The consumer is the right party when they authorized a scope that was obviously too broad. This is hard, and the network that designs a clean liability waterfall will be the network that scales agent payments without regulators stepping in.

Third, an outside auditor. Card networks self-audit. Agent vendors self-audit. The missing piece is a third-party body — a regulated, technically literate auditor — that can review an agent's decision-trace implementation, certify it, and give merchants a reason to trust agent-initiated transactions from certified vendors. This is the role the EMVCo-like consortiums play in the physical card world. The agent world does not have one yet, and it is conspicuous.
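To make the first item concrete, here is an added sketch (not part of the original article, and not Visa's, Mastercard's or any vendor's format) of a signed, hash-chained decision trace carrying the fields listed earlier, with an auditor that checks integrity and then compares what the agent believed against what was charged. All field names and the sample data are hypothetical, and HMAC-SHA256 with a shared demo key stands in for the asymmetric signature a real agent credential would supply.

```python
import hashlib, hmac, json

KEY = b"constructed-demo-key"  # assumption: stands in for the agent vendor's signing key
GENESIS = "0" * 64

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def _sign(key, digest):
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()

def append(trace, key, **fields):
    """Append one signed record, chained to the hash of the previous record."""
    body = dict(fields, seq=len(trace), prev=trace[-1]["hash"] if trace else GENESIS)
    digest = _digest(body)
    trace.append(dict(body, hash=digest, sig=_sign(key, digest)))
    return trace

def audit(trace, key):
    """Return (seq, finding) pairs: integrity checks first, then belief and scope checks."""
    findings, prev, spent = [], GENESIS, 0.0
    for rec in trace:
        body = {k: v for k, v in rec.items() if k not in ("hash", "sig")}
        digest = _digest(body)
        if digest != rec["hash"] or not hmac.compare_digest(_sign(key, digest), rec["sig"]):
            findings.append((rec["seq"], "record altered or signature invalid"))
        if rec["prev"] != prev:
            findings.append((rec["seq"], "chain broken: record missing or reordered"))
        prev = rec["hash"]
        if rec["charged_usd"] != rec["believed_usd"]:
            findings.append((rec["seq"], "charged price differs from what the agent believed"))
        spent += rec["charged_usd"]
        if spent > rec["mandate"]["monthly_budget_usd"]:
            findings.append((rec["seq"], "mandate budget exceeded"))
    return findings

def sample_trace():
    """Constructed data modelled on the article's olive-oil scenario."""
    mandate = {"category": "groceries", "monthly_budget_usd": 200.0}
    trace = []
    append(trace, KEY, agent_id="agent-demo-1", mandate=mandate, merchant="shop.example",
           believed_item="organic olive oil, 500ml", believed_usd=14.99, charged_usd=180.0,
           policy="groceries item under $15")
    append(trace, KEY, agent_id="agent-demo-1", mandate=mandate, merchant="shop.example",
           believed_item="sourdough loaf", believed_usd=4.5, charged_usd=4.5,
           policy="groceries item under $15")
    return trace

if __name__ == "__main__":
    for finding in audit(sample_trace(), KEY):
        print(finding)
```

The $180 charge passes the budget check, which is the article's point: the mandate alone says the purchase was in scope, and only the recorded belief shows where it went wrong.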

What This Means For The Next 18 Months

The most likely near-term outcome is that agent payments work, mostly, and that the failure modes get absorbed by the existing chargeback infrastructure the way card-not-present fraud got absorbed in the 2010s. The merchants will eat the cost, the networks will collect the volume, and the consumer experience will feel magical for the 95% of transactions that go right.

The less likely but more consequential outcome is a high-profile failure. A major agent vendor's credential gets used in a coordinated fraud. A consumer loses five figures to a misconfigured scope. A merchant class-action targets the network for enabling unauthorized software-initiated payments. The story runs for two weeks, the network tightens the rules, and the regulatory conversation that Visa and Mastercard have so far managed to keep out of the room starts in earnest.

Either way, the answer to the question in the headline — who pays when they go rogue? — is going to be settled, formally or informally, in the next 18 months. The interesting question is whether the settlement is designed or accidental. The infrastructure for a designed settlement exists. The political will to build it is the part that is still missing.


Sources: Visa Intelligent Commerce · Visa Trusted Agent Protocol announcement, October 2025 · Visa and InFlow partner on agentic payments, Forbes, May 2026 · Mastercard Agent Pay, April 2025 · PYMNTS on TAP and the AI-shopping traffic surge