01 — Introduction and Taxonomy
Part of the Agentic Payments research report. For the report map, see the README and the executive summary. This section establishes the vocabulary and conceptual boundaries used throughout the rest of the report.
1. What is an agentic payment?
An agentic payment is a payment that is initiated, negotiated, authorised, or settled by an autonomous software agent — typically an LLM-driven system — acting on behalf of a human or organisational principal under delegated authority. The defining attribute is not that software is in the loop (software has been in the payments loop for decades) but that decision-making about price, counterparty, quantity, or timing is delegated to a non-human actor that reasons over natural-language instructions and real-time context.
Google's Agent Payments Protocol (AP2) team frames the problem as closing the "authorisation gap" between a user's informal intent ("book me a flight under $600 that gets me home before Friday") and a specific, on-rails transaction that a merchant, issuer, and network can trust to have been truly authorised by that user.[^ap2spec] Visa, announcing its Trusted Agent Protocol in October 2025, describes the shift as moving from "human-initiated commerce to a world where AI agents can transact on behalf of consumers" and stresses that the ecosystem must be able to distinguish legitimate agent traffic from bots and fraudsters.[^visatap] The Consumer Bankers Association's 2025 white paper calls agentic AI in payments "a new paradigm where AI systems autonomously execute financial transactions on behalf of consumers."[^cba]
It is useful to contrast agentic payments with three adjacent concepts they are often confused with:
| Concept | Who chooses what to pay? | Who chooses when to pay? | Real-time reasoning over context? | Example |
|---|---|---|---|---|
| Automated payment | Human (in advance) | Scheduler / cron | No | Standing order "£50 to landlord on the 1st" |
| Recurring / subscription | Human (in advance) | Merchant biller | No | Netflix monthly card-on-file charge |
| Card-on-file one-click | Human (at checkout) | Human (at checkout) | No | Amazon "Buy Now" with stored PAN |
| Agentic payment | Agent (bounded by mandate) | Agent (bounded by mandate) | Yes — prices, inventory, counterparty choice | "Rebook my cancelled flight for under $600" executed by a ChatGPT agent that compares fares and calls Stripe's Shared Payment Token API |
The distinction matters because the existing payments stack — card-scheme rules, PSD2 strong customer authentication, chargeback dispute categories, merchant acceptance contracts — was written for a world in which every consumer-initiated transaction is traceable to a specific human act (a tap, a click, an OTP). Agentic payments break that assumption. When an LLM-driven shopping agent fills a cart and presses "pay," the network sees a transaction that looks card-not-present (CNP) but was not directly initiated by a human; the chargeback regime has no native category for "the agent hallucinated a discount code."[^justt] The architectural response from the industry — most concretely AP2's three-mandate model (Intent, Cart, Payment),[^ap2spec] ACP's SharedPaymentToken,[^acpstripe] Visa's cryptographically-signed Trusted Agent headers,[^visatap] and Mastercard's Agentic Tokens[^mcpress] — is to re-introduce a cryptographically verifiable human (or organisational) act into the flow, but earlier and at a higher level of abstraction than SCA was designed for.
A working definition we will use throughout this report:
Agentic payment = a payment authorised by a principal via a mandate (a machine-verifiable statement of delegated authority, usually a signed credential) and executed by an agent that selects counterparty, price, and/or timing within the bounds of that mandate, with the mandate, agent identity, and resulting payment instruction all independently verifiable by the merchant, payment service provider, and network.
Everything else in this report — the protocols, the rails, the regulation, the threat model — can be read as a different answer to "how do we make each of those four objects (mandate, agent identity, payment instruction, verification) trustworthy?"
2. Historical context: from EDI to agentic
Agentic payments did not appear out of nowhere in 2025. They sit at the end of a four-decade arc in which programmatic participation in commerce has steadily expanded:
2.1 EDI and B2B automation (1970s–1990s)
Electronic Data Interchange (EDI), standardised as ANSI ASC X12 in the United States (first published in 1979) and UN/EDIFACT internationally (ISO 9735, 1988), allowed enterprises to exchange structured business documents — purchase orders, invoices, remittance advices — machine-to-machine over value-added networks. EDI automated documents but not decisions: the counterparty, price, and terms were pre-negotiated by humans in a trading-partner agreement, and the EDI pipeline merely serialised the resulting instructions. EDI's legacy in the agentic era is twofold: it established the normative idea that machines can exchange commercially binding messages, and it made clear that identity and trading-partner enrolment (the human-authored contract behind the pipe) is the hard part of inter-firm automation.
2.2 Card-not-present e-commerce and tokenisation (1995–2015)
The growth of web commerce in the 1990s introduced "card-not-present" transactions at scale and, with them, elevated fraud and chargeback rates. The response from the card networks was a cascade of standards — 3-D Secure (1999, Visa), PCI DSS (2004), and the EMVCo Payment Tokenisation Specification (2014) — that progressively substituted persistent primary account numbers (PANs) with merchant- and channel-scoped tokens. Tokenisation is directly relevant here because every major card-network agentic-commerce initiative (Mastercard's Agentic Tokens,[^mcpress] Visa's Intelligent Commerce credentials,[^visaic] and Stripe's SharedPaymentToken[^acpstripe]) is an extension of this lineage. The agentic token is simply a token whose scope condition includes "this agent, on behalf of this principal, within this mandate."
2.3 PSD2 and open banking (2015–2020)
EU Directive 2015/2366 — the Revised Payment Services Directive (PSD2) — was adopted on 25 November 2015; its Strong Customer Authentication (SCA) requirements became applicable on 14 September 2019.[^psd2] PSD2 created two new regulated roles — Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs) — and forced banks to expose them via APIs. This was the first time in mainstream retail payments that a third-party software agent, acting under explicit consumer consent, could initiate a payment directly from a consumer's bank account. PSD2's consent model (explicit, revocable, scoped, time-bound) is the direct conceptual ancestor of the agentic-payment mandate; AP2's specification explicitly positions its Intent Mandate as an evolution of PSD2-style scoped authorisation expressed as a W3C Verifiable Credential.[^ap2spec]
2.4 Embedded finance and programmatic payouts (2018–2023)
The rise of Stripe, Adyen, Square and their developer-first API models moved payments from a back-office concern to a primitive that any developer could embed in any product. By the early 2020s, "embedded finance" meant that payouts, issuing, card acceptance, and KYC were all callable from code. Skyfire, founded in 2023, was one of the first companies to articulate publicly that these APIs could be wired up to LLMs so that the agent itself — not a human through a UI — was the direct consumer of the payment primitive.[^skyfire] The missing pieces in 2023 were (a) reliable enough LLMs to act without constant supervision, and (b) a trust fabric (identity, mandate, dispute) that could tell a legitimate agent from a prompt-injected impostor. Both arrived in 2024–2025.
2.5 Agentic (2024–2026)
The transition point is conventionally dated to November 2024, with Anthropic's release of the Model Context Protocol (MCP), an open standard that gives LLMs a structured way to call external tools and data sources.[^mcp] MCP made it trivial for any API — including payment APIs — to become agent-callable. Google's Agent-to-Agent (A2A) protocol followed in April 2025, PayPal's Agent Toolkit and MCP server on 29 April 2025,[^paypaldev] Mastercard Agent Pay on 30 April 2025,[^mcpress] Visa Intelligent Commerce on 30 April 2025,[^visaic] Coinbase's x402 on 6 May 2025,[^x402docs] Google's AP2 on 16 September 2025,[^ap2cloud] OpenAI + Stripe's ACP on 29 September 2025,[^acpstripe] Visa's Trusted Agent Protocol on 14 October 2025,[^visatap] Cloudflare's Web Bot Auth collaboration on 21 October 2025,[^cloudflare] Mastercard × PayPal on 27 October 2025,[^paypalmc] and the Google + Shopify Universal Commerce Protocol (UCP) at NRF's Big Show in January 2026.[^ucp] A twelve-month compression of activity of this density has no precedent in retail-payments standard-setting.
1979 ANSI X12 EDI
1999 3-D Secure
2014 EMVCo Payment Tokenisation
2015 PSD2 adopted (EU)
2019 SCA in force
Nov 2024 MCP
Apr 2025 A2A, PayPal Agent Toolkit, Mastercard Agent Pay, Visa Intelligent Commerce
May 2025 x402, Catena Labs, Nekuda seed
Sep 2025 AP2, ACP (Instant Checkout in ChatGPT)
Oct 2025 Visa Trusted Agent Protocol, Walmart×OpenAI, Cloudflare, MC×PayPal
Jan 2026 Universal Commerce Protocol (UCP)
3. Actor model
A coherent taxonomy of agentic payments starts from an enumeration of the actors and the trust relationships among them. The canonical list follows; a more detailed protocol-by-protocol mapping appears in the AP2 deep dive, the ACP deep dive, and the card-networks chapter.
| # | Actor | Role | Examples |
|---|---|---|---|
| 1 | Principal (user / delegator) | Holds the underlying payment instrument and legal liability; grants a mandate | Individual consumer; a business; a DAO |
| 2 | Agent | Executes intent on behalf of the principal within a mandate | ChatGPT agent, Claude, Google's Gemini agents, Perplexity Comet, bespoke enterprise agents, autonomous on-chain bots |
| 3 | Agent operator / provider | Runs the agent runtime, may be liable for agent behaviour | OpenAI, Anthropic, Google, Microsoft, or first-party enterprises |
| 4 | Merchant | Sells goods or services; must accept agent-originated orders | Etsy, Walmart, Shopify sellers, APIs-as-products |
| 5 | Merchant-of-Record (MoR) | The legal seller on the receipt; collects tax, handles refunds | The merchant itself (ACP), the platform (Shopify Payments), or a third party (Paddle, Lemon Squeezy) |
| 6 | Issuer | Issues the principal's funding instrument | Chase, Citi, U.S. Bank (Mastercard pilot),[^mcpress] Stripe Issuing for virtual agent cards |
| 7 | Acquirer / PSP | Accepts card authorisation on the merchant side | Stripe, Adyen, Checkout.com, Worldpay, Braintree, Fiserv |
| 8 | Network | Routes and rule-sets the transaction | Visa, Mastercard, American Express, Discover; card-alternate rails (see §5) |
| 9 | Facilitator | Non-custodial intermediary that verifies a payment proof and settles on an underlying rail | x402 facilitators (Coinbase CDP is the canonical example)[^x402fac] |
| 10 | Identity / credential issuer | Binds a public key to an agent or principal identity | Nekuda (agent wallets / mandates),[^nekuda] Skyfire (KYA),[^skyfire] W3C VC issuers, DID methods, ERC-8004 registries[^erc8004] |
| 11 | Infrastructure / bot-auth provider | Signs and verifies machine traffic at the network edge | Cloudflare Web Bot Auth; Visa's Trusted Agent Protocol edge[^cloudflare][^visatap] |
Two points deserve emphasis. First, in the existing web-payments stack, the merchant, MoR, and acquirer are often assumed to coincide; agentic architectures frequently split them. In ACP, for example, the merchant remains the Merchant-of-Record even though the user never visits the merchant's website and the order originates from OpenAI's ChatGPT surface; Stripe's SharedPaymentToken is the mechanism that conveys the agent-captured payment credential to the merchant without disclosing the underlying PAN.[^acpstripe] Second, the "agent operator" role is genuinely new: it is neither a merchant nor a payment institution under any existing licensing regime, yet its software can move money. Much of the regulatory debate surveyed in the regulation chapter is about which existing role to analogise this to — gateway, service provider, PISP, or something sui generis.
A simple mermaid sketch of the minimal flow (a consumer agentic purchase on card rails, ACP-style) illustrates the relationships:
```mermaid
sequenceDiagram
    participant U as Principal
    participant A as Agent (ChatGPT)
    participant M as Merchant
    participant PSP as Acquirer / PSP
    participant N as Network
    participant I as Issuer
    U->>A: "Buy the Etsy mug I looked at"
    A->>M: Product query / cart build
    M-->>A: Cart + price
    U->>A: Approve (one-tap SCA equivalent)
    A->>PSP: Shared Payment Token + cart
    PSP->>N: Authorisation with agent-aware token
    N->>I: Auth request
    I-->>N: Approved
    N-->>PSP: Approved
    PSP-->>M: Order confirmed (merchant = MoR)
```
The Agent-to-Agent (A2A) flow variant collapses the "Principal/Agent" distinction into an "Agent/Counter-agent" pair; the mandate, not a live human, is the thing that closes the trust loop. This is treated in §4.3.
4. Flow taxonomy
The agentic-payment ecosystem has converged, across otherwise divergent protocols, on roughly four flow archetypes. They differ in (a) whether a human is present at the moment of payment, (b) whether there is a counter-agent, and (c) the size and frequency of the payment.
4.1 Human-Present (HP)
The user is in-session with the agent at the moment of payment and explicitly approves the cart (for example, by tapping a "confirm" button or biometrically signing a passkey challenge). The agent's role is to compose the transaction — find the item, build the cart, select the payment method — but not to authorise it unilaterally. HP flows map cleanly onto existing SCA-compliant card-not-present semantics; the novelty is that the merchant is interacting with an agent surface rather than the merchant's own checkout page.
AP2 names the signed artefact for this moment the Cart Mandate: a verifiable credential, signed by the user, binding the exact cart contents, price, and merchant at the moment of confirmation.[^ap2spec] ACP's "Instant Checkout in ChatGPT" (launched 29 September 2025 with Etsy as the first merchant and Walmart added 14 October 2025)[^walmartopenai][^acpstripe] is the paradigmatic HP agentic flow in the wild: the agent builds the cart, the user taps once inside ChatGPT, and Stripe's SharedPaymentToken conveys the confirmed order to the merchant.
HP flows are the easiest to reconcile with existing dispute, liability, and regulatory regimes and are accordingly the first flows most incumbents have supported in production.
4.2 Human-Not-Present (HNP)
The user has pre-authorised, via a mandate, a class of future purchases bounded by predicates — for example, "book any flight home from SFO before Friday under $600, once." The agent transacts without a real-time human approval step. This is the flow that most concretely requires the cryptographic mandate architecture that AP2 makes explicit with its Intent Mandate (scope and constraints, signed in advance) plus Payment Mandate (signed by the network/issuer at the moment of payment to establish that an agent was involved).[^ap2spec]
HNP is where the existing payment-rails assumptions break down most severely. The transaction looks card-not-present to the issuer but has no real-time cardholder act; classical 3-D Secure challenge flows are not applicable; chargeback reason codes such as "cardholder did not authorise" become ambiguous (the cardholder authorised a class of transactions, not this one). The card-network responses — Mastercard's Agentic Tokens and Agent Pay Acceptance Framework, Visa's Trusted Agent Protocol — are largely about giving issuers and merchants a verifiable signal at authorisation time that an HNP transaction is a legitimate agent transaction under a valid mandate, not an impersonation attack.[^mcpress][^visatap]
4.3 Agent-to-Agent (A2A)
Two agents, each acting for a different principal, negotiate and settle a transaction without human involvement during the negotiation. A canonical consumer example is a travel agent negotiating with a hotel's reservations agent; a B2B example is a procurement agent buying compute from a cloud vendor's sales agent. The machine economy discussed in the future-directions chapter is largely an A2A construct.
Google's A2A protocol (April 2025) and its integration with AP2 are the most developed industry answer here.[^ap2cloud] In A2A flows the "SCA-equivalent" is not a biometric at all but the verifiability of the mandate chain: each agent presents a credential (ideally a W3C Verifiable Credential or ERC-8004 trustless-agent registration[^erc8004]) attesting to its scope of authority, and the transaction is only valid if the two mandates reconcile. A separate but closely related design is Catena Labs' open-source Agent Commerce Kit (ACK).[^catena] On-chain variants treat the agent identity as a smart-contract account and use x402-style micropayments for settlement.[^x402docs]
4.4 Pay-per-call / per-crawl micropayments
A distinct class of agentic payment is the micropayment for machine-consumed resources: an agent paying a few cents (or fractions thereof) for an API call, a search query, or access to a piece of web content. The legacy credit-card rail is structurally unable to support this — interchange and scheme fees dwarf a $0.01 price — and the ecosystem response has converged on crypto rails with stablecoin settlement.
Coinbase's x402, announced on 6 May 2025, resurrects the reserved HTTP status code 402 Payment Required: a server responds 402 with a payment requirement payload, the agent attaches a signed EIP-3009 or Permit2 token in the X-Payment header, and a non-custodial facilitator verifies and settles the USDC transfer on Base, Ethereum, Polygon, Arbitrum, or Solana. Coinbase's CDP facilitator is free on Base for the first 1,000 transactions per month.[^x402fac][^x402docs] Cloudflare, as co-founder of the x402 Foundation, has generalised this into pay-per-crawl β web publishers charging bots per retrieval, with payment in-band at the HTTP layer.[^cloudflare]
| Flow | Typical size | Rails | Canonical artefact | Example |
|---|---|---|---|---|
| HP | 10,000 | Card, wallet | Cart Mandate | ChatGPT × Etsy[^acpstripe] |
| HNP | 1,000 | Card, A2A bank rails | Intent + Payment Mandate | AP2 delegated purchase[^ap2spec] |
| A2A | 100,000+ | Stablecoin, wire, card | Mandate chain | Agent negotiates hotel |
| Micropayment | 1 | Stablecoin on L2 | x402 X-Payment header | Per-API-call, pay-per-crawl[^x402docs][^cloudflare] |
These archetypes are not mutually exclusive; a single agent session may involve all four (HP purchase of an airline ticket, HNP rebook if cancelled, A2A negotiation with the hotel concierge bot, and x402 micropayments to the weather API the travel agent consults).
5. Rails taxonomy
The rail is the underlying value-transfer network used to move money. Agentic payments can, in principle, ride any rail, but the economic, regulatory, and trust properties of each rail differ sharply. A summary:
| Rail | Settlement speed | Per-tx floor economics | Chargeback regime | Dominant agentic use-case |
|---|---|---|---|---|
| Card networks (Visa, Mastercard, Amex) | T+1–T+3 | Uneconomic < ~$0.50 | Scheme-mandated chargebacks | HP and HNP consumer commerce |
| Open banking / account-to-account | Seconds (FPS, SEPA Instant, Pix, UPI, FedNow) | Cheap at all sizes | Limited; bank-dispute only | HP, some HNP; B2B and cross-border |
| Stablecoins (USDC, USDT, PYUSD) | Seconds to minutes | Near-zero on L2s | None at protocol layer; contract-layer escrow | A2A, micropayments, machine economy |
| Wallets (PayPal, Apple Pay, Google Pay, Alipay) | Instant UX, underlying card/ACH | Underlying-rail economics | Wallet-provider policy | HP consumer flows |
| ACH / SEPA (batch) | T+1–T+3 | Cheap | Limited | Payouts, subscriptions, not real-time HP |
5.1 Card rails
The card networks' explicit agentic programmes — Visa Intelligent Commerce (April 2025) and Trusted Agent Protocol (October 2025),[^visaic][^visatap] Mastercard Agent Pay (April 2025) and the MC × PayPal extension (October 2025)[^mcpress][^paypalmc] — are detailed in the card-networks chapter. The headline pattern is that card rails, because they already have a rich ecosystem of issuers, dispute rules, and fraud-scoring, are the incumbents' preferred locus for absorbing agentic flows. The networks' contribution is cryptographic: signed agent identity at the edge (via HTTP Message Signatures[^rfc9421] and Web Bot Auth[^webbotauth]), plus a new generation of scope-limited tokens (Mastercard Agentic Tokens, Visa agent credentials) that make the mandate machine-verifiable at authorisation time.
5.2 Open banking / A2A bank rails
PSD2 AISP/PISP-style account-to-account rails, plus their global equivalents (UPI in India, Pix in Brazil, FedNow in the US, SEPA Instant in Europe), are a natural match for agentic HP and HNP flows because they already support consent-scoped, PISP-initiated payments. European analyses from McKinsey,[^mckinsey] Kearney,[^kearney] and Linklaters[^linklaters] expect open-banking rails to capture a disproportionate share of agentic volume in Europe precisely because PSD2's consent model is close to the mandate model. PSD3, currently in legislative progress, is widely expected to tighten and clarify agent-mediated PISP flows; this is covered in the regulation chapter.
5.3 Stablecoins
Stablecoins are the rail of choice for flows where either per-transaction cost or 24/7 global settlement matters more than chargebacks. Coinbase's x402 is the most concrete standardisation on top of stablecoin rails,[^x402docs] but a broader ecosystem has formed: Skyfire's stablecoin-backed agent identities,[^skyfire] Catena Labs' AI-native financial institution thesis (with $18M a16z-crypto seed, May 2025),[^catena] Crossmint's agentic stablecoin wallets, virtual cards, and MoneyGram payouts,[^crossmint] and Circle's investment in Crossmint.[^crossmintcircle] The detailed treatment is in the x402 and crypto chapter.
5.4 Wallets
PayPal's Agent Toolkit and MCP server (29 April 2025) exposed orders, invoices, disputes, catalog, shipment tracking, subscriptions, and reporting as MCP-addressable tools; PayPal explicitly positioned the release for use inside the OpenAI Agent SDK, the Vercel AI SDK, and LangChain.[^paypaldev] Apple Pay and Google Pay remain primarily HP surfaces; their agentic role so far has been to supply the biometric that signs Cart Mandates.
5.5 ACH / SEPA
Batch bank rails are not well suited to real-time HP agentic flows, but they are the backbone for payouts, subscription settlement, and B2B. The wallets and platforms chapter and the regulation chapter cover the compliance nuances.
6. Trust and authorisation primitives
The cryptographic plumbing of agentic payments rests on a short list of primitives. Each protocol uses a different subset, but the underlying concepts recur.
6.1 Delegated consent
The foundational abstraction: the principal declares, in a machine-readable and independently-verifiable form, what the agent is allowed to do, when, and for how much. The PSD2 consent object was an early version; the AP2 Intent Mandate is the current generation, expressed as a W3C Verifiable Credential (VC).[^ap2spec]
6.2 Mandates
A mandate in the AP2 sense is a signed credential that carries the consent. AP2 defines three:
- Intent Mandate — signed by the user in advance; scope, constraints, validity window.
- Cart Mandate — signed by the user at the moment of confirmation (for HP) or by the agent within the Intent Mandate's scope (for HNP); binds the specific cart contents, merchant, and price.
- Payment Mandate — signed by the payment network or issuer; asserts that an agent was involved in this transaction and that the network has verified the mandate chain.[^ap2spec]
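The following is an added example, not AP2's schema or code from this report: a merchant- or PSP-side check that an agent-signed cart falls inside a pre-signed intent mandate in a human-not-present flow. All field names, keys and values are constructed for illustration, and HMAC-SHA256 is swapped in for the asymmetric credential proofs a real mandate would carry so that the block runs on the Python standard library.

```python
import hashlib
import hmac
import json

# Constructed demo keys. HMAC-SHA256 stands in for the asymmetric proofs a real
# mandate credential would carry, so the example runs on the standard library alone.
PRINCIPAL_KEY = b"constructed-principal-key"
AGENT_KEY = b"constructed-agent-key"


def canonical(claims: dict) -> bytes:
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def sign(claims: dict, key: bytes) -> dict:
    tag = hmac.new(key, canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "proof": tag}


def proof_ok(mandate: dict, key: bytes) -> bool:
    expected = hmac.new(key, canonical(mandate["claims"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(mandate.get("proof", "")))


class MandateVerifier:
    """Checks that a cart falls inside a pre-signed intent mandate (hypothetical fields)."""

    def __init__(self):
        self.uses = {}  # intent mandate id -> carts already accepted under it

    def check(self, intent: dict, cart: dict, now: int) -> list:
        # Proofs first: constraint values from an unauthenticated mandate mean nothing.
        if not proof_ok(intent, PRINCIPAL_KEY):
            return ["intent mandate proof invalid"]
        if not proof_ok(cart, AGENT_KEY):
            return ["cart mandate proof invalid"]
        i, c = intent["claims"], cart["claims"]
        errors = []
        if c["intent_id"] != i["id"]:
            errors.append("cart references a different intent mandate")
        if c["agent_id"] != i["agent_id"]:
            errors.append("agent is not the one named in the mandate")
        if not (i["not_before"] <= now < i["not_after"]):
            errors.append("outside validity window")
        if c["merchant"] not in i["merchants"]:
            errors.append("merchant not in scope")
        if c["currency"] != i["currency"] or c["total_minor"] > i["max_total_minor"]:
            errors.append("total exceeds ceiling")
        if self.uses.get(i["id"], 0) >= i["max_uses"]:
            errors.append("mandate already used")
        if not errors:
            self.uses[i["id"]] = self.uses.get(i["id"], 0) + 1
        return errors


# Constructed sample mandate: one flight, under $600, within a fixed window.
INTENT = sign({
    "id": "intent-001", "agent_id": "agent-travel-01",
    "merchants": ["airline-a.example", "airline-b.example"],
    "currency": "USD", "max_total_minor": 60000, "max_uses": 1,
    "not_before": 1_700_000_000, "not_after": 1_700_300_000,
}, PRINCIPAL_KEY)


def make_cart(merchant: str, total_minor: int, agent_id: str = "agent-travel-01") -> dict:
    return sign({"intent_id": "intent-001", "agent_id": agent_id, "merchant": merchant,
                 "currency": "USD", "total_minor": total_minor}, AGENT_KEY)


def run_demo() -> dict:
    now = 1_700_100_000
    v = MandateVerifier()
    results = {}
    results["over_ceiling"] = v.check(INTENT, make_cart("airline-a.example", 64900), now)
    results["wrong_merchant"] = v.check(INTENT, make_cart("hotel.example", 20000), now)
    # Ceiling edited after signing: the proof no longer matches the claims.
    forged = {"claims": dict(INTENT["claims"], max_total_minor=90000),
              "proof": INTENT["proof"]}
    results["tampered"] = v.check(forged, make_cart("airline-a.example", 64900), now)
    results["in_scope"] = v.check(INTENT, make_cart("airline-a.example", 58900), now)
    results["replay"] = v.check(INTENT, make_cart("airline-b.example", 41000), now)
    results["expired"] = MandateVerifier().check(
        INTENT, make_cart("airline-a.example", 58900), 1_700_300_000)
    return results


if __name__ == "__main__":
    for name, errs in run_demo().items():
        print(f"{name:15} -> {'ACCEPT' if not errs else 'REJECT: ' + '; '.join(errs)}")
```

Rejected carts do not consume the mandate's single use; only the accepted cart does, which is why the later in-scope cart is refused as a replay.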
Nekuda, a $5M-seed (May 2025, Madrona Ventures with Visa Ventures and Amex Ventures[^nekudafund]) fintech, has productised a mandate-and-wallet layer that integrates with Visa Intelligent Commerce.[^nekuda] ERC-8004 Trustless Agents is a parallel on-chain analogue that anchors mandates to smart-contract registries on Ethereum.[^erc8004]
6.3 Verifiable Credentials and Decentralized Identifiers
W3C Verifiable Credentials Data Model 2.0 (a W3C Recommendation)[^w3cvc] and Decentralized Identifiers (DIDs) v1.0[^w3cdid] are the standards from which AP2 borrows its credential format. A VC is a tamper-evident statement (claims + proof) about a subject, issued by an issuer and verifiable by any relying party. DIDs provide the identifier layer: globally unique, self-sovereign identifiers that do not depend on a central registry.
6.4 Tokenisation
Classical EMVCo tokenisation is extended by the networks for the agentic case. Mastercard's Agentic Tokens, announced with Agent Pay on 30 April 2025, extend the Mastercard Tokenisation Service so that the token's scope conditions include agent identity and mandate binding.[^mcpress] Stripe's SharedPaymentToken plays an analogous role within ACP: a token that can be handed to a merchant for a specific, agent-originated order without disclosing the underlying PAN.[^acpstripe]
6.5 Strong Customer Authentication (SCA)
PSD2 SCA (in force 14 September 2019)[^psd2] requires at least two independent factors drawn from knowledge, possession, and inherence. In HP agentic flows the "possession" factor is typically a passkey bound to the user's device; in HNP flows the SCA act is the signing of the Intent Mandate ahead of time, and the regulatory question (covered in the regulation chapter) is whether such an anticipatory SCA satisfies PSD2 when the actual transaction occurs without a live user.
6.6 Agent identity and Web Bot Auth
A distinct layer from mandate: the identity of the software making the request. IETF RFC 9421 HTTP Message Signatures (February 2024)[^rfc9421] is the underlying signing primitive. Cloudflare's IETF draft Web Bot Auth, in collaboration with Visa's Trusted Agent Protocol,[^webbotauth][^visatap] gives each agent a signed identity that edge networks and merchants can verify. Skyfire's KYA (Know-Your-Agent) framework adds a KYC-equivalent: identity, principal, and scope for each agent.[^skyfire]
6.7 Facilitators (x402)
On crypto rails the role analogous to an acquirer is the facilitator: a non-custodial service that verifies an X-Payment header (an EIP-3009 or Permit2 signed transfer), settles it on-chain, and returns a receipt. Coinbase CDP is the reference implementation; Cloudflare's x402 Foundation partnership makes the pattern available at edge scale.[^x402fac][^cloudflare]
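The 402 exchange described in section 4.4 and the facilitator's verification step described here, as an added example that is not Coinbase's code or part of this report. Field names are modelled on x402's `exact` scheme and should be read as assumptions, as should the constructed addresses and the `stand_in_signature_ok` hook, which takes the place of EIP-712 signature recovery; the point shown is that a valid signature must also be bound to the recipient, amount, time window and nonce the server asked for.

```python
import base64
import json

# Constructed placeholders, not real accounts or contracts.
PAY_TO = "0x" + "ab" * 20
ASSET = "0x" + "cd" * 20   # stands in for the stablecoin contract address
PAYER = "0x" + "12" * 20
OTHER = "0x" + "ee" * 20


def requirement(resource: str, amount: str) -> dict:
    """One entry of the payment requirements a server returns with HTTP 402."""
    return {"scheme": "exact", "network": "base", "maxAmountRequired": amount,
            "resource": resource, "payTo": PAY_TO, "asset": ASSET,
            "maxTimeoutSeconds": 60}


def x_payment(req: dict, now: int, nonce: str, to=None, value=None) -> str:
    """Client side: encode a signed transfer authorisation as the X-Payment value."""
    auth = {"from": PAYER, "to": to or req["payTo"],
            "value": value or req["maxAmountRequired"],
            "validAfter": str(now - 5),
            "validBefore": str(now + req["maxTimeoutSeconds"]), "nonce": nonce}
    body = {"x402Version": 1, "scheme": req["scheme"], "network": req["network"],
            "payload": {"signature": "sig-by-" + PAYER, "authorization": auth}}
    return base64.b64encode(json.dumps(body).encode()).decode()


def stand_in_signature_ok(auth: dict, signature: str) -> bool:
    # Placeholder for EIP-712 signature recovery against auth["from"].
    return signature == "sig-by-" + auth["from"]


class Facilitator:
    def __init__(self, signature_ok):
        self.signature_ok = signature_ok
        # Early reject only: EIP-3009 tokens also enforce nonce uniqueness on-chain.
        self.seen = set()

    def verify(self, header: str, req: dict, now: int) -> str:
        try:
            p = json.loads(base64.b64decode(header, validate=True))
            auth = p["payload"]["authorization"]
            sig = p["payload"]["signature"]
            value = int(auth["value"])
            window = (int(auth["validAfter"]), int(auth["validBefore"]))
            key = (auth["from"].lower(), auth["nonce"])
            to = auth["to"].lower()
        except (ValueError, KeyError, TypeError, AttributeError):
            return "malformed X-Payment header"
        if (p.get("scheme"), p.get("network")) != (req["scheme"], req["network"]):
            return "scheme or network mismatch"
        if to != req["payTo"].lower():
            return "recipient is not payTo"
        if value < int(req["maxAmountRequired"]):
            return "amount below requirement"
        if not (window[0] <= now < window[1]):
            return "authorisation not currently valid"
        if key in self.seen:
            return "nonce already used"
        if not self.signature_ok(auth, sig):
            return "signature invalid"
        self.seen.add(key)
        return "ok"


def run_demo() -> dict:
    now = 1_700_000_000
    req = requirement("https://api.example/weather", "10000")  # 0.01 of a 6-decimal token
    f = Facilitator(stand_in_signature_ok)
    paid = x_payment(req, now, "0x01")
    return {
        "paid": f.verify(paid, req, now),
        "replayed": f.verify(paid, req, now),
        "redirected": f.verify(x_payment(req, now, "0x02", to=OTHER), req, now),
        "underpaid": f.verify(x_payment(req, now, "0x03", value="1"), req, now),
        "stale": f.verify(x_payment(req, now, "0x04"), req, now + 120),
        "garbage": f.verify("not-base64!!", req, now),
    }


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case:11} -> {verdict}")
```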
A compact mapping:
| Concern | Card-rail primitive | Open-banking primitive | Crypto primitive |
|---|---|---|---|
| Principal consent | SCA + 3DS | PSD2 consent | Signed mandate VC, EIP-712 sig |
| Credential | PAN / network token | Account tokenised reference | EOA address / smart-account |
| Agent identity | Web Bot Auth + network-signed agent cert | Bank-side agent allow-list | DID / ERC-8004 registry[^erc8004] |
| Settlement | Network → issuer → acquirer | A2A instant rail | Facilitator + on-chain transfer |
| Dispute / repair | Scheme chargeback | Bank dispute | Contract escrow, social arbitration |
7. Scope boundary: what is NOT an agentic payment?
It is as important to say what this report does not cover as what it does. The word "agent" in payments literature predates the current wave by decades and is routinely stretched until it loses meaning. The following are not agentic payments in the sense used here:
- Chatbots that hand off to a human checkout. A conversational interface that collects a customer's intent and then redirects the user to a standard hosted checkout page is simply a new UI on top of a pre-agentic flow. The agent is not authorising or initiating the payment. This pattern is sometimes — misleadingly — marketed as "agentic commerce."
- RPA-driven bill-pay. Classic robotic-process-automation scripts that log into a bank portal using stored credentials and click "pay" are automation, not agency: they have no mandate, no verifiable identity, and no ability to reason about whether the invoice is legitimate. They are also, under most terms-of-service regimes, non-compliant.
- Programmatic B2B payouts. A nightly ACH batch generated from an ERP is "automatic" but deterministic; there is no delegated discretion. It is EDI in modern dress.
- Traditional recurring subscriptions. A merchant-initiated card-on-file charge under a pre-agreed subscription (e.g. Netflix) is recurring, not agentic; the "discretion" (how much, when) was fixed at contract time.
- Autopay under a fixed rule. "Pay my credit-card statement balance on the due date" has no open-ended reasoning; it is a trigger, not an agent.
- Algorithmic trading / HFT. Trading bots that execute within a prime-broker account are autonomous but are governed by their own regulatory regime (market-abuse rules, best-execution, MiFID II, Reg NMS) and do not use consumer-payment rails. They are out of scope except insofar as DeFi agents blur the boundary (see future directions).
- "AI-powered" fraud scoring. Machine-learning models used by issuers and acquirers to authorise or decline a human-initiated transaction are not initiating payments; they are making risk decisions on someone else's flow.
A useful litmus test: could the payment have been blocked by pulling the power on the LLM at inference time, without any human-configured fallback completing it? If yes, it is agentic. If the payment would still have gone through under a pre-set schedule or rule, it is not.
This boundary matters because regulators (the US CFPB, the UK FCA and PSR, and EU authorities under the AI Act and PSD3 negotiations[^cba][^linklaters]) are actively scoping which parts of the stack fall under which regime, and the industry's tendency to call everything "agentic" is already generating confusion. We adopt the stricter definition throughout.
8. Why now?
Four independent trends converged in 2024–2025 to make agentic payments suddenly tractable. Each was necessary; none on its own was sufficient.
8.1 LLM capability
By late 2024, frontier LLMs (Claude 3.5, GPT-4o, Gemini 1.5/2.0) were reliable enough at tool use, long-context reasoning, and structured output that agents could plausibly be trusted with small-dollar commercial decisions. Before 2024, the error rate on multi-step commerce workflows was too high to underwrite; by mid-2025, OpenAI and Anthropic were shipping production agent SDKs that major merchants (Etsy, Walmart, Shopify) were willing to integrate.[^walmartopenai][^acpstripe]
8.2 Protocol and standards maturity
The MCP → A2A → AP2 → ACP stack, assembled in roughly twelve months, gave the industry a shared vocabulary. MCP (November 2024)[^mcp] standardised how agents call tools; A2A (April 2025) standardised how agents call each other; AP2 (September 2025)[^ap2cloud] standardised the mandate artefacts; ACP (September 2025)[^acpstripe] standardised the merchant-side checkout surface. This is more protocol activity in payments in one year than PCI or EMVCo produced in any five-year window of the previous two decades. The academic protocol survey from Shanghai Jiao Tong University (arXiv:2504.16736, April 2025) catalogues the resulting design space and is discussed in the academic-literature chapter.[^sjsusurvey]
8.3 Stablecoin and on-chain settlement maturity
USDC and USDT reached multi-hundred-billion-dollar circulation by 2024; Base, Arbitrum, and Polygon offered sub-cent settlement latency and cost. This made micropayment economics viable for the first time — a prerequisite for pay-per-call, pay-per-crawl, and A2A machine-economy flows that the card rails structurally cannot serve. x402 is the concrete artefact of this maturity at the HTTP layer,[^x402docs] Catena Labs and Crossmint at the institutional and product layer.[^catena][^crossmint]
8.4 Incumbent card-network pivot
Perhaps most striking, the major card networks moved in lock-step within a six-month window. Visa announced Intelligent Commerce on 30 April 2025,[^visaic] Mastercard announced Agent Pay the same day,[^mcpress] and American Express announced its own agentic commerce programme and, by October 2025, had joined Cloudflare's agentic commerce security collaboration.[^amex][^cloudflare] Visa's Trusted Agent Protocol (14 October 2025) launched with a co-authorship list (Adyen, Checkout.com, Coinbase, Fiserv, Microsoft, Shopify, Stripe, Worldpay, Nekuda) that crosses the historical boundaries between card acquirers, crypto, cloud, and e-commerce.[^visatap] The signal is unambiguous: incumbents have decided that the defensible ground is not to resist agentic commerce but to own the trust fabric (identity, tokenisation, dispute) at its centre.
A more speculative fifth driver deserves mention: the economic pressure of AI-generated bot traffic on the open web, which Cloudflare has repeatedly flagged as an existential threat to the advertising-funded content business. Pay-per-crawl and x402-style micropayments are as much an ad-replacement story as they are a payments story; this is discussed further in the pain points chapter.
Cross-reference map
- For the specific mandate schemas and Verifiable-Credential formats, see the AP2 deep dive.
- For the SharedPaymentToken flow and Instant-Checkout merchant onboarding, see the ACP deep dive.
- For x402, ERC-8004, Skyfire, Catena, Crossmint, Nekuda, and micropayments, see the x402 and crypto chapter.
- For Visa Trusted Agent Protocol, Mastercard Agent Pay, Amex, and Web Bot Auth, see the card-networks chapter.
- For PayPal, Stripe Issuing, wallets, and Klarna, see the wallets and platforms chapter.
- For Walmart × OpenAI, Shopify × Google UCP, Etsy, Perplexity Comet, see the merchant and retail chapter.
- For prompt-injection, mandate-spoofing, and the KYA threat model, see the security and trust chapter.
- For CFPB, FCA/PSR, EU AI Act, PSD2/PSD3, and chargeback-regime reform, see the regulation and compliance chapter.
Sources
[^ap2spec]: Google Agentic Commerce, Agent Payments Protocol (AP2): Specification. https://github.com/google-agentic-commerce/AP2/blob/main/docs/specification.md
[^ap2cloud]: Google Cloud Blog, "Announcing Agents-to-Payments (AP2) Protocol," 16 September 2025. https://cloud.google.com/blog/products/ai-machine-learning/announcing-agents-to-payments-ap2-protocol
[^acpstripe]: Stripe, Agentic Commerce Protocol documentation. https://docs.stripe.com/agentic-commerce/protocol ; Agentic Commerce Protocol site: https://agenticcommerce.dev/ ; spec repo: https://github.com/agentic-commerce-protocol/agentic-commerce-protocol
[^visatap]: Visa Investor Relations, "Visa Introduces Trusted Agent Protocol: An Ecosystem-Led Framework for AI Commerce," 14 October 2025. https://investor.visa.com/news/news-details/2025/Visa-Introduces-Trusted-Agent-Protocol-An-Ecosystem-Led-Framework-for-AI-Commerce/default.aspx ; spec: https://github.com/visa/trusted-agent-protocol
[^visaic]: Visa Intelligent Commerce programme, announced 30 April 2025. See Visa IR release above and BusinessWire: https://www.businesswire.com/news/home/20251014974512/en/Visa-Introduces-Trusted-Agent-Protocol-An-Ecosystem-Led-Framework-for-AI-Commerce
[^mcpress]: Payment Expert, "Mastercard and Microsoft announce AI Agent Pay," 30 April 2025. https://paymentexpert.com/2025/04/30/mastercard-microsoft-ai-agent-pay/
[^paypalmc]: PayPal Newsroom, "Mastercard and PayPal Join Forces to Accelerate Secure Global Agentic Commerce," 27 October 2025. https://newsroom.paypal-corp.com/2025-10-27-Mastercard-and-PayPal-Join-Forces-To-Accelerate-Secure-Global-Agentic-Commerce
[^paypaldev]: PayPal Newsroom, "PayPal Brings Together Developers, AI Leaders to Power Agentic Commerce at Dev Days," 29 April 2025. https://newsroom.paypal-corp.com/2025-04-29-PayPal-Brings-Together-Developers,-AI-Leaders-to-Power-Agentic-Commerce-at-Dev-Days ; docs: https://paypal.gitbook.com/agent-toolkit-and-mcp-server/agent-toolkit/quickstart
[^mcp]: Model Context Protocol official site. https://modelcontextprotocol.io (Anthropic open-sourced MCP in November 2024.)
[^x402docs]: Coinbase, x402 documentation (announced 6 May 2025). https://docs.x402.org/ ; repo: https://github.com/coinbase/x402
[^x402fac]: Coinbase, x402 facilitator core concept. https://docs.x402.org/core-concepts/facilitator
[^cloudflare]: Cloudflare Press Release, "Cloudflare Collaborates With Leading Payments Companies to Secure and Enable Agentic Commerce," 21 October 2025. https://www.cloudflare.com/press/press-releases/2025/cloudflare-collaborates-with-leading-payments-companies-to-secure-and-enable-agentic-commerce/
[^walmartopenai]: Walmart Corporate, "Walmart partners with OpenAI to create AI-first shopping experiences," 14 October 2025. https://corporate.walmart.com/news/2025/10/14/walmart-partners-with-openai-to-create-ai-first-shopping-experiences
[^ucp]: Google Developers Blog, "Under the hood: Universal Commerce Protocol (UCP)." https://developers.googleblog.com/under-the-hood-universal-commerce-protocol-ucp/ (Announced at NRF Big Show, January 2026.)
[^skyfire]: TechCrunch, "Skyfire lets AI agents spend your money," 21 August 2024. https://techcrunch.com/2024/08/21/skyfire-lets-ai-agents-spend-your-money/
[^nekuda]: Crowdfund Insider, "Nekuda Secures Funding Led by Madrona Ventures to Enable Agentic Payments," May 2025. https://www.crowdfundinsider.com/2025/05/239660-fintech-startup-nekuda-secures-funding-led-by-madrona-ventures-to-enable-agentic-payments/
[^nekudafund]: Ibid. (Round: $5M seed, Madrona Ventures lead, Amex Ventures and Visa Ventures participating.)
[^catena]: BusinessWire, "Circle Co-Founder Sean Neville Takes Catena Labs Out of Stealth with Plans to Build the First AI-Native Financial Institution," 20 May 2025. https://www.businesswire.com/news/home/20250520361792/en/Circle-Co-Founder-Sean-Neville-Takes-Catena-Labs-Out-of-Stealth-with-Plans-to-Build-the-First-AI-Native-Financial-Institution
[^crossmint]: Crossmint, Agentic Payments product page. https://www.crossmint.com/solutions/agentic-payments
[^crossmintcircle]: Crypto Briefing, "Circle Ventures Investment in Crossmint." https://cryptobriefing.com/circle-ventures-investment-crossmint-stablecoin/
[^erc8004]: Ethereum Improvement Proposals, ERC-8004 "Trustless Agents." https://eips.ethereum.org/EIPS/eip-8004 ; Ethereum Foundation blog: https://ai.ethereum.foundation/blog/intro-erc-8004
[^w3cvc]: W3C, Verifiable Credentials Data Model 2.0 (W3C Recommendation). https://www.w3.org/TR/vc-data-model-2.0/
[^w3cdid]: W3C, Decentralized Identifiers (DIDs) v1.0. https://www.w3.org/TR/did-core/
[^rfc9421]: IETF, RFC 9421, HTTP Message Signatures, February 2024. https://datatracker.ietf.org/doc/rfc9421/
[^webbotauth]: IETF draft, Meunier et al., Web Bot Auth Architecture (Cloudflare). https://datatracker.ietf.org/doc/draft-meunier-web-bot-auth-architecture/
[^psd2]: Directive (EU) 2015/2366 on payment services in the internal market (PSD2). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32015L2366 (Adopted 25 November 2015; SCA requirements in force 14 September 2019 per EBA guidance.)
[^cba]: Consumer Bankers Association, Agentic AI, Consumer Payments and the Future of Regulation (white paper, 2025). https://consumerbankers.com/press-release/cba-releases-white-paper-examining-agentic-ai-consumer-payments-and-the-future-of-regulation/
[^mckinsey]: McKinsey & Company, "Europe's agentic commerce moment: decision influence is here, execution is coming" (2025). https://www.mckinsey.com/capabilities/quantumblack/our-insights/europes-agentic-commerce-moment-decision-influence-is-here-execution-is-coming
[^kearney]: Kearney, "Agentic payments: a new frontier in digital commerce." https://www.kearney.com/industry/financial-services/article/agentic-payments-a-new-frontier-in-digital-commerce
[^linklaters]: Linklaters TechInsights, "Agentic payments: what are they, what are the legal risks and what's next." https://techinsights.linklaters.com/post/102l0hm/agentic-payments-what-are-they-what-are-the-legal-risks-and-whats-next
[^justt]: Justt.ai, "Agentic Commerce: Preparing for Chargeback and Fraud Risks." https://justt.ai/blog/agentic-commerce-chargeback-risk-preparation/
[^sjsusurvey]: Y. Yang et al., "A Survey of AI Agent Protocols," arXiv:2504.16736, April 2025. https://arxiv.org/abs/2504.16736
[^amex]: American Express, "Shaping the future of agentic commerce." https://americanexpress.io/shaping-the-future-of-agentic-commerce/