13. Conclusion

As of 21 April 2026, agentic payments have moved from keynote slideware to live production rails, but the ecosystem is still visibly unfinished. Money is flowing through AI agents at Walmart, Etsy, and a growing roster of Shopify merchants; stablecoins are settling machine-to-machine calls over x402; card networks have shipped signed-identity schemes; and regulators on three continents have opened formal workstreams. And yet nearly every interview, spec, and court filing we reviewed for this report concedes that the hard questions — liability, identity assurance, dispute repair, prompt-injection defence — remain only partially answered. This conclusion distils what we now know, what we still do not, and what each constituency should do next.

13.1 The ten findings that matter

  1. Three incompatible protocol families have stabilised, not converged. AP2, ACP, and x402 each solve a different problem (cryptographic mandate chains, merchant-hosted checkout tokens, and HTTP-native stablecoin settlement respectively) and their sponsors show no appetite for a merge (see 03-protocol-deep-dive-ap2.md, 04-protocol-deep-dive-acp.md, 05-protocol-deep-dive-x402-and-crypto.md).[^1][^2][^3]
  2. The card networks have reasserted themselves as the trust anchor for human-present agent flows. Visa's Trusted Agent Protocol (14 Oct 2025) and Mastercard Agent Pay (30 Apr 2025) together enrolled Adyen, Checkout.com, Stripe, Worldpay, Fiserv, Shopify, Microsoft, Cloudflare, PayPal and the major issuers within six months (see 06-card-networks.md).[^4][^5]
  3. Cloudflare, not a bank, became the de facto agent-identity plane for the open web through Web Bot Auth (IETF draft draft-meunier-web-bot-auth-architecture) and the x402 Foundation; American Express, Visa, and Mastercard all now lean on Cloudflare-signed agent requests (see 06-card-networks.md, 09-security-and-trust.md).[^6][^7]
  4. Merchant-of-Record retention won. Every live retail deployment — ChatGPT Instant Checkout at Etsy, Shopify, and Walmart — keeps the merchant as MoR and the agent as a delegate, not a principal, precisely to preserve card-network dispute rights (see 04-protocol-deep-dive-acp.md, 08-merchant-and-retail.md).[^2][^8]
  5. Stablecoins are the default rail for agent-to-agent, not agent-to-human, spend. x402 (launched 6 May 2025) has no fiat equivalent at comparable latency or cost; USDC on Base underpins Skyfire, Crossmint, Catena Labs and Coinbase's own facilitator (see 05-protocol-deep-dive-x402-and-crypto.md, 07-wallets-platforms.md).[^3][^9][^10]
  6. Mandates — not passwords, not OAuth tokens — have emerged as the primary consent primitive. AP2's Intent/Cart/Payment Mandate triad (built on W3C VC 2.0 and DIDs) is the most-copied structural idea of the year; ACP, Nekuda, and Catena's ACK all use a mandate-shaped object (see 02-academic-literature.md, 03-protocol-deep-dive-ap2.md).[^1][^11][^12]
  7. Prompt injection is still an unsolved systems problem, not a solved ML problem. Google's own January 2025 estimation paper, Simon Willison's June 2025 design-pattern survey, and the MDPI 2026 review all converge on architectural containment — not model-side defences — as the only credible mitigation; and no shipped agent-payment stack yet implements the full pattern set (see 09-security-and-trust.md).[^13][^14][^15]
  8. Regulators are moving faster than expected but are not aligned. The CFPB's 2025 inquiry, the FCA/PSR joint discussion paper, and the EU AI Act's Article 50 transparency obligations each treat the agent as a different legal entity; the Consumer Bankers Association's 2025 white paper flags the gap explicitly (see 10-regulation-and-compliance.md).[^16]
  9. Chargeback and dispute liability has no settled answer. Justt.ai's analysis and Linklaters' TechInsights both note that "friendly fraud" rates on agent-initiated transactions are running measurably higher than card-not-present baselines, and no scheme has published a definitive liability-shift rule for a user who claims "the agent did it" (see 10-regulation-and-compliance.md, 11-pain-points-and-open-problems.md).[^17][^18]
  10. The machine-to-machine economy is real but smaller than the hype. Kearney, McKinsey, and the Payments Association all project meaningful volume by 2028, but the current (Q1 2026) share of genuinely autonomous (human-not-present) spend remains well under 1% of e-commerce by every disclosed metric we found (see 00-executive-summary.md, 12-future-directions.md).[^19][^20]

13.2 What we got right — and what remains deeply uncertain

The predictions made twelve months ago that held up include: (i) that cryptographic mandates, not session cookies, would become the consent primitive; (ii) that stablecoins would find their first real product-market fit in machine spend rather than consumer remittance; (iii) that the card networks would refuse to be disintermediated and would instead become the identity layer; and (iv) that MCP would be the de-facto tool interface for every serious agent framework (see 01-introduction-and-taxonomy.md, 07-wallets-platforms.md).

What remains genuinely uncertain, in descending order of consequence:

  • Liability apportionment in a four-party agent flow (user, agent developer, merchant, acquirer). No statute, scheme rule, or case law yet governs the split. Linklaters' and the CBA's analyses are the closest we have to a framework, and both admit they are preliminary.[^16][^18]
  • Whether AP2, ACP and UCP will interoperate in practice. The January 2026 Universal Commerce Protocol announcement from Google and Shopify was pitched as a bridge, but as of April 2026 no production merchant is running UCP and AP2 and ACP simultaneously on the same SKU (see 08-merchant-and-retail.md).[^21]
  • Whether hardware-backed keys on consumer devices will scale to agentic consent. Passkeys were designed for a human at a keyboard; every mandate scheme currently papers over this by treating a one-time user signature as sufficient for recurring autonomous spend (see 09-security-and-trust.md).
  • Whether "Know-Your-Agent" becomes a regulated function or a market one. Skyfire, Nekuda and Catena Labs all assume the latter; the FCA's discussion paper hints at the former (see 10-regulation-and-compliance.md).[^22]
  • Unit economics of micropayments. x402 makes sub-cent settlement cheap on Base, but the off-ramp cost to fiat for a small merchant remains 1–3%, which dominates the economics of pay-per-crawl and per-API-call use-cases Cloudflare is promoting (see 05-protocol-deep-dive-x402-and-crypto.md, 11-pain-points-and-open-problems.md).[^7]

13.3 Recommendations by audience

Merchants. Adopt ACP first for ChatGPT and Copilot traffic because it preserves MoR and existing dispute rights; layer AP2-compatible mandate verification next so you are not locked out when Google and Shopify route UCP traffic; reserve x402 for non-consumer API monetisation where latency and margin actually justify stablecoin rails. Do not rebuild your fraud stack — extend it: treat user_agent = agent as a first-class risk-model feature (see 08-merchant-and-retail.md).

Issuers. Ship Agentic Tokens (Mastercard) or Visa-Trusted-Agent-signed credentials before competitors, because token provisioning is where you retain the customer relationship once the agent owns the purchase journey. Invest in cardholder-facing mandate dashboards: the issuer who lets a consumer revoke an agent's authority from the banking app wins retention. Price disputed agent-initiated transactions conservatively until scheme rules settle (see 06-card-networks.md, 07-wallets-platforms.md).

Regulators. Resist the temptation to create a new agent-specific licence. Instead: (i) clarify that delegated-authority rules under PSD2/PSD3 and Regulation E already extend to software agents acting on a consumer's behalf; (ii) mandate machine-readable disclosure of agent identity at checkout — Web Bot Auth gives you the hook; (iii) publish a default liability-shift presumption favouring the consumer for disputed agentic transactions under a threshold (the CBA proposal is a workable starting point). Coordinate across CFPB, FCA/PSR, ECB and MAS before divergence hardens (see 10-regulation-and-compliance.md).[^16]

Agent developers. Adopt the architectural defences Willison, Google Security, and the MDPI review all converge on — action-gating, dual-LLM, least-privilege mandates, and provenance-tracked tool outputs — before you scale payment-capable agents. Sign every outbound request with Web Bot Auth; publish your agent's DID and mandate schema. Assume your model can and will be injected; design so the blast radius is bounded by mandate scope, not by model alignment (see 09-security-and-trust.md).[^13][^14][^15]
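An added example (not code from this report or from any protocol it cites) of the action-gating and least-privilege-mandate recommendation: a deterministic gate sits between the model and the payment rail, so an injected model can propose anything but only in-scope payments execute. The mandate fields, the HMAC stand-in for the user's signature, and the merchant names are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key. Assumption: a real stack verifies an asymmetric
# signature from the user's credential, not a shared secret like this.
DEMO_KEY = b"constructed-demo-key"


def sign_mandate(mandate):
    """Stand-in for the user's one-time signature over the mandate."""
    body = json.dumps(mandate, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(DEMO_KEY, body, hashlib.sha256).hexdigest()


class ActionGate:
    """Decides from the signed mandate and a spend ledger, never model text."""

    def __init__(self, mandate, signature):
        if not hmac.compare_digest(sign_mandate(mandate), signature):
            raise ValueError("mandate signature invalid")
        self.mandate = mandate
        self.spent_cents = 0

    def authorize(self, merchant, amount_cents, now):
        m = self.mandate
        if now >= m["expires_at"]:
            return False, "mandate expired"
        if merchant not in m["merchants"]:
            return False, "merchant outside mandate scope"
        if not isinstance(amount_cents, int) or amount_cents <= 0:
            return False, "invalid amount"
        if amount_cents > m["max_per_payment_cents"]:
            return False, "exceeds per-payment cap"
        if self.spent_cents + amount_cents > m["budget_cents"]:
            return False, "exceeds remaining budget"
        self.spent_cents += amount_cents  # record only authorized spend
        return True, "ok"


def demo():
    """Replay constructed model proposals, including out-of-scope ones."""
    mandate = {"merchants": ["grocer.example"], "max_per_payment_cents": 5000,
               "budget_cents": 10000, "expires_at": 1_800_000_000}
    gate = ActionGate(mandate, sign_mandate(mandate))
    proposals = [("grocer.example", 4000), ("unlisted.example", 4000),
                 ("grocer.example", 9000), ("grocer.example", 5000),
                 ("grocer.example", 5000)]
    return [gate.authorize(m, a, now=1_700_000_000) for m, a in proposals]
```

Whatever the model was told, the worst case here is the remaining budget at an allowlisted merchant, which is the bounded blast radius the recommendation asks for.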

Consumers. Treat agent permissions like you treat OAuth scopes on a new SaaS app: grant narrowly, review monthly, revoke aggressively. Prefer agents whose payment flow keeps the merchant as MoR so you retain chargeback rights. Do not treat passkey biometrics as consent for unbounded recurring agentic spend; demand per-cart or per-budget mandates. If your issuer offers a per-agent virtual card (Stripe Issuing, Crossmint, Revolut disposables), use it (see 07-wallets-platforms.md, 11-pain-points-and-open-problems.md).

13.4 The honest state of agentic payments, April 2026

The most accurate thing one can say today is that agentic payments work, at low volume, inside carefully circumscribed corridors, and that every party in those corridors is aware the corridors are narrower than the marketing implies. The protocols are real; the volume is not yet. The cryptography is sound; the liability law is not. Prompt injection is contained, not defeated. The machine economy is beginning, but it is beginning inside the card networks, not outside them — a quieter outcome than either the crypto-maximalists or the incumbents predicted a year ago. Anyone telling you the agent-payments stack is either "essentially solved" or "a hype cycle headed for collapse" is wrong in a way that this report has, we hope, made specifically refutable. The honest posture is the one the protocols themselves take in their own specifications: ship cautiously, constrain scope, keep humans in the dispute loop, and revisit in twelve months.


Sources

[^1]: Google, "Announcing the Agent Payments Protocol (AP2)", 16 Sep 2025. https://cloud.google.com/blog/products/ai-machine-learning/announcing-agents-to-payments-ap2-protocol; spec: https://github.com/google-agentic-commerce/AP2/blob/main/docs/specification.md.
[^2]: Stripe, "Agentic Commerce Protocol", 29 Sep 2025. https://docs.stripe.com/agentic-commerce/protocol; spec repo: https://github.com/agentic-commerce-protocol/agentic-commerce-protocol.
[^3]: Coinbase, "x402 documentation". https://docs.x402.org/; repo: https://github.com/coinbase/x402.
[^4]: Visa, "Visa Introduces Trusted Agent Protocol", 14 Oct 2025. https://investor.visa.com/news/news-details/2025/Visa-Introduces-Trusted-Agent-Protocol-An-Ecosystem-Led-Framework-for-AI-Commerce/default.aspx; repo: https://github.com/visa/trusted-agent-protocol.
[^5]: Payment Expert, "Mastercard, Microsoft bring AI Agent Pay", 30 Apr 2025. https://paymentexpert.com/2025/04/30/mastercard-microsoft-ai-agent-pay/; PayPal expansion: https://newsroom.paypal-corp.com/2025-10-27-Mastercard-and-PayPal-Join-Forces-To-Accelerate-Secure-Global-Agentic-Commerce.
[^6]: IETF, "Web Bot Auth Architecture" draft. https://datatracker.ietf.org/doc/draft-meunier-web-bot-auth-architecture/; RFC 9421 HTTP Message Signatures: https://datatracker.ietf.org/doc/rfc9421/.
[^7]: Cloudflare, "Cloudflare collaborates with leading payments companies", 21 Oct 2025. https://www.cloudflare.com/press/press-releases/2025/cloudflare-collaborates-with-leading-payments-companies-to-secure-and-enable-agentic-commerce/; x402 partnership: https://blog.cloudflare.com/x402/.
[^8]: Walmart, "Walmart partners with OpenAI", 14 Oct 2025. https://corporate.walmart.com/news/2025/10/14/walmart-partners-with-openai-to-create-ai-first-shopping-experiences; CNBC: https://www.cnbc.com/2025/10/14/walmart-openai-chatgpt-shopping.html.
[^9]: TechCrunch, "Skyfire lets AI agents spend your money", 21 Aug 2024. https://techcrunch.com/2024/08/21/skyfire-lets-ai-agents-spend-your-money/.
[^10]: BusinessWire, "Circle Co-Founder Sean Neville Takes Catena Labs Out of Stealth", 20 May 2025. https://www.businesswire.com/news/home/20250520361792/en/.
[^11]: W3C, "Verifiable Credentials Data Model v2.0". https://www.w3.org/TR/vc-data-model-2.0/; DIDs v1.0: https://www.w3.org/TR/did-core/.
[^12]: Crowdfund Insider, "Nekuda secures funding", May 2025. https://www.crowdfundinsider.com/2025/05/239660-fintech-startup-nekuda-secures-funding-led-by-madrona-ventures-to-enable-agentic-payments/.
[^13]: Google Security Blog, "How we estimate the risk from prompt injection attacks", Jan 2025. https://security.googleblog.com/2025/01/how-we-estimate-risk-from-prompt.html.
[^14]: Simon Willison, "Design Patterns for Securing LLM Agents against Prompt Injections", 13 Jun 2025. https://simonwillison.net/2025/Jun/13/prompt-injection-design-patterns/.
[^15]: "Prompt Injection Attacks in Large Language Models and AI Agent Systems: A Comprehensive Review", MDPI Information 17(1):54 (2026). https://www.mdpi.com/2078-2489/17/1/54.
[^16]: Consumer Bankers Association, "CBA White Paper: Agentic AI, Consumer Payments, and the Future of Regulation", 2025. https://consumerbankers.com/press-release/cba-releases-white-paper-examining-agentic-ai-consumer-payments-and-the-future-of-regulation/.
[^17]: Justt.ai, "Agentic Commerce: Preparing for Chargeback and Fraud Risks". https://justt.ai/blog/agentic-commerce-chargeback-risk-preparation/.
[^18]: Linklaters TechInsights, "Agentic payments: what are they, what are the legal risks and what's next". https://techinsights.linklaters.com/post/102l0hm/agentic-payments-what-are-they-what-are-the-legal-risks-and-whats-next.
[^19]: McKinsey, "Europe's agentic commerce moment" (2025). https://www.mckinsey.com/capabilities/quantumblack/our-insights/europes-agentic-commerce-moment-decision-influence-is-here-execution-is-coming.
[^20]: Kearney, "Agentic payments: a new frontier in digital commerce". https://www.kearney.com/industry/financial-services/article/agentic-payments-a-new-frontier-in-digital-commerce; Payments Association, "AI-powered payment agents". https://thepaymentsassociation.org/article/ai-powered-payment-agents-the-next-payments-revolution/.
[^21]: Google Developers Blog, "Under the hood: Universal Commerce Protocol". https://developers.googleblog.com/under-the-hood-universal-commerce-protocol-ucp/.
[^22]: Crossmint, "Agentic Payments". https://www.crossmint.com/solutions/agentic-payments; Circle Ventures & Crossmint: https://cryptobriefing.com/circle-ventures-investment-crossmint-stablecoin/.