How agentic payments are rewriting the rules for high-risk merchants - and why the industry's fraud, chargeback, and compliance stacks aren't even close to ready.
Picture this: a repeat customer’s AI shopping assistant – the kind that auto-replenishes supplements, books travel, and handles recurring SaaS subscriptions – decides at 2 a.m. to renew an annual plan for a premium health coaching service. The charge hits the card. The customer wakes up, doesn’t remember authorizing it, and files a dispute. The merchant wins the eventual chargeback fight, but only after 11 weeks, three rounds of evidence submission, and $430 in ops costs on a $299 transaction.
Â
Now multiply that scenario by the 25% of all e-commerce transactions that PayPal’s CEO predicted will be agent-driven by 2030. Then restrict it to the high-risk merchant categories – nutraceuticals, adult content, crypto, travel, online gaming – where chargeback ratios already hover near the scheme thresholds that get accounts terminated.
Â
What an AI agent actually does at checkout
Strip away the hype and an AI payment agent is software that can carry out a multi-step financial task – compare prices, select a product, authenticate, and settle – without a human clicking anything. OpenAI’s technical documentation describes agents as software that “can decide, act, and finish multi-step tasks without asking for every instruction.” Three components make that possible: a reasoning model, a set of callable tools (APIs), and a rulebook that defines scope and caps risk.
Â
The practical shift from chatbot to agent is significant. A chatbot tells you that a flight from Barcelona to London costs £87. An agent books it, charges the card, emails the confirmation, and adds it to the calendar – all within one conversation turn. For payment rails, the implication is structural: the checkout form disappears. There is no browser, no 3DS challenge window, no billing address field. There is just an API call, a tokenized credential, and a settlement event.
Â
Cheap multimodal models and structured tool-calling APIs converged fast. The barrier to writing a “buy this subscription” workflow dropped from weeks of brittle integration work to a few lines in a framework like LangChain or OpenAI’s Agents SDK. That compression of effort is why Visa, Mastercard, and PayPal all moved within weeks of each other in early 2025 – they saw what was coming.
The three rails, and what they’re actually betting on
Visa, Mastercard, and PayPal launched competing agentic payment frameworks within weeks of each other – and their design philosophies diverge sharply.
Â
Visa Intelligent Commerce wraps tokenization, authentication, and risk scoring into a single endpoint. The agent never touches raw card data. It receives a network token with embedded spending limits and executes on VisaNet. Visa partnered with OpenAI, Microsoft, and Nvidia to build distribution. The strategy is simple: own the credential vault, and every future shopping agent becomes a Visa cardholder by default.
Â
Mastercard’s Agent Pay sits on the Multi-Token Network and supports “pay on behalf” authorizations that can settle via card, bank-linked token, or regulated deposit token. Mastercard targeted Salesforce, Shopify, and Adobe Commerce as launch partners – a deliberate push into embedded retail flows rather than consumer wallets.Â
Â
PayPal’s Agent Toolkit skipped the scheme negotiation entirely. It ships a Python and TypeScript library that plugs directly into popular agent frameworks. Order, invoice, dispute, and payout APIs all wrap in minutes. PayPal concedes interchange to the card networks but targets the long tail of developers who need a working ledger today, not in Q3 after the risk review clears.
Â
And then there’s the protocol layer below all three: In September and October 2025, three rival standards launched almost simultaneously — Coinbase’s X402 (adopted by Anthropic for Claude), OpenAI and Stripe’s Agentic Commerce Protocol (ACP), and Visa’s Trusted Agent Protocol (TAP). It is, as The Payments Association noted, the VHS vs. Betamax dynamic playing out again – but this time the loser doesn’t just lose market share, it becomes unreadable to a fleet of autonomous agents routing billions in transactions.
Â
For merchants, particularly those in high-risk categories, protocol fragmentation is not an abstract standards debate. Merchants who support one protocol and not another will become invisible to agents running on the excluded stack. Supporting multiple simultaneously requires engineering bandwidth most high-risk operators don’t have.
The fraud math that high-risk merchants need to see right now
High-risk merchants already operate in punishing economics. According to LexisNexis data, every $1 lost to fraud costs merchants $4.61 in 2025 when the full chain – fees, chargeback penalties, operational handling, lost goods – runs through. Merchants win roughly 45% of represented chargebacks. The net recovery rate after all costs: 18%. Eighty-two cents of every dollar fought in chargebacks disappears.
Â
Agentic commerce lands on top of this fragile baseline and introduces new failure modes. Consider the chargeback scenario categories that panels of payments executives have already identified as most likely to surge:
Â
Unauthorized-by-confusion. An agent places an order based on a customer’s stated preferences. The customer receives the product, doesn’t recognize the charge on the statement, and files a dispute. The transaction was technically authorized through the agent’s credentials – but the cardholder denies it. This is a new flavor of friendly fraud, and it’s harder to fight than traditional first-party misuse because the authorization chain passes through a third-party AI system.
Â
Agent-to-agent telephone. Jamie George, VP of Partnerships at Ravelin, described this at the ChargebackX 2025 conference as “the most obvious case for Chinese whispers.” A user instructs an orchestration agent to book a hotel for “the same weekend as last time.” That agent calls a sub-agent, which calls a third-party travel API, which charges the card. The hotel is wrong. The merchant has impeccable records – but the authorization trail runs through two AI interpreters the merchant never consented to interact with.
Â
Scaled synthetic identity fraud. This one is external. AI tools available to bad actors already generate synthetic identities, deepfake verification videos, and automated card-testing bots at scale. Agentic commerce gives those same tools a checkout pipeline that operates at machine speed, with no browser fingerprint, no behavioral biometrics, and no typing-speed anomaly to catch.
Â
The traditional fraud detection stack relies heavily on human behavioral signals – mouse movement patterns, keystroke velocity, navigation path, device orientation changes. When the “human” is a Python script running in a cloud function, every one of those signals disappears. Riskified CMO Jeff Otto summarized it bluntly: “All the same problems we have with abuse can still happen. It could just be slightly worse because the agent did most of the work.”
Â
Who actually eats the loss when an agent makes a mistake
This is the open question that nobody in the payments industry has cleanly answered yet. Card scheme rules assume a human is in the authorization chain. When the human is a layer removed, or entirely absent, existing liability frameworks produce gaps.
Â
At ChargebackX 2025 conference, many people mentioned that the card schemes won’t absorb liability for agent transactions they didn’t authorize. The customer will disclaim the purchase because their agent “got it wrong.” The issuer sides with the cardholder by default. The AI model hasn’t collected revenue on the transaction.Â
Â
The parallel the industry keeps reaching for is autonomous vehicles. If a self-driving car hits a pedestrian, liability runs between the manufacturer, the software developer, and the operator – and it took a decade of litigation and regulatory negotiation to even partially settle those questions. The payments industry faces an equivalent complexity, compressed into a shorter timeline because capital flows faster than cars.
Â
Practically, this means high-risk merchants absorb the loss until regulation catches up. The question is what infrastructure they can build to minimize it before volumes scale.
Google’s AP2, India’s UPI-ChatGPT integration, and why geography matters
While Visa and Mastercard have framed their agentic products as global, the real infrastructure race is happening in the details of specific markets.
Â
Google’s Agent Payments Protocol (AP2) provides a structured language for secure, authorized transactions between agents and merchants. Unlike Visa and Mastercard’s network-anchored approaches, AP2 operates at the protocol layer – it defines how agents communicate payment intent, not which rail settles it. For merchants, this means AP2 integration could theoretically route across any underlying network, but it also means another protocol standard to support in a landscape already fragmented by ACP, X402, and TAP.
Â
India’s UPI-ChatGPT integration is the most concrete high-scale deployment currently live. India’s Unified Payments Interface, already processing over 18 billion transactions per month, has been connected to ChatGPT as an agentic payment layer. An agent can now navigate, select, and settle for services autonomously through government-backed infrastructure. The significance for global high-risk merchants: this demonstrates that agentic payments don’t require a card network. Real-time account-to-account rails, as The Payments Association has noted, may ultimately capture more of the agent transaction volume than cards – because agents don’t experience the UX friction that has historically made A2A awkward for humans.
Â
For high-risk merchants, the geographic dimension adds a compliance layer. An agent running on a European consumer’s device may route through SEPA Instant. One running in the US might use ACH Instant or Visa Intelligent Commerce. One in India could settle via UPI. Each of those rails carries different dispute resolution rights, different fraud liability rules, and different maximum transaction limits. The merchant’s payment stack needs to handle all of them without human intervention in the flow.
What the next 36 months actually look like
Dwayne Gefferie’s breakdown of the three adoption waves is the clearest framework available. Adapted for high-risk merchants specifically:
Â
Now through 2026 – embedded assistance phase. Conversational copilots in travel, retail, and SaaS begin triggering payments through scheme APIs. For high-risk merchants, the key risk is that agent transactions start appearing in your payment stream without you having configured anything to receive them. Agents don’t ask for merchant consent. They find a checkout API and use it. Volume is small but the edge cases hit hardest in high-risk categories where dispute rates are already elevated.
Â
2026–2028 – invisible purchasing phase. Agents embedded in consumer banking apps begin negotiating subscriptions, rolling renewals, and price-shopping without notifications. By this stage, friendly fraud chargebacks from agent-initiated transactions will be statistically visible in high-risk merchant data. Merchants without agent-specific chargeback defenses will see ratios drift toward scheme thresholds. Merchants with KYAI frameworks and audit trails will be winning disputes at the evidence-submission stage.
Â
Beyond 2028 – agent-to-agent marketplace phase. Enterprise merchant fleets run specialized agents that settle with supplier agents across multi-rail layers. For high-risk merchants, this is when regulatory clarity will either arrive and stabilize operations, or remain absent and produce a wave of forced payment processing terminations for operators who couldn’t build adequate risk controls at scale.
Â
What the industry is actually arguing about right now
The LinkedIn and Reddit conversations around agentic payments reveal a few live debates that haven’t reached consensus.
Â
“Who regulates an AI that transacts?” The EU’s AI Act creates obligations for AI system operators, but it does not specify how existing PSD2 payment liability rules interact with autonomous agents. US regulatory guidance on agent liability for payment transactions does not yet exist. Payments professionals on LinkedIn highlight this as the core blocker for enterprise adoption – legal teams will not green-light agent-initiated payments at scale without a liability framework that survives an audit.
Â
“Does this kill the card?” The Payments Association’s analysis argues that agentic commerce could be the catalyst A2A payments have been waiting for. Humans find long IBANs and multi-step bank authentication clunky. Agents don’t care. If agents begin routing high-volume consumer transactions over UPI, PIX, SEPA Instant, or ACH Instant rather than card rails, interchange revenue structures shift materially. For high-risk merchants, A2A routing via agents could reduce processing fees – but it eliminates chargeback protections entirely, since A2A disputes lack the card scheme enforcement mechanism.
Â
“Is Mastercard Agent Pay actually ready?” The LinkedIn posts from Sharat Chandra and others in the payments community point to a gap between announcement and live capability. Agent Pay was announced in April 2025 with Shopify and Salesforce as partners, but pilot access has been selective and the documentation for high-risk merchant categories specifically is sparse.Â
Â
Merchants in nutraceuticals, gaming, and adult content have not received clear guidance on whether their categories qualify for agent payment integration at all – a significant operational gap given that these categories stand to benefit most from automated payment recovery on disputes.
Â
The takeaway for high-risk merchants
Agents will find your checkout APIs whether you have optimized for them or not. The question is whether your fraud stack, chargeback defenses, and authorization audit trails can handle transactions initiated by a Python script at 2 a.m. before your chargeback ratio tips into penalty territory.
Â
McKinsey pegs enterprise value from generative agents at up to $4.4 trillion annually. High-risk merchants with properly instrumented payment infrastructure will capture more of their margin from that wave. Those relying on legacy fraud scoring built for human buyers will watch their dispute ratios climb and their processing relationships deteriorate.
Â
The decisions that matter right now are operational, not strategic: audit trail policy, fraud model retraining schedule, KYAI framework design, and threshold rules for agent-initiated authorization. None of these require waiting for Mastercard Agent Pay to go GA or for regulators to clarify liability.
Agentic commerce shortens the distance between a consumer’s intent and a settled transaction to one API call. For high-risk merchants, that same distance now also runs between your current risk posture and your next processing termination notice.
Â
Vendo specializes in high-risk payment processing for CBD, seeds, and other high-risk industries. Our solutions are tailored to meet the unique needs of your business, ensuring seamless transactions and reducing the risk of payment disruptions. Contact our expert team to learn how we can help your business to maximize growth during the festive holidays and beyond.