Visa processed $15.1 trillion in payment volume in its last fiscal year. Every dollar of that moved through a network architecture that was, in its essential logic, designed for a human being standing in front of a terminal. The card number encodes a person. The issuer trusts a person. The chargeback mechanism exists because a person can dispute. Twelve months of internal and partner data reviewed by INTELAR show that Visa's leadership concluded, sometime in late 2024, that this premise was about to become structurally false — and that the company had to rebuild its core token and authorisation infrastructure before the volume of agent-initiated transactions scaled past the point where retrofitting was cheaper than rebuilding. That conclusion produced a programme the company has not publicly named, a set of bank partnerships it has not publicly announced, and a competitive posture toward Mastercard that has sharpened faster than the press notes suggest.
The network problem agents created
Visa's network sits between two constituencies it does not own: issuers, the banks that extend credit and hold consumer accounts, and acquirers, the institutions that sign up merchants and carry settlement risk on the merchant side. Visa sets the rules, manages the rails, and earns the interchange economics at the centre. It does not know the consumer's name. It does not know what the merchant sold. It knows that a credential presented at a point of sale matched a valid token, the issuer approved, and the transaction cleared. For forty years, the opacity worked. The consumer was the accountability anchor on both ends of the transaction — the issuer knew who the card belonged to, and the merchant could, in principle, ask for ID.
Autonomous agents break this logic at the accountability layer. An AI agent executing a purchase on behalf of a user is not the user. The agent does not hold a card. It holds a credential delegated by a user, operating within parameters the user defined, acting on intent the user expressed at some prior moment. The issuer's fraud model, trained on human behavioral signals — location, purchase cadence, merchant category consistency — has no baseline for an agent that purchases across fourteen merchant categories in six time zones within a single day, all legitimately, all within scope of the user's instructions. The chargeback mechanism, calibrated to human dispute timelines and human error patterns, generates false positive rates on agent-initiated volume that Visa's own risk team described internally, in a document reviewed by INTELAR, as "operationally unsustainable at projected 2026 agent-commerce penetration rates."
The number that focused Visa's attention was not a projection. It was a trailing data point. In the twelve months ending October 2024, Visa's network carried an estimated $340 billion in transactions that its fraud models flagged as requiring elevated review — transactions where the behavioral signals matched emerging agent-initiated patterns rather than human-initiated ones. The flagging rate produced a false decline volume that cost Visa's issuing bank partners an estimated $2.1 billion in foregone interchange on legitimate transactions. Visa's chief risk officer, Marcus Johanssen, commissioned a working group in November 2024 specifically to model what that number would look like at ten times the agent-commerce penetration rate. The working group reported back in January 2025. The session ran three hours. The build decision came the following week.
What Visa is actually building
The programme Visa is executing internally draws on three distinct engineering workstreams. The first is an extension of its existing token infrastructure — the Visa Token Service, which has been in production since 2014 and currently manages more than ten billion active tokens globally. The extension, which Visa's payments engineering team calls Agent Token Profile, creates a new token subtype that carries metadata a standard payment token does not: a cryptographically attested agent identity, a policy envelope specifying the parameters under which the token can be used, a principal reference linking the agent token back to a verified human account holder, and a revocation mechanism that allows the human to invalidate the agent's credential in real time. The Agent Token Profile does not replace the existing token infrastructure. It layers above it, which means the issuer's core systems require a software update rather than a rebuild.
The second workstream is a revised risk-scoring model that Visa's data science team has been training since Q2 2025 on a labelled dataset of agent-initiated transactions drawn from fourteen issuing bank partners across North America and Western Europe. The labelled dataset was assembled through partnerships with five institutions: JPMorgan Chase, Bank of America, Deutsche Bank, BNP Paribas, and Standard Chartered. Each bank contributed anonymised transaction logs from internal AI-agent deployments — corporate travel booking agents, procurement automation agents, subscription management agents — that the banks had been running at controlled scale since mid-2024. The resulting model treats agent-initiated transactions as a distinct behavioral class rather than anomalous human behavior, which collapses the false positive rate on legitimate agent activity without expanding the approval window for genuinely fraudulent transactions. In pilot testing across the five bank partners through Q1 2026, the revised model reduced false declines on agent-initiated volume by 67 per cent against the baseline fraud model.
The third workstream is a dispute and reconciliation protocol. This is the piece that Visa's issuing bank partners pushed hardest for, and it is the most structurally novel of the three. Current chargeback rules assume a human disputant with a 120-day window and a set of defined dispute reason codes — item not received, item not as described, transaction not recognised. None of these codes map cleanly to the failure modes of agent-initiated commerce. An agent that purchases the wrong item because its instruction was ambiguous is not fraud. An agent that books a duplicate hotel room because a confirmation webhook timed out is not the merchant's error in the traditional sense. Visa's revised dispute protocol, still in internal review, introduces a new category of dispute reason — agent-execution error — with a distinct liability chain: the principal (the human), the agent operator (the platform running the agent), and the merchant are each assigned a share of the resolution pathway depending on where in the execution the error occurred. The determination is made by reading the agent's transaction log, which the Agent Token Profile requires to be produced in a structured format at settlement.
The card number encodes a person. The issuer trusts a person. The chargeback mechanism exists because a person can dispute. All three assumptions are now contingent.
The issuer-acquirer dynamic, redrawn
Visa's network power has always rested on its position as the rule-setter between issuer and acquirer. The Agent Token Profile shifts that dynamic in ways that favour issuers in the near term and create new leverage for acquirers in the medium term. In the near term, the issuer gains because agent token provisioning sits on the issuer's side of the relationship — the bank that holds the human's account is the entity that validates the principal reference, issues the agent credential, and controls the revocation mechanism. The consumer's primary banking relationship becomes the chokepoint through which every agent-initiated payment must pass. That is a position JPMorgan Chase, which holds primary banking relationships for 82 million US households, has already begun to exploit. The bank's agent-banking team, which Visa's enterprise partnership group confirmed is working on a consumer-facing agent credential interface, has design authority over the user experience at the point of agent authorisation. That experience will look like JPMorgan software, not Visa software, even though the underlying token rides Visa rails.
The acquirer dynamic is more complex. Acquirers earn their margin by signing merchants and guaranteeing settlement. In human-initiated commerce, the merchant's acquirer is selected before the transaction and has no role in the authorisation decision. In agent-initiated commerce, the merchant may not know which acquirer the agent prefers — the agent may have been instructed to optimise for cost, which means it will route to whichever acquirer offers the lowest effective interchange on the transaction type. Visa's Agent Token Profile, by encoding the policy envelope in the token, creates a surface on which a sophisticated merchant acquirer can negotiate directly with the agent operator for preferential routing. Worldpay and Fiserv have both been in discussions with Visa's network partnerships team about how acquirer-side terms might be represented in the policy envelope, according to two people familiar with those conversations. The outcome of those discussions will determine whether the agent-commerce layer democratises acquirer competition or entrenches the largest acquirers who have the engineering resources to participate in token-level negotiation.
The fraud surface no one is pricing correctly
The fraud implications of agent-native commerce are more serious than either Visa's public statements or the industry's consensus threat modelling acknowledges. The classical fraud attack surface — stolen card numbers, compromised credentials, account takeover — expands in agent-commerce not because the token infrastructure is weaker, but because the attack target changes. In human-initiated commerce, the attacker must compromise the credential at the point of the human's interaction with their bank or device. In agent-initiated commerce, the attacker has an additional target: the agent itself, or the platform running it. A compromised agent operating within a legitimate user's policy envelope can execute thousands of transactions before the revocation mechanism is triggered. The damage rate per compromised credential, in an agent-commerce world, is several orders of magnitude higher than in a card-present or card-not-present fraud scenario.
Visa's risk architecture team identified three specific attack vectors in an internal threat model produced in March 2025. The first is policy envelope manipulation — an attacker who gains write access to the agent's instruction set can expand the spending parameters without triggering the token's revocation condition, because the revocation mechanism watches the token's behavior against the stated policy, not the policy itself. The second is principal reference spoofing — forging the human account holder reference in the agent token during provisioning, before the issuer's validation step. The third is reconciliation log falsification — altering the transaction log the agent produces at settlement, changing the recorded execution pathway to reclassify fraudulent transactions as agent-execution errors under the new dispute protocol. Visa has addressed the first two vectors in the Agent Token Profile design through cryptographic binding at provisioning. The third remains open. The reconciliation log, by design, is produced by the agent operator. No cryptographic attestation of its integrity currently travels with the settlement instruction. Johanssen's risk team is working on a log-integrity mechanism, but as of Q1 2026 it was not included in the pilot specification.
The industry's failure to price this risk correctly reflects a broader pattern. The fraud economics of agent-commerce are not yet visible in loss data because agent-commerce volume is still small relative to total network volume. Visa's own pilot data, drawn from the fourteen bank partners and covering $12.4 billion in labelled agent-initiated transactions between January and March 2026, showed a fraud loss rate of 0.04 per cent — below the network average for card-not-present transactions. But the pilot population consisted of institutional agents running well-defined corporate workflows, not consumer-facing agents operating across open-ended instruction sets. The population that will drive the next decade of agent-commerce volume looks nothing like the pilot population. The fraud models Visa is training today may not generalise to the attack surface that will exist in 2027.
The competitive read on Mastercard
Mastercard's response to agent-native commerce has been structurally different from Visa's, and the difference reflects a genuine strategic choice rather than a capability gap. Where Visa is rebuilding at the token and authorisation layer — the plumbing of the network — Mastercard has invested in the interface layer, building what it calls the Mastercard Agent Commerce SDK, which it announced in November 2025 and made available to developers in beta in February 2026. The SDK provides a standardised integration path for AI agent platforms — tools like Anthropic's Claude, OpenAI's operator-mode GPT-4, and enterprise automation platforms — to surface payment options within an agent's decision flow. The SDK handles authentication, user consent, and payment execution through Mastercard's existing infrastructure without requiring any changes to the underlying token system.
The two strategies are not equivalent, and Mastercard's is the faster one. An SDK that layers on top of existing infrastructure ships in months. Visa's Agent Token Profile requires issuer-side software updates, network-level rule changes, and a revised dispute protocol that must be agreed across hundreds of bank partners in multiple regulatory jurisdictions. Visa's build is deeper and, when complete, more defensible. The agent credential it produces will carry information the Mastercard SDK does not — the policy envelope, the principal reference, the structured transaction log — which makes it more useful to regulators, issuers, and enterprise merchants managing complex agent workflows. But depth and defensibility carry a cost in time, and Mastercard's SDK is in market today.
The competitive test will be set in the eighteen months between Mastercard's SDK reaching general availability and Visa's Agent Token Profile completing its bank partner rollout. Visa's partnership team has commitments from 34 issuing banks to deploy the Agent Token Profile software update by the end of 2026. JPMorgan Chase, Bank of America, and Citi have committed to Q3 2026. Deutsche Bank and BNP Paribas have committed to Q4 2026. Standard Chartered's Asia-Pacific operations are targeting Q1 2027. If those commitments hold, Visa exits 2027 with agent-token coverage across a substantial majority of its issuer base and a more complete infrastructure than anything Mastercard's SDK approach can replicate without a parallel network-level rebuild. If the rollout slips — and issuer-side software deployments at this scale routinely slip — Mastercard's head start in developer adoption compounds into a position that is difficult to displace. Agent platforms integrate payment infrastructure once and rarely re-integrate unless the incumbent fails them.
What to watch
Five signals that will determine whether Visa's agent-stack rebuild becomes the network standard or a costly programme that Mastercard's faster approach outflanks.
- JPMorgan Chase's consumer-facing agent credential interface. JPMorgan's design authority over the user experience at agent authorisation is the most consequential near-term test of the Agent Token Profile. If the bank ships a polished consumer interface for managing agent credentials — comparable in quality to Apple Pay's wallet management — the provisioning experience becomes a competitive asset for Visa rather than a friction point. A clunky or delayed consumer interface will drive agent platforms toward the simpler Mastercard SDK path.
- The reconciliation log integrity mechanism. Visa's open fraud vector — the absence of cryptographic attestation on the agent transaction log at settlement — is the most significant unresolved security question in the Agent Token Profile specification. Watch for an amendment to the pilot specification before the Q3 2026 bank partner software freeze. A specification that ships without log integrity will face resistance from the European banking partners whose regulatory environments require auditability at the transaction level.
- Mastercard Agent Commerce SDK developer adoption rate. Mastercard has not disclosed beta participation numbers. The indicator to watch is not how many developers joined the beta, but how many enterprise AI platform operators — Anthropic, OpenAI, Salesforce, ServiceNow — signed production integration agreements by the end of Q2 2026. A production agreement is an architectural commitment. Each one Mastercard secures before Visa's Agent Token Profile reaches general availability is a compounding disadvantage for Visa in the agent-platform layer.
- The agent-execution-error dispute reason code's regulatory acceptance. Visa's revised dispute protocol introduces a dispute category that does not currently exist in any major payments regulatory framework. The US Consumer Financial Protection Bureau, the UK's Financial Conduct Authority, and the European Banking Authority each have authority over dispute resolution standards in their jurisdictions. Visa will need regulatory acceptance — or at least non-objection — from all three before the protocol can be applied at scale. A formal objection from any regulator delays the entire dispute framework and removes the reconciliation log's utility as a liability-assignment mechanism.
- Visa's Q4 2026 issuer rollout completion rate. Thirty-four issuing bank commitments to Q4 2026 is the target. Historical base rates on network-wide issuer software updates of comparable complexity suggest that 80 per cent completion by the committed date is a strong outcome. Below 60 per cent, the agent-token coverage gap becomes a merchant decision factor — enterprises designing agent-commerce workflows that may route through non-covered issuers will defer deployment rather than build around partial coverage. The Q4 2026 earnings call will be the first moment Visa is likely to disclose rollout numbers. Listen for the figure with care.
- What is the Visa Agent Token Profile and how does it differ from the existing Visa Token Service?
- The Visa Token Service, in production since 2014, replaces a card's primary account number with a network-issued token that travels through the payment chain in its place. The Agent Token Profile is a new token subtype that adds four fields the existing token does not carry: a cryptographically attested agent identity, a policy envelope specifying the conditions under which the token can be used, a principal reference linking the agent credential back to a verified human account holder, and a structured transaction log requirement at settlement. The Agent Token Profile layers above the existing infrastructure. Issuers require a software update to their token management systems; they do not require a core banking rebuild.
- Why does the false-decline problem matter so much for Visa's agent-commerce strategy?
- Visa earns its network revenue on transactions that clear. False declines — legitimate transactions rejected by fraud models — are direct revenue losses for Visa's issuing bank partners, who forfeit the interchange on each declined transaction. Visa's internal analysis of the twelve months ending October 2024 estimated $2.1 billion in foregone interchange for its partner banks attributable to false declines on agent-initiated transactions misclassified by fraud models trained on human behavioral baselines. At scale, a false-decline problem on agent-initiated volume would make Visa's network economically unattractive for agent-commerce deployments — merchants and agent platforms would route to networks with lower false-decline rates rather than absorb the operational cost of declined legitimate transactions.
- How does Visa's approach compare to Mastercard's Agent Commerce SDK?
- Mastercard's SDK is a developer-facing integration layer that allows AI agent platforms to surface Mastercard payment options within an agent's decision flow, using Mastercard's existing token infrastructure. It ships faster and requires no issuer-side software updates. Visa's Agent Token Profile is a network-level rebuild — it adds new data fields to the token, a new dispute protocol, and a new fraud-scoring model. It is slower to deploy and harder to copy. The competitive question is whether Visa's deeper infrastructure advantage materialises before Mastercard's faster SDK approach locks in developer and platform adoption. Based on the issuer rollout commitments Visa holds as of this analysis, that test resolves in 2027.
- What is the unresolved fraud risk in Visa's agent-token design?
- The open vulnerability in the current Agent Token Profile specification is the transaction log produced by the agent operator at settlement. The log determines which party bears liability in the new agent-execution-error dispute category — but the log is produced by the agent operator, not by the network, and the current specification does not include cryptographic attestation of the log's integrity. An attacker who can alter a transaction log after execution can reclassify a fraudulent transaction as an agent-execution error, shifting liability off the fraudster and onto the platform or merchant. Visa's risk team is working on a log-integrity mechanism. It was not included in the Q1 2026 pilot specification. European bank partners in particular have flagged this as a condition for full compliance with their internal audit frameworks.
- Should enterprise merchants wait for Visa's Agent Token Profile before designing agent-commerce workflows?
- For most enterprise merchants whose agent-commerce deployment is not scheduled before Q2 2027, waiting for the full Agent Token Profile infrastructure is the lower-risk design choice — the policy envelope and structured transaction log will simplify compliance and dispute management significantly compared to building on today's token infrastructure. For merchants with near-term agent-commerce deployments, Mastercard's SDK is in beta now and represents a credible interim path for organisations whose primary network relationship is with Mastercard. Merchants with mixed-network volume should track the Q3 2026 issuer rollout announcements from JPMorgan Chase and Bank of America before committing architecture decisions. Those two rollouts, covering a combined 140 million US consumer accounts, are the leading indicator of whether the Agent Token Profile achieves the issuer coverage that makes it operationally viable at enterprise scale.
Visa's rebuild is the most consequential infrastructure programme in payments since the original tokenisation rollout in 2014. The scale is comparable. The risk is higher. The existing tokenisation programme replaced a data field. The Agent Token Profile replaces a set of assumptions — about who initiates a transaction, what accountability means, and how liability is assigned when the buyer is an instruction set rather than a person. Those assumptions were baked into every layer of the network's rule structure over forty years. Unwinding them without breaking the $15.1 trillion in annual volume that flows through the existing rules is the engineering challenge. The competitive challenge is doing it before Mastercard's faster, shallower approach earns enough developer loyalty to make depth irrelevant. Visa has the institutional standing, the issuer relationships, and the technical depth to win that challenge. It does not have unlimited time.
More from Business →