When Visa published agentic platform requirements in its April 2026 rules and Mastercard announced Agent Pay with registered agent identities and consumer controls, something quiet happened. Agent-mediated actions entered a domain where institutional challenge infrastructure has been refined for decades. Directly inside the payment networks.
A transaction succeeds, the item ships, the confirmation email arrives. The cardholder calls their bank. The file decides.
Visa's compelling evidence rules spell out what a merchant must produce to defend a challenged card-absent transaction: proof the cardholder's identity was verified, proof goods were delivered to an address-verified location, proof the device and payment credential match a prior undisputed purchase. Mastercard's chargeback guide requires signed receipts, authentication records, refund transaction references. This machinery predates agents by decades. Now it applies to them.
Strip away the agentic-commerce framing and the dispute file asks four questions, each of which cascades into something an agent system must actually produce.
Authorization. Can you prove someone with authority said this could happen? Visa's agentic rules require cardholder consent to provision a token, identity verification before storing credentials, and retention of the agreement for the duration of the relationship. The agent runtime needs to generate and preserve a consent artifact that links a specific person to a specific scope of permission, retrievable on demand.
Boundary. Can you prove the action stayed within its scope? Visa requires the agent to use only cardholder-defined criteria, with a disclosed expiration date on payment instructions. That means the agent must capture the original instructions in a form that can be compared against what it actually did. The gap between "buy coffee beans" and "buy a coffee machine" has to be auditable after the fact.
State change. Can you prove what actually happened? Visa requires order confirmations retained for at least 120 days: goods ordered, total price, merchant contact details, transaction currency. A record a human can read and a bank can evaluate, distinct from a log of API calls or model reasoning traces. The agent must produce documentation of the completed state, beyond evidence that it ran.
Remedy. Can you prove there's a path to undo this? Cancellation policies, refund terms, contact information. The dispute file asks what happened and what recourse exists. The agent must capture the merchant's remedy terms at transaction time, because those terms may change or disappear.
Visa's public dispute categories still don't include an agent-specific reason code. A cardholder challenging an agent-mediated purchase today would file under the same card-absent fraud condition as any other online transaction. The operating rules for agents arrived before the dispute rules caught up.
But these four questions aren't unique to payments. They belong to any domain where actions get challenged. A GAO bid protest demands the contracting officer's statement of facts, evaluation documents, and solicitation records. Credit-reporting disputes require furnishers to investigate contested information, review supporting documentation, and correct inaccurate records. Authorization, boundary, state change, remedy. Payments are simply where the challenge machinery is most mature. In procurement and compliance, the challenge will come but the infrastructure to answer it is thinner. An agent acting on a procurement workflow today might produce a clean execution trace and still have nothing that survives a formal protest, because the trace proves the action occurred without proving it had authority or stayed within scope.
The dispute file asks whether what happened can be defended. Most agent systems aren't yet producing the artifacts that would let them answer.
-
Visa's "middle" problem: AP reported that Visa sees a novel dispute scenario where consumer intent and merchant processing both look valid while something goes wrong in the agent-mediated layer between them.
-
Benchmarks testing final state: Tau-bench introduced pass^k to measure repeated-trial reliability by comparing database state against annotated goals, with retail pass^8 scores below 25% in its experiments.
-
OWASP's agentic risk catalog: The 2026 Top 10 for Agentic Applications identifies risks like tool misuse, where an agent operates within authorized privileges but applies a legitimate tool in unsafe or unintended ways.
-
Agent recognition cuts both ways: A June 2026 preprint found that some web agents bypassed all tested anti-bot mechanisms while simultaneously being distinguishable from humans through multi-layer fingerprinting across network, HTTP, and browser layers.

