Agentic commerce is breaking the chargeback math
The chargeback system is commonly described as a consumer-protection mechanism. That description is true but partial. The more accurate one, in the Evans and Schmalensee canon of two-sided card-market economics, is a cost-allocation mechanism. Card networks are platforms, platforms allocate costs across the two sides, and chargeback handling is a platform cost like any other. Interchange does not just price acceptance. It amortises the platform’s expected dispute losses across cardholders and merchants, with issuers absorbing some, merchants absorbing more, and the network setting the rules that determine the split.
Inside that allocation, friendly fraud and first-party misuse function as a cross-subsidy. Cardholders who do not abuse the dispute mechanism end up underwriting the disputes filed by those who do; the same pattern repeats on the merchant side, where firms that document carefully pay for the consequences of firms that do not. The instrument distributing the burden is the scheme dispute rules (Visa Compelling Evidence 3.0, Mastercard First Party Trust, the network monitoring programmes), and the cost flows through interchange and acquirer pricing. The cross-subsidy has worked because the underlying loss distribution has been approximately stationary. Human-initiated card-not-present commerce generates dispute frequencies and severities that move slowly enough for the platform’s pricing rules to lag without breaking.
The relevant numbers are not subtle. The CFPB’s 2025 Consumer Credit Card Market Report finds that in 2024 US cardholders disputed $9.8 billion in credit-card charges, of which $5.9 billion resulted in chargebacks (Federal Register publication of the CFPB report). Visa disclosed processing 106 million disputes globally in 2025, up 35% from 2019 (American Banker, November 2025). The Merchant Risk Council’s 2026 Global Payments and Fraud Report finds 64% of surveyed merchants reporting increasing first-party misuse rates, one quarter of them reporting an increase above 25%, and resolution cost per first-party-misuse dispute at $82, up from $74 a year earlier (MRC press release on the 2026 report). LexisNexis fraud-multiplier data, cited via Mastercard, puts every $1 of US merchant fraud loss at $4.61 in total cost in 2025, up 37% since 2020 (Mastercard B2B blog citing LexisNexis). Sift’s Q4 2025 Digital Trust Index shows aggregate chargeback rate moving from 0.17% in Q1 2025 to 0.26% in Q3 2025, a 53% rise across two quarters on a normalised merchant cohort (Sift Q4 2025 Digital Trust Index). Issuers do not escape the cost stack: each dispute costs US issuers $9.08 to $10.32 to process, and institutions hire one back-office FTE per $13,000 to $14,000 of annual dispute volume.
The aggregate describes a system absorbing more dispute volume each quarter, with merchants bearing roughly half of the resulting fraud cost, issuers absorbing back-office overhead, and the schemes setting the rules. Honest and cooperative participants underwrite dishonest and uncooperative ones inside that frame, and the schemes update the cohort pricing on a cadence slow enough that the system lags the distribution without breaking it. The cross-subsidy is invisible to a merchant paying the bundled rate, because the rate-card never declares it.
Agent-initiated transactions do not break the system at the aggregate level; they break the stationarity assumption that lets the cross-subsidy work. Agents do not transact across the full distribution of CNP merchant categories. They cluster in subscription billing, low-value high-frequency commerce, cross-border purchases, and the categories most exposed to bot misuse. Subscription disputes carry different reason codes than one-shot CNP, cross-border disputes carry different evidentiary requirements, and an agent transaction in any of those categories enters the dispute distribution at a different baseline frequency than the human transaction the rules were written against.
The behavioural fraud signal disappears in parallel. A bot does not rage-type, hover, abandon, or re-enter form fields. The behavioural signals issuers and acquirers have used to score transaction risk for the past decade either do not apply to agent-initiated traffic or apply in inverted directions. The fraud-scoring stack was trained on human behaviour, and an agent traffic increment forces either a redesign or an accepted degradation in scoring accuracy.
The reason-code distribution shifts at the same time. Consumer-protection regulators have not resolved whether granting an AI agent credential access satisfies the authorisation condition that bounds consumer liability under Regulation E or section 1643 of TILA. While that question is unresolved, friendly-fraud-style disputes are likely to migrate toward the fraud-card-absent reason codes, where consumer-favourable defaults are stronger and merchant evidence requirements heavier. The reason-code mix shifts before agent volumes scale, because the legal default in the absence of clarity is the cardholder-friendly code.
The cleanest evidence that the platform has not priced any of this is the silence of the agentic-commerce protocols on chargeback liability. The OpenAI Agentic Commerce Protocol, released under Apache 2.0 in September 2025 with Stripe as primary co-author, contains no language on chargeback liability allocation. Stripe’s stated position is that “the business is the merchant of record” (Stripe announcement of the ACP; ACP repository), which embeds an allocation choice without binding it; the actual allocation lives in Stripe’s separate preview terms rather than the open protocol. Visa’s Trusted Agent Protocol, published October 2025, is purely an authentication and identity protocol (RFC 9421 message signatures, agent-payer-auth and agent-browser-auth tags), and the specification contains zero language on chargebacks, merchant of record, or liability allocation (Trusted Agent Protocol developer specification). Mastercard’s Verifiable Intent product, developed with Google for 2026, is the most explicit about its limits. The cryptographic record “may be used to help avoid and/or resolve potential cardholder disputes” (Mastercard Verifiable Intent), which is conditional rather than a liability shift. Google’s AP2 specification is the most candid; its liability-allocation table is preceded by a concession that “every payment network will define its own liability contracts” and that the table is a guide, not a binding contract (Rivero analysis of AP2). The protocols cannot price what the underlying scheme rules have not priced, and the underlying rules were written for human-initiated CNP.
The regulatory side is silent for adjacent reasons. Regulation E defines an unauthorised electronic fund transfer as one initiated by a person other than the consumer without actual authority; TILA section 1643 caps consumer liability for unauthorised credit-card use at $50, defining unauthorised use as use by a person without actual, implied, or apparent authority. Whether granting an AI agent credential access satisfies the authorisation condition under either statute is unsettled (Federal Reserve Consumer Compliance Outlook on Reg E error resolution; Fenwick analysis of agentic payment liability). The Consumer Bankers Association published a January 2026 white paper drawing together regulator and industry positions and concluded that the dispute framework has not been resolved for agent flows (CBA press release on the white paper). The Federal Reserve, OCC, FDIC, and Treasury have done significant scoping but issued no enforceable rule on AI-agent dispute treatment, and the Bank of England’s Financial Policy Committee has tasked the Bank and the FCA to study agentic AI in payments. None of this has produced binding allocation, and schemes will not unilaterally re-allocate liability while regulators are still defining what authorisation means in agent flows.
What schemes can do under existing authority is re-price the cross-subsidy on the merchant side, and the Visa Acquirer Monitoring Programme update that took effect on 1 April 2026 has begun doing so. The merchant ratio threshold for monitoring tightened from 2.2% to 1.5% in the United States, Canada, and Europe, a 32% tightening in a single step. The monitoring floor moved from 1,000 to 1,500 combined fraud and dispute reports per month. Penalties run at $8 per disputed-or-fraudulent transaction above threshold, with no warning tier (Basis Theory analysis of the 2026 VAMP update). VAMP does not target agent traffic specifically; it targets merchant cohorts whose dispute ratios run high. The segments where agent volume concentrates are the same segments most likely to push a merchant over that threshold, which makes VAMP a segment-tilted re-pricing applied through a segment-agnostic rule. CE 3.0’s October 2025 auto-qualification update and Mastercard’s First Party Trust scale-out in 2025 carry the same logic on the defensive side, with evidence credit accruing to merchants that authenticate and being withheld from those that do not (cside analysis of CE 3.0 auto-qualification; Mastercard First Party Trust press release). Mastercard describes quantification of FPT win-rate impact as premature, which two years into the framework is itself a data point.
A skeptic can argue that VAMP is just continued tightening of an existing rule. The skeptic is correct. The point is that this is how the cross-subsidy gets re-priced: not in a single announcement but through an accelerating sequence of merchant-side rule tightenings, each of which shifts a fraction of the cohort burden onto merchants the rules can identify. Per-segment dispute pricing, including agent-flag interchange categories and agent-specific dispute thresholds, is what VAMP has begun gesturing toward. The complement to that on the contractual side is merchant-of-record reallocation, already implied by Stripe’s “the business is the merchant of record” language; the opposite allocation would push liability to whichever entity operates the agent, and the bilateral terms behind the protocols are where that question is currently being negotiated. Beyond either of those sits credential-class withdrawal, in which issuers refuse to authenticate cards into agent flows. That outcome is the tail-risk scenario; the present direction of issuer behaviour is engagement through Trusted Agent Protocol, Agent Pay, and Verifiable Intent rather than withdrawal, though issuers are also tightening Access Control Server treatment of agent-flagged telemetry (data-centre IPs, headless-browser signatures, absent behavioural biometrics), which is a softer form of the same restriction.
The strongest objection to the thesis is that better authentication will solve the dispute-cost problem without explicit re-pricing. Trusted Agent Protocol, Agent Pay, Verifiable Intent, AP2’s Intent and Cart Mandates, and CE 3.0 auto-qualification through Visa Secure together amount to a credible authentication-first stack, and the silence in the protocols on liability is consistent with the schemes routing everything through existing rails on the back of better authentication. The objection has force but conflates two questions. Authentication assigns a transaction to an agent with high confidence; it does not assign dispute cost. After two years of CE 3.0, Visa has produced no audited public win-rate uplift number, Mastercard’s First Party Trust has produced none, and both schemes describe quantification as premature. If authentication alone were closing the dispute-cost problem, the data gap would have closed by now, and the silence on outcomes is a more telling number than any single win-rate would be.
Another objection holds that agent volumes are too small to matter. Independent estimates put 2026 global agentic spend at single-digit billions of dollars against trillions in CNP volume, and consumer-adoption surveys cluster well below mass adoption. The thesis remains about distribution, not level. At single-digit billions of agent volume, if dispute frequency in clustered segments runs several times the human CNP baseline, the cross-subsidy takes a measurable hit at the segment level. VAMP did not wait for agentic volumes to scale before tightening; the rule was set on observed merchant-cohort patterns, and the cohorts the agent cluster maps onto are exactly the cohorts being tightened.
The most theoretically serious objection is that interchange is not a cross-subsidy at all. The International Center for Law and Economics has argued for fifteen years that interchange is an efficient pricing equilibrium that allocates costs across users with different elasticities, not a redistribution from honest to dishonest participants (ICLE on the cross-subsidy theory). The objection is fair as a matter of vocabulary. Cross-subsidy is loose language for what is more precisely efficient cohort pricing under stationarity. The agentic-commerce question is identical under either label. Whether the existing arrangement is called a cross-subsidy or an efficient equilibrium, agent traffic introduces a class of transaction for which no equilibrium has been priced. The platform must extend pricing to that class, and the mechanism it picks will determine where the surplus settles and who carries the loss when authentication is correct but the underlying transaction was never going to be honoured.
The signals worth watching are not the marketing announcements. They are the rate-card line items, the merchant-monitoring programmes, and the bilateral contract terms behind the published protocols. VAMP April 2026 is the first. The next will be an agent-flagged interchange category, a separately-published monitoring programme for agent-initiated authorisations, or a CE 3.0 amendment that excludes agent-initiated transactions from auto-qualification, any of which would constitute explicit per-segment re-pricing. Issuer-side tightening of Access Control Server treatment for agent-flagged telemetry is a parallel signal, applied through Reg E and TILA risk rather than interchange. For private-equity diligence on payments assets through 2027, the question worth pressing is not whether the asset has an agentic strategy but whether the asset’s dispute economics survive per-segment re-pricing of the cross-subsidy. On current evidence most assets do not yet have a credible answer to that question, and the rate-card revisions and monitoring tightenings will continue running ahead of any new authentication regime that might otherwise have absorbed the cost.