AI Agents Are Buying Things. Who Has the Proof the Human Said Yes?
Visa, Mastercard, and the agent-shopping wave have shifted chargeback risk to the merchant. The defense is evidence the principal delegated the purchase before the agent transacted.
When an AI agent buys on a cardholder’s behalf and the human later disputes the charge, your auth log proves the agent transacted, not that the human delegated. The chargeback evidence stack that wins in 2026 captures four layers: the principal’s delegation event, the agent identity and credential, the rendered confirmation surface, and the post-purchase acknowledgment loop. Together they answer the only question the issuer will ask.
Picture this: a customer’s AI shopping agent buys a pair of trail-running shoes from your store. The agent picks the size, color, and shipping option. Forty-two days later, the cardholder files a chargeback under reason code 10.4, claiming they never authorized the purchase. Your auth log is clean. Your fraud score was green. The shoes arrived, signed for, on time. The issuer still sides with the cardholder, because the agent’s signature was never the question.
The buyer just stopped clicking
The card networks have wired the rails. Visa expanded its Agentic Ready program globally in late April 2026, and now predicts millions of consumers using AI shopping agents by the 2026 holiday season. Mastercard launched Agent Pay with a Verifiable Intent trust layer and pilots at Citi and US Bank. In March, Mastercard and Santander completed Europe’s first live end-to-end AI-agent payment in a regulated banking framework.
The demand side is already there. Signifyd’s Commerce Network logged a 1,247% year-over-year jump in AI-agent referral orders through October 2025, with sales from those referrals up 894%. Early merchant data shows agentic checkouts have lower cart abandonment than human-driven sessions. They also show higher chargeback rates in several categories, and the reason is structural, not behavioral.
The human principal sets up the agent once, then the agent transacts on its own. When the dispute comes back, the merchant has plenty of evidence that the agent acted. What they often cannot produce is evidence that the human authorized the agent to act in the first place.
Why your existing evidence stack is incomplete
Your existing packet for fraudulent-CNP disputes is roughly this: authorization log, device fingerprint, IP and geolocation, AVS and CVV results, a 3D Secure response if used, shipping confirmation, and a customer-confirmation record where you have one. It has carried merchants through years of Visa 10.4 and Mastercard 4837 disputes. In an agentic transaction it answers the wrong question.
Visa has publicly confirmed that its zero-liability guarantee applies to AI-agent-initiated transactions. The cardholder is not on the hook for an “unauthorized” charge, even when an agent authorized to shop on their behalf is what placed the order. The issuer’s decision turns on a different test now: did the human delegate this purchase, with what scope, at what time. A clean auth log proves the agent reached your checkout. It does not prove the human sent the agent.
Authentication proves the agent transacted. Only an evidence record proves the human delegated. In a 10.4 representment on an agentic transaction, that delegation record is the data point the issuer is looking for and the typical merchant cannot produce.
This is the same gap the blog has covered in other contexts. 3D Secure alone does not stop chargebacks, and the Mastercard First-Party Trust program shifts liability only when the merchant can produce the enhanced data. The agentic checkout sharpens both points: authentication says less when the entity authenticating is not the entity the issuer is asking about, and enhanced data now has to include a layer that did not exist two years ago.
The four evidence layers that prove the human said yes
An agentic-ready evidence stack adds four layers on top of your existing packet. Each answers a question the issuer will ask, and each is captured on the page where the principal interacted.
1. The delegation event
When did the cardholder set up the agent, accept its terms, and define its budget, category, and policy scope? The capture happens on the principal’s own session, on the page where they link their wallet, connect an agent, or enroll in an agent-shopping product. The output is a tamper-evident timestamp tied to the rendered page the principal actually saw. This is the foundation of every other layer.
2. The agent identity and credential
Mastercard Agentic Tokens, Visa Agentic Ready signals, and wallet-provider attestations are all designed to prove that the entity transacting matches the entity the human authorized. Pass that signal through your authorization step and store it alongside the delegation record. The two together let you show the issuer that the agent on the dispute matches the agent in your customer’s wallet.
3. The rendered confirmation surface
What did the agent show the principal at the moment of purchase, or what did the agent confirm under the principal’s pre-authorized policy? Capture the page or surface as the principal would have seen it, tied to the transaction. For preauthorized purchases (a subscription replenishment, a scheduled travel rebook), the rendered surface is the original authorization page. For confirmed purchases, it is the agent’s confirmation message itself.
4. The post-purchase acknowledgment loop
Email receipt, in-app notification, or chat-surface confirmation, sent to the principal, timestamped, and retained. The acknowledgment loop is what proves the principal had the opportunity to dispute inside the merchant’s policy window and did not. It is the same pattern Evidora already uses for the customer email receipt, applied to a new transaction class.
| The question the issuer asks | What a 2025 evidence stack delivers | What a captured interaction delivers |
|---|---|---|
| Did the human delegate this purchase? | Auth log (the agent transacted) | Delegation event with timestamp and rendered consent page |
| Was the agent identity verified? | Token presence in the auth message | Token tied to the same evidence record as the delegation |
| Did the principal see the product or confirmation? | Shipping or order confirmation email | Rendered confirmation surface as shown to the principal |
| Did the principal acknowledge inside the policy window? | Email send log | Tamper-evident receipt with retention you control |
In agentic commerce, the auth log proves the agent transacted. Only an evidence record proves the human delegated.
Where to start before the 2026 holiday window
Visa’s own forecast puts mass-consumer agent shopping at the end of 2026, roughly nine months from this post. That is enough time to capture the delegation event on your enrollment pages, pass the agent identity through authorization, and tie a rendered confirmation surface to each transaction. The work breaks into four short steps.
Audit your delegation surfaces. Find every page where a customer connects a wallet, links an agent, or accepts agent-shopping terms. If you do not support agent checkouts yet, audit whichever surface your roadmap places that consent on.
Capture consent with a single line of code. A session-level evidence script captures the rendered page, the affirmative click, and a tamper-evident timestamp. The output is an Evidence Record ID that follows the principal across setup, their agent’s purchases, and any later dispute. The blog covered the pattern for traditional checkout pages; the agentic surface is the same idea on a different page.
Pass the agent identity through authorization. Visa Agentic Ready and Mastercard Agentic Token fields are designed to be carried with the transaction. Store them with the same Evidence Record ID as the delegation, so the dispute team pulls both with a single lookup.
Retain what matters, expire what does not. An Evidora Evidence Record stays active for three days, extends to 30 days on a verified submission, and can be claimed for five-year retention at any point. For agentic transactions, claim the delegation record when the agent transacts, then let the per-transaction records auto-expire after the dispute window closes.
Most merchants are treating agentic commerce as a frictionless upgrade to checkout. The chargeback team will treat it as a category of transactions where the principal can always say no, and the auth log alone cannot answer. The missing piece is the principal’s delegation event captured before the agent transacts, retained for the dispute window, retrievable in a single Evidence Record. The merchants who build that record before the 2026 holiday season will defend the dispute wave that follows. The ones who do not will fight 10.4 representments with a packet designed for a buyer who was not at the keyboard, and lose them.
For context on what already wins representment today, the post on what actually wins chargeback disputes covers the existing five elements. Agentic commerce adds a sixth, sitting on top of them: the delegation event. If your dispute ratio is already pressing the 1.5% VAMP threshold, every undefended agentic dispute counts against the same ratio.
Frequently asked questions
What is an agentic commerce chargeback?
An agentic commerce chargeback is a dispute on a transaction completed by an AI shopping agent acting on behalf of a cardholder. The human principal disputes the charge after the fact, often claiming they never authorized the specific purchase. The merchant defends with evidence that the principal delegated the purchase scope to the agent before the transaction.
Does Visa’s zero-liability guarantee apply when an AI agent makes the purchase?
Yes. Visa has confirmed that the zero-liability guarantee covering all Visa cardholder transactions applies equally to AI-agent-initiated transactions. The cardholder is not responsible for unauthorized charges, which means the chargeback risk on a disputed agent purchase lands on the merchant.
Which Visa and Mastercard reason codes apply to agent-initiated disputes?
Most agent-initiated disputes file under Visa reason code 10.4 (fraudulent card-not-present) or Mastercard 4837 (no cardholder authorization). Some cases route through reason codes tied to product or service complaints (Visa 13.x, Mastercard 4853). Evidence requirements differ by code, but the principal’s delegation record is useful across all of them.
Can a session recording capture the principal’s delegation event?
A consent-first session-level evidence record can. The capture happens on the page where the principal links their wallet, authorizes an agent, accepts agent-shopping terms, or sets the agent’s spending scope. The output is a tamper-evident record of the page the principal saw, the click that authorized the agent, and the timestamp.
Does the Mastercard First-Party Trust program help with agentic commerce disputes?
Yes, where the merchant qualifies. First-Party Trust shifts liability on first-party fraud chargebacks when the merchant submits enhanced data at authorization or post-dispute. Agentic transactions carrying a Mastercard Agentic Token plus the merchant’s delegation evidence fit the First-Party Trust enhanced-data pattern.
What evidence wins an agentic commerce chargeback today?
Four layers, captured together: the principal’s delegation event (when the human authorized the agent and the scope), the agent identity and credential (Visa Agentic Ready signal or Mastercard Agentic Token), the rendered confirmation surface as shown to the principal or the agent under disclosed delegation, and the post-purchase acknowledgment loop with timestamp.
When do AI agents become enough of a checkout pattern for me to act on?
Visa predicts millions of consumers using AI shopping agents by the 2026 holiday season. Signifyd’s Commerce Network logged a 1,247% year-over-year jump in AI-agent referral orders through October 2025. If you process card-not-present transactions, the pattern is on your roadmap and the holiday window is the practical deadline.
Turn every agentic checkout into a defensible record
Evidora captures court-ready evidence of every delegation event, agent authorization, and rendered confirmation surface. One line of code. Retain what matters, expire what does not, produce a reproduction when an inquiry or chargeback arrives.
See how it works →