Visa × ChatGPT and Mastercard Agent Pay: AI agents can now pay on your behalf — the race for autonomous payments

Automation 🟢 Beginner ⏱️ 12 min read 📅 2026-06-25

🔎 On June 10, 2026, your wallet became accessible to AI

Two payment giants crossed a red line on the same day. Visa plugged its payment network directly into ChatGPT. Mastercard launched Agent Pay for Machines, a machine-to-machine payment protocol.

Agentic commerce is no longer a white paper concept. It is a deployed infrastructure, with real transactions, real merchants, and your real money at stake.

After automated web browsing, after autonomous code generation, AI agents are crossing the last taboo: direct access to your wallet. The question is no longer whether it's happening, but whether the safeguards are sufficient.


The key points

  • Visa × OpenAI: the Visa payment network is integrated into ChatGPT, allowing AI agents to make purchases from any Visa merchant after user authorization (source Visa Corporate).
  • Mastercard Agent Pay for Machines: a multi-rail protocol for high-frequency autonomous payments between AI agents and machines, launched with 35 partners (source Mastercard).
  • Safeguards: multi-factor authentication, configurable spending limits, transaction transparency — but no continuous human supervision required once settings are validated.
  • Risks: massive new attack surfaces (Agentjacking, AutoJack), and an ecosystem where AI can spend without real-time human supervision.

| Tool/Protocol | Main use | Price (June 2026, check on site) | Ideal for |
| --- | --- | --- | --- |
| ChatGPT with Visa integration | Agentic purchases via LLM | ChatGPT Plus/Pro subscription | End consumers |
| Agent Pay for Machines | Autonomous M2M payments | On quote (B2B) | Agent developers |
| Nevermined | Crypto payments between agents | Open source | Decentralized agent-to-agent commerce |

Visa in ChatGPT: how it actually works

An AI agent in ChatGPT can now search for a product, compare it, and pay for it — in a single conversation, with any merchant accepting Visa.

The mechanism relies on tokenized transactions. Your Visa card is not stored in raw form in the LLM. OpenAI generates a payment token that leverages the existing Visa network, the same one that already processes billions of transactions per day (source Bloomberg).

The user must first authorize the agent. This authorization includes configurable spending limits and multi-factor authentication. Once these parameters are validated, the agent can act autonomously within these bounds.

This is agentic commerce as it had been promised for months — but this time, it is plugged into the world's largest payment infrastructure.

Why Visa chose OpenAI and not the other way around

Visa brings the network. OpenAI brings the interface. The deal is asymmetrical in favor of OpenAI: it is Visa integrating into ChatGPT, not the other way around. According to Quartz, the announcement was made at the Visa Payments Forum in San Francisco on June 10, 2026, which reflects Visa's determination not to leave the field open to Mastercard.


Mastercard Agent Pay: the machine-to-machine response

On the same day, just hours apart, Mastercard unveiled Agent Pay for Machines. The approach is fundamentally different from Visa's.

Agent Pay is not designed for a human asking an agent to buy something. It is a protocol for machines to pay each other, at machine speed, without human intervention (source Fortune).

An AI agent that needs to access a paid API, that must pay another agent for computational subcontracting, or that buys cloud resources in real time — that is the target use case. The framework is multi-rail: it supports cards, bank accounts, and new payment rails (source Mastercard IR).

35 partners at launch, according to OurCryptoTalk. It is a strong signal: Mastercard is not launching a proof of concept, but an operational network.

Agent-to-agent: commerce without humans

The key distinction: Visa targets agent-to-merchant (the agent buys for you from a merchant). Mastercard targets agent-to-agent (one agent pays another agent). These two models will coexist, but agent-to-agent raises much more complex regulatory questions.

Who is responsible if agent A pays agent B for a defective service? The owner of A? The developer of B? The answer does not yet exist in positive law.


Safeguards: sufficient or cosmetic?

Both networks highlight three types of safeguards: initial multi-factor authentication, spending limits, and transactional transparency.

Multi-factor authentication is a solid entry point. You cannot enable agentic payments without having verified your identity. Configurable limits make it possible to cap potential damage. Transparency means that every transaction is logged and viewable.

The problem of continuous supervision

But here is the critical point: once authorization is given and limits are set, there is no human supervision transaction by transaction. The agent can make 50 micro-purchases in a minute, all legitimate with respect to the parameters, but none will be individually validated by a human.

This is by design. The value proposition of agentic commerce is speed and autonomy. Adding a human validation step to every transaction would destroy the utility of the system. The security/convenience trade-off clearly leans towards convenience.

The card trust model vs the crypto model

Alternative approaches exist. Nevermined proposes a blockchain-based agent monetization protocol, where smart contracts define payment conditions in an immutable way. No bank tokenization, no traditional financial intermediary.

The crypto model has a theoretical advantage: native programmability. A smart contract can encode payment rules that a banking network cannot express (for example: "pay only if agent B's result is verified by a third-party oracle"). But it has a massive disadvantage: adoption. Nobody pays for their groceries in stablecoin.

Visa and Mastercard are betting on the fact that their existing network is their biggest asset. Why build a new trust infrastructure when 4 billion cards are already in circulation?


The AI models behind these agents: who is spending your money

The agents driving these transactions are not low-end models. For reliable agentic commerce, high-level reasoning is required.

The June 2025 agentic benchmark puts OpenAI's GPT-5.5 in the lead with a score of 98.2, followed by Gemini 3 Pro Deep Think (95.4) and Claude Opus 4.7 Adaptive (94.3). It is these models, or their direct successors, that will be in control of your wallet.

An agent powered by Claude Sonnet 4.6 (81.4) or Grok 4.1 (79) could theoretically handle simple purchases, but complex scenarios involving price comparison, negotiation, and product authenticity validation demand the top-ranked models. If you want to understand the differences between these engines, our Claude vs ChatGPT comparison details their respective strengths.

Agentic memory is the real crux of the matter

An agent paying on your behalf must remember your preferences, your purchase history, your food allergies, your size. AI memory becomes a critical component of the payment system. Without reliable memory, an agent buys the wrong size, the wrong model, the wrong supplier.


The new attack surfaces: AutoJack and Agentjacking

This is where the business tone must give way to security. Plugging a payment network into an LLM means creating a target of unprecedented value for attackers.

AutoJack: a single web page can hack your agent

The AutoJack attack revealed by Microsoft shows that a malicious web page can manipulate a browsing AI agent. If this agent has access to your Visa wallet via ChatGPT, the web page isn't just hacking your browser — it's hacking your bank account.

The vector is elegant and terrifying: the agent reads the page, the page injects invisible instructions for the agent, the agent executes them. No traditional malware, no phishing, no human error. The attack exploits the trust placed in one's own agent.

Agentjacking: a fake bug report is all it takes

The Agentjacking phenomenon goes even further. A fake bug report submitted to a development agent can trigger the execution of arbitrary code. Transposed to the payments domain: a fake "refund" or "order confirmation" notification could prompt the agent to initiate an unwanted payment.

These attacks are not theoretical. They are documented, demonstrated, and they exploit exactly the mechanisms that Visa and Mastercard are deploying.

The problem with agent frameworks

Frameworks like Vercel's Eve accelerate agent development but also widen the attack surface. The easier it is to create an agent with payment capabilities, the easier it is for an attacker to find entry vectors.


What it changes for e-commerce

E-commerce as we know it relies on the user interface: the website is designed for a human who clicks, scrolls, compares. With agents, the human interface disappears.

Algorithmic negotiation

An AI agent can compare prices across 15 sites in 200 milliseconds. But does it go further? Will it negotiate the price? The APIs of some merchants could allow agents to submit offers below the displayed price. This is a scenario that retailers dread: the automated price war, where no human sets the final price.

SEO for agents

If your customers are AIs, your metadata, your data structure, your API become your true storefront. Traditional SEO (optimizing for a human typing a Google query) is gradually being replaced by AEO (Agent Experience Optimization): making your catalog readable and actionable by an agent. The best autonomous AI agents become your new distribution channels.

Hosting and infrastructure

E-commerce sites will have to support completely different API request loads. Thousands of agents querying your catalog simultaneously, without generating a single page view. A host like Hostinger will have to adapt its offerings for this agentic traffic — lightweight but extremely frequent requests.


And what about the banks in all this?

According to American Banker, banks risk being the big losers in this transition. Visa and Mastercard are building payment layers that directly bypass traditional banking interfaces.

The user no longer goes through their banking app. They configure an agent in ChatGPT, the agent uses the Visa network, and the bank becomes nothing more than an invisible backend. For banks that have invested billions in their mobile apps, this is a pure disintermediation scenario.


Agent-to-agent commerce: when AIs buy from AIs

The most disruptive scenario is not "a human asks an agent to buy". It's "an agent decides to buy from another agent".

Let's take a concrete example: a home energy management agent detects that your house is going to consume more electricity than expected. It contacts an agent from a competing energy provider, negotiates a spot rate, pays via Mastercard Agent Pay, and switches your supply. All of this happens in a few seconds, without you even knowing it took place.

This is autonomous commerce. And it raises a fundamental question: who is the consumer protected by consumer law when the consumer is an algorithm?


Codex Mobile and the on-the-go purchasing act

The integration of Codex in ChatGPT Mobile shows the direction: the agent works on your machine while you are on the go. Add Visa payments to the mix, and you have an agent that can not only code on your remote server, but also pay for cloud resources, domains, APIs — all from your phone while you are walking down the street.

The convergence between agentic coding and agentic commerce is fast. A developer could ask their agent: "Deploy this app, buy the domain, configure the SSL, pay for a year of hosting." A single instruction, a chain of autonomous transactions.


❌ Common mistakes

Mistake 1: Thinking the agent asks for your CVV code on every purchase

What's wrong: confusing agentic commerce with traditional online payment. The agent uses a persistent payment token, not your card number. The risk is not in storing your card, but in the legitimate yet unwanted use of the token by a manipulated agent.

The solution: set low spending limits by default, and disable agentic payment when you are not actively using it.

Mistake 2: Believing MFA safeguards protect against injection attacks

What's wrong: multi-factor authentication protects the initialization of the payment session, not individual transactions once the session is open. An agent compromised by AutoJack acts within an already authenticated session.

The solution: monitor your transaction history. Repeated small transactions are the weak signal of a hacked agent.
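The weak signal named here, and the 50-micro-purchases-in-a-minute case from the supervision section, can be checked mechanically over an exported transaction history. The following is an added example, not code from Visa, OpenAI or Mastercard; the thresholds, the record layout and the sample history are assumptions made for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune them to the limits you configured.
SMALL_AMOUNT_CENTS = 500           # ceiling for a "small" charge
WINDOW = timedelta(seconds=60)
MAX_SMALL_IN_WINDOW = 5            # more small charges than this per window is a burst

# Constructed sample (amounts in cents): two ordinary purchases, then 8 small charges in 21 s.
SAMPLE = [
    ("2026-06-12T09:00:00", "grocer.example", 4210),
    ("2026-06-12T12:30:00", "cafe.example", 350),
] + [(f"2026-06-12T14:05:{3 * i:02d}", "credits.example", 199) for i in range(8)]


def find_micro_bursts(transactions):
    """Return one alert per burst of small charges seen in a sliding window."""
    small = sorted(
        (datetime.fromisoformat(ts), merchant, cents)
        for ts, merchant, cents in transactions
        if cents <= SMALL_AMOUNT_CENTS
    )
    bursts, window, current = [], deque(), None
    for tx in small:
        window.append(tx)
        while tx[0] - window[0][0] > WINDOW:    # drop charges older than the window
            window.popleft()
        if len(window) > MAX_SMALL_IN_WINDOW:
            if current is None:                 # burst starts: seed with the window
                current = list(window)
                bursts.append(current)
            else:                               # burst continues
                current.append(tx)
        else:
            current = None                      # rate fell back under the threshold
    return [
        {
            "start": b[0][0].isoformat(),
            "end": b[-1][0].isoformat(),
            "count": len(b),
            "total_cents": sum(c for _, _, c in b),
            "merchants": sorted({m for _, m, _ in b}),
        }
        for b in bursts
    ]

if __name__ == "__main__":
    for alert in find_micro_bursts(SAMPLE):
        print(alert)
```

Every charge in the constructed burst is individually within a typical per-transaction limit; only the rate gives it away, which is why the check is on frequency rather than amount.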

Mistake 3: Ignoring agent-to-agent because "it's niche"

What's wrong: underestimating the speed of M2M adoption. Mastercard is launching with 35 partners. The machine-to-machine transaction volume could surpass human-to-machine volume well before 2030.

The solution: if you are a developer or architect, start thinking about your APIs as agent-first interfaces right now, not just REST for humans.


❓ Frequently Asked Questions

Can an AI agent empty my account in one click?

No, thanks to configurable spending limits. But it can make many small transactions within the bounds you have authorized, which remains a real financial risk.

Are Claude or ChatGPT safer for agentic payments?

ChatGPT has the advantage of native Visa integration. Claude doesn't have a direct banking equivalent yet. But security mostly depends on the architecture around the model, not the model itself. Our ChatGPT vs Gemini comparison can help clarify the raw capabilities.

Are cryptocurrencies a safer alternative?

Theoretically yes, thanks to the programmability of smart contracts. In practice no, because the crypto ecosystem doesn't have the distribution of Visa/Mastercard. Nevermined is trying to bridge this gap, but it's still early stage.

Can I disable agentic payments?

Yes. Activation is opt-in. You can also configure strict rules (max amount, authorized categories, whitelisted merchants) to limit the agent's scope.
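The rules listed in this answer (max amount, authorized categories, whitelisted merchants) only hold if they are checked by deterministic code outside the model, so that text the agent reads cannot widen them. The following is an added example of such a gate, not the actual Visa, OpenAI or Mastercard implementation; the class name, field names, the rolling 24-hour budget and the sample requests are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class AgentPaymentPolicy:
    """User-set bounds, stored and enforced outside the model's context."""
    max_cents: int                     # per-transaction cap
    daily_budget_cents: int            # rolling 24-hour cap across approved charges
    allowed_categories: frozenset
    allowed_merchants: frozenset       # exact-match allowlist of merchant IDs
    _approved: list = field(default_factory=list, init=False, repr=False)

    def authorize(self, merchant_id, category, cents, now):
        """Return (approved, reason); anything not explicitly allowed is denied."""
        if merchant_id not in self.allowed_merchants:
            return False, "merchant not on allowlist"
        if category not in self.allowed_categories:
            return False, "category not authorized"
        if not 0 < cents <= self.max_cents:
            return False, "amount outside per-transaction limit"
        cutoff = now - timedelta(hours=24)
        self._approved = [(t, c) for t, c in self._approved if t > cutoff]
        if sum(c for _, c in self._approved) + cents > self.daily_budget_cents:
            return False, "rolling 24h budget exceeded"
        self._approved.append((now, cents))
        return True, "approved"


def demo():
    policy = AgentPaymentPolicy(
        max_cents=3000, daily_budget_cents=5000,
        allowed_categories=frozenset({"groceries", "cloud"}),
        allowed_merchants=frozenset({"grocer.example", "cloud.example"}),
    )
    t0 = datetime(2026, 6, 12, 14, 0)
    requests = [  # constructed requests, as structured tool calls from the agent
        ("grocer.example", "groceries", 2490),
        ("gift-cards.example", "gift_cards", 2500),  # merchant the user never approved
        ("cloud.example", "cloud", 4500),            # over the per-transaction cap
        ("cloud.example", "cloud", 2000),
        ("cloud.example", "cloud", 999),             # small, but budget is used up
    ]
    return [policy.authorize(m, c, a, t0 + timedelta(minutes=i))
            for i, (m, c, a) in enumerate(requests)]

if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The last request shows why a cumulative budget matters alongside the per-transaction cap: it is a small charge at an approved merchant, and it is still refused.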

Can an agent negotiate a price?

Technically yes, if the merchant exposes a negotiation API. Today, most e-commerce sites do not offer this capability. This could change quickly.


✅ Conclusion

June 10, 2026, will be remembered as the date money entered the agentic loop. Visa and Mastercard have turned LLMs into payment terminals. Safeguards exist but are designed for the nominal case, not for instruction injection attacks. If you are building with agents, learn how to create an AI agent with payment security in mind from the start — not as an afterthought.