The Thredd Team
July 08, 2026
A year ago, agentic commerce was new enough that few people in payments were seriously worried about it. That has changed considerably, and the questions coming into Thredd now are concrete: what does this mean for the issuing side, the acquiring side, and particularly for players operating in online-heavy environments? These are the questions we are actively working through, and they are reshaping how we think about the role of an issuer processor.
J.P. Morgan's July 2026 Fintech sector report on agentic commerce and payments sets the scale of what is coming. McKinsey estimates that agents could mediate somewhere between $3 trillion and $5 trillion of global consumer spend by 2030, with BCG projecting that over half of US e-commerce spending could be agent-assisted within the next several years. The infrastructure question that sits underneath those numbers is the one the payments industry is still working out.
Ryan Dew, our Chief Product Officer, has been working through those questions in detail. His starting point is that the fundamental shift is simpler to state than it is to solve.
"The fundamental shift, in the simplest terms, is that credentials are no longer held and presented by a person. They are now being delegated to software. Agents are the carriers of the parameters that the person has defined at some point in the process."
That delegation changes three things for issuer processors: the provisioning logic, lifecycle management, and identity binding. Each one represents a meaningful departure from how the existing infrastructure was designed to work.
Credential provisioning has historically tied a card to a device, a wallet, a watch, all anchored to a cardholder identity. The agentic model requires something more granular: setting the parameters of the transaction at the point of issuance, with the credential and the mandate bundled together from the start. That has to happen in real time and at scale, with infrastructure that is flexible and configurable at the transaction level rather than at the programme level.
The J.P. Morgan report maps out a protocol landscape that reflects how rapidly this is developing. Standards including ACP, UCP, TAP and Mastercard's Agent Pay are each attempting to define how agents discover merchants, initiate transactions and establish trust, with more than 25 major partners already live or building on ACP alone. No single standard has consolidated the market yet, which means the infrastructure that can operate across multiple protocols rather than betting on one will be better positioned as the ecosystem matures.
Lifecycle events for a digital wallet have traditionally been relatively static: provisioning, updates, expiry. In an agentic context those events happen at the point of transaction and at the point of purchase, and the complexity compounds quickly in ways that the existing tokenisation model was not designed to support.
What is needed is a new class of tokens: short-lived, mandate-bound, and use-specific. As Ryan puts it: "Rather than a token that represents just a card, it's going to have to be a card for this transaction, authorised up to this amount, for this merchant category, for this session. That's the key difference." The metadata coming in on those transactions will be far richer than anything the current infrastructure is built to handle in real time, and acting on it across authorisation, fraud monitoring and signal parsing is where the real infrastructure investment sits.
Visa's network intelligence layer, as described in the J.P. Morgan report, reflects exactly this direction. Token data is being enriched with transaction type, usage context and payer identity, with a token assurance signal computed across the credential's lifecycle. The aim is to replace absent human behavioural signals with credential-level trust, which is the same problem Ryan is describing from the issuer processor side.
You need to bind three things together at the point of transaction: the agent, the cardholder, and the specific purchase intent the cardholder is making.This is where the scheme-level protocol work becomes directly relevant to what issuer processors need to build. Mastercard's verifiable intent work, in conjunction with what Google is developing, is focused on exactly this problem, and from a processor perspective the question is how to align infrastructure with that thinking and capture the right data so that if a dispute or chargeback occurs, the evidence exists to reconstruct what happened.
The J.P. Morgan report notes that trust is shifting from interface-level signals to cryptographic verification and registered entities, with Visa's Agentic Directory and Agent Score capabilities both moving in this direction. For issuer processors, that shift has direct operational consequences: the signals that fraud models have historically relied on are being replaced by verification of agent identity, transaction intent and credential scope.
The existing dispute framework developed around two scenarios: unauthorised use of a card credential, or authorised use. Agentic commerce introduces a third scenario that sits outside both. An agent acted on a consumer's behalf, within a mandate the consumer set, but the consumer disputes the outcome. The infrastructure changes required to handle that scenario need to be in place before the volume arrives, not retrofitted afterwards.
Ryan is direct about where the industry needs to get to: "It is going to be critical for issuer processors to store those snapshots showing that the agent was the permitted agent to act on behalf of the customer. That way, if a dispute arises, it can be reconstructed, and the issuer has the evidence of whether the claim is legitimate." Shifting the resolution point upstream, capturing the mandate at the time of authorisation rather than reconstructing it afterwards, is the direction the industry is heading, and the J.P. Morgan report identifies liability frameworks as one of the primary unresolved challenges across the ecosystem, with chargeback rules for agent errors still undefined.
That gap is where issuer processors have both the most exposure and the clearest opportunity to shape what the standard becomes.
The protocols developing in this space are largely focused on the agent and merchant side of the transaction. What sits between those protocols and the issuer is still being defined, and that is where the work for issuer processors is most consequential: delegated authority, dynamic spend governance, token lifecycle and dispute reconstruction.
These are not abstract future problems. They are the areas we are focused on at Thredd as we build towards the infrastructure agentic commerce will require, working alongside our scheme partners and clients to make sure the foundations are right. The processors who understand that responsibility now are the ones who will be best placed to deliver on it as volume builds.