I’ve been spending time this week getting up to date on Europe, from stablecoins to MiCA to AMLA. My list of official whitepapers and academic articles is below (20 of them). My summary:
American Express Breaks the Agentic Commerce Deadlock: Why Today Matters
Why is this big news? Once one network says “we cover agent errors,” the others can’t say no.
The Problem We’ve Been Waiting for a Network to Solve
For the past eighteen months, I’ve written extensively about agentic commerce as a test of *incentive alignment*, not technology. The tech works. What doesn’t work is getting all parties—networks, issuers, merchants, platforms, and payment processors—to align around who owns the agent, who owns the data, and who bears the risk.
Today, American Express did something important: it solved that problem for its own closed loop (and its customer base). What does this mean? I hope it means US Issuers will lean in on the V/MA solutions that can allow them to operate at near parity (V/MA have the rules, tech and governance). But changing a network is really hard.
FinCEN/OFAC 303 Page Rule Squashes Stablecoin eCom Ambitions
Exec Summary
- The new 303-page FinCEN/OFAC rule aligns with the clear language of the GENIUS Act but, IMHO, will create major friction for the use of USD stablecoins in eCommerce
- Rules for tracking parties and monitoring secondary activity create a compliance regime that burdens every party with the need to understand the provenance of a coin. Can you imagine accepting $2000 for a new TV, shipping it out, then having your stablecoins burned?
- So not only do we have KYC but we have SAR reporting requirements as PPSIs must also comply with SAR and the “Travel Rule” (31 CFR 1010.410(f)), which involves collecting and transmitting information about the originators and beneficiaries of funds transmittal.
- Banks and Stablecoin Issuers that jumped into Solana’s Token-2022 model saw this coming and are well placed to move forward
- This creates substantial advantages for banks in sweeping coins into covered accounts and freshly minting new coins when required.
- Great news for Big Banks and V/MA. Cards gain a significant advantage over stablecoins with the proposed rule
- I see this as a tailwind for stablecoins in settlement, but a big headwind for stablecoins in eCommerce (with a few exceptions).
- My views on Stablecoin winners and losers remain unchanged except for an update to winners for x402.
- No wonder Jamie Dimon remains confident that the banks will win: it will take years for stablecoin startups to build the regulatory muscle required to manage 303 pages of FinCEN mandates. By the time they do, the banks will already be running their own stablecoin subsidiaries under the very same rules.
The Rule
The U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) and OFAC issued a 303-page proposed rule implementing the GENIUS Act, reclassifying permitted payment stablecoin issuers (PPSIs) as financial institutions under the Bank Secrecy Act. Requirements include bank-grade KYC, suspicious activity reporting, transaction blocking/freezing capabilities, and appointment of a U.S.-based compliance officer. Enforcement begins January 2027. A 60-day comment period opens now.
The NPRM (Notice of Proposed Rulemaking) introduces 31 CFR Part 1033, which specifically outlines the obligations of PPSIs. The density of this document reflects the complexity of applying traditional banking rules to a distributed ledger environment.
Wero 2026: Sovereignty at a Commercial Premium
Just left a UBS webinar from the head of product for Wero and thought it would be a good time to update my July 2025 assessment of Wero as a “solution in search of a problem.” The biggest change in Wero is that the core infrastructure has transitioned from a voluntary service to a mandated utility. However, as the European Payments Initiative (EPI) attempts to scale, the project faces a fundamental conflict between political objectives and commercial unit economics.
Visa CLI and X402 CONVERGENCE
Last week I wrote about MPP and x402 solving the internet’s original sin: the inability of machines to pay machines without a human in the loop. This week, Visa made that argument a lot easier to make.
Visa Crypto Labs quietly launched Visa CLI, a command line tool that gives AI agents a wallet. One npm install. One setup command. And your agent can pay for anything on the internet, charged to a real Visa card, without an API key, without a pre-funded crypto wallet, without human intervention.
I got beta access this week and tested it. Here’s what I learned, and why I think the CLI is the most important signal yet that the incumbent payment networks are serious about the agentic commerce era.
The Evolution of Checkout: Invisible, Instant, and Everything In Between
My friend Simon Taylor at Fintech Brainfood published a provocative piece this week: The Checkout is Dead, Part 2. His thesis is elegant — the future of agentic commerce is invisible. No cart. No confirmation screen. No “Pay Now” button. Just an event in the world, and money moves.
IMHO he’s right about the general direction. But he’s wrong about the scope and timeline. Not everything fits in instant, and it’s really important to look not only at OpenAI’s instant checkout FAILURE at Walmart, but also at their internal success (i.e., Sparky driving a 35% sales increase with internal checkout).
Owning Your Bot’s Actions: Target Part 2
In my previous post, I covered why Target’s “Your Bot is Your Responsibility” was the only move they could make. When you let an AI bot loose with your credit card, you are effectively handing your car keys to a teenager; you can’t act surprised when there’s a dent in the bumper. But Target’s stance isn’t just a legal shield; it is a flare gun fired over a massive Governance Gap. Today’s agentic commerce is high on technology and standards, but dangerously low on the commercial terms that actually make markets function. To be clear, it’s not for lack of effort from V/MA, nor is it technology; it is resistance to change.
Target’s Consumer Terms “Your Bot Is Your Responsibility”
Target updated its consumer terms on March 22, 2026 to clarify that AI agent-initiated purchases are the customer’s responsibility.
- The timing is not coincidental — it’s a signal that Google’s “Buy For Me” launch is coming.
- The new language is blunt: if a customer authorizes an AI shopping agent to act on their behalf, those transactions are “considered transactions authorized by you.”
- Added a disclaimer that it “does not guarantee that third-party AI tools will act exactly as you intend in all circumstances.”
- Target wants to be very clear about who owns the risk: Your bot is your responsibility.
Google “Buy For Me” Is the Trigger
In May 2025, Google announced its agentic checkout feature: track a price, set your threshold, and when it drops, tap “buy for me.” Behind the scenes, Google adds the item to your cart and completes checkout via Google Pay — without you touching a keyboard.
Target is a named Google Gemini retail partner, announced by Google CEO Sundar Pichai at NRF 2026. This is not a generic partnership. When “Buy For Me” goes live at scale, it will represent the first true machine-to-machine (M2M) agentic commerce program with mass consumer reach. An automated, bypass-checkout flow with no human in the loop at the moment of purchase. Target sees this coming. Their terms update is the legal groundwork being laid before launch.
Why Target Is Uniquely Exposed
Target has the largest card services footprint of any US merchant. Approximately 25 million customers hold a portfolio including:
- Decoupled debit (Circle card – aka Target Red Card)
- Closed loop
- Co-brand credit (issued with TD Bank)
- Prepaid products
These cards, with integrated loyalty and discounts, drive roughly 24% of Target’s total sales. It is a massive proprietary stake in payments (and a massive liability exposure if agentic purchases go wrong at scale).
The ACP Problem: Simulating the Consumer’s Device
As I wrote in Device Graph Extinction, Stripe’s Agentic Commerce Protocol (ACP) is currently the most operationally capable agentic payment protocol in the market. ACP is notable for one specific capability: it can simulate a consumer’s device environment, backfilling device telemetry (via Stripe Radar data) for transactions that originate from an agent rather than a human. In plain English: ACP can make an automated M2M transaction look, to a merchant’s fraud system, like a normal human-initiated purchase.
This is a direct threat to the 30-year fraud investment that merchants like Target have made. Their risk models depend on behavioral signals — time on site, device fingerprints, navigation patterns. An agent that simulates a device but bypasses the checkout UI strips all of that signal away.
Target’s new terms are also a message to OpenAI and Stripe ACP: You may be able to simulate and bypass controls. But if you do, the consumer owns the fraud — not us.
The Paze Problem: Why Target Won’t Accept a Bank-Led Solution
As I outlined in my analysis of UCP Enables a New Economy, the US bank consortium’s Paze wallet has failed to gain merchant traction, and that failure is structural and political.
Target will not participate in an agentic commerce framework that excludes its proprietary card portfolio. The Paze consortium represents only the top 6 V/MA Issuers. It excludes other cards and also serves as a blocker to V/MA (DAF and TAF) rule sets. If Target is going to take risk in agentic, it certainly isn’t going to add to that risk in a new payment system they have no control over AND that excludes their cards (Duh).
Target’s logic is straightforward: we will not accept an agentic architecture that pushes risk onto us for transactions we can’t see, can’t control, and can’t dispute through our own instruments.
Merchant of Record and the Checkout Control Imperative
IMHO Visa and Mastercard have built a very solid technical and rule infrastructure to manage agentic risk. DAF (Device Authentication Framework) and TAF (Transaction Authentication Framework), along with VAS services like Visa TAP and Mastercard AgentPay, are designed precisely to govern M2M payment flows with liability shift potential. It is open and standardized.
While AgentPay and Intelligent Commerce will play in ROW, US Banks are effective blockers. For example, AP2 mandates could be sent in “buy for me” BUT retailers own the risk, don’t control the authorization process (or the inclusion of AP2 Mandates within a 3DS payload), AND US banks have no plans to act on them.
Without issuer participation in a formal liability shift framework, merchants like Target bear 100% of the fraud risk — as they do today in US eCommerce. A “Buy For Me” flow that bypasses merchant checkout also bypasses the device data capture that powers Target’s risk models.
Target must own the checkout experience. It is not stubbornness. It is the only available mechanism for risk management in the absence of a network-governed liability shift that includes their full card portfolio. As I noted in UCP Enables a New Economy, UCP’s embedded checkout (iFrame) flow preserves exactly this.
Google Buy For Me represents the first REAL Machine to Machine (M2M) agentic transaction flow. Since merchants own the risk, they can set the consumer terms. Target’s consumer terms act as a liability fence before the product launches. If a consumer’s Gemini agent buys 47 shower curtain rings at 3am, Target wants it on the record that this was an authorized transaction. I also see it as a message to the ecosystem. Any AI platform (Gemini, ChatGPT, Stripe ACP) that attempts to simulate a consumer device or bypass the checkout flow is operating in a zone where the consumer owns the consequences. Target will not absorb the cost.
Until network stakeholders align, the “Your Bot Is Your Responsibility” policy is what the liability infrastructure looks like at the starting line of M2M. I believe the V/MA frameworks will succeed in the long term, but Issuers and merchants must buy in.
Related reading: UCP Enables a New Economy | Stripe Agentic Commerce Protocol (ACP) | Device Graph Extinction
Distributed Ledger Governance
Long Blog – Explaining Visa, Canton, and the Architecture of Super Validators
Executive Summary
- Stablecoin Industrialization: DLT is transforming settlement and interbank networks. There is more than one approach, ranging from closed networks to open on-chain. We discuss differences between Ethereum, JPM Kinexys and Canton Network.
- Governance as a Catalyst: Governance and operational oversight have surpassed technical specifications as the primary factors driving institutional participation in distributed ledgers.
- Visa’s “Super Validator” Role: Visa expands its network governance role into Canton as a Super Validator, applying its established “network of networks” model and operational rigor to a privacy-preserving institutional infrastructure. Trust requires a commercial construct, and Visa has it.
- Canton’s Privacy Architecture: Unlike public chains, Canton uses a “proof-of-stakeholder” model where transaction data is encrypted and distributed only to parties with a “need-to-know”.
- Super Validators Explained: Visa provides services to manage the “Global Synchronizer,” providing secure sequencing and atomic settlement across domains without ever decrypting sensitive transaction payloads.
- Transition from Silos: The native deployment of JPM Coin onto the Canton Network signals a definitive shift from closed “digital silos” to an interoperable, institutional-grade ecosystem.
- Solving the Interoperability Paradox: The Super Validator model addresses the “SWIFT challenge” by allowing banks to maintain private ledgers while enabling the universal connectivity required for global trade. Yes, there will still be closed networks, but Canton is shaping up to be the best universal bank network.
Explaining the Death of OpenAI’s Instant Checkout
Short Blog
To my regular readers, you know the flow of data within a network is complex (see Data Games). The news that OpenAI is effectively shelving its “Instant Checkout” initiative in favor of a referral-based “conversational commerce” model shouldn’t come as a surprise. While the tech press might frame this as a strategic pivot, those of us in the eCommerce trenches know it for what it is: a collision with merchants’ role in risk, costs, CX, control and their own AI dreams.
OpenAI attempted to solve its monetization problem by trying to seize control of the top of the funnel, betting that the sheer volume of consumer demand would force merchants to bow to their interface. They were wrong. They fundamentally miscalculated the power dynamics of the transaction and the complexity of the global conversion funnel, a funnel that Google understands intimately because they serve both ends of it globally (i.e., merchant partners).