Selling alcohol requires age verification. Gambling requires identity checks. Financial products require KYC. These rules were drawn because we assumed the buyer was human. This no longer holds true.
Stripe’s Agentic Commerce Suite is targeting over a million merchants. Mastercard and PayPal are already signed to competing protocols. The scale is real.
Every protocol racing to own these rails has solved the mechanics of payment. None has solved who is buying. ACP’s Shared Payment Token is scoped to a merchant and a cart total. It says nothing about whether the person behind the agent is 18. L402 is permissionless by design. No KYC. No signup. No pre-existing relationship.
Sooner or later, someone will ask: who authorized the payment? Who processed it? Were both parties legally permitted to transact? In Europe, the Payments Services Directive (“PSD2”) already answers part of it: if an agent causes an unauthorized transaction, the payment processor bears liability. Two US courts issued conflicting rulings on AI’s legal status in February alone: Heppner in New York, Warner in Michigan. Agentic payment standard proposals currently elude these questions.
The companies building the rails are moving fast. The frameworks governing what you can sell, and to whom, are not.