In The Payment Lasagna I mapped the six layers of payment infrastructure — identification, authentication, authorisation, acceptance, settlement, disputes — and showed where the agentic protocols cover them and where they don’t. Two gaps stood out: disputes (barely addressed) and identification (essentially missing). The protocols are treating AI agents as a form factor — another way to present a credential tied to a human’s account. And the form factor model breaks when the form factor has autonomy.
But there’s a more interesting question than “what’s missing.” The interesting question is: what’s already there that could be extended?
The SCA problem
The first two layers of the lasagna — identification and authentication — are bound through SCA. Something you have (a device, a card), something you know (a PIN, a password), or something you are (a biometric). Human factors, every one of them. A machine can’t offer a fingerprint. It doesn’t carry a physical card. It doesn’t “know” a secret the way a human does.
So how do you authenticate an agent?
Here’s what practitioners forget because it’s so deeply embedded: EMV chip cards already use PKI at scale. The ICC has a private key, the certificate chain runs card → issuer → scheme CA, and the chip signs transaction data cryptographically. DDA and CDA prove that the card is genuine and the transaction hasn’t been tampered with. Billions of authentications. But it’s PKI for a chip, not a person. The human authentication — the SCA part — happens separately: PIN, fingerprint, 3DS challenge. The chip proves it’s a real card; the human proves they’re the real cardholder. Two authentications, two trust models, fused into one flow.
PKI for a chip works. PKI for a human doesn’t — certificate management, key rotation, revocation lists have been too complex for consumers for decades. But an agent isn’t a human. Managing a certificate store, checking revocation in real-time, rotating keys on schedule — that’s trivial for software. The thing that killed PKI for humans might be exactly what makes it work for agents.1
The agentic protocols already figured this out. Visa’s TAP uses RFC 9421 HTTP Message Signatures with a centralised Agent Registry — flat PKI with Visa as sole CA. Google’s AP2 uses W3C Verifiable Credentials with Decentralised Identifiers. Mastercard’s Agent Pay combines VC-based Web Bot Auth with a Know Your Agent framework. Three incompatible PKI models for the same problem.
But there’s already infrastructure that bridges PKI and human authentication, sits in the acceptance domain, and produces a cryptographic proof that travels through the entire payment chain. It’s been in production for over a decade. It’s called 3D Secure.
The 3DS opportunity
3D Secure has three domains: the Acquirer Domain (3DS Server), the Interoperability Domain (Directory Server), and the Issuer Domain (ACS — Access Control Server, where the cardholder authenticates). The 3DS Server asks the Directory Server whether a card is enrolled. The DS routes to the issuer’s ACS. The ACS evaluates risk, challenges the cardholder if needed, and produces a CAVV — the Cardholder Authentication Verification Value. That cryptogram travels through the authorisation message on the payment rails. Everyone downstream — acquirer, scheme, issuer — can see this transaction was authenticated, and how.
The beauty of 3DS: it’s an acceptance domain protocol whose output flows through the entire lasagna. Authentication happens at one end; the cryptographic proof propagates to the other. Exactly the property you need for agent authentication.
Issuers already manage the full cardholder authentication lifecycle across channels — KYC at onboarding, card enrolment in 3DS, wallet provisioning for Apple Pay (with ID&V), mobile SCA, transaction risk evaluation. These aren’t always the same system, but they share risk data and they share an owner. Agent enrolment is one more enrolment type into this ecosystem. The issuer provisions the agent with a PKI credential during enrolment. When the agent initiates a transaction, the 3DS flow kicks in as usual: 3DS Server queries the DS, DS routes to the ACS. But instead of challenging a human with a biometric or PIN, the ACS verifies the agent’s cryptographic signature against its enrolled credential. The agent proves it’s genuine — the same way an EMV chip proves it’s genuine. The ACS issues an agent-specific CAVV. The ECI value indicates “agent-authenticated.” The cryptogram flows through existing rails.
The rails don’t change. The message format barely changes. Just the authentication method at the ACS shifts from human SCA to agent PKI. New cheese topping, same lasagna.
The issuer opportunity
This is where it gets commercially interesting — and where issuers might finally catch a break.
Apple Pay extracted rent from issuers: device token fees on every transaction flowing through Apple’s wallet. The schemes followed suit with network tokens. PSD2 pushed SCA costs onto issuers — the ones who invested in good ACS infrastructure and smart risk engines won the Transaction Risk Analysis game, but the ones who challenged everything lost customers to smoother checkout flows. Either way, the intermediaries took their cut. Issuers spent a decade building authentication infrastructure that someone else monetised.
Agent enrolment flips this. The issuer owns the ACS, the cardholder relationship, the risk data, and the enrolment flow. There’s no Apple sitting between the cardholder and their agent — the issuer is the enrolment authority. “Connect your AI agent to your account” is a service the issuer provides directly, and one they can charge for: enrolment fees, per-transaction authentication fees, premium mandate tiers with higher limits or broader merchant categories. This is revenue, not rent.
And issuers bring something to agent risk management that nobody else has: decades of cardholder transaction data. An issuer knows that this cardholder shops at these merchants, in this price range, at these times. When the cardholder’s agent starts transacting, the issuer can map that behavioural profile onto the agent’s activity. An agent acting within the expected patterns of a well-profiled cardholder is an agent you can risk-score accurately. Better risk scoring means fewer false declines, fewer chargebacks, lower fraud losses — a competitive advantage that compounds. The issuers who are masters at profiling their cardholders can leverage that massively for agentic commerce, reducing disputes before they happen rather than managing them after.
The liability model maps cleanly. At enrolment, the issuer performs SCA — proper human authentication. The agent’s PKI credential is bound to that SCA event, just as a tokenised card in a wallet is bound to the SCA that provisioned it. After enrolment, the agent transacts under the mandate’s scope. The ACS evaluates each transaction against mandate constraints — spend limits, merchant categories, counterparty allowlists — the same way it evaluates risk for any 3DS transaction. Agent exceeds the mandate? Decline. Mandate fraudulently created? Liability falls on whoever failed the SCA at enrolment.
This isn’t theoretical. 3DS v2.3 already has decoupled authentication and delegated authentication — the building blocks for agent auth exist in the current spec. EMVco announced in November 2025 that they’re formally working on agentic payment specifications. And 3DS is the right vehicle because it iterates faster than anything else in the lasagna: v1 to v2 in five years, v2.1 to v2.3 in three. Compare that to ISO 20022 (two decades and counting) or chip migration (a decade per market).
The identification gap remains
But even a 3DS extension treats the agent as a form factor. The identity chain still terminates at a person: form factor → credential → payment account → KYC’d entity. The agent is enrolled under a human’s account, authenticated against a human’s mandate, settling through a human’s credential. No independent identity.
For the schemes, that’s fine — their model is built on the account holder as the identified entity. For AML monitoring, it’s not. An agent making forty purchases across twelve merchants in a single afternoon looks like structuring to a system trained on human behaviour. Without a way to tag a transaction as “initiated by verified agent X under mandate Y,” monitoring systems will either flag everything (useless) or miss actual fraud hiding behind legitimate agent activity (dangerous).
PSD2 solved an analogous problem for Third Party Providers: register with a national authority, get a licence, meet capital requirements, carry insurance. AI agents are functionally the same — third parties acting on behalf of account holders, initiating transactions. But there’s no registration, no licence, no regulatory identity.2
PSD3, expected by end of Q2 2026, doesn’t mention agents. The gap between the regulatory framework and the technology is wide and growing wider.
The European angle
There’s a problem the American protocol designers aren’t thinking about. The agentic protocols are designed for card-based and crypto-based settlement. A2A instant payments are an afterthought. And yet A2A is where Europe is heading — with Wero, with the mandatory instant payments regulation, with the digital euro.
The 3DS approach is inherently card-centric — it extends the issuer domain, flows through scheme rails, produces a CAVV for card authorisation messages. Wero and the broader A2A ecosystem need their own answer. The dispute layer in particular — what happens when an agent buys on irrevocable rails and something goes wrong — deserves its own analysis.
What I’m watching
Two things.
First, whether the 3DS path materialises. The building blocks are technically feasible. The question is whether issuers see this as revenue opportunity or compliance burden. With Apple Pay, the issuers who moved first captured wallet share but paid rent to Apple. With agent enrolment, the issuers who move first capture the agentic cardholder relationship and own the revenue stream. Different game.
Second, whether the identification layer — Know Your Agent — gets built as a proper framework. KYC took decades to mature from ad hoc bank practice to global regulatory standard. KYA is the same journey, compressed. The difference is that nobody has written the regulation yet. And the agents aren’t waiting.
Footnotes
-
The irony runs deeper. FIDO2 and WebAuthn passkeys are explicitly not being adapted for agents — they’re bound to physical devices and human intent. An agent can’t hold a YubiKey, and that’s the point. The pattern is: human authenticates with passkey, agent receives a scoped credential. The human-machine authentication boundary is maintained, not collapsed. ↩
-
There’s a reasonable argument that agents shouldn’t have independent identities — that the mandate model is sufficient and that attributing agency to the AI itself is a philosophical mistake. Fair enough. But AML monitoring doesn’t care about philosophy. It cares about transaction patterns, and agent patterns will break every model trained on human behaviour. ↩