This is the first of three articles on agentic commerce that I will be publishing here on NeoFeed in the coming weeks. Before getting into the subject, it's worth a word about what motivated the series and how it's structured. The topic has gained rapid editorial traction in recent weeks.
Visa has formalized the Visa Agentic Ready program in Brazil, with five partner issuers: XP, Bradesco, Santander, Banco do Brasil, and Dock. Mastercard has advanced with Agent Pay and, in partnership with Google, announced in March Verifiable Intent, a trust framework aligned with the Agent Payments Protocol and the Universal Commerce Protocol.
Elo, in partnership with Decolar, is testing an agentic journey that conducts the search, comparison, and payment of airline tickets in a single conversation (via WhatsApp or through leading AI assistants), combining Pix, credit cards, and loyalty programs according to the best benefit, and without being restricted to its own card brand.
And Pagos (Brazilian Association of the Payment Ecosystem), through its Agency Commerce Working Group, has released a comprehensive e-book on the subject, which I recommend as an institutional starting point for anyone who wants a map of the ecosystem.
My goal in this series is to contribute to this ongoing conversation, helping the reader to understand in more detail how an agentic transaction actually happens from end to end.
When you follow the flow, each player's role becomes clear on its own. Since the topic is new and rapidly evolving, I'm describing the framework here as I understand it after studying the available material.
The series is organized into three parts that can be read independently. In this first article, I describe the end-to-end transaction and the technical detail that underpins everything: two tokens circulate within it, not one.
In the second part, I discuss Know Your Agent, or KYA, a new market and regulatory category that is rapidly gaining traction. And in the third part, I examine the silent battle between the layers of the market for the ownership of the customer.
The setup happens before any purchase occurs.
Before any purchase takes place, there's a preparatory stage, and there's a common misconception worth dispelling right from the start: the AI agent isn't created by the bank. When you read that a bank has enabled payments through agents, the natural interpretation suggests that it's building its own agent. That's not the case.
The agent is, and will likely continue to be, an external conversational AI platform: ChatGPT, Gemini, Claude, Microsoft Copilot, Perplexity. What the issuer does is different. It prepares for these agents, all of them, to be able to pay with its card, within the limits that the customer sets.
But there's a setup process that precedes the customer's. Before any AI agent can initiate transactions on behalf of Visa, Mastercard, or Elo cardholders, it needs to be registered and verified by the card network. This accreditation, which I explore further in the second article of this series when discussing Know Your Agent, is what defines the universe of agents recognized as trustworthy.
Having made that distinction, the customer setup happens like this: they open the bank's app and go to a dedicated area, something like AI Payments or My Agents. There, they choose which agent they want to authorize. They can authorize more than one, with different mandates for each, separating, for example, personal use and professional use.
Next, they define the mandate itself: categories allowed via MCC codes, limit per transaction, total monthly limit, time window, preferred or blocked brands, and other granular restrictions that the bank's system offers.
Then comes confirmation with biometrics. This is the decisive technical trigger. From there, the bank activates, via the card network's API, the generation of a tokenized credential with scope: it's not the card number, but a cryptographic token that is only valid for that agent, in that category, within those limits.
This credential is delivered to the chosen AI platform. The customer completes the circuit on the other end, with the agent, and also completes the connection using biometrics. From there, the agent is linked to the bank card, within the configured mandate, and can initiate purchases.
The purchase process goes through seven steps, in seconds.
The actual purchase happens in seconds, but it goes through at least seven distinct processes.
The first is the conversational request. The customer tells the agent something like "buy the tickets we agreed on" or "renew what was missing from the market".
The second is searching machine-readable catalogs. The agent queries the websites of various retailers whose catalogs are exposed via OpenAI's Agentic Commerce Protocol, Google's Universal Commerce Protocol, or another emerging standard. It compares the results and chooses the option that fits the mandate.
The third is the decision. For cases within the mandate, the agent proceeds. For exceptional cases, it returns to the client for confirmation. This is the governance point that separates a well-designed agent from a poorly designed one: what it does on its own and what it escalates to a human is not a detail, it's architecture.
It's worth noting that, in the current pilot phase, the calibration is conservative: Brazilian pilots already in the field, such as Elo's with Decolar, still prioritize human confirmation before the transaction is finalized. The model described here is the target design; the adoption curve will determine how much autonomy the ecosystem grants.
The fourth step is the presentation to the retailer. This is the crucial technical moment: the agent presents two distinct credentials to the airline, clothing store, or supermarket website, not just one. These are the payment token, which replaces the card number and is what actually makes the payment; and the mandate credential, the cryptographic proof that the agent is authorized to make that specific purchase on behalf of that customer. I will return to this point later, as it is the heart of the model.
The fifth step is merchant verification. The website verifies, via Visa's Trusted Agent Protocol, Mastercard's Verifiable Intent, or an equivalent framework, that the agent is authentic, that the mandate covers that specific purchase, and that the payment credential is valid.
Mandate verification is local, based on cryptographic signatures in open standards — FIDO Alliance, EMVCo, IETF, and W3C — and takes milliseconds. If something fails, the transaction stops there.
The sixth step is sending the transaction to the acquiring bank. Here, the process almost returns to normal. The merchant sends the transaction to their acquiring bank in the same tokenized format as they would in any e-commerce platform. The difference is that it includes additional metadata, indicating that it is a transaction initiated by an agent and attaching mandate information.
The acquiring bank routes the transaction to the card network; the card network detokenizes the transaction, records the mandate in its own log, and forwards it to the issuer. The issuer authorizes the transaction, considering the balance, mandate, and its normal risk parameters. The response then returns along the same path.
The seventh step is notifying the customer. On their mobile phone, via the bank's app, SMS, or email, depending on their registered preference, something like this appears: “ChatGPT purchased TAP tickets for R$ 1,847 in your name. Amount within the mandate. See details. Dispute.”
The money flows through the traditional settlement process, with clearing between the acquirer and the issuer via the card network, respecting the usual timeframes of the payment method involved. There is no change to the payment path.
Two tokens, not one, underpin the model.
I'll now return to the technical detail I promised to explain, because that's what actually makes the agentic model work without destroying the existing infrastructure.
In traditional e-commerce, there is a single token: the payment token, also called a network token, which replaces the card number and flows through the known chain: merchant, acquirer, card network, issuer. It's the same mechanism that makes Apple Pay and Google Pay work. It has been around for over a decade and now processes immense volumes.
In the agent model, this token continues to exist, in the same way, in the same role. What is added is a second token, of a completely different nature. I call it a verifiable mandate credential, translating the term that Mastercard uses in English, Verifiable Intent, and which Visa places under the umbrella of the Trusted Agent Protocol.
Structurally, it follows the same open standards mentioned before. Cryptographic signatures simultaneously prove which agent is making the purchase, which human authorized that agent, what the mandate limits are, and that the agent is acting within those limits. Any part of the chain can validate the credential locally in milliseconds, without needing to consult a central server.
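The merchant-side check from step five, using the credential structure just described, as an added example (not code from Visa, Mastercard or the author). The JSON field names, the choice of Ed25519 and the sample values are assumptions of this example; it checks expiry as the time window and leaves the monthly total to the issuer's authorization step.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Mandate holds scope fields the article lists; JSON names are assumed.
type Mandate struct {
	AgentID    string    `json:"agent_id"`
	AllowedMCC []string  `json:"allowed_mcc"`
	MaxCents   int64     `json:"max_per_tx_cents"`
	NotAfter   time.Time `json:"not_after"`
}

// VerifyMandate needs only a public key: signature over the exact bytes
// received, then agent, category, amount and expiry. Any error fails closed.
func VerifyMandate(pub ed25519.PublicKey, payload, sig []byte, agent, mcc string, cents int64, at time.Time) error {
	if !ed25519.Verify(pub, payload, sig) {
		return errors.New("signature invalid")
	}
	var m Mandate
	if json.Unmarshal(payload, &m) != nil || m.AgentID != agent {
		return errors.New("mandate malformed or issued to another agent")
	}
	for _, c := range m.AllowedMCC {
		if c == mcc && cents > 0 && cents <= m.MaxCents && !at.After(m.NotAfter) {
			return nil
		}
	}
	return errors.New("purchase outside mandate scope")
}

// Sample returns a constructed mandate signed with a throwaway key.
func Sample(now time.Time) (ed25519.PublicKey, []byte, []byte) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	p, _ := json.Marshal(Mandate{"agent-demo", []string{"4511"}, 200000, now.Add(time.Hour)})
	return pub, p, ed25519.Sign(priv, p)
}

func main() {
	now := time.Now()
	pub, p, sig := Sample(now)
	fmt.Println(VerifyMandate(pub, p, sig, "agent-demo", "4511", 184700, now)) // <nil>
	fmt.Println(VerifyMandate(pub, p, sig, "agent-demo", "5411", 184700, now)) // scope error
}
```

Because the signature is verified over the received bytes before they are parsed, changing any limit in the payload invalidates the credential.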
Here's a distinction that often causes confusion. All electronic transactions travel encrypted in transit; in both agent and conventional systems, it's the basic layer that prevents interception. Tokenization is something different. It replaces sensitive data, the card number, with a substitute that has no mathematical relationship to the original.
When it's said that the card network "detokenizes," it means that it translates the token back into the actual card number within its own secure vault before sending the authorization to the issuer. Encryption and tokenization are two layers that coexist. They are not alternatives, they are complementary.
What makes the system work is how these two tokens interact. The agent carries both and presents both to the merchant. The merchant verifies the mandate locally and, if valid, sends only the payment token to the acquirer, in the traditional format, with the mandate metadata attached as supplementary data.
The acquiring bank, the card network, and the issuer process it as a normal tokenized transaction. The metadata allows for differentiated treatment: better fraud scoring, attribution of responsibility in case of dispute, specific chargeback rules. But the payment pipeline is the same as always.

The roles become clear when the transaction becomes visible.
With the transaction described, the role of each player in the agentic model becomes clear without needing further explanation.
The issuer now does three things it didn't do before. It receives and stores the client's mandate. It issues the tokenized credential with scope, via the card network's API. It authorizes or rejects the transaction considering, in addition to balance and risk, adherence to the mandate. It has moved from the role of simply processing authorizations to the role of custodian of the new governance unit of the relationship with the client.
The card network occupies the position of orchestrator of the trust network. It provides the protocol, tokenization, biometric authentication, and the mechanism by which agents are registered and verified, as I mentioned earlier. It is the shared layer between all issuers and all agents. This is why Visa executives talk about creating an ecosystem when describing the program.
The AI platform is the one that actually executes the process. It searches, compares, decides, and initiates the payment. The merchant, in turn, needs to be prepared on two fronts: a machine-readable catalog, via one of the open protocols, and acceptance of the agent transaction through their acquiring bank, with the additional metadata. Those who don't make this adaptation won't appear in the agents' recommendations; they lose the sale before it even happens.
The payment processor continues processing, continues earning fees, continues managing chargebacks. It hasn't left the game, as a hasty reading of the initial articles suggested. Its role has become less visible in the short term, because the cryptographic verification of the agent happens at the merchant's site, not at the processor.
The technical adjustment that needs to be made is in how to handle the mandate metadata that comes attached to the transaction: not rejecting it as an anomaly, separating legitimate agentic transactions from fraudulent ones, and adjusting scoring rules. Whoever makes this adaptation first will become agentic-native; those who delay will fall behind, as Edgar Dunn already indicated in a diagnosis published in March 2026.
There is yet another layer that this article does not isolate, but which deserves mention: PSPs and gateways (Stripe, Adyen, Checkout.com) begin to operate as translators between the two worlds, converting the agentic transaction into a format that acquirers not yet adapted still know how to process.
It was this compatibility engineering, first built by Stripe, that allowed the entire system to function without requiring each link to switch platforms.
It's worth noting that in the Brazilian ecosystem, the boundaries between these categories are less clear than in markets like the American one. Several of our large companies cross categories, operating simultaneously as acquirers, processors, issuers, and payment institutions.
The clarity of roles for each actor, useful for understanding the overall architecture, becomes blurred when applied to real companies. Case-by-case strategic analysis is even more necessary here than it would be elsewhere.
In the short term, it changes less than you might imagine; in the medium term, more.
The engineering I've described so far, however complicated it may seem at first glance, is what allows everything to happen without rebuilding the payment system. Acquirers don't need to change their platforms. Card networks add layers, they don't replace the entire system.
Issuers gain a new asset to hold in custody, but authorize transactions in the same format. Merchants, however, do have significant technical work to do. But it's adaptation work, not reconstruction.
For those who work with payments, what changes immediately is less than one might think, and what changes in the medium term is more than one might imagine. In the immediate term, it's an extension of the tokenization that already exists, with a new layer of mandate. In the medium term, when consumer agents start negotiating with merchant agents, and when the volume begins to migrate to A2A, escaping the card-based model, then the multi-layered economic model will truly be tested.
In the next article in this series, I will discuss Know Your Agent. Without reliably identifying the agent, the mandate lacks an anchor. And this category is rapidly establishing itself as a new market and regulatory frontier, with international academic support, growing attention from NIST and the Cloud Security Alliance, and an interesting competitive window for the Brazilian digital identity ecosystem.
* Edson Santos is a payment methods specialist with over 25 years of experience. He is a partner at Colink Business Consulting, and a strategic advisor to companies in the financial and technology sectors. He is the author of "From Barter to Financial Inclusion" and co-author of "Payments 4.0 — The forces that are transforming the Brazilian market".