What happens when your AI agent buys the wrong thing: a merchant’s guide to agentic-commerce liability
When an agent misreads intent and orders wrong, the merchant usually eats the chargeback. A plain-English guide to authorization, identity, and provable approval in agent-driven checkout.
A shopper tells their AI assistant to “reorder the coffee,” and it buys the wrong roast, the wrong size, or three of them. The shopper disputes the charge. Guess who usually pays? In agentic commerce — where software agents place orders on a person’s behalf — the merchant is often left holding the chargeback when the agent gets it wrong. That is a real shift, because the buyer on the other end of your checkout is no longer always a human clicking a button. This guide is written for small-business owners who are starting to see agent traffic and want to understand the liability before it becomes a monthly line item. We will walk through the four risk buckets analysts use to frame agentic commerce, explain who typically owns the chargeback, look at an emerging bot-farm refund-abuse threat, compare human and agent checkout side by side, and lay out what you should require before you accept agent orders. This is general information, not legal or payments advice.
- In agent-driven checkout, the merchant often eats the chargeback when the agent buys the wrong thing — plan for it before it becomes a monthly cost.
- Sort every agent incident into authorization, identity, fraud, or discovery; the bucket tells you which control and which record would have prevented it.
- Keep a verifiable, non-repudiable record of who approved what so you can prove an agent purchase was authorized — this is general information, not legal or payments advice.
The four risk buckets of agentic commerce
When an agent shops for a person, the familiar assumptions behind checkout start to break. You are no longer verifying that a human saw the price, chose the item, and clicked buy. Instead, a piece of software interpreted an instruction and acted. Analysts who study this shift describe the risk in four buckets, and it helps to name them plainly before you decide how to handle agent traffic. Each bucket maps to a question you already care about as a merchant — did the buyer mean to buy this, is the buyer who they claim to be, is this a scam, and where did the agent even find you.
Thinking in buckets keeps the problem from feeling abstract. Most disputes you will see trace back to one of them: the agent misread intent (authorization), the agent could not prove whose behalf it acted on (identity), someone weaponized the agent (fraud), or the agent surfaced and transacted through a channel you never vetted (discovery). Sorting an incident into a bucket tells you which control would have prevented it — and which record you wish you had kept.
- Authorization — did the shopper actually approve this specific purchase, or did the agent guess at intent?
- Identity — can the agent prove whose behalf it is acting on, and that the person is real?
- Fraud — is the agent being used to run friendly fraud, refund abuse, or automated scams?
- Discovery — through what channel did the agent find your product, and can you trust it?
Who owns the chargeback when an agent gets it wrong
Here is the uncomfortable part. When an AI agent misinterprets a shopper’s intent and buys the wrong thing, the merchant is often left liable for the resulting chargeback. The shopper did not choose that item on your product page — the agent did — but the dispute still lands on your account, with your fees and your win-rate at stake. Card rules were written for a world where a human sat at checkout, so the default liability today frequently tilts toward the seller when an agent is in the loop and nobody can show that the person approved the order.
The volume trend makes this worth planning for now rather than later. Global dispute case volume is forecast to rise about 24% from 2025 to 2028, and most of that growth is card-not-present — exactly the environment agents operate in, per Checkout.com. More agent traffic plus more disputes plus a liability default that leans toward you is a combination worth getting ahead of. The practical defense is evidence: a record of who approved what, tied to the order, that you can produce when a dispute arrives. That is where proving authorization stops being abstract and starts protecting your margin.
The bot-farm refund-abuse threat merchants aren’t ready for
Agentic commerce does not just raise honest mistakes — it raises the ceiling on abuse. Alongside the wrong-item chargebacks, agents introduce friendly-fraud and automated bot-farm refund-abuse risk, per Chargeback Gurus. The problem is scale. A human running a refund scam is limited by how fast they can type and how many accounts they can juggle. An agent, or a farm of them, can request refunds, dispute charges, and cycle through orders at machine speed, around the clock, in patterns designed to look like ordinary buyers.
For a small merchant, that changes the math on refund policy and monitoring. A refund rate that looked like noise at human pace can become a real leak at automated scale, and it can arrive suddenly rather than creeping up. You do not need to treat every agent as hostile — most will be legitimate assistants running errands. But you do need a way to tell an authorized agent order apart from an automated abuse run, and a way to show, after the fact, which orders carried a genuine approval. Without that record, every disputed agent order looks the same, and the abusive ones hide in the crowd.
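One way to separate machine-speed refund runs from ordinary agent orders, as an added example that is not part of the original guide. The event fields, the `group_key` (a hypothetical key that survives account cycling, such as a shipping address), the window and the threshold are all assumptions, and the events are constructed sample data.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 3600   # assumed look-back window
MAX_UNPROVEN = 3        # assumed limit of unproven refunds per window

def flag_refund_bursts(events, window=WINDOW_SECONDS, limit=MAX_UNPROVEN):
    """Return order ids of refund requests that exceed `limit` unproven
    refunds for one grouping key inside `window` seconds."""
    recent = defaultdict(deque)  # group_key -> timestamps of unproven refunds
    flagged = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["has_approval_record"]:
            continue  # approval on file: this refund goes through normal policy
        q = recent[ev["group_key"]]
        q.append(ev["ts"])
        # Drop timestamps that have aged out of the window.
        while ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) > limit:
            flagged.append(ev["order_id"])
    return flagged

# Constructed sample: (ts seconds, order id, group key, approval on file?)
SAMPLE = [
    (0, "A1", "addr-17", True),
    (40, "B1", "addr-99", False),
    (55, "B2", "addr-99", False),
    (70, "B3", "addr-99", False),
    (85, "B4", "addr-99", False),
    (100, "B5", "addr-99", False),
    (5000, "C1", "addr-17", False),
    (90000, "C2", "addr-17", False),
]
EVENTS = [dict(ts=t, order_id=o, group_key=g, has_approval_record=a)
          for t, o, g, a in SAMPLE]

if __name__ == "__main__":
    print(flag_refund_bursts(EVENTS))
```

Refunds on orders with a stored approval are excluded from the count, so the threshold only tightens around the orders the merchant cannot prove were authorized.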
Human checkout vs. agent checkout
The gap is easiest to see when you put the two flows next to each other. In a human checkout you inherit decades of card rules, a session and device trail, and a cardholder who approved the purchase directly. In an agent checkout, an intermediary approved on the shopper’s behalf, the proof of that approval is often missing entirely, and the liability default frequently swings to you. Read the accountability gap below — the middle column is what you are used to, and the right column is what you actually get when an agent checks out today.
What a small merchant should require before accepting agent traffic
You do not have to solve agentic commerce single-handedly, and you should not wait for the whole industry to standardize before you protect yourself. Emerging standards are moving in your direction: Google’s Agent Payments Protocol (AP2), Visa’s Trusted Agent Protocol (TAP), and agent payment tokens are all being built to encode and prove a shopper’s approval, per Checkout.com. Until those are universal, treat the checklist below as your minimum bar for accepting agent orders — each item is really the same idea in different clothing, which is proof that the purchase was authorized.
The through-line is a verifiable record: an independently checkable trail of who approved what, tied to the order, that you can produce when a dispute or refund demand arrives. That is the honest value of a non-repudiable approval trail — not that it makes you win every dispute, but that it lets you prove an agent purchase was authorized instead of guessing. RankShield builds exactly that kind of verifiable record, so “the customer’s agent approved this” becomes something you can show rather than assert.
- A record of authorization — evidence the shopper approved this specific order, not just a standing relationship.
- Agent identity you can check — some way to confirm whose behalf the agent acted on before you fulfill.
- Support for emerging approval standards (AP2, TAP, agent payment tokens) as your platforms adopt them.
- Refund and dispute monitoring tuned for machine-speed, at-scale abuse — not just human-paced patterns.
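The first checklist item and the "verifiable record" described above, as an added example that is not RankShield's code or any standard's message format. The field names, SKUs and amounts are hypothetical and constructed. The approval is assumed to have been authenticated upstream (for example by whichever approval standard the platform supports), and the hash chain only makes the merchant's own log tamper-evident.

```python
import hashlib
import json

GENESIS = "0" * 64

def _digest(body):
    # Canonical JSON so the same record always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def scope_mismatches(order, approval, now):
    """List the ways an agent order falls outside what the shopper approved."""
    problems = []
    if order["sku"] != approval["sku"]:
        problems.append("sku")
    if order["qty"] > approval["max_qty"]:
        problems.append("qty")
    if order["amount_cents"] > approval["max_amount_cents"]:
        problems.append("amount")
    if now > approval["expires_at"]:
        problems.append("expired")
    return problems

def append_evidence(log, order, approval, now):
    """Record the decision; each entry commits to the one before it."""
    body = {"prev": log[-1]["hash"] if log else GENESIS, "at": now,
            "order": order, "approval": approval,
            "mismatches": scope_mismatches(order, approval, now)}
    log.append({**body, "hash": _digest(body)})
    return log[-1]

def log_is_intact(log):
    """Recompute the chain; an edited, reordered or mid-log deleted entry breaks it."""
    prev = GENESIS
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or _digest(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True

# Constructed sample: the shopper approved one 12 oz medium roast, up to $18.
APPROVAL = {"approval_id": "apr-001", "sku": "COFFEE-MED-12OZ", "max_qty": 1,
            "max_amount_cents": 1800, "expires_at": 1_000_600}
GOOD = {"order_id": "o-1", "sku": "COFFEE-MED-12OZ", "qty": 1, "amount_cents": 1650}
WRONG = {"order_id": "o-2", "sku": "COFFEE-DARK-12OZ", "qty": 3, "amount_cents": 4950}

LOG = []
append_evidence(LOG, GOOD, APPROVAL, now=1_000_000)
append_evidence(LOG, WRONG, APPROVAL, now=1_000_030)
```

Checking `scope_mismatches` before fulfilment catches the wrong-roast, wrong-quantity order from the opening scenario, and the stored entry is what gets produced if the charge is later disputed.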