Visa has connected its payment network to ChatGPT so that an AI agent can do the last step itself: not just surface a product, but buy it, with no human at the final click, at participating merchants. According to the report, the security model is programmatic tokenization. You pre-authorize the ChatGPT environment with spending parameters up front; then, when the agent decides to make a purchase, it generates a single-use payment token through the Visa network, which is passed by API to the merchant's backend. The report describes it as behaving exactly like a standard digital-wallet payment, with the visual checkout removed entirely. The card number never travels; a disposable token does.

The merchant side is the part builders will recognize from earlier this week. The agent does not look at a storefront. It evaluates machine-readable inventory and explicitly-formatted product attributes, pure data instead of visual merchandising, and can complete checkout across multiple vendors. That is the same agent-readable-web shape WebMCP introduced for browser actions, pointed at commerce: the store becomes a typed data surface for the agent rather than a page for a person. Visa positions its own network as the final validation layer, running fraud-detection models against the incoming token requests before they clear.

The reason this is worth covering today rather than as a routine partnership is the calendar. It lands the same day as an OWASP report naming prompt injection the top production failure mode for agentic AI, and the Visa article itself concedes that prompt injection could manipulate an agent into purchasing from a malicious vendor. Map it onto the lethal trifecta from this morning's coverage: an agent that holds a payment credential (access to value), reads untrusted merchant and web data (untrusted content), and can execute a transaction (an external action) is the trifecta lit up in full. The difference from the usual version is only what gets exfiltrated. Here it is your money. Single-use tokens and pre-set spending caps are real mitigations, and they are exactly the right shape, they bound the blast radius the way Meta's Rule of Two prescribes, but bounding is not closing, and the bound is only as good as the spending parameters a user thought to set.

The honest caveats are about the source, which is thin. It does not name the specific Visa product, though Visa has been building agentic-commerce infrastructure, so treat the mechanism as reported rather than as a confirmed named offering; it gives no spending-limit figures, no merchant scale, no executive quotes, and no clear statement of whether this is broadly live or an early pilot, so deployed is the report's word, not a verified rollout. The bigger picture is straightforward and is the demand-side mirror of everything else this week: agentic commerce, the agent that browses, decides, and pays, is the product the whole industry is racing toward, and a tokenized payment rail underneath it is the infrastructure quietly arriving to make it real. It also makes the week's recurring tension impossible to abstract away. Capability is shipping faster than the security to contain it, and an agent with a wallet is the most legible possible illustration of why that gap is not academic. The thing to watch is whether the token limits and fraud layer hold when real attackers, not the article's theoretical ones, start aiming prompt injection at a system that mints payment tokens on the model's say-so.