06 — Card Networks in the Agentic Era

Visa Trusted Agent Protocol, Mastercard Agent Pay, American Express, and the Cloudflare Web Bot Auth layer

This section documents how the three largest global card networks have positioned themselves for agentic commerce between April 2025 and April 2026. It assumes familiarity with the protocol deep-dives in AP2 and ACP, and cross-references the wallet and platform analysis in Wallets & Platforms.


1. Why card networks care: defending the rails in the agentic era

For Visa, Mastercard, and American Express, the arrival of autonomous shopping agents is both a volume opportunity and an existential threat. The opportunity is obvious: if a single ChatGPT, Gemini, Copilot, or Perplexity session can compress a weeks-long shopping journey into a single "buy-it-for-me" utterance, the number of card-not-present (CNP) authorisation requests flowing across the rails could grow by an order of magnitude. The threat is that those requests may arrive looking, to every existing fraud-detection system, exactly like a botnet attack.

Three structural problems have forced the networks to act in lock-step rather than wait for the market to settle:

  1. Bot-detection collateral damage. Merchants and their fronting CDNs (Cloudflare, Akamai, Fastly) have spent a decade tuning WAFs, JavaScript challenges, and device-fingerprint stacks to block non-browser traffic. A legitimate OpenAI Operator or Anthropic Computer Use agent fetching a product page is, by those signals, indistinguishable from a carding bot. Without a cryptographic "I'm a good agent" signal, merchants face the binary choice articulated by Visa's own Trusted Agent Protocol documentation: "Block potentially valuable agent-driven commerce, or accept significant operational and security risks from unverified agents."[^1]
  2. Liability and chargeback exposure. Under current card-scheme rules, card-not-present fraud liability typically falls on the merchant unless the transaction is authenticated with 3-D Secure (3DS). If a compromised or hallucinating agent makes an unauthorised purchase, today's rulebook does not clearly allocate the loss — is the "cardholder present" if the human is technically asleep while their agent transacts?
  3. Disintermediation by crypto and ACH rails. Coinbase's x402 (see x402 & Crypto) and stablecoin agent wallets like Crossmint and Skyfire are explicitly pitched as non-card settlement for machine-to-machine commerce. If agentic transactions default to USDC-on-Base, the networks lose interchange economics on the fastest-growing payment modality.

The networks' collective response — announced in a tightly coordinated four-week window in late April 2025 and formalised at the Cloudflare summit on 14 October 2025 — is to push agent identity and intent down into the transport layer (HTTP message signatures) and agent authorisation up into the tokenisation layer (agentic tokens / VTS). The rest of this section dissects each network's implementation of that shared strategy and where they diverge.


2. Existing primitives the networks can leverage

Before examining the new programmes, it is worth cataloguing the pre-existing infrastructure the networks are extending. Agentic commerce did not emerge in a vacuum; the networks arrived at the problem already holding a large set of cryptographic and risk primitives.

2.1 Network tokenisation (VTS, MDES)

Visa Token Service (VTS) and Mastercard Digital Enablement Service (MDES) replace the 16-digit Primary Account Number (PAN) with a domain- and device-scoped token. The token can be restricted by merchant, channel, dollar limit, or time window. This is the exact scoping primitive agentic payments need: an agent-specific token can be restricted to a specific merchant domain, a single purchase, a single session, or a revocable per-agent credential.

Mastercard's "Agentic Tokens" — announced as part of Agent Pay on 29 April 2025 — are explicitly framed as an extension of the same MDES tokenisation used today for Apple Pay, Google Pay, card-on-file and recurring payments, now with an agent-identifier dimension added to the cryptogram.[^2] Visa's "AI-ready cards" under Visa Intelligent Commerce are similarly tokenised credentials issued through VTS, with agent-scoping metadata.[^3]

2.2 EMV 3-D Secure 2.x (3DS2) and Strong Customer Authentication

3DS2 already carries a rich payload of device, behavioural, and merchant-risk signals from merchant to issuer, and supports frictionless authentication where risk is low and step-up (biometric, OTP) where risk is high. In PSD2-regulated geographies, 3DS2 is the compliance vehicle for Strong Customer Authentication (SCA). The networks' play for agentic commerce is to extend the 3DS2 payload with agent-context fields: which agent is acting, under what mandate, with what cryptographic provenance. This is exactly what EMVCo confirmed on 20 November 2025 it was working on, stating that "EMV Specifications — including EMV 3-D Secure (3DS), EMV Payment Tokenisation and EMV Secure Remote Commerce (SRC) — can be developed and enhanced to promote seamless and secure card-based agentic payments."[^4] Amex sits on EMVCo and has publicly committed to driving that workstream.[^5]

2.3 Network-level risk scoring

Visa Advanced Authorization and Mastercard Decision Intelligence already score every transaction in-flight using network-wide data the issuer cannot see. Those scoring engines are being re-trained to incorporate agent-origin signals — whether a transaction was initiated by a verified agent, what the agent's prior reputation looks like, and whether the user's mandate permits this purchase type.

2.4 Dispute and chargeback rules

Finally, both networks already run global arbitration systems (Visa Resolve Online, Mastercom) that decide who eats fraud. Agentic commerce will require new reason codes and new evidence requirements — cryptographic proof of mandate, agent signature logs, intent signals — that the networks are uniquely positioned to define. This is one of the open questions in §9 below.


3. Visa Intelligent Commerce and the Trusted Agent Protocol

Visa's agentic strategy is a two-layer stack:

  • Visa Intelligent Commerce (VIC) — announced 30 April 2025 at the Visa Global Product Drop — is the business programme: tokenised "AI-ready" Visa credentials, APIs for AI platforms to provision them, risk controls, and a commercial partner programme. Launch partners named on the investor release include Anthropic, OpenAI, Microsoft, Mistral AI, Perplexity, Samsung, IBM, and Stripe, plus commerce and acquiring partners.[^3]
  • Trusted Agent Protocol (TAP) — announced 14 October 2025 — is the technical protocol that lets a shopping agent prove its identity and authorisation directly to a merchant's front door.[^6]

3.1 The problem TAP solves

The TAP GitHub repository states the framing bluntly: "For an agent to make a purchase, merchants must answer: Is this a legitimate, trusted, and recognized AI agent? Is it acting on behalf of a specific, authenticated user? Does the agent carry valid instructions from the user to make this purchase?"[^1] Today, merchants cannot answer any of those three questions from HTTP headers alone. TAP is Visa's attempt to encode answers into a verifiable signature attached to every request.

3.2 Cryptographic construction

TAP is built on three IETF building blocks:

  1. RFC 9421 — HTTP Message Signatures (Feb 2024). This is the canonical standard for signing arbitrary HTTP messages: a client selects a set of "covered components" (method, path, headers), canonicalises them into a signature base, signs with a private key, and emits Signature-Input and Signature headers. RFC 9421 is what TAP uses to bind the signature to the specific merchant domain and specific HTTP operation.
  2. Web Bot Auth — the IETF draft draft-meunier-web-bot-auth-architecture, authored by Thibault Meunier (Cloudflare) and Sam Major (Google). Revision -05 (2 March 2026) describes "an architecture for identifying automated traffic using HTTP-MESSAGE-SIGNATURES… to allow automated HTTP clients to cryptographically sign outbound requests, allowing HTTP servers to verify their identity with confidence."[^7] Web Bot Auth adds the Signature-Agent header (pointing at a key-discovery URL), anti-replay nonces, and a public list mechanism for discovering trusted agent keys.
  3. Agent registry. Visa's reference implementation ships with a standalone agent-registry service alongside the merchant-backend, cdn-proxy, merchant-frontend, and tap-agent components in the open-source sample.[^1] The registry is the authoritative directory of agent public keys and metadata; merchants resolve a signature's key identifier against the registry to decide whether the agent is known and in good standing.

3.3 What is actually on the wire

According to Visa's TAP documentation, the signature that an agent attaches to each merchant request includes:

  • A timestamp (prevents time-shift attacks),
  • A unique session identifier (prevents cross-session replay),
  • A key identifier pointing to the agent's registry entry,
  • An algorithm identifier,
  • Binding to the merchant's domain and the specific operation (browse vs. pay).[^1]

Critically, query parameters can carry consented consumer identifiers — a Payment Account Reference (PAR) for a card-on-file, email, phone, or loyalty number — so that the merchant can pre-fill checkout without the agent needing to scrape forms. The PAR is the same tokenised reference that VTS already emits, which is how TAP hands off to the existing authorisation flow: the agent proves identity and intent at the front door, the merchant uses the PAR to look up the token, and the authorisation request runs through VisaNet as a tokenised CNP transaction with additional agent-context flags in the 3DS2 payload.
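
The construction in 3.2 and the signature fields listed in 3.3, as an added example (not code from Visa's repository or the Web Bot Auth draft): an agent signs a request with Ed25519 over an RFC 9421 signature base, and a merchant-side verifier rejects a replayed nonce, reuse at another domain, an expired signature, and a browse-tagged signature presented where a pay tag is expected. The covered-component set, the `browse`/`pay` tag values, the use of `nonce` for the session identifier, the in-memory registry, and all hosts and key ids are assumptions for illustration.

```javascript
// Added example (not Visa's or Cloudflare's code); uses only Node's built-in crypto.
const crypto = require("node:crypto");

const COVERED = ["@authority", "@path", "signature-agent"]; // assumed component set
const MAX_LIFETIME = 300; // seconds; assumed merchant policy
const SKEW = 5;           // tolerated clock skew in seconds; assumed

// Serialised once; reused verbatim in Signature-Input and the signature base.
function serialiseParams(covered, p) {
  const list = covered.map((c) => `"${c}"`).join(" ");
  return `(${list});created=${p.created};expires=${p.expires};keyid="${p.keyid}"` +
    `;alg="${p.alg}";nonce="${p.nonce}";tag="${p.tag}"`;
}

function componentValue(req, name) {
  if (name === "@authority") return req.authority.toLowerCase();
  if (name === "@path") return req.path;
  const v = req.headers[name];
  if (v === undefined) throw new Error(`missing covered component ${name}`);
  return v.trim();
}

// RFC 9421 section 2.5: one line per covered component, then @signature-params.
function signatureBase(req, covered, paramString) {
  const lines = covered.map((c) => `"${c}": ${componentValue(req, c)}`);
  lines.push(`"@signature-params": ${paramString}`);
  return lines.join("\n");
}

function signRequest(req, privateKey, p) {
  const paramString = serialiseParams(COVERED, p);
  const base = Buffer.from(signatureBase(req, COVERED, paramString));
  const sig = crypto.sign(null, base, privateKey).toString("base64");
  const headers = { ...req.headers, "signature-input": `sig1=${paramString}`, signature: `sig1=:${sig}:` };
  return { ...req, headers };
}

// Narrow parser for the single-label form emitted above, not a full RFC 8941 parser.
function parseSignatureInput(value) {
  const m = /^sig1=(\(([^)]*)\)(.*))$/.exec(value);
  if (!m) throw new Error("malformed Signature-Input");
  const covered = m[2].split(" ").filter(Boolean).map((c) => c.replace(/"/g, ""));
  const params = {};
  for (const part of m[3].split(";").filter(Boolean)) {
    const i = part.indexOf("=");
    const v = part.slice(i + 1);
    params[part.slice(0, i)] = v.startsWith('"') ? v.slice(1, -1) : Number(v);
  }
  return { covered, params, paramString: m[1] };
}

function verifyRequest(req, registry, seenNonces, expectedTag, now) {
  let parsed;
  try { parsed = parseSignatureInput(req.headers["signature-input"] || ""); } catch { return "reject: malformed"; }
  const { covered, params, paramString } = parsed;
  // Refuse signatures that leave the domain or path unsigned.
  if (!COVERED.every((c) => covered.includes(c))) return "reject: component not covered";
  if (params.alg !== "ed25519") return "reject: unsupported algorithm";
  if (params.tag !== expectedTag) return "reject: wrong tag";
  if (!(params.created <= now + SKEW && now < params.expires)) return "reject: outside validity window";
  if (params.expires - params.created > MAX_LIFETIME) return "reject: lifetime too long";
  const entry = registry.get(params.keyid);
  if (!entry || entry.revoked) return "reject: unknown or revoked key";
  const m = /^sig1=:([A-Za-z0-9+/=]+):$/.exec(req.headers.signature || "");
  if (!m) return "reject: malformed";
  // The base is rebuilt from the request as this merchant received it, so
  // headers captured at another host or path no longer verify.
  let base;
  try { base = signatureBase(req, covered, paramString); } catch { return "reject: missing component"; }
  const ok = crypto.verify(null, Buffer.from(base), entry.publicKey, Buffer.from(m[1], "base64"));
  if (!ok) return "reject: bad signature";
  // Record the nonce only after the signature checks out, so unsigned
  // traffic cannot fill the replay cache.
  const nonceKey = `${params.keyid}:${params.nonce}`;
  if (seenNonces.has(nonceKey)) return "reject: replay";
  seenNonces.add(nonceKey);
  return "accept";
}

// Constructed sample data: key id, hosts, nonce and tag values are placeholders.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  const registry = new Map([["agent-key-1", { publicKey, revoked: false }]]);
  const now = 1760000000;
  const req = { authority: "shop.example", path: "/product/42", headers: { "signature-agent": '"https://agent.example"' } };
  const signed = signRequest(req, privateKey, { created: now, expires: now + 60,
    keyid: "agent-key-1", alg: "ed25519", nonce: "c2Vzc2lvbi0x", tag: "browse" });
  const seen = new Set();
  return {
    first: verifyRequest(signed, registry, seen, "browse", now + 5),
    replay: verifyRequest(signed, registry, seen, "browse", now + 6),
    otherSite: verifyRequest({ ...signed, authority: "other-shop.example" }, registry, new Set(), "browse", now + 5),
    expired: verifyRequest(signed, registry, new Set(), "browse", now + 120),
    payEndpoint: verifyRequest(signed, registry, new Set(), "pay", now + 5),
  };
}

console.log(demo());
```

A production verifier would also bound the replay cache by each signature's `expires` value and fetch keys from the registry or key-discovery URL instead of an in-memory map.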

3.4 Bypassing bot detection for trusted agents

The operational payoff is that Cloudflare (and in principle any other CDN adopting Web Bot Auth) can be configured to allow-list requests that carry a valid Web Bot Auth signature from a registered agent, instead of forcing them through a CAPTCHA, JavaScript challenge, or behavioural fingerprinting gauntlet designed to block non-browser traffic. The Cloudflare press release of 14 October 2025 explicitly frames this as the purpose: "merchants can determine the identity and intent of agent traffic and securely accept any payment method from an agent, such as credit, debit, crypto and others."[^6] For the first time, a merchant can distinguish a legitimate LLM agent acting on a customer's behalf from a credential-stuffing script, without installing anything proprietary — both are visible as RFC 9421 signatures referencing a key in a public registry.

3.5 Architectural diagram (simplified)

sequenceDiagram
    participant U as User
    participant A as AI Agent
    participant R as Agent Registry
    participant CF as CDN / Cloudflare
    participant M as Merchant
    participant V as VisaNet (VTS)

    U->>A: "Buy me running shoes under $150"
    A->>A: Construct HTTP request + RFC 9421 signature
    A->>CF: GET /product (Signature-Agent, Signature)
    CF->>R: Resolve key ID
    R-->>CF: Public key + reputation
    CF->>M: Forward request (trusted)
    M-->>A: Product data + checkout URL
    A->>M: POST /checkout (PAR via TAP query param, new signature)
    M->>V: Authorise token (with agent-context)
    V-->>M: Approved
    M-->>A: Order confirmed
    A-->>U: "Bought. Arriving Tuesday."

4. Visa's partner stack

Visa's approach is deliberately ecosystem-led: rather than build a proprietary agent runtime, it has recruited the AI platforms to originate traffic and the acquirers/PSPs to terminate it. The partners fall into three tiers:

4.1 AI model & platform partners (announced with VIC, 30 April 2025)

Named on the Visa investor release and corroborated by coverage at the Global Product Drop: Anthropic, OpenAI, Microsoft, Mistral AI, Perplexity, Samsung, and IBM, plus Stripe as a payments platform.[^3] These partners hold the user's "buy-it-for-me" prompts and are the natural originators of agentic transactions.

4.2 Acquirer, PSP and commerce partners (announced with TAP, 14 October 2025)

The Trusted Agent Protocol launch named feedback-giving partners: Adyen, Ant International, Checkout.com, Coinbase, CyberSource, Elavon, Fiserv, Microsoft, Nuvei, Shopify, Stripe, and Worldpay.[^8][^6] Their contributions differ:

  • Adyen, Checkout.com, Nuvei, Worldpay, Fiserv, Elavon, CyberSource — acquiring-side PSPs that will implement TAP verification at the merchant gateway, so a merchant integrated with any of them inherits agent-trust without custom code.
  • Ant International — brings Asia-Pacific merchant reach (Antom, Alipay+) and will carry TAP signals through its cross-border rails.
  • Coinbase — uniquely straddles card and crypto; as steward of x402 and issuer of commerce cards, Coinbase's participation is the clearest signal that Visa intends TAP to carry stablecoin-settled agent transactions too ("any payment method from an agent, such as credit, debit, crypto and others").[^6]
  • Microsoft — provides the Copilot and Azure OpenAI agent runtimes; Microsoft's participation on both Visa and Mastercard programmes is one of the few explicit cross-network bridges.
  • Shopify — the canonical mass-market merchant stack; TAP enabled on Shopify's storefronts effectively pushes agent-trust to tens of millions of SMB merchants by default.
  • Stripe — sits on both sides of the fence; see §10 for how Stripe's ACP work ties in.

4.3 Portfolio and ventures partners

Nekuda is worth explicit mention: the Tel-Aviv agentic-payments startup raised a $5M seed in May 2025 led by Madrona Ventures with participation from Visa Ventures and Amex Ventures, and its product is explicitly pitched as building "Agent Wallets, Agentic Mandates, and Visa Intelligent Commerce integration."[^9] Nekuda is thus a Visa Intelligent Commerce integrator and a Visa Ventures portfolio company, but — contrary to some secondary coverage — it is not listed among the TAP feedback partners on either the Visa IR release or Cloudflare's 14 October press.[^8][^6]


5. Mastercard Agent Pay

Mastercard announced Agent Pay on 29 April 2025, one day before the Visa announcement.[^10] The product has several distinct components.

5.1 Agentic Tokens

Agentic Tokens are an extension of Mastercard's existing tokenisation service (MDES). Mastercard positions them as the same trust primitive it used to bootstrap mobile contactless, card-on-file, and digital credentials — a tokenised representation of the underlying card, but with new scoping dimensions for agent identity, scope of delegation, and audit trail.[^2] A given cardholder can provision multiple Agentic Tokens, one per trusted agent, with per-agent spend limits, merchant restrictions, and revocation.

5.2 Agent Pay Acceptance Framework

The Agent Pay Acceptance Framework (APAF) is the merchant-facing rulebook and technical specification for accepting agent-initiated Mastercard transactions. It defines:

  • How merchants verify agent identity (via Web Bot Auth / Cloudflare; see §7),
  • How agent-context data flows through authorisation,
  • Evidence and liability rules for disputed agent transactions,
  • Certification requirements for acquirers and PSPs.

The PayPal press release of 27 October 2025 confirms APAF as the framework PayPal will pilot: "PayPal will pilot the Mastercard Agent Pay Acceptance Framework and partner to co-develop and test with agents and merchants in the market."[^11]

5.3 MOR/MDES integration and issuer pilots

Unlike ACP (which pushes Merchant-of-Record status to the merchant), Agent Pay runs over Mastercard's existing rails, with the issuer as MOR of the card credential and the merchant as MOR of the transaction. The Citi and U.S. Bank pilots — first announced by Mastercard and widely reported in September 2025 — make Citi and U.S. Bank Mastercard cardholders the first cohort able to provision Agentic Tokens for use with participating AI agents, with national U.S. expansion flagged for the 2025 holiday season.[^12][^13]

5.4 Mastercard partner stack

The 29 April 2025 launch and subsequent announcements name a consistent roster:

  • Microsoft — Azure OpenAI Service and Copilot Studio integration for conversational agentic commerce.
  • IBM — watsonx Orchestrate for B2B agentic procurement use cases.
  • Stripe and Braintree (PayPal's acquiring arm) — scaling tokenisation and agentic acceptance on the PSP side.
  • Checkout.com — acquirer-side agentic acceptance.
  • Ant International / Antom — APAC agentic acceptance reach.
  • Crossmint — stablecoin wallet and agent-commerce stack that interoperates with Agentic Tokens.
  • Lobstercash — cashback / loyalty agentic integration.
  • PayPal (27 October 2025) — Agent Pay integrated into the PayPal wallet, exposing Mastercard credentials on file and PayPal co-branded credit/debit to agent checkout wherever PayPal is accepted.[^11]

5.5 How an Agent Pay transaction flows

sequenceDiagram
    participant U as User
    participant I as Issuer (Citi/USB)
    participant A as Agent (Copilot/watsonx)
    participant M as Merchant
    participant MC as Mastercard (MDES)

    U->>I: Provision Agentic Token for Agent A (scope, limits)
    I->>MC: Request MDES token bound to Agent A
    MC-->>I: Agentic Token + cryptogram key
    I-->>A: Agentic Token delivered
    U->>A: "Order groceries under $120"
    A->>M: Checkout with Agentic Token (Web Bot Auth signed)
    M->>MC: Authorisation with token + agent context
    MC->>I: Forward with agent-risk score
    I-->>MC: Approved
    MC-->>M: Approved
    A-->>U: Order placed

6. American Express: an issuer-acquirer on both sides

American Express's position is structurally different from Visa or Mastercard: Amex is a closed-loop network, meaning it issues cards and acquires merchants and operates the rail. That means it does not need partner banks or partner acquirers to bring agentic capability to its cardholders — it can ship end-to-end on its own timeline.

Amex's public positioning, published on its technology blog americanexpress.io, emphasises this vantage point: "As a global payments network, issuer, and acquirer, American Express sits at a unique intersection within the commerce ecosystem."[^14] The strategy has three prongs:

  1. Standards contribution, not proprietary protocol. Rather than launch an "Amex Agent Pay" analogue, Amex has explicitly signed on to three external standards: Google's AP2, Cloudflare's Web Bot Auth, and EMVCo's forthcoming agentic-commerce extensions to 3DS, EMV Payment Tokenisation, and SRC.[^14][^5]
  2. SafeKey + agentic context. SafeKey is Amex's implementation of EMV 3DS. As EMVCo's agentic workstream produces amended 3DS payload fields, Amex will carry them via SafeKey β€” allowing Amex issuers to apply biometric step-up, spending controls, and transaction-specific mandates to agent transactions without a separate product.
  3. Web Bot Auth at the front door. Per the Cloudflare release: "American Express will also leverage Web Bot Auth for use in its agentic commerce program" — Luke Gebb, EVP & Head of Global Innovation at Amex, is quoted affirming the collaboration.[^6]

Amex is also a named contributor to AP2, an early Amex Ventures investor in Nekuda, and (per the americanexpress.io blog) an active participant in EMVCo's agentic payments workstream.[^14][^9]

The practical effect is that an Amex transaction initiated by an AI agent will:

  • Present a Web Bot Auth signature at the merchant's CDN (identity);
  • Carry AP2 Payment Mandate context into the authorisation (intent);
  • Terminate in a SafeKey-authenticated, network-tokenised authorisation back to Amex as both issuer and acquirer.

The absence of a branded "Amex Agent Pay" product should not be read as inaction; it is a deliberate bet that closed-loop networks can ship the same capability faster without a marketing wrapper.


7. Cloudflare as the common substrate

Cloudflare is the pivot point for all three networks. Its 14 October 2025 press release is unusual in naming Visa, Mastercard, and American Express simultaneously — three competitors in the same sentence, aligned on a single authentication primitive.[^6] Three Cloudflare products underpin this:

  1. Web Bot Auth — the IETF draft authored by Cloudflare (and co-authored with Google) that lets bots cryptographically sign outbound HTTP requests. It is the common layer underneath Visa TAP, Mastercard Agent Pay verification, and Amex's agentic programme.[^7][^6]
  2. Agent SDK / AI Agent identity — Cloudflare's developer toolkit for building agents that can issue Web Bot Auth signatures natively. Per the press release, "AI agents built with the Cloudflare Agents SDK will soon be able to use these protocols to shop autonomously at millions of merchants globally."[^6]
  3. Pay-per-crawl — Cloudflare's crawler-monetisation product, which uses the same identity primitives to let sites charge machine traffic. Pay-per-crawl is bundled with x402 (see x402 & Crypto) and demonstrates that the same Web Bot Auth stack used for agent checkout can also meter machine-to-machine content access.

Additional partners named on the Cloudflare release as co-evolving Web Bot Auth for agentic commerce: Adyen, Checkout.com, Circle, Fiserv, Microsoft, Nuvei, Shopify, Webflow, and Worldpay.[^6] The presence of Circle — issuer of USDC — alongside Visa and Mastercard again signals that Web Bot Auth is explicitly payment-rail-agnostic.

In effect, Cloudflare is doing for agentic identity what it previously did for TLS: providing a standardised, free-at-the-edge primitive that every network can adopt without picking sides.


8. Comparison: Visa TAP vs Mastercard Agent Pay vs American Express

| Dimension | Visa (VIC + TAP) | Mastercard (Agent Pay) | American Express |
| --- | --- | --- | --- |
| Umbrella brand | Visa Intelligent Commerce (VIC) | Mastercard Agent Pay | Shaping the Future of Agentic Commerce (programme, no product brand) |
| Announcement date | VIC: 30 Apr 2025; TAP: 14 Oct 2025[^3][^6] | Agent Pay: 29 Apr 2025[^10] | Ongoing; Cloudflare collab 14 Oct 2025[^6] |
| Transport-layer identity | Trusted Agent Protocol (RFC 9421 + Web Bot Auth + agent registry)[^1] | Web Bot Auth (per Cloudflare release)[^6] | Web Bot Auth[^6][^14] |
| Token primitive | VTS "AI-ready" credentials + TAP PAR in query parameters[^3][^1] | Agentic Tokens (MDES extension)[^2] | Network-tokenised Amex credentials via SafeKey[^14] |
| Authentication / SCA | EMV 3DS2 + agent-context fields (EMVCo workstream)[^4] | EMV 3DS2 + agent-context + Agent Pay Acceptance Framework[^11] | SafeKey (Amex 3DS) + EMVCo agentic extensions[^4][^14] |
| Reference open source | github.com/visa/trusted-agent-protocol (registry, CDN proxy, merchant backend, TAP agent)[^1] | Developer docs on Mastercard Developers; APAF spec[^11] | None public; contributes to AP2 + EMVCo[^14] |
| AI model partners | Anthropic, OpenAI, Microsoft, Mistral, Perplexity, Samsung, IBM[^3] | Microsoft (Azure OpenAI, Copilot), IBM (watsonx Orchestrate)[^10] | Contributor to AP2; no exclusive AI model deals announced[^14] |
| Acquirer / PSP partners | Adyen, Ant International, Checkout.com, Coinbase, CyberSource, Elavon, Fiserv, Microsoft, Nuvei, Shopify, Stripe, Worldpay[^8][^6] | Stripe, Braintree, Checkout.com, Ant International/Antom[^10] | Self-acquiring (closed loop)[^14] |
| Issuer strategy | Any VTS-enabled issuer | Pilot with Citi and U.S. Bank; national U.S. rollout planned[^12][^13] | Amex is issuer |
| Wallet integration | Via Shopify, Stripe, PSP partners | PayPal wallet integration (Agent Pay in PayPal, 27 Oct 2025)[^11] | Integrated within Amex app / SafeKey |
| Crypto bridge | Coinbase is a TAP partner; TAP signals carry "any payment method"[^6][^8] | Circle on Cloudflare partner list; Crossmint partner[^6] | Web Bot Auth is payment-agnostic |
| AP2 compatibility | Supports AP2 Payment Mandates[^15] | Supports AP2 Payment Mandates[^15] | Named AP2 contributor[^14] |
| ACP compatibility | ACP uses Stripe tokenisation; Stripe is a Visa TAP partner[^8] | ACP tokenisation via Stripe/Braintree for Mastercard rails[^11] | ACP-neutral |
| Posture | Ecosystem-led open protocol | Full-stack product + framework | Standards contributor |

9. Open questions

9.1 Liability shift

None of the three networks has publicly published an updated liability matrix for agent-initiated transactions. Key unresolved questions:

  • If a compromised agent initiates an unauthorised purchase but it presented a valid Web Bot Auth signature and a valid Agentic Token within the user's scope, does liability sit with the issuer, the merchant, or the agent operator?
  • Does the presence of an AP2 Payment Mandate signed by the user shift liability to the user in the same way that a 3DS2 authenticated transaction shifts liability to the issuer today?
  • Will the networks create a new liability category (an "agent-present" flow) distinct from card-present and card-not-present?

EMVCo's November 2025 announcement explicitly scoped these questions into the agentic workstream.[^4]

9.2 Interchange for agent-initiated transactions

Agent-initiated transactions resemble card-not-present for pricing purposes today, but they arrive with more authentication signal than a typical CNP. A logical evolution would be a new Merchant Category Code / transaction identifier with its own interchange tier — neither Visa nor Mastercard has published one as of April 2026. Merchants fear the networks may use "better authenticated therefore more valuable" as cover for higher rates; issuers argue that the risk mitigation justifies premium pricing.

9.3 New fraud categories

Agentic fraud vectors not yet well-handled by existing fraud models include:

  • Prompt injection (see Security & Trust) — malicious merchant content that manipulates the agent into buying unintended items or exceeding mandate scope.
  • Mandate spoofing — forged or replayed AP2 Payment Mandates.
  • Agent impersonation — malicious bots copying Web Bot Auth headers (mitigated by RFC 9421 domain-binding, but not fully eliminated).
  • Cross-agent collusion — automated agents negotiating with merchant-side agents to extract discounts that the human principal never authorised.

9.4 Cross-network interoperability

Today, a merchant implementing TAP at the CDN layer automatically inherits Web Bot Auth for Mastercard and Amex traffic too — the transport layer is genuinely common. But once the flow moves into the acquirer's integration to the network, each scheme's agent-context fields differ. Whether those converge (e.g. via EMVCo 3DS extension work) or diverge into three parallel implementations is the single biggest interoperability question of 2026.

9.5 Cardholder consent UX

How an issuer surfaces the "provision an Agentic Token to this agent" step matters enormously. Mastercard's pilot with Citi and U.S. Bank will be the first at-scale test of whether consumers actually understand what they are authorising when they click through. The consent UX is also the obvious attack surface for social-engineering agents.


10. Interaction with AP2 and ACP

The three networks have been careful to publicly support both of the major non-network protocols, rather than compete with them head-on.

10.1 AP2 Payment Mandates across all three networks

Google's Agent Payments Protocol (AP2) — announced 16 September 2025 and detailed in AP2 deep-dive — uses W3C Verifiable Credentials for Intent Mandate, Cart Mandate, and Payment Mandate. American Express's americanexpress.io page explicitly names AP2 as a framework it contributes to.[^14] Visa and Mastercard are both listed as partners in the Google–Shopify Universal Commerce Protocol announcement at NRF Big Show (January 2026), which inherits AP2 mandates.[^16] The emerging consensus is that a TAP/Agent Pay/Amex agentic transaction can carry an AP2 Payment Mandate as an additional trust signal, riding inside the 3DS2 payload or the Web Bot Auth signature envelope.

10.2 ACP and the Stripe tokenisation bridge

OpenAI and Stripe's Agentic Commerce Protocol (ACP) — announced 29 September 2025 (see ACP deep-dive) — uses Stripe's SharedPaymentToken primitive to let ChatGPT complete purchases with merchants who retain Merchant-of-Record status. Stripe is a partner on both Visa TAP and Mastercard Agent Pay; Braintree (PayPal's acquiring arm) is an Agent Pay partner.[^8][^10] In practice this means:

  • An ACP transaction runs through Stripe's tokenisation;
  • The underlying card brand (Visa or Mastercard) still sees a VTS- or MDES-tokenised authorisation;
  • The ACP SharedPaymentToken is effectively a merchant-scoped wrapper around the network token;
  • If the agent also attaches a Web Bot Auth signature, the same transaction satisfies both ACP (merchant-facing) and TAP/Agent Pay (network-facing) expectations simultaneously.

Amex — not a native ACP partner at launch — has positioned itself to accept ACP via its standards-based approach (SafeKey + Web Bot Auth), although Stripe's initial ACP rollout was Shopify- and Etsy-focused rather than Amex-specific.

10.3 The stacked envelope model

The practical upshot, by mid-2026, is that an agentic payment tends to look like a nested envelope:

[ Web Bot Auth signature      <- agent identity at the edge ]
 └─ [ TAP / Agent Pay headers <- network-specific agent context ]
     └─ [ AP2 Payment Mandate <- user authorisation credential ]
         └─ [ ACP SharedPaymentToken (if merchant-fronted) ]
             └─ [ Network Token (VTS/MDES)   <- actual payment credential ]
                 └─ [ Authorisation message  <- ISO 8583 / 3DS2 payload ]

Each layer is produced and verified by a different actor (agent, CDN, merchant, PSP, network, issuer). The card networks' strategic achievement in the 12 months between April 2025 and April 2026 has been to ensure that none of the higher-level protocols displace the innermost layer — the network token and authorisation message — where their economic moat actually sits. Whether they can maintain that moat as x402 stablecoin rails scale is the central tension of the next 12 months.


Sources

[^1]: Visa, "Trusted Agent Protocol" (public repository). GitHub: visa/trusted-agent-protocol, accessed 21 April 2026. https://github.com/visa/trusted-agent-protocol

[^2]: Mastercard, "Mastercard Unveils Agent Pay, Pioneering Agentic Payments Technology to Power Commerce in the Age of AI," press release, 29 April 2025 (BusinessWire ID 20250429047449). Agentic Tokens framed as an extension of Mastercard's tokenisation service. https://www.businesswire.com/news/home/20250429047449/en/

[^3]: Visa, "Find and Buy with AI: Visa Unveils New Era of Commerce," investor news release, 30 April 2025. Partners named: Anthropic, IBM, Microsoft, Mistral AI, OpenAI, Perplexity, Samsung, Stripe. https://investor.visa.com/news/news-details/2025/Find-and-Buy-with-AI-Visa-Unveils-New-Era-of-Commerce/default.aspx

[^4]: EMVCo, "EMVCo working on how global specifications can support agentic payments," 20 November 2025. https://www.emvco.com/news/emvco-working-on-how-global-specifications-can-support-agentic-payments/

[^5]: American Express, "Shaping the Future of Agentic Commerce." Confirms Amex membership in EMVCo and engagement in the EMVCo agentic workstream. https://americanexpress.io/shaping-the-future-of-agentic-commerce/

[^6]: Cloudflare, "Cloudflare Collaborates with Leading Payments Companies to Secure and Enable Agentic Commerce," press release, 14 October 2025. https://www.cloudflare.com/press/press-releases/2025/cloudflare-collaborates-with-leading-payments-companies-to-secure-and-enable-agentic-commerce/

[^7]: Meunier, T. and Major, S., "HTTP Message Signatures for automated traffic Architecture," IETF Internet-Draft draft-meunier-web-bot-auth-architecture-05, 2 March 2026. https://datatracker.ietf.org/doc/draft-meunier-web-bot-auth-architecture/

[^8]: Visa, "Visa Introduces Trusted Agent Protocol: An Ecosystem-Led Framework for AI Commerce," investor news release, 14 October 2025. Feedback-giving partners named: Adyen, Ant International, Checkout.com, Coinbase, CyberSource, Elavon, Fiserv, Microsoft, Nuvei, Shopify, Stripe, Worldpay. https://investor.visa.com/news/news-details/2025/Visa-Introduces-Trusted-Agent-Protocol-An-Ecosystem-Led-Framework-for-AI-Commerce/default.aspx

[^9]: Crowdfund Insider, "Fintech Startup Nekuda Secures Funding Led by Madrona Ventures to Enable Agentic Payments," May 2025. Investors include Madrona Ventures, Amex Ventures, and Visa Ventures. https://www.crowdfundinsider.com/2025/05/239660-fintech-startup-nekuda-secures-funding-led-by-madrona-ventures-to-enable-agentic-payments/

[^10]: Payment Expert, "Mastercard partners with Microsoft for new AI shopping agent," 30 April 2025. Partners including Microsoft (Azure OpenAI, Copilot Studio), IBM (watsonx Orchestrate), Stripe, Braintree, Checkout.com. https://paymentexpert.com/2025/04/30/mastercard-microsoft-ai-agent-pay/

[^11]: PayPal, "Mastercard and PayPal Join Forces To Accelerate Secure Global Agentic Commerce," newsroom press release, 27 October 2025. https://newsroom.paypal-corp.com/2025-10-27-Mastercard-and-PayPal-Join-Forces-To-Accelerate-Secure-Global-Agentic-Commerce

[^12]: Finextra, "Citi and US Bank customers get first access to Mastercard Agent Pay," September 2025. https://www.finextra.com/newsarticle/46577/citi-and-us-bank-customers-get-first-access-to-mastercard-agent-pay

[^13]: Banking Exchange, "Citi & U.S. Bank to Pilot Mastercard's AI Payments Service." https://www.bankingexchange.com/news-feed/item/10413-citi-u-s-bank-to-pilot-mastercard-s-ai-payments-service

[^14]: American Express, "Shaping the Future of Agentic Commerce." https://americanexpress.io/shaping-the-future-of-agentic-commerce/

[^15]: Google Cloud, "Announcing Agent Payments Protocol (AP2)," 16 September 2025. See also AP2 deep-dive. https://cloud.google.com/blog/products/ai-machine-learning/announcing-agents-to-payments-ap2-protocol

[^16]: Google Developers Blog, "Under the Hood: Universal Commerce Protocol (UCP)," January 2026. UCP partners include Visa, Mastercard, Stripe, Shopify, Walmart, Etsy, Wayfair, Target. https://developers.googleblog.com/under-the-hood-universal-commerce-protocol-ucp/