Visa Intelligent Commerce

Who Vouches for the Robot? Visa and Mastercard Step In

Visa and Mastercard are quietly underwriting AI agents. When a machine reaches for your card, they swear it is allowed. That may be agentic commerce's key role.

Picture the moment a software agent tries to buy something. It has read a catalogue, compared options, chosen a pair of shoes, and now it needs to pay. The merchant's checkout has one question it has always asked, just never out loud: is the entity holding this card actually allowed to spend this money? For thirty years the answer was a person, present, clicking a button. The agent breaks that. It is software acting for the cardholder, and the merchant has no way, on its own, to tell a genuine assistant working under instruction from a script draining a stolen number.

Someone has to vouch. Someone has to stand between the cardholder and the merchant and say, in effect, this agent is permitted to spend this specific person's money, up to this amount, here. That role did not exist two years ago. Through 2025 and into 2026 the card networks claimed it. Visa and Mastercard, with American Express close behind, decided that underwriting AI agents was a job they wanted, and one they were well placed to do. This post is about why that role matters, how they built it, and what it still does not solve.

Where this problem came from

Online card payments have always run on a quiet act of faith. In a card-not-present transaction, the kind every ecommerce checkout is, nobody checks a chip or a signature. The merchant sends a number to a processor, it routes through Visa or Mastercard, the issuing bank approves or declines, and everyone trusts that the person typing the number owns it. Fraud systems exist because that faith is often misplaced. They watch for a human behaving oddly: a new device, an unusual country, a burst of attempts.

The first real fix for the card number itself was tokenization. In 2014 the standards body EMVCo published a framework for payment tokenization. The idea is durable. The real card number, the primary account number, is the most valuable thing for a thief, so you stop sending it. A token service provider issues a substitute value, a token, and keeps the mapping to the true number locked in a vault. The token can be constrained, tied to one merchant, one device, one type of transaction, so that even if it is stolen it is close to useless anywhere else. This is what makes a phone wallet safe. The merchant never sees your card; it sees a token scoped to that wallet.

Tokenization solved the card number problem. It did not solve the agent problem. A phone wallet is operated by the cardholder's own thumb; an agent is a separate actor, and the merchant now has to trust not just the card but the thing wielding it. That is a trust gap, and a trust gap is exactly the kind of thing card networks are built to fill.

The role the networks decided to take

Visa moved first in public. On 30 April 2025 it announced Visa Intelligent Commerce, a programme to let AI agents browse, choose, and buy on a cardholder's behalf. Its chief product and strategy officer, Jack Forestell, framed the issue bluntly: agents will need to be trusted with payments by users, banks, and sellers alike. Visa launched it with a roster that reads like a map of the AI industry, including Anthropic, OpenAI, Microsoft, Mistral, Perplexity, Samsung, and Stripe. The core piece is what Visa calls an AI-ready credential, a tokenized digital credential that carries built-in identity verification and the cardholder's authorization controls, so an agent never touches a real card number.

Mastercard moved almost in lockstep. One day earlier, on 29 April 2025, it unveiled Mastercard Agent Pay, built on a new credential it named the Mastercard Agentic Token. It rolled the programme out in stages: a pilot with Citi and U.S. Bank cardholders in September 2025, then, by November 2025, availability to all U.S. Mastercard cardholders whose banks supported it. In September 2025 it added the supporting scaffolding: an Agent Toolkit, an Agent Sign-Up path, and Insight Tokens for sharing permissioned data with agents.

Notice what both companies built. Not a new payment rail. Not a new card. A way to vouch. The networks already sit in the middle of every card transaction, already run tokenization, already adjudicate fraud and disputes. Extending that to cover a machine actor is less a new product than a new clause in an old job. The pitch to a merchant: you cannot tell a good agent from a bad one, but we can, because the agent registered with us and the credential is ours to enforce.

How a tokenized agent credential actually works

Strip away the branding and a tokenized agent credential does three things.

First, it stands in for the card. Like any network token, it is a substitute value, not the real account number. The agent receives the token; the true card stays in the vault. If the token leaks, the damage is bounded.

Second, and this is the new part, it is scoped to the agent and the permission. A Mastercard Agentic Token is bound to a specific agent identity and limited per session and per merchant. The cardholder sets the rules, a spending cap and the kinds of purchase allowed, and the token can only do what those rules permit. Think of it less as a copy of your card and more as a single errand slip: this agent, this shop, this much, this once. A token minted to buy groceries cannot be turned around to buy a television.

Third, it carries proof of intent. A scoped token answers what the agent may do, but a merchant and a bank also want to know that a real human actually asked for this. Mastercard and Google introduced Verifiable Intent, an open framework that bundles three things into one tamper-resistant cryptographic record: the consumer's verified identity, the exact instruction they gave the agent, and the transaction that resulted. The identity step leans on passkeys and biometrics, drawing on FIDO Alliance standards, so before an agent can complete a purchase the human has confirmed it with a fingerprint or face. A selective disclosure mechanism then shares only the slice of that record each party needs: a merchant sees enough to confirm authorization, an issuer sees enough to check for fraud, and no single party sees the whole thing.

Put together, a real agent purchase now travels with a small bundle of evidence: a token that cannot stray outside its errand, a registered and verifiable agent identity, and a signed record that a specific human authorized a specific instruction. That bundle is the underwriting. It lets a merchant accept a machine's payment with something better than a shrug.

There is a parallel piece for the merchant's side of the door. In October 2025, Visa introduced the Trusted Agent Protocol, built with Cloudflare, so a merchant can recognize a registered agent before payment comes up. It uses HTTP message signatures and the emerging Web Bot Auth standard to let a merchant tell a legitimate shopper from a hostile bot, and a browser from a buyer. The credential vouches for the spend; the protocol vouches for the visitor.

Why the networks want this job

This is not charity. For a card network, vouching for agents is close to the perfect business.

The honest reason is defensive. Agentic commerce threatens a payment network's position. If purchases move inside ChatGPT, Gemini, and Perplexity, the AI platform owns the customer relationship, and the network risks becoming an invisible, swappable pipe out the back. Owning the trust layer is how Visa and Mastercard stay essential rather than commoditized. By becoming the party that registers agents, issues their credentials, and adjudicates their disputes, they turn their oldest advantage, sitting in the middle, into a service the AI era cannot route around.

The opportunistic reason is volume. The networks earn on transactions, so anything that creates more of them is good. The early signal is loud. Per Salesforce data cited in Q4 2025 reporting on payment networks' agentic moves, AI agents influenced around 67 billion dollars of global Cyber Week sales, and Adobe Analytics put the surge in AI agent traffic to retailers at more than 800 percent year over year on Black Friday. McKinsey's analysis of agentic commerce projects up to 1 trillion dollars of orchestrated retail revenue in the United States and 3 trillion to 5 trillion dollars globally by 2030. A network that underwrites those transactions takes a slice of an enormous, fast-growing number.

And there is a credibility reason. A shopper deciding whether to let an agent loose on their money is more likely to trust the brand on the card than the brand of the chatbot. Extending decades of that reputation to agents is one move a pure AI company cannot easily make.

By December 2025, Visa reported that hundreds of secure, agent-initiated transactions had completed through Visa Intelligent Commerce, with partners including Skyfire, Nekuda, PayOS, and Ramp running real consumer and B2B purchases. Still early, but past slideware.

What is still unresolved

The vouching layer is real, but it is not a finished system. A merchant or marketer counting on it should be clear about the gaps.

The hardest one is liability. A scoped token and a signed mandate prove the agent was technically authorized. They do not prove the agent did the right thing. The textbook case: a shopper tells an agent to book a quiet hotel room under a set price, the agent books one that is technically under the price but sits next to a motorway. The transaction is valid, the authorization is real, the outcome is wrong. Who pays? As things stand the answer usually lands on the merchant, because the card networks are not volunteering to absorb agent error, the issuers are not, and the AI platform took no money. The chargeback system, as payment firm Checkout.com puts it, was built for a world where the buyer clicked pay, a single clear moment of authorization. An agent smears that moment across instruction, interpretation, and execution, and the dispute rules have not caught up.

One sign of how unsettled this is: American Express felt it had to step in directly. On 14 April 2026 it launched its Agentic Commerce Experiences Developer Kit alongside Amex Agent Purchase Protection, an explicit pledge to shield eligible cardholders from charges caused by the error of a registered agent. As Amex executive Luke Gebb explained the logic, giving consumers the confidence to use agents brings more transaction volume to the network. The move admits the obvious: trust in agentic commerce will not appear on its own, somebody has to underwrite the mistakes, and the existing rules do not say who.

The other open questions are not small either. Consent scope is fuzzy: a cap and a category are blunt tools, and a vague instruction like buy what you usually buy leaves a lot of room between what the human pictured and what the agent does. Fraud has not been beaten so much as moved; once agents are trusted actors, the attacker's goal becomes impersonating a trusted agent rather than stealing a card, and prompt manipulation is a genuinely new attack surface. And the trust infrastructure itself is fragmenting. Visa's credential and Trusted Agent Protocol, Mastercard's Agentic Token and Verifiable Intent, and Amex's closed-loop kit do not yet add up to one clean standard. A merchant wanting to accept agent payments faces several overlapping schemes, not one.

The takeaway

The non-obvious thing about agentic commerce is that it does not run on smarter shopping software. It runs on a vouch. For a machine to spend a person's money, some trusted party has to stand behind the claim that it is allowed to, and the card networks, already in the middle of every transaction and already running tokenization, were the natural ones to take that job. Visa Intelligent Commerce, Mastercard Agent Pay, the tokenized agent credentials underneath both, and Amex's purchase protection are all the same move: extending a thirty-year role to cover a buyer that is not a person.

For anyone building or marketing in commerce, the practical reading is this. The agentic channel will not feel safe to merchants or shoppers until the underwriting question is settled, and it is not settled yet. Watch the liability rules, not the product launches. The network that convinces merchants it will stand behind an agent's mistakes, not just register the agent, will own the most valuable seat in agentic commerce.

Council summary

This post argues that agentic commerce turns on trust, not shopping intelligence: a merchant cannot tell a genuine assistant from a script draining a stolen card, so the card networks took the job of vouching for agents by extending tokenization into scoped, identity-bound credentials. Every named program, owner, date, and statistic was checked against primary sources, including Visa Intelligent Commerce (April 30, 2025), Mastercard Agent Pay (April 29, 2025), Visa's Trusted Agent Protocol with Cloudflare (October 14, 2025), and the American Express ACE Developer Kit with Agent Purchase Protection (April 14, 2026). The 67 billion dollar Cyber Week figure and the agent-traffic surge above 800 percent were re-attributed to Salesforce and Adobe Analytics directly. The honest conclusion is that the credentials are real but liability is not settled: when an authorized agent buys the wrong thing, the cost still tends to land on the merchant. A reader building or marketing in commerce should watch the liability rules, not the product launches.

Comments

Leave a comment

Your email won't be published. Comments are reviewed before they appear.
★ Read next