Key Takeaways
- Mastercard Agent Pay is its AI-agent payment framework, built on Agentic Tokens and Verifiable Intent.
- Where Visa TAP verifies the agent, Mastercard tokenizes the user's intent itself — a fundamentally different trust model.
- For operators it raises auth rates and cuts chargebacks; in 2026 the right posture is watching PSP pilots.
Mastercard Bets on Tokenizing Intent, Not Just Agents
Weeks after Visa announced Intelligent Commerce and TAP in May 2025, Mastercard published its own answer: Mastercard Agent Pay. On the surface the framing looks similar — "support for agent-initiated payments" — but dig in and it becomes clear that Visa and Mastercard are taking fundamentally different approaches to the same problem.
This article unpacks Mastercard Agent Pay, its core technologies (Agentic Tokens and Verifiable Intent), the contrast with Visa TAP, and what it means practically for ecommerce operators. For the full trust layer picture, see MCP vs A2A vs AP2 vs UCP vs ACP; for Visa's side, see Visa Intelligent Commerce explained.
What Mastercard Agent Pay Is
Mastercard Agent Pay is a framework for letting the network verify what an AI agent is buying, on whose intent, and within what limits. It launched in spring 2025 alongside announced partnerships with OpenAI, Microsoft, IBM, and others.
Where VIC/TAP mostly asks "is this agent legitimate?", Agent Pay asks "did the user actually intend this?" Even a technically well-behaved agent can buy things in categories or amounts the user never meant to authorize — and that's functionally indistinguishable from fraud. That's Mastercard's problem framing.
Implementation-wise, Agent Pay rests on two technical pillars: Agentic Tokens (a new kind of card token) and Verifiable Intent (a framework for verifying purchase intent).
Agentic Tokens — Per-Agent Card Tokens
Mastercard's existing tokenization technology (MDES) replaces raw card numbers with device- or app-specific tokens, containing breach damage. Agentic Tokens extend this by issuing tokens per AI agent.
For a single card, a user can issue one token for ChatGPT, one for Google Gemini, one for Perplexity. Each token can have scoping at issuance time ("groceries only," "$500 monthly cap," "weekdays only"), and when the agent tries to use the token, the network enforces the scope.
Crucially, the scope-violation decision happens at the Mastercard network layer, not at the issuer or merchant. Agent providers don't have to build scope enforcement themselves, and users can kill or restrict a specific agent's token without touching the underlying card.
Verifiable Intent — Tokenizing Intent Itself
If Agentic Tokens are "control over the payment instrument," Verifiable Intent is "verification of the reason for purchase." Formal pilots began in February 2026.
Here's how it works. A user tells an agent "pull together camping supplies for next week." The agent structures this request and records it as a signed Intent Artifact on Mastercard infrastructure. Later, when the agent actually builds a cart and pays, each transaction carries a reference to that Intent Artifact.
The card's issuer can then verify at transaction time: "is this cart consistent with the user's original intent (camping supplies)?" If the agent snuck a luxury watch into the cart, that contradicts the intent and is blocked or stepped up for approval. Traditional fraud detection looks at devices and behavioral patterns; Verifiable Intent looks at semantic consistency.
What enables this is a common Intent representation schema shared among Mastercard, issuers, and agent providers. Intent data generated by OpenAI or Google agents verifies the same way across any Mastercard issuer.
How This Differs From Visa TAP
Both VIC/TAP and Agent Pay pitch themselves as "guaranteeing trust for agent payments." But their design theories diverge substantially.
| Dimension | Visa TAP | Mastercard Agent Pay |
|---|---|---|
| Primary subject | Agent legitimacy | User intent |
| Core tech | Signing keys, delegation tokens | Agentic Tokens, Verifiable Intent |
| Enforcement point | Within the auth flow | At token issuance + Intent Artifact check |
| Relationship to AP2 | Linked via Mandates | Intent Artifact ≈ AP2 Intent Mandate |
| April 2026 status | Rolling out at major PSPs | Verifiable Intent in pilot |
Visa TAP centers on "where did this agent come from, is it real?" Mastercard centers on "what is the agent trying to do, did the user actually say so?" Neither is strictly right — they slice the problem space differently.
One practical consequence: on the Visa side, catching fraud depends on agent providers being exhaustively registered with Visa. On Mastercard's side, because enforcement is semantic, it's easier to add new agent providers — but generating Intent Artifacts is heavier implementation work. Over the long run the two are likely to absorb each other's features and converge, but in 2026 they're still clearly distinct.
The Relationship to AP2
Google's AP2 (Agent Payments Protocol) sits as the most neutral bridge at this layer. AP2's Intent Mandate and Cart Mandate carry essentially the same information as Mastercard's Intent Artifact.
This is no accident — interoperability with Mastercard was baked in during AP2's design. As of April 2026, several PSPs are shipping implementations that emit AP2 Mandates as Mastercard Verifiable Intent artifacts. Agent providers express intent in AP2, and it translates to Mastercard automatically.
Visa TAP also claims AP2 compatibility, but the translation isn't as clean one-to-one as with Mastercard — some information drops between AP2 Mandate and Visa TAP. Structurally, Mastercard and AP2 are "closer cousins."
Practical Implications for Ecommerce Operators
When considering whether to implement Mastercard Agent Pay yourself, the key realization is that this is more a "beneficiary" framework than an "implementation" one. Transactions that participate in Verifiable Intent see higher issuer authorization rates and lower chargeback risk — and merchants don't have to write much new code to benefit. Choose a PSP that supports it, correctly relay the Intent Artifact emitted by the agent provider, and you're done.
The story is different for merchants who are themselves agent providers — large retailers running their own AI shopping assistants. You become the party generating Intent Artifacts, which means you make real design decisions: how to structure user requests, how to sign them, what scoping granularity to use. Mastercard publishes a developer SDK, and combined with AP2 libraries the implementation load is lighter, but the core design thinking remains.
Short-term, the thing to watch is that you need both Visa and Mastercard support to avoid gaps. Backing only one leaves agent-initiated transactions on the other network unprotected. As of April 2026, Stripe, Adyen, and Checkout.com cover both; smaller providers often cover only one.
Conclusion — Payment Infrastructure That Verifies Meaning
Mastercard Agent Pay is the first clear signal of payment infrastructure moving from "transporting amounts and card numbers" to "transporting meaning and intent." Broad rollout beyond pilots is 2027+ territory, but the design thinking is worth absorbing now.
The right question isn't "Visa TAP or Mastercard Agent Pay?" — it's "how do we support both?" AP2 bridges them at a higher layer. The complete map lives in MCP vs A2A vs AP2 vs UCP vs ACP and Visa Intelligent Commerce explained.
