Key Takeaways
- VIC is Visa's framework for attaching network-backed trust signals to AI-agent payments, with TAP at the core.
- TAP layers three signals — agent legitimacy, user-agent binding, per-transaction auth — on top of EMV 3-D Secure.
- For operators, VIC means higher auth rates and chargeback shift to Visa; expect to run it alongside Mastercard and AP2.
Visa Rewrites the Card Rails for Agent Payments
Until 2025, credit card payments basically assumed one of two things: the cardholder is in front of the screen, or there's prior consent like a subscription. When AI agents start shopping on behalf of users, neither case fits cleanly. Visa Intelligent Commerce (VIC), announced in May 2025, is Visa's answer to this gap — and at the center of it is the Trusted Agent Protocol (TAP).
This article breaks down VIC and TAP: the architecture, the rollout status as of April 2026, and how ecommerce operators should actually use it. For how VIC fits into the broader trust layer, see MCP vs A2A vs AP2 vs UCP vs ACP; this piece stays focused on Visa.
What Visa Intelligent Commerce Actually Is
VIC isn't a protocol — it's the umbrella name for Visa's entire program for "supporting agent-initiated commerce from the network side." It has three major pieces: the core Trusted Agent Protocol (TAP), an implementation called the Visa Agent Toolkit, and certification/licensing programs aimed at issuers and merchants.
The problem Visa is trying to solve is simple. As AI-agent payments grow, merchants struggle to tell "is this a legitimate agent transaction with user approval?" Issuers lose many of their traditional fraud signals (device fingerprint, geolocation, behavioral patterns). VIC provides verifiable trust signals from the neutral position of the card network, attaching them to both the agent and the transaction.
About a year after launch, VIC is now in rollout at several major international PSPs (Adyen, Stripe, Checkout.com), integrated with Visa Direct and Visa Token Service.
How Trusted Agent Protocol Works
TAP is the technical heart of VIC. It embeds three signals into an agent transaction.
First: agent legitimacy. Agent providers (OpenAI, Google, Anthropic, and others) pre-register with Visa and sign each transaction with keys issued per agent. Visa verifies these signatures as the transaction flows through the network.
Second: user-agent binding. When an agent acts on behalf of a user, the transaction must identify which cardholder authorized it. TAP attaches a delegation token issued via the card's issuer, letting the network confirm "this agent has authority over this card."
Third: per-transaction explicit authorization. A mechanism for scoped approvals — by amount, merchant, product category. If the user said "appliances under $100 only," TAP can stop a transaction that violates that at network level. The concept is close to AP2's Mandates, and the two are designed to interoperate.
The key architectural choice is that TAP layers on top of existing EMV 3-D Secure rather than replacing it. Merchants who already have 3DS can support TAP by handling the additional fields — they don't have to rebuild their payment flow from scratch. That keeps adoption cost manageable.
Rollout Status as of April 2026
When VIC launched in May 2025, the announced participants included more than 20 names: Anthropic, IBM, Microsoft, OpenAI, Perplexity, Samsung, Stripe, Click, and others. Through late 2025 and early 2026, implementations have been rolling into production.
Stripe's integration has moved fastest — TAP-capable endpoints are available as part of Stripe Agent Toolkit. Developers using existing Stripe SDKs can attach TAP signals to agent transactions with a few additional lines of code.
Adyen officially announced support in January 2026, offering TAP as an option for enterprise merchants. Issuer-side support varies more by region: North America and Europe lead, and Asia-Pacific is still ramping up.
As of April 2026, VIC is in the "forward-leaning merchants adopt it as an option" phase. Broader merchant adoption isn't expected to become baseline until 2027 or later.
Relationship with Mastercard Verifiable Intent and AP2
VIC isn't the only answer to the trust layer. Mastercard announced its own Verifiable Intent framework in February 2026, and the approach is subtly different.
Where Visa TAP verifies the agent itself, Mastercard leans toward tokenizing and verifying the user's intent. Both target the same problem but from different angles — Visa cares about "who's transacting," Mastercard cares about "what the user meant to buy." They're not mutually exclusive; merchants will likely need to support both.
Google's AP2 sits on a separate layer: an A2A-based protocol for handling payment authorization inside agent-to-agent messaging. AP2 Mandates are designed to cross-reference with Visa TAP and Mastercard Verifiable Intent, and both Visa and Mastercard have publicly affirmed AP2 compatibility. The realistic 2026 path is implementing all three in parallel.
What It Means for Ecommerce Operators
VIC delivers two practical effects.
Lower fraud decline rates. AI-agent transactions tend to look "suspicious" to legacy fraud models, which declines legitimate transactions along with the bad ones. With TAP signals, issuers can see "this is an agent transaction Visa has network-level verified," and authorization rates go up.
Chargeback liability shift. Under specific conditions, TAP-approved transactions shift chargeback liability from the merchant to Visa, similar to 3DS liability shift today. As agent transactions grow, this becomes a meaningful real benefit.
There's a caveat. Getting the full benefit of TAP requires updating checkout implementation on the merchant side, which is non-trivial for small and mid-market merchants. The pragmatic path is to wait for platforms like Shopify Plus and Salesforce Commerce Cloud to handle it under the hood — there's little reason to rush your own integration right now.
Conclusion — The First Piece of the Trust Layer
VIC and TAP are the card networks' first serious answer to "whom do we trust" in AI-agent payments. Mastercard has its own answer with Agent Pay and Verifiable Intent, and Google's AP2 is bridging them at the protocol layer. 2026 is the year the three stand side by side; convergence is later.
For operators, it's still too early to commit to one answer. Wait for automatic platform support and implement selectively for high-value flows. In the larger picture, VIC is one story at the trust layer — above it sit AP2 (payment authorization), UCP (commerce workflow), A2A (agent-to-agent), and MCP (tool access). The full protocol comparison is the right companion read.
