Mastercard Agent Pay: What It Actually Means for Builders
News · April 18, 2026 · 10 min read

Mastercard Agent Pay is live across Europe and Asia Pacific. Here is what the Verifiable Intent framework actually solves -- and the governance gap it does not.

Mastercard's Agent Pay lets AI agents execute verified purchases on your behalf using a framework called Verifiable Intent -- a cryptographic record linking who authorized the action, what instructions the agent received, and what the outcome was. It's live in Europe and Asia Pacific as of Q2 2026. What it doesn't solve -- the governance layer -- is where the real builder challenge starts.

The press coverage treats this like a milestone worth celebrating. I think it's worth reading carefully, because what Mastercard solved and what remains unsolved are two very different problems for anyone building agents that touch money.

What is Mastercard Agent Pay and how does it work?

Mastercard Agent Pay is a payment authentication framework that lets AI agents execute verified transactions on behalf of consumers. Its core mechanism is the Verifiable Intent framework -- a tamper-resistant cryptographic record that links three elements: the consumer's identity and authorization, the exact instructions given to the agent, and the transaction outcome. Partners who've committed to the open standard include Google, Fiserv, IBM, Checkout.com, Basis Theory, and Getnet.

The standard is built on existing specifications from FIDO Alliance, EMVCo, the Internet Engineering Task Force, and the World Wide Web Consortium -- not a proprietary Mastercard black box. The spec is open-sourced on GitHub. A key design principle is selective disclosure: each party in a transaction (issuer, acquirer, merchant) sees only what's relevant to their role. This lets every participant verify the agent acted with authorization without seeing the full instruction set the consumer gave the agent.

The mental model that helped me most: think of it as a notarized power of attorney that travels with each transaction. The agent carries cryptographic proof it was authorized, and every party in the chain can verify that proof independently without needing to see each other's data.

What did the live Santander and Australia transactions actually prove?

In January 2026, Mastercard recorded Australia's first authenticated agentic transactions: a Commonwealth Bank debit card purchased cinema tickets from Event Cinemas, and a Westpac credit card booked accommodation in Thredbo. Both used Matilda, a sovereign Australian large language model built by Maincode. In March 2026, Banco Santander and Mastercard completed Europe's first live end-to-end AI agent payment inside a fully regulated banking environment, integrated with Microsoft Azure OpenAI Service and Copilot Studio.

The distinction that matters here: the Australia transactions weren't a controlled demo. Every party -- issuer, acquirer, merchant -- could identify that an AI agent, not a human, initiated the transaction. The Santander transaction ran through Santander's live payments infrastructure and proved the approach works within EU financial regulations. That's a harder bar than a sandbox test, and clearing it is what makes this worth paying attention to.

The scale context: Mastercard projects AI-powered transactions could influence 55% of Australian consumer transactions by 2030, reaching A70 billion in transaction value. That number is why Mastercard is establishing standards now instead of letting each bank build its own incompatible approach.

How does the Verifiable Intent framework work technically?

Verifiable Intent solves a specific temporal gap in agentic commerce. When you tell an AI agent "find me the cheapest flight to Seattle next month" and it books one three days later, your original authorization needs to carry forward to the execution moment in a verifiable, auditable way. The framework captures your identity, the instructions you gave, and the eventual outcome as a tamper-resistant record -- so when the booking hits your card, every party can confirm a human authorized this class of action.

The design integrates with Google's Agent Payments Protocol (AP2) and the Universal Commerce Protocol (UCP). Selective disclosure means the merchant sees proof of authorization without seeing your specific instructions, the issuer can verify the agent's identity without seeing merchant details, and so on. Each party gets exactly what they need for their role in the transaction, nothing more.
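To make the "notarized power of attorney" concrete, here is an added example (not Mastercard's published spec, and not code from the GitHub repository) of a record with the shape the text describes: commitments to the three elements, an authentication over the intent, an outcome bound to that intent at execution time, and selective disclosure where each party receives openings only for the fields its role needs. The field names, the salted-hash commitment scheme, the role-to-field mapping and the use of HMAC with a device key (a shared-key stand-in for the FIDO/WebAuthn signature a real deployment would use, chosen so the example runs with the standard library alone) are assumptions made for this illustration.

```python
"""Illustrative Verifiable-Intent-style record with selective disclosure.

Added example, not Mastercard's spec. Field names, the salted-hash commitment
scheme and the HMAC device key (a stand-in for a FIDO/WebAuthn signature so
the example needs no third-party library) are assumptions.
"""
import hashlib
import hmac
import json
import secrets


def _canon(value) -> bytes:
    """Canonical JSON so the same content always hashes the same way."""
    return json.dumps(value, sort_keys=True, separators=(",", ":")).encode()


def _commit(field: str, value, salt: bytes) -> str:
    """Salted commitment to one element; the salt keeps low-entropy values
    (an amount, a merchant id) unguessable from the commitment alone."""
    return hashlib.sha256(field.encode() + b"\x00" + salt + b"\x00" + _canon(value)).hexdigest()


def _intent_id(commitments: dict) -> str:
    return hashlib.sha256(_canon(commitments)).hexdigest()


def authorize(authorization: dict, instructions: dict, device_key: bytes):
    """Phase 1, on the consumer's device when the instruction is given: commit to
    who authorized and what they asked for, then authenticate the combined id."""
    values = {"authorization": authorization, "instructions": instructions}
    salts = {f: secrets.token_bytes(16) for f in values}
    commitments = {f: _commit(f, values[f], salts[f]) for f in values}
    intent_id = _intent_id(commitments)
    tag = hmac.new(device_key, intent_id.encode(), hashlib.sha256).hexdigest()
    return {"intent_id": intent_id, "commitments": commitments, "tag": tag}, values, salts


def record_outcome(intent: dict, values: dict, salts: dict, outcome: dict):
    """Phase 2, at execution time (possibly days later): bind the outcome to the
    authenticated intent by committing to the intent_id together with it, so the
    outcome cannot be transplanted onto a different authorization."""
    bound = {"intent_id": intent["intent_id"], **outcome}
    salt = secrets.token_bytes(16)
    record = dict(intent, outcome_commitment=_commit("outcome", bound, salt))
    return record, {**values, "outcome": bound}, {**salts, "outcome": salt}


def disclose(record: dict, values: dict, salts: dict, fields) -> dict:
    """Selective disclosure: the full record goes to every party, but openings
    (value + salt) only for the fields that party's role needs."""
    return {"record": record,
            "opened": {f: {"value": values[f], "salt": salts[f].hex()} for f in fields}}


def verify(view: dict, device_key: bytes) -> bool:
    """Check the consumer's authentication over the intent, then check each opened
    field against its commitment. Unopened fields stay hidden yet the check holds."""
    record = view["record"]
    if record["intent_id"] != _intent_id(record["commitments"]):
        return False
    expected = hmac.new(device_key, record["intent_id"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["tag"]):
        return False
    for field, opening in view["opened"].items():
        target = record.get("outcome_commitment") if field == "outcome" else record["commitments"].get(field)
        if _commit(field, opening["value"], bytes.fromhex(opening["salt"])) != target:
            return False
        if field == "outcome" and opening["value"].get("intent_id") != record["intent_id"]:
            return False
    return True


def demo() -> dict:
    """The flight scenario from the text, with constructed values throughout."""
    key = secrets.token_bytes(32)  # stands in for the device's credential
    intent, values, salts = authorize(
        {"consumer": "acct-0001", "method": "passkey"},
        {"task": "cheapest flight to Seattle next month", "max_amount": 600}, key)
    record, values, salts = record_outcome(
        intent, values, salts, {"merchant": "air-example", "amount": 412, "currency": "USD"})
    merchant_view = disclose(record, values, salts, ["authorization", "outcome"])  # no instructions
    issuer_view = disclose(record, values, salts, ["authorization"])               # no merchant details
    forged = json.loads(json.dumps(merchant_view))  # a copy with the amount edited after the fact
    forged["opened"]["outcome"]["value"]["amount"] = 4120
    return {"merchant_ok": verify(merchant_view, key),
            "merchant_sees_instructions": "instructions" in merchant_view["opened"],
            "issuer_ok": verify(issuer_view, key),
            "forged_ok": verify(forged, key)}
```

The two-phase split is what closes the temporal gap the text describes: the authorization is fixed when the instruction is given, and the outcome produced days later can only verify if it carries that intent's id under its own commitment.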

One thing to flag for builders: Verifiable Intent handles authentication and authorization traceability. It does not handle spending limits, merchant category restrictions, or per-session caps. That's a separate problem that the framework explicitly leaves to you.

Why the governance gap is the real design challenge for builders

Mastercard's Verifiable Intent solves authorization: it proves an agent acted with permission. What it doesn't solve is governance -- the pre-execution check that decides whether an agent should spend a specific amount, at a specific merchant, at this specific moment. That layer is missing from every major framework in 2026, and most teams are patching it with system prompt constraints that LLMs routinely override when task completion pressure builds.

A developer analysis of the AI payment flow identified six steps: Intent, Discovery, Selection, [Governance], Payment, Confirmation. The governance step -- a deterministic policy evaluation that runs before execution -- has no standard solution. Here's what each major tool category currently offers, and why it falls short:

  • LangChain and CrewAI: Post-transaction monitoring, not pre-execution enforcement. They can tell you what happened, not stop what's about to happen.
  • Payment processors (Stripe, Visa): Prevent unauthorized charges at the account level, but can't evaluate contextual rules like "max 0 daily on food." They enforce account limits, not intent-level limits.
  • LLM providers: Organization-level spending caps only -- not useful for per-transaction or per-session policy enforcement.
  • System prompts: The most common approach and the most dangerous. LLMs prioritize task completion. Under unusual inputs, they reinterpret constraints. "Max 0 per day for food" becomes "0 per meal, food is broad, this counts."

The result is that most production payment-capable agents ship with what one developer analysis called "hardcoded limits, Slack approval bots, or spending constraints in system prompts" -- none reliable at scale. The governance gap isn't just inconvenient -- it's an attack surface.

The reference architecture worth studying: Coinbase Agentic Wallets (launched February 2026), built specifically for this problem. It provides programmable spending caps per session, individual transaction size limits, token scope restrictions by merchant category, time-bound permissions with automatic expiration, and real-time revocation if anomalous behavior is detected. The design principles apply even if you're not using crypto infrastructure.
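What the "[Governance]" step looks like when it is a deterministic policy check rather than a sentence in a system prompt, as an added example (not code from Mastercard, Coinbase or any of the frameworks named above): a gate that sits between the agent's proposal and the payment call and enforces the five properties listed for Coinbase Agentic Wallets (per-session cap, per-transaction limit, merchant-category scope, time-bound expiry, revocation). The grant fields, category labels, amounts and session ids are constructed for the illustration, and amounts are integers in minor units so cap arithmetic is exact.

```python
"""Deterministic pre-execution spending policy for a payment-capable agent.

Added example; not code from Mastercard, Coinbase or any named framework.
Grant fields mirror the design principles in the text; all values are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    """Delegated authority for one agent session. It lives outside the prompt,
    so the model can neither read it nor reinterpret it under task pressure."""
    session_id: str
    session_cap: int            # total spend allowed for the session (minor units)
    per_txn_limit: int          # largest single transaction
    allowed_categories: frozenset
    expires_at: datetime
    revoked: bool = False
    spent: int = 0              # running total, written only by the gate


@dataclass
class Proposal:
    """What the agent wants to do; the gate treats it as untrusted input."""
    session_id: str
    amount: int
    merchant_category: str
    merchant: str


@dataclass
class Decision:
    allowed: bool
    reason: str


class SpendingGate:
    """Runs before Payment; a pure function of grant, proposal and clock."""

    def __init__(self) -> None:
        self._grants = {}

    def issue(self, grant: Grant) -> None:
        self._grants[grant.session_id] = grant

    def revoke(self, session_id: str) -> None:
        """Real-time revocation; it takes effect on the very next proposal."""
        self._grants[session_id].revoked = True

    def evaluate(self, p: Proposal, now: datetime) -> Decision:
        g = self._grants.get(p.session_id)
        if g is None:
            return Decision(False, "unknown session")
        if g.revoked:
            return Decision(False, "grant revoked")
        if now >= g.expires_at:
            return Decision(False, "grant expired")
        if p.amount <= 0:
            return Decision(False, "non-positive amount")
        if p.merchant_category not in g.allowed_categories:
            return Decision(False, f"category {p.merchant_category!r} out of scope")
        if p.amount > g.per_txn_limit:
            return Decision(False, f"amount {p.amount} exceeds per-transaction limit {g.per_txn_limit}")
        if g.spent + p.amount > g.session_cap:
            return Decision(False, f"session cap: {g.spent} + {p.amount} > {g.session_cap}")
        return Decision(True, "within policy")

    def execute(self, p: Proposal, now: datetime, pay) -> Decision:
        """Gate, reserve against the cap, then call the rail. Reserving first means a
        proposal evaluated mid-payment already sees the new total; a rail failure
        releases the reservation so the cap is not burned by a failed attempt."""
        d = self.evaluate(p, now)
        if not d.allowed:
            return d
        g = self._grants[p.session_id]
        g.spent += p.amount
        try:
            pay(p)
        except Exception as exc:
            g.spent -= p.amount
            return Decision(False, f"rail rejected: {exc}")
        return d


def demo() -> list:
    """Constructed scenario: a one-day, food-only grant with a 5000-cent cap."""
    t0 = datetime(2026, 4, 18, 9, 0, tzinfo=timezone.utc)
    gate = SpendingGate()
    gate.issue(Grant("sess-1", session_cap=5000, per_txn_limit=2500,
                     allowed_categories=frozenset({"food"}), expires_at=t0 + timedelta(days=1)))

    def pay(p: Proposal) -> None:  # stand-in for the payment rail (constructed failure case)
        if p.merchant == "offline-cafe":
            raise RuntimeError("merchant unreachable")

    steps = [
        (Proposal("sess-1", 1800, "food", "lunch"), t0),                          # allowed
        (Proposal("sess-1", 900, "food", "offline-cafe"), t0),                    # rail fails, cap released
        (Proposal("sess-1", 2400, "food", "dinner"), t0 + timedelta(hours=8)),    # allowed, total 4200
        (Proposal("sess-1", 1200, "food", "snacks"), t0 + timedelta(hours=9)),    # over session cap
        (Proposal("sess-1", 500, "electronics", "shop"), t0 + timedelta(hours=9)),  # out of scope
        (Proposal("sess-1", 3000, "food", "banquet"), t0 + timedelta(hours=9)),   # over per-txn limit
        (Proposal("sess-1", 100, "food", "coffee"), t0 + timedelta(days=2)),      # expired
    ]
    results = [gate.execute(p, now, pay) for p, now in steps]
    gate.revoke("sess-1")
    results.append(gate.execute(Proposal("sess-1", 100, "food", "coffee"), t0, pay))  # revoked
    return results
```

The point of the example is the shape, not the numbers: every rule is a comparison over state the model cannot touch, so "max per day" cannot drift into "max per meal", and the same proposal always yields the same decision, which is also what makes the denials auditable.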

Who else is building agent payment rails in 2026?

Every major payments company launched or expanded an agentic commerce product in Q1-Q2 2026, and the speed is notable. Visa launched Intelligent Commerce Connect on April 8, 2026 -- 100+ global partners, 30+ actively building in the sandbox, and an explicit prediction of millions of consumers using AI agents for purchases by the 2026 holiday season. Visa's Agentic Ready program launched in Europe with 21 named issuing partners including Barclays, HSBC UK, Revolut, and Santander.

Stripe announced the Machine Payments Protocol (MPP), developed with crypto firm Paradigm, supporting USDC on Base network alongside traditional cards -- a signal that agentic payment rails may end up more crypto-native than current consumer payment infrastructure suggests. American Express launched the ACE (Agentic Commerce Experiences) developer kit on April 14, 2026, requiring biometric authentication before any agent executes purchases and offering purchase protection for erroneous agent transactions. Of the major players, Amex has the most conservative and arguably the most security-serious design. Google's Universal Commerce Protocol is live in Google Merchant Center with 20+ endorsing partners including Walmart, Best Buy, Target, The Home Depot, Wayfair, Etsy, and Zalando.

The market projection: agentic commerce TAM was 35 billion in 2025 and is projected to reach .7 trillion by 2030. Every major player racing to establish standards now is a bet that whoever defines the rail captures the volume.

What are the real security risks builders need to understand?

The most serious structural risk in agent payment systems isn't transaction fraud -- it's privilege escalation. Traditional fraud targets individual transactions. AI agents hold delegated authority that lets them act continuously without re-authentication, so one compromised agent has the full transaction authority of its permission scope, with no per-transaction check standing in its way. The attack surface moves up the stack to wherever that authority was granted -- which is typically far less well-monitored than the transaction layer itself.

Security data from H1 2026 shows the gap: 48.9% of organizations can't monitor their own machine-to-machine agent traffic, 48.3% can't differentiate legitimate agents from malicious bots, and only 23.5% find existing security tools effective against agent-based attacks. Only 14.4% of organizations deploy payment-capable AI agents after full security and IT approval processes.

Real incidents illustrate what this looks like in production. A mid-market manufacturer deployed an agent-based procurement system; attackers compromised the vendor-validation agent through a supply chain attack and approved fraudulent orders from shell companies -- .2 million in losses before detection. The attack was slow and systematic, exploiting delegated authority across weeks of transactions rather than triggering single-transaction fraud detection.

One more thing worth flagging: OX Security disclosed remote code execution flaws in Model Context Protocol implementations in April 2026 -- the same protocol Stripe, PayPal, and Worldpay use for agent payment integration. The payment-adjacent attack surface is much larger than the payment rail itself. Builders who treat MCP security as someone else's problem are building payment agents on a foundation they haven't vetted.

FAQ

What is Mastercard Agent Pay?

Mastercard Agent Pay is a payment authentication framework that lets AI agents execute purchases on behalf of consumers with full cryptographic verification. It uses the Verifiable Intent framework -- a tamper-resistant record linking consumer authorization, agent instructions, and transaction outcome -- to prove to every party in the chain that a human authorized the agent's action. The standard is open-source and built on FIDO Alliance, EMVCo, IETF, and W3C specifications.

What is the Verifiable Intent framework?

Verifiable Intent is Mastercard's open standard for authenticating AI agent transactions. It captures three elements in a tamper-resistant cryptographic record: the consumer's identity and authorization, the instructions given to the AI agent, and the transaction outcome. Each party in the transaction (issuer, acquirer, merchant) receives only the minimum information relevant to their role via selective disclosure technology. The spec is open-sourced on GitHub and integrates with Google's Agent Payments Protocol and Universal Commerce Protocol.

Are AI agent payments safe?

AI agent payment frameworks like Mastercard's Verifiable Intent solve authorization verification -- proving a human said "yes" to a class of action. But governance (deciding when and how much an agent should spend in a specific context) remains largely unsolved. Only 14.4% of organizations deploy payment-capable agents with full security approval. 48.9% can't monitor their own agent traffic. The primary risk is privilege escalation: a compromised agent holds delegated spending authority across multiple transactions without re-authentication, unlike single-transaction fraud.

Which companies have launched AI agent payment infrastructure in 2026?

All major payment companies expanded into agentic commerce in Q1-Q2 2026: Mastercard (Agent Pay + Verifiable Intent, live since Q2 2025), Visa (Intelligent Commerce Connect, launched April 8, 2026, 100+ partners), Stripe (Machine Payments Protocol with stablecoin support), American Express (ACE developer kit, April 14, 2026, biometric auth + purchase protection), PayPal (Agent Ready solution, available early 2026), and Google (Universal Commerce Protocol, live in Google Merchant Center since January 2026).