Section 1, What Visa and OpenAI Announced
Visa’s Intelligent
Commerce program, announced at the Visa Payments Forum on June 10, 2026, integrates Visa’s
global payment network directly into ChatGPT. The technical architecture has three components:
tokenized credentials, real-time authorization, and user-defined controls.
Tokenized credentials mean the AI agent operates with a payment token, a scoped, revocable
credential that stands in for the underlying card number. The agent never sees the actual account
data. Real-time authorization means every transaction routes through Visa’s existing fraud
detection and authorization infrastructure, the same system that processes billions of consumer
transactions annually. User-defined controls mean the account holder sets parameters before the
agent acts: spending caps per transaction, category restrictions, merchant allowlists or blocklists.
The result is an AI agent that can complete purchases at any of the hundreds of millions of
Visa-accepting merchants worldwide, within boundaries its user defined, using credentials that
can be revoked instantly. The Associated Press reported the announcement as a named partnership between
Visa and OpenAI at the Forum event.
Visa and OpenAI have also stated plans to explore Codex developer application purchases, API-based
and infrastructure transactions, through the partnership. These are stated future plans from the
announcement, not capabilities available at launch. They’re worth tracking because they suggest
the commercial scope of the partnership extends beyond consumer ChatGPT toward enterprise and
developer spending patterns.
—
Section 2, What Mastercard Announced: AP4M
Mastercard’s AP4M, announced one day earlier, on June 10, per prior TJS coverage, takes a
different architectural approach. Where Visa extended its existing network to accommodate AI
agents as a new actor class, AP4M is a purpose-built programmatic protocol designed specifically
for machine-to-machine payment interactions. The key architectural distinction, based on
prior registry coverage of the
Mastercard AP4M announcement, is that AP4M treats AI agents as first-class participants in the
payment system rather than proxies for human cardholders.
This distinction has downstream compliance implications. Visa’s model places the human account
holder at the center, the agent acts on behalf of the human, within parameters the human set. Mastercard’s model assigns the agent its own transactional identity within the protocol. The legal
and liability frameworks for these two approaches differ in ways that enterprise compliance teams
should evaluate carefully.
**[PRODUCTION-FLAG: AP4M architectural details from the registry brief are limited in the
information provided to the Builder for as of publication. The Filter noted this gap. The comparison
in this section draws on available registry coverage. If the Wire can provide fuller AP4M
technical detail, this section should be expanded before publication.]**
—
Section 3, Architectural Comparison: Tokenized Credentials vs. Programmatic Protocol
The following comparison reflects available verified content. AP4M technical details are drawn
from prior registry coverage and carry the same partial verification status as the Visa
announcement.
Visa Intelligent Commerce vs. Mastercard AP4M, Framework Comparison
| Dimension | Visa Intelligent Commerce | Mastercard AP4M |
|---|---|---|
| Architecture approach | Existing rail extended to AI agents | Purpose-built for programmatic agents |
| Agent identity model | Agent acts as human proxy | Agent as first-class participant |
| Authorization model | User pre-sets spending controls | Enterprise-defined agent authorization |
| Merchant acceptance | Hundreds of millions (existing) | Requires protocol adoption |
| Fraud infrastructure | Existing Visa fraud systems | Protocol-level controls (new) |
| Governance mapping | Human-in-the-loop (pre-configured) | Enterprise builds authorization layer |
| Audit trail | Tokenized transaction records | Programmatic protocol logs |
| Availability | Announced at Visa Payments Forum | Announced June 10 (prior coverage) |
| Verification status | Partial, no source page fetched | Partial, prior registry coverage |
Who This Affects
Visa’s approach has one primary advantage: distribution. Hundreds of millions of merchants
already accept Visa. A ChatGPT agent using Visa Intelligent Commerce doesn’t need merchant
adoption of a new protocol, it uses the existing acceptance infrastructure. The security
architecture is also mature: tokenization and real-time fraud monitoring are tested at global scale.
Mastercard’s approach has a different primary advantage: agent-native design. AP4M wasn’t
retrofitted onto a consumer payment system. It was built for programmatic agents. That means the
protocol-level controls, how an agent is authorized, how its transaction history is logged, how
its credentials are scoped, are designed from the ground up for machine actors rather than adapted
from human cardholder frameworks.
The tension between these two approaches is familiar from the history of payment standards. When
contactless payments emerged, existing card rails were adapted (Visa payWave, Mastercard
PayPass) before purpose-built NFC protocols gained traction. The retrofit approach wins on
distribution. The native approach wins on fit-for-purpose functionality. Enterprise adoption
eventually sorted around use case: high-frequency, low-value transactions preferred the native
protocol; high-value, complex transactions stayed on the established rail.
Agentic commerce may follow the same pattern. Consumer-facing AI agents making routine purchases
– subscriptions, small transactions, standardized merchant categories, may route through Visa
Intelligent Commerce on the strength of merchant acceptance. Enterprise AI agents making
complex, multi-step, or infrastructure purchases may eventually route through AP4M or similar
purpose-built frameworks where agent identity and transaction authorization are managed at the
protocol level.
—
Section 4, Compliance and Authorization Implications
The compliance question isn’t whether Visa or Mastercard has better fraud tools. Both do. The question is which framework maps onto an enterprise AI governance policy.
Most enterprise AI governance frameworks, including emerging NIST AI RMF guidance on agentic
system deployment and EU AI Act obligations for high-risk AI systems with financial decision
authority, require some form of human authorization before AI agents take consequential actions. Financial transactions are, by definition, consequential.
Visa’s user-defined controls model aligns directly with the human-in-the-loop requirement:
the human sets the boundaries before the agent acts, and those boundaries constrain every
transaction. That’s a defensible governance posture for compliance review.
AP4M’s agent-native authorization model is more flexible and potentially more powerful, but
that flexibility creates compliance design work. If the agent is a first-class transactional
participant with its own identity, the governance question shifts from “what did the human
authorize?” to “what is the agent authorized to do, and how is that authorization documented
and audited?”
Neither framework eliminates the compliance design work for enterprise deployers. They shift
where that work sits. Visa’s model puts the governance layer in the user-defined controls
configured at account setup. AP4M’s model puts the governance layer in the enterprise’s
agent authorization framework, which must be built and maintained by the deploying organization.
Verification
Partial Visa Press Release (T1 by type), AP (T2), Mastercard AP4M via prior registry coverage, source log incomplete; no pages fetched AP4M technical architecture details in this comparison are drawn from prior registry coverage, not direct source fetch as of publication. Visa Intelligent Commerce Codex applications are vendor-stated future plans.What to Watch
—
Section 5, Decision Framework for Enterprise AI Teams
Before committing to either payment rail for agentic AI deployment, enterprise teams should
work through four questions.
First: what authorization model does your existing AI governance policy require? If policy
mandates human-in-the-loop for all financial transactions, Visa’s pre-configured spending
control model provides a clear mapping. If policy allows autonomous agent operation within
defined parameters with post-hoc audit, AP4M’s agent-native model may be a better fit.
Second: what is the transaction profile of the agents you’re deploying? High-volume,
standardized merchant category purchases benefit from Visa’s universal acceptance. Complex,
multi-step infrastructure or API purchases, the Codex scenario Visa and OpenAI identified
as a future use case, may eventually benefit from purpose-built programmatic protocols.
Third: what audit trail format does your compliance team require? Payment tokenization
generates a specific audit record format. Programmatic protocol logs generate a different one. Whichever format maps cleanly to your AI system audit requirements is the one to start with.
Fourth: what’s your tolerance for framework immaturity? Both Visa Intelligent Commerce and
AP4M are new. Neither has been tested at enterprise scale for agentic commerce specifically. Regulatory guidance on AI agent financial transactions is still forming in both the US and EU. Building deep dependencies into either framework now means inheriting any compliance
clarifications that come later.
The real story isn’t which network will win the agentic payments race. Visa and Mastercard
have coexisted for decades on the same merchant terminals. Both frameworks will likely persist,
serving different use cases and different enterprise risk appetites. The decision that matters
now is whether your AI agent authorization policy is designed independently of your payment
rail choice, so that when those clarifications arrive, you can adapt the rail without
rebuilding the governance framework. Watch the first enterprise pilot disclosures from both
Visa and Mastercard in Q3 2026 for the first hard data on how each framework performs under
real-world agentic transaction loads.