The last few months have been a whirlwind of activity in the AI realm, with agentic commerce being a hot topic. We're starting to slide towards calling this agentic payments, where agentic (being capable of acting independently) is really just a fancy word for an AI model acting on behalf of a user.
Before we dive into this topic, let's take a moment to get some background about some of the technologies we're dealing with. My day-to-day job is being up to speed on technology; however, with the speed at which things move, even I find that difficult. We're going to be talking about MCPs, agents, and payments. Let's quickly learn about those first two since they are new! I'll assume you know what payments are.
Prefer audio? VGS has you covered with a podcast. Listen to how VGS is tackling payment security and PCI compliance in the emerging future of agentic payments.
What is an MCP
In the world of AI, MCP stands for model context protocol. It's an open-source standard developed by anthropic that streamlines the connection between AI models (like LLMs) and external tools, data sources, and services. MCP provides a standardized way for AI models to understand and interact with external information. It allows AI to access databases, APIs, files, and other tools, enabling it to perform tasks that go beyond just generating text.
In the OpenAI / ChatGPT world, there's an equivalent called actions.
Think of an MCP being a way for an agent to be really smart at doing one very specific task, like using a particular service or performing an operation (think purchasing a coffee at a local coffee shop).
What is an Agent
In AI, an agent is a software program that perceives and interacts with its environment to perform tasks and achieve goals specified by humans. These agents can operate autonomously by gathering information, making decisions, and taking actions to accomplish their objectives. Some agents can also learn and adapt based on feedback or experience, allowing them to improve their behavior over time.
Think of an agent as a system that, once asked to order you a coffee, can handle the entire process: gathering your preferences, navigating a coffee provider's website, placing the order, and arranging pickup at a time that works for you—all without needing additional input.
The Current State of Agentic Card Commerce
Okay, so we've got some technical terms down. It's really all software under the hood, but still, computer programs are susceptible to the same mistakes that software can often make.
One interesting thing about AI is that it doesn't know things in the traditional sense—it infers based on patterns and context. While it can be impressively accurate, it isn't always consistent. In technical terms, AI is generally non-deterministic, meaning the same input can sometimes yield different outputs.
That's a critical distinction when dealing with sensitive domains like payments. You don't get credit for handling someone's sensitive data correctly nine times out of ten, but people will remember the one time you got it wrong. In these cases, we need deterministic systems: systems that behave predictably and consistently, with zero room for ambiguity.
That's where model context protocols (MCPs) can help. MCPs are a standardized, software-based way to bridge AI and external tools. They don't have to be powered by AI themselves, which means we can make them fully deterministic if needed, giving us the control and reliability that's essential in high-stakes environments.
Now, in the payments world, we've got this thing called PCI, also known as Payment Card Industry compliance. Basically, it's the card networks looking out for their cardholders and saying, “If you're going to touch someone's card, you'd better be responsible with it.” That means being careful about how you store it, what you do with it, and where it goes.
The simplest and most effective way to stay on the safe side? Lock that card data down and don't let it wander off somewhere it shouldn't. And definitely don't let a non-deterministic AI bot get its hands on it—because the last thing you want is your customer's card number getting pasted into a “contact us” form or sent off to some random site you don't really trust.
The card networks have seen this issue coming for a while. They've been working on solutions to avoid using credit card numbers directly through things like network token products.
Mastercard has even set a goal to eliminate credit card numbers entirely by 2030. Visa is taking it a step further with something they're calling Agentic tokens, built specifically for use by AI agents.
But all of that is still a few years away. So… what are we supposed to do in the meantime?!
Managing Card Data and Payments with Agents
We'll look at this from two views. In the first view, we'll talk about how companies that build and operate agents can keep sensitive data under control, which will help them earn their customers' trust while still allowing agents to handle card data just like any other non-sensitive data. In the second view, we'll look at what merchants who are accepting payments over the internet today can do to retain control over agentic purchases and ensure that agents are able to deterministically find and purchase items for the customers they represent.
Securing Agentic Payments
How do we keep agents and the data they handle secure? I'll give you a hint: As with all problems related to PCI and card data, the simplest solution is scope management. If you keep an agent out of the PCI scope, you don't have to worry about it ingesting a PAN and storing or regurgitating it later. By providing controls for how it interacts with that data, you can also ensure it doesn't accidentally blast that card data into a merchant's contact us form or send it to an unauthorized destination.
The early movers in agentic commerce, such as PayPal, are initially focusing on avoiding PCI scope by leveraging their Staged Digital Wallet to facilitate the purchase transaction and are securing meaningful partnerships. This is a great move, since the wallet already contains a payment instrument, and you can authenticate the user through PayPal's existing mechanisms, you can avoid ever having to collect or transmit PCI data. As we said earlier, scope minimization is the name of the game, and here, PayPal has cleverly allowed agents to completely sidestep the need for card data and enabled commerce. In what I've seen so far, this workflow doesn't, however, allow for natively collecting card data within the chat experience for the user and requires a merchant to support PayPal as a payment method.
Amazon is piloting its Buy for Me product, which appears to be capable of filling PAN information into third-party websites. They quote that using their “agentic AI capabilities, Amazon makes the purchase by securely providing the customer's encrypted name, address, and payment details to complete the checkout process on the brand's website.” This looks really slick and is in the market today.
Stripe and other PSPs have also jumped on the wagon. They've announced Agentic toolkits, which enable agents to interact directly with their APIs for the purposes of performing transactions. With wallet-like functionality in products such as Stripe Link, agents are able to select from a range of payment instruments the user has already stored, and Stripe has also demonstrated an example of using browser automation in their Order Intents product to perform a payment on a Stripe form. I think this is also a nice leap forward, with the caveat that you're playing within Stripe's walled garden. Stripe also introduced instant-issued cards that agents can use with pre-defined budgets and merchant categories. It's a smart move for cardholder control, but on the merchant side, it's messy. Each payment looks like it's coming from a different card, which can screw up loyalty programs and make it hard to trace purchases back to real customers. With Stripe's recent orchestration and unbundling announcements, it's possible this will change in the future, but I haven't seen it happen yet.
Visa's recent agentic commerce announcement has focused heavily on trust. Through leveraging a series of Visa products (both new and existing), Visa is designing a network token based payment solution that: a) highlights requesting user consent, confirming the expected transaction value, b) device binding as part of the payment flow to both avoid passing data through the agent and c) providing a network token that's easily identifiable, and ensuring that the token cannot be used for unintended purposes. This solution looks very intriguing, but isn't yet in the market and will require problem-solving adoption and work from the network, as well as payment acceptance providers, before it can be utilized.
At I/O2025 Google announced it's 'Shop with AI Mode' (don't miss their excellent AI modeling demo too) which provide a fully agentic shopping experience at which point after “clicking the buy button, Google adds the item to the checkout cart on the merchant's website and uses your Google Pay details to secure the purchase”. Similar to PayPal this is likely going to be leveraging the Google Pay where possible however I've heard that this falls back to direct PAN where needed allowing both Google and Amazon to provide what are likely the highest coverage and most seamless agentic commerce experiences that are truly forward looking, not just in terms of what shopping with AI will look like for the user but also in terms of being able to have agents move payment credentials securely.
VGS powers several leading platforms that are enabling agentic commerce with two notable solutions being PayOS and Nekuda who have both developed solutions for accepting and moving payment credentials, Nekuda has written Everything You Wanted to Know About How Agents Will Handle Checkouts which is a great primer on how agentic commerce will be enabled and PayOS has also done a good job of setting the scene for how they plan to power the infrastructure for agentic commerce.
At VGS, we focus primarily on card payments and believe we can play a role here too. Today, for those looking to collect and transact using card data, through the use of VGS Collect and our proxy, agents can collect card data from cardholders within the chat experience and store and transmit that card data to third-party websites and APIs. Differences with the above-described solutions is that the agent can collect new card data, it can send that card data to authorized destinations (think website or API), and it's agnostic of any PSP or provider, allowing more optionality. This solution is in the market today using our proven and reliable technologies and doesn't require lead times waiting for new solutions to hit the market. Once cards are stored on file (collected from the customer), they are available for recurring transactions by leveraging either the original PAN or swapping it for a network token, which can be bound to a device or merchant. This is not a panacea, we still believe there is more work to be done around managing user consent, controls on cards, and insights, but for companies looking to create secure solutions that enable card-based payments without limitations around PSPs or commerce platforms, VGS has a strong role to play.
In summary, agentic commerce is already here and expanding rapidly. Wallets, PSPs, and networks will all expand their offerings, but there's no need to wait. Agentic experiences can be created using a range of payment methods and across a range of media.
Accepting Agentic Payments
On the other hand, several companies are looking to accept agentic payments or provide agent-like commerce experiences. These companies are not as concerned with keeping sensitive data away from their agents; in fact, they may not be running an agent at all and are instead looking to enable platforms such as ChatGPT to bring commerce to them.
Right now, the state of the art is an old technology; demos from OpenAI and others such as the OpenAI Operator demo often highlight screen scraping (ie. web crawling, browser orchestration, etc) is back in fashion with the hope that models can pick the right fields to fill in and figure out their way through complex wizards that are designed to guide humans through making a purchase. These human-centric flows minimize the amount of information gathered, often choosing to err on the side of conversion rate maximization. This is to say nothing about explicitly anti-bot related hurdles such as Captchas, which create friction in the checkout process.
This is poised to change as the industry develops interfaces that allow agents to understand the catalog of products and services that merchants have available for sale and perform purchases on behalf of humans. No longer will the focus be on minimizing the number of questions asked; computers are great at quickly and efficiently providing information when contracts are well-defined. Until we get to this promised land, agents will likely need to escalate to humans when they get stuck or non-deterministically purchase products.
So the big question is: how do you get ready for this? Well, the good news is these technologies are here. Through the use of MCP tools you can now start to expose actions that mimic or mirror existing APIs or website functionality. These tools, along with text hints you provide to the LLM, allow it to understand what goods and services you have for sale, how to make a purchase, and allow you to ask specifically for the information you need to have in a language optimized for machines instead of humans.
Once the agent has this information, it can begin to invoke those tools (think API endpoint calls) in sequence to perform a purchase.
By providing agents with these interfaces, merchants can regain control over the payment experience by both providing streamlined purchase experiences optimized for agents while additionally providing a separate set of requirements should they need more information from the agent as part of the purchase. There are lots of tutorials out there, so if you're technically inclined, take a look. Once you see how they work, you'll realize the simplicity and power they unlock.
These are early days in an exciting new area of commerce. Widespread agentic payments and the technology and patterns powering them are still in the early stages of development. Expect lots of experiments and shifting approaches. Open standards are likely to play a large role here, which is why I'm spending the time highlighting MCP as a viable solution.
The other big area still taking shape is how the industry manages user consent—what the agent is allowed to do, what data it can access, and how users stay in control. These are early days, and the answers aren't locked in yet. But if you're experimenting now, you'll be ahead when these standards start to solidify. Whether you're building the agents or enabling them to shop, the future of agentic payments is already knocking.
Learn how to enable agentic commerce with VGS
Learn More
