Chainfeeds Summary:
The winners in Agentic Commerce are already in the competition. The winner in Pay-per-call will be decided the moment the market opens.
Article source:
https://x.com/tiger_research_/status/2048952577975562247
Article Author:
Tiger Research
Opinion:
Tiger Research: Google is attempting to simultaneously control both the discovery and payment layers, relying on two core standards: UCP and AP2. UCP (Universal Commercial Protocol) is the standard for communication between agents and merchants. For an agent to complete a purchase on behalf of a user, it needs to interact with numerous different services. The problem is that each service has a different structure. Each time an agent discovers a new service and initiates a transaction, a separate integration is required. Google hopes to eliminate this inefficiency with UCP. Once a merchant is configured according to this standard, any agent can connect to that merchant in the same way. AP2 (Agent Payment Protocol) is an authorization standard used to clarify "who authorized what, and the amount authorized" during the transition from discovery to payment. When a human directly clicks the payment button, the actor and responsibility are clear. However, when an agent pays on behalf of a user, the scope of authorization and responsibility become ambiguous. AP2 records the user's initial instructions as an immutable digital contract. Agents can only execute operations within the scope of user instructions, and after a transaction is completed, a traceable record is left, documenting who authorized what and when. In short, if UCP is the standard for discovery, then AP2 is the standard for writing accountability into transactions. OpenAI and Stripe jointly developed ACP (Agent Business Protocol), which was released on September 29, 2025. ACP is an open-source protocol that allows agents to invoke merchants' payment systems and complete purchases on behalf of users. ACP grants permissions through a four-party structure: 1) Buyer, 2) Seller, 3) Agent, 4) Payment Service Provider. The core question of ACP is: "How much payment authority should be granted to the Agent?" Theoretically, if the user's card information is given to the Agent, the Agent can make payments at any merchant, for any amount, and at any time. However, an insufficiently trained Agent might repeatedly purchase unnecessary goods, and hijacked sessions could be exploited. ACP addresses this problem through "delegated payment." The user's actual card information is not passed to the Agent. Conversely, payment service providers (such as Stripe) receive card information and issue a one-time token, which the Agent only processes. This token has four constraints: which merchant it can be used at; the maximum amount that can be paid; when it expires; and which checkout session it applies to. Therefore, even if the Agent malfunctions or is hijacked, the loss cannot exceed the scope of "this one shopping transaction." Mastercard is in the same league as Visa. It is a company committed to maintaining its card network position in the Agent era. Mastercard has chosen a strategy of opening its existing payment network (covering more than 210 countries worldwide) to Agents while building an architecture that allows merchants to easily integrate into its system. In April 2025, Mastercard launched Mastercard Agent Pay, followed by developer tools in September and the Agent Pay integration framework in October, gradually perfecting its Agent payment system. What these components have in common is that Mastercard does not attempt to dominate the market through its own protocol. Its strategy is to ensure Mastercard's involvement in the payment and authentication process regardless of how the market evolves. This aligns with Visa's "payment layer neutrality" strategy, but Mastercard focuses more on merchant integration. Mastercard's real battleground is enabling Agent payments to run without any merchant intervention. Typically, when merchants adopt new payment methods, they need to embed code into their websites. Mastercard eliminates this burden. Through a partnership with Cloudflare, Mastercard has built a structure on the front end of merchant websites that automatically identifies "whether it's a trusted Agent or a malicious bot," allowing only trusted Agents to access the merchant's system. Merchants can accept Agent transactions without modifying any code. Simultaneously, another path is reserved for merchants who wish to achieve deeper integration. Merchants who want their systems to interact directly with Agents can connect through mainstream Agent protocols such as MCP, A2A, and ACP. Ultimately, merchants have two choices: do nothing and accept default traffic; or integrate protocols and build a customized experience. Regardless of the path chosen, Mastercard will be involved.
Content source 
