EMVCo and DPCs

This should be a 20-page blog… but I don’t have time this week. Big-picture thoughts:

The April 28, 2026 announcement of Google’s donation of the Agent Payments Protocol (AP2) to the FIDO Alliance signals Google’s desire to move payments from the legacy Device Primary Account Number (DPAN) model to the Digital Payment Credential (DPC) mandate framework. For identity and payment experts, this shift represents more than a technical update; it is an effort to commoditize the proprietary trust moats built by card networks and Apple through a standardized, platform-agnostic infrastructure.

© Starpoint LLP, 2026. No part of this site, blog.starpointllp.com, may be reproduced or retransmitted, in whole or in part, in any manner without the permission of the copyright owner. Also, see our Legal/Disclaimer (this is a highly opinionated and partially informed blog). Enterprise readers, please consider an Enterprise Subscription (not required for Starpoint Clients).

The current DPAN ecosystem is built on a high-cost, high-assurance provisioning process that banks have invested in for over a decade. This process is designed to ensure that the hardware device is legitimately owned by the cardholder (see the blog on tokens and binding).

  • Rigorous Multi-Factor Checks: Provisioning involves account verification messages (AVMs), PAN-based risk score assessments, and telco data matching to verify the device’s history.
  • Step-Up Authentication: Issuers often require out-of-band (OOB) verification, such as One-Time Passwords (OTP) sent via tenured email or phone records.
  • Token Assurance Levels (TAL): The resulting DPAN carries a TAL that signals to the issuer the strength of the original binding, creating a semi-permanent credential anchored in the handset’s hardware.

This “hard binding” creates a significant barrier to entry, as the bank must perform a heavy “Identification & Verification” ceremony for every device-card combination.

The transition to DPCs is strategically weighted by the uneven distribution of DPANs across the mobile fleet (Apple wins hands down).

| Strategy Component | Apple (The Integrated Moat) | Google (The Standardized Pivot) |
| --- | --- | --- |
| Credential Density | Near-ubiquitous DPAN penetration across the iPhone fleet. | Low DPAN penetration due to a history of cloud-synced, software-based credentials. |
| Hardware Control | Every iPhone since the 5s features a Secure Enclave isolated from the OS. | Fragmentation between Google (Titan M2), Samsung (Knox), and legacy Android TEEs. |
| Provisioning Advantage | Deep, existing integration with bank ID&V flows through Apple Wallet. | Fragmentation and lack of hardware-level control until the recent pivot to the Titan M2 and the Android Ready SE Alliance. |

For Google, DPCs are a strategic necessity. By driving standardization through FIDO and EMVCo, Google can neutralize Apple’s closed-loop hardware advantage and the industry’s investment in DPAN-specific ID&V.

EMVCo and DPC

EMVCo’s announcement is what prompted today’s blog. At a high level, DPCs are not a permanent surrogate but a payment-specific application of Verifiable Digital Credentials (VDCs). The key threat of the DPC model is the enablement of non-card schemes at parity.

  • Parity via Generic X.509 Certs: By utilizing standardized cryptographic primitives and generic X.509 certificates (often managed by Google’s legacy Device Policy Controller team), non-card schemes like PIX and UPI can participate in agentic transactions with minimal friction.
  • The Wallet as Identity Anchor: In Google’s vision for DPCs, Google (the wallet) performs the primary identity work via the Android Credential Manager (ACM). The wallet becomes the “Credentials Provider” (CP), signing mandates that treat the underlying funding rail as a generic instrument.
  • Erosion of Network Governance: DPCs allow for “Selective Disclosure” (SD-JWT), proving specific attributes without revealing sensitive PAN data, which effectively commoditizes the card network’s traditional role as the exclusive arbiter of transaction data.
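The SD-JWT selective-disclosure mechanism the last bullet refers to, as an added Python example (not code from this post, Google or EMVCo): the issuer replaces the PAN and expiry with salted SHA-256 digests in the credential’s `_sd` array, the holder releases only the disclosures a merchant needs, and the relying party accepts a disclosure only if its digest was committed by the issuer. The claim names, sample values and issuer name are constructed; the issuer’s JWS signature over the payload is assumed to be verified separately.

```python
import base64
import hashlib
import json
import secrets

# Constructed sample claims for a bank-issued payment credential. The PAN
# and expiry are selectively disclosable and are never sent to a merchant.
SAMPLE_CLAIMS = {
    "issuer": "Example Bank", "scheme": "card", "last4": "4242",
    "pan": "4242424242424242", "exp_date": "2028-12",  # constructed test PAN
}
SD_CLAIMS = {"pan", "exp_date", "last4"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def digest(disclosure: str) -> str:
    # SD-JWT rule: digest = base64url(SHA-256(ASCII(disclosure)))
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())

def issue(claims: dict, sd_names: set) -> tuple:
    """Issuer side. Returns (JWT payload, disclosures). Each disclosable claim
    becomes a salted digest in `_sd`; the issuer then signs the payload."""
    payload = {"_sd_alg": "sha-256", "_sd": []}
    disclosures = {}
    for name, value in claims.items():
        if name in sd_names:
            salt = b64url(secrets.token_bytes(16))  # fresh 128-bit salt per claim
            disc = b64url(json.dumps([salt, name, value]).encode("utf-8"))
            disclosures[name] = disc
            payload["_sd"].append(digest(disc))
        else:
            payload[name] = value
    payload["_sd"].sort()  # digest order must not reveal claim order
    return payload, disclosures

def verify(payload: dict, presented: list) -> dict:
    """Relying-party side, after the JWS over `payload` has been verified:
    accept only disclosures the issuer committed to, return revealed claims."""
    committed = set(payload["_sd"])
    revealed = {k: v for k, v in payload.items() if k not in ("_sd", "_sd_alg")}
    for disc in presented:
        if digest(disc) not in committed:
            raise ValueError("disclosure not committed by issuer")
        padded = disc + "=" * (-len(disc) % 4)
        _salt, name, value = json.loads(base64.urlsafe_b64decode(padded))
        revealed[name] = value
    return revealed
```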

Networks Must Own Authentication

While Google’s DPC strategy fits their fragmented starting point, it misaligns with the foundational regulatory need of financial institutions to verify and authenticate the four pillars of a transaction: the User, the Instrument, the Actor (Agent), and the Action (Payment).

  1. User Verification: DPANs use heavy ID&V to verify the human; DPCs rely on the wallet’s attestation of the identity.
  2. Instrument Authentication: DPANs are bound to the specific card account; DPCs treat the account as a pluggable attribute in a VDC.
  3. Actor (Agent) Trust: Card networks want to own the “Licensed Agent” registry (Scenario 2); Google’s AP2 donation moves this to the community-led FIDO working groups.
  4. Action (Mandate) Governance: Banks require “Normalization of Intent,” where they define the semantics of what an agent can do (MCCs, TTLs, limits). DPCs risk making the bank a passive observer of opaque third-party mandates.

Despite Google’s push for DPC parity, banks are motivated to evolve their existing DPAN provisioning into a persistent Identity Provisioning framework, mirroring BankID Norway (see blog). In this scenario, the bank does not surrender the identity role to the wallet; instead, it leverages the already-verified device as a sovereign identity anchor.

  • From Payment to Identity Rail: Banks are transitioning from issuing simple payment surrogates to issuing hardware-bound “Identity Credentials” into the device’s secure element alongside the DPAN.
  • The Sovereign Control Plane: Like the Norwegian model where a single bank-issued ID is used across public and private sectors, the mobile device—already vetted by heavy bank ID&V—becomes the authoritative signer for agent mandates.
  • Direct Authentication vs. Wallet Attestation: By evolving the DPAN into an identity rail, banks ensure that the ultimate authority over the “Four Pillars” (User, Instrument, Actor, and Action) remains within the financial domain.
  • Signing Authority: How DPCs are signed will be determined by EMVCo: the provisioned DPAN, a provisioned BankID, …etc.

This week, I certainly see DPCs as Google’s effort to onboard every payment scheme into Google’s GPay for the expanded launch of Gemini and Buy for Me. But transactions that fail authorization will be a bad experience. Google is running to scale, but speed could leave egg on its face, as either declined or fraudulent agent transactions may put friction and fear into initial consumer adoption.
