© Starpoint LLP, 2026. No part of this site, blog.starpointllp.com, may be reproduced or retransmitted, in whole or in part, in any manner without the permission of the copyright owner.
Exec Summary (3 pages of bullets below)
The politics and incentives around these device graphs are very complex because they define how risk is managed and controlled. Today, Merchants (and their partners) are the leaders because they own the risk (100% in the US, 50% in the EU). Today’s blog is a recap of the politics and the forces driving perfect authentication, and how this would profoundly impact the politics and the competitive positions of key payment stakeholders.
The threat of a device graph extinction event is driven by Agentic commerce and the realization of Google AP2 (Verifiable Credentials). By outlining the politics of device data, my hope is to educate innovators and incumbents as they embrace (or defend) their positions. My view? I think we are 2 yrs away from mass adoption of device data. Historically, payments and identity have been bundled to the advantage of Banks and Networks (see blog); they are thus best positioned to lead. Google is best positioned to unbundle and create an alternative that works beyond commerce.
- Today’s blog is an update to Data Games and Perfect Authentication is a Nightmare for Banks, and eCom politics and Scenarios.
- Within Payments, the ability to manage risk is the #1 factor in margin and competitive differentiation. Sharing data (ex 3DS) or eliminating device information (ex FIDO and Payment Passkeys) is NOT something that stakeholders lean into.
- Agentic Commerce is a forcing function around the device graph for 2 reasons: 1) the M2M flow interrupts the flow of device information and eliminates behavioral data if the consumer doesn’t interact directly with the merchant in checkout (Human in the loop vs machine to machine – see AP2 Blog). 2) Platform FIDO (in the near term) takes place before payment in order to permit the trusted MCP/UCP consumer-merchant-platform interaction, specialized agent interrogation, integration of loyalty discounts, and payment preferences.
- Merchants own the risk in eCommerce today (100% of merchants in the US, ~50% in EU). Their 30 yrs of investment in risk and fraud is not something they will give up easily, as they fear costs of increased VAS and new partner dependencies (ex Google/Apple). The top retailers have managed fraud down below 10bps, and are also very protective of the payment instruments given to them by their customers, Cards on File (see blog), as they work to avoid the merchant costs associated with tokenization (they don’t control).
- The principal tools used by merchants to manage this risk are 1) device graph and 2) behavioral data (e.g., time spent shopping on site) to screen out “bad bots”. Large merchants have built their own fraud systems, mid-tier buy them from companies like Feedzai, longtail merchants rely on their processor (e.g., Stripe Radar).
- Google’s UCP rolled out last week with several large retail partners at NRF (WMT, Target, Macy’s). While 90% of UCP focus is top of the funnel innovation, the major payment news surrounds the UCP embedded flow, where Merchants control a Human in the loop (HIL) iFrame (see blog) to minimize merchant system impact by maintaining the device data “status quo” directly (iFrame; Stripe takes a similar approach in ACP).
- Issuer politics around eCom risk data is a very long story. My friends in Europe see it much more clearly as 3DS is operable there. As discussed in 3DS and FIDO2, EU Issuers like step up authentication because it shows the value of their brand and drives bank app usage. Merchants hate bank step-up because it impairs conversion. While a liability shift is possible in Europe, declines force major retailers to seek 3DS exceptions as they take on the risk.
- The 3DS spec is technically operable; the network challenge is the incentives (vs. mandates) that encourage merchants to put in quality data and Issuers to act on that data with a liability shift while retaining authorization rates (without a step-up). To resolve Issuer investment challenges in 3DS, Visa and Mastercard logically rebuilt 3DS to work in the cloud so that they could ensure merchant data consistency, and provide shared data science across all issuers (w/ ACS integration). Additionally, new rule sets (DAF and TAF) were created to govern the process of device verification as it evolves into a FIDO/Passkey model. Network were less than thrilled, as this is core to how they differentiate (ex low fraud rates at Target, and Stripe Radar).
- The US is even more complex, a market that has resisted 3DS. For the last 15 yrs, the Top 6 Issuers in PAZE have worked to build a mobile wallet to compete with ApplePay. Paze sits within the Early Warning bank consortium that manages collaborative risk data (and runs Zelle); the Issuers want to create a differentiated wallet. Paze is operable and has solved the bank side of payment, but a wallet’s network effects require both consumer and merchant. As one top retailer said “V/MA are the devil we know, we have gotten to a happy place thru 30 yrs of litigation and negotiation, we will not help the banks build a new brand. Just look at how they treat us in disputes”. The failure of Paze to gain merchant traction has led them to focus on Agentic as their last hope. Unfortunately, Paze Issuers don’t seem to realize that the vast majority of transactions will be HIL (near term) as solutions like ACP and Visa TAP provide merchants a PAR for the use of existing Cards on File, while Google’s FIDO (login w Google) has 4B+ Users, most linked to payment instruments and a Google device graph that is unmatched.
- While Verifiable Credentials (VC) are still the core of AP2, the governance issues associated with managing trust outside of Google’s domain are a 2 yr hurdle (see M2M Trust and Governance and AP2).
- Every stakeholder must manage authentication within their domain, but very few can manage it beyond their domain as this requires a commercial construct with active governance (see M2M: How to Resolve Trust and Governance Gaps). Today the incumbents are Visa and Mastercard (blog).
- Network innovation is tough (see blog) as existing participants have made investments on current rules and competitive dynamics. Agentic is a forcing function; networks have the best plan, but no one wants to give up control. Merchants want to keep device data away from networks and Issuers, Banks want to perform authentication outside of the network, Processors work to build pipes around the network, and government bodies work to build authentication outside of payment (ex eID, UIDAI).
- Authentication is important to Google too, with over 8B devices and 3B consumer accounts. Thus Google is very well placed to create a new network, or provide an alternative to Bank KYC that is based upon a lifetime of consumer behavior. Their commercial and governance model is based upon an Advertising/AI construct that delivers sales to merchants and helps merchants use their data to build better customer experiences.
- Within the UCP embedded flow, the merchant owns the checkout from Gemini through an iFrame. This direct consumer device interaction allows merchants to capture risk and fraud data directly. The downside here is that this is a human-in-the-loop (HIL) agentic transaction (not a machine-to-machine one that purchases on your behalf automatically).
- iFrames are not new and have a long negative history in payment. Back in 2008 when 3DS was launched, an iFrame would pop up and ask for your bank login and password. This led to fraud, abandonment, bank credential theft and many other things.
- While modern browsers have evolved the tech and security of iFrames, the customer experience of a new window is sub-par, and creates a “human in the loop” restriction on agentic. In Europe, you can imagine coupling this iFrame checkout with a mobile step-up authentication (arghh). This iFrame approach meets the near term device data needs of retailers as they minimize change to existing fraud infrastructure. While the embedded flow provides the data, device data in isolation will not be sufficient; behavioral data (ex time spent shopping and navigating) is key to fraud efficacy. Google has the answer, by providing behavioral and risk signals (much like Stripe ACP uses Radar data).
- In my view, Google has the best device graph AND behavioral commerce data on the planet. Google’s challenge relates to the selling, packaging and use of the data. For example, retailers need a stable risk signal that is consumed within their downstream risk infrastructure. Google’s agile world constantly evolves and improves; there is no such thing as a “version” or integrated testing.
- Today cards provide the best customer experience. In the agentic future, retailers are losing control of the top of the funnel AND the ability to manage risk, while banks are at risk of losing their lead in identity and authentication. The battle should NOT be for control, but for creating the best customer experience that works across platforms, WITH A COMMERCIAL CONSTRUCT that incents all participants.
- IMHO, No single entity can create a better experience in payment because of the number of stakeholders involved. Shared investment is necessary, and thus shared incentives are necessary to justify the investment.
- The best in class example of “perfect authentication” customer experience is ApplePay. Here banks invested in KYC and Issuing, Networks in tokenization, standards, governance and commercial terms, merchants in acceptance, Apple in wallet, biometrics, hardware and the secure enclave. With ApplePay the device data sharing issues go away. Merchants pay nothing extra beyond a tokenization fee (1bps). In agentic, Apple must control consumer authorization to ensure the continued efficacy of their credential(s). Thus Apple, Networks, Issuers and Retailers all have a need to authenticate. Will this be done 4 times?
- V/MA (and MSPs) must own authentication: instruments, messages and participants. It is impossible for a network to operate without this control. Trust, risk and value cannot flow without governance, and investments can’t be made without incentives. The only proven alternative is a government mandate with a government service (India UIDAI). As I outlined in Payment Governance, trust across domains requires either a commercial construct or a government mandate.
- The power of V/MA authentication flows from the bank credential. They are the distribution network, rule maker and connector across all parties. This card bundle of payments and identity is the most profitable banking product in history. The biggest GAP in card is in card-not-present (CNP) transactions, the dependency on non-credential information (device data) to manage risk.
- New credentials for identity (eID, VC, DL mDOC, …etc), combined with new commercial frameworks (MSP led Google/OpenAI), and non-card payments (Stablecoin, PayByBank) within a customer experience that is no longer controlled by the retailer (Agentic) threatens all current stakeholders and their competitive positions.
- Today, Google and Apple provide the best authentication. Apple has the lead in secure credential management, Google has the lead in breadth of accounts and devices covered. The gap for both is in IDENTIFICATION (bank quality KYC). We all know that having 100 different ID/Passwords is unmanageable, and the reliance on probabilistic device ID for fraud is archaic. The tech is there to evolve this, what is missing is the forcing function.
- The question Bank CEOs should ask? Do we continue efforts that create friction in authentication, or are we creating a fertile environment for alternatives that will deliver far greater customer experience? Is the benefit of providing a working bank alternative (outside of Visa/MA) greater than the risk of losing authentication to Google? If you were a google engineer and had 9-12 months to build something successful, would you bother working with any bank directly?
- Device graphs are messy businesses (see Authentify Blog). As opposed to deterministic ID (binding a KYC’d human to a device), device graphs are probabilistic. They proliferate in the advertising world and the payments/fraud world both within companies and within specialists. Where many laws cover deterministic identity and PII, probabilistic data is the wild west. Commerce Signals (the company I founded) managed both (see Role of Identity and Trust in eCom). Given the politics in the space, and the potential for “perfect authentication,” you can understand the concern of all the specialists (many looking for the exits). But what strategic buyer would possibly want to engage?
Introduction
The politics and incentives around device graphs are arguably the most complex, yet least understood, dynamics in the modern payment ecosystem. Having spent the last two decades at the intersection of banking, ad-tech, and payment networks, I can tell you that risk management is the single greatest factor driving margins and competitive differentiation. Today, we are staring down the barrel of an extinction event for the traditional device graph: the rise of Agentic Machine-to-Machine (M2M) commerce and the realization of Google’s Agent Payments Protocol (AP2).
My view? We are approximately two years away from the mass adoption of agentic payment flows that will render our current fraud infrastructure obsolete. Historically, payments and identity have been bundled to the advantage of Banks and Networks. They own the “hard” credentials. However, as the marketing funnel collapses into a direct interaction between a consumer’s AI agent and a merchant’s inventory, that bundle has the potential to unravel, as identity is important to the top of the funnel as well. In a world of many agents, the permission to take action on a consumer’s behalf, or a merchant’s request to understand “who is asking” before offering an answer, will drive a collapse of the division between marketing and payment identity. In machine-to-machine (M2M) interaction, probabilistic identity is replaced by deterministic identity (with permissions).
This blog is a review of the politics of device data and the forces driving “perfect authentication”. I am writing this to educate the innovators and the incumbents as they embrace (or defend) their positions.
5 Themes
- Merchant Dominance: Merchants own the risk today (100% in the US, ~50% in the EU). They will not cede control of the checkout experience or their device data easily.
- The Agentic Interruption: M2M flows sever the device data and behavioral data link (mouse movements, time on site) that underpins current fraud models. This creates a “gap” that forces a move from probabilistic risk to deterministic authentication.
- Google’s Lead: Google not only possesses the best device graph on the planet, they also possess the best behavioral data (across all services, 4B+ accounts and 8B+ devices), the largest FIDO authentication solution (log in with Google), and a new commitment to device bound credentials on the phone in the Titan M2 architecture, with the Android Ready SE Alliance to move credentials into secure hardware.
- The Governance Moat: Google has all the technical components to make M2M work within their W3C VC based AP2 Protocol, but trust cannot flow between domains without a commercial construct or a government mandate. Here, Visa/MA have the incumbency, operating rules, governance and existing network to make this work. The challenge is that both merchants and issuers are VERY reluctant to give up control of authentication. The alternative is NOT a merchant auth, or a bank auth… the alternative is one led by Google with the commercial construct being Agentic demand.
- The Bank’s Dilemma: Perfect authentication commoditizes the bank’s risk engine, erasing their competitive advantage. Banks are fighting a divisive war that may result in diminished control for their credentials. Issuers should NOT think of network services as competing with their own plans, V/MA are the distribution and governance arms of a bank credential.
To understand why the industry is stuck in a “Cold War” over authentication standards, you have to follow the liability.
Merchant Perspective
In the US eCommerce market, the merchants own the risk. If a transaction goes sideways, the chargeback lands on their balance sheet. Over the last 30 years, top-tier retailers (Amazon, Walmart, Target) have invested billions into proprietary risk stacks. They have managed fraud down to below 10 basis points (bps) through the sophisticated aggregation of two things:
- Device Graphs: The digital fingerprint of the hardware.
- Behavioral Data: The “cadence” of the user—how long they shopped, what they looked at, how they type.
This investment creates powerful inertia. Merchants view their fraud data as a competitive moat. They are fiercely protective of the Cards on File (COF) entrusted to them by consumers because controlling the credential means controlling the routing (and thus the cost). They resist network tokenization schemes because they fear the loss of control and the introduction of new fees (e.g., a 1bps fee or a 10bps non-tokenized penalty). Large merchants build their own systems; mid-tier buy packaged SaaS like Feedzai or Forter; the long-tail relies on their processor, like Stripe Radar.
Google’s Universal Commerce Protocol (UCP) rolled out at NRF with Walmart, Target and others. While 80% of UCP is top of the funnel data flow, the payment headline was that these merchants demanded a way to keep their device data flow and existing investments. Thus UCP created an Embedded Flow (an iFrame). Why? Because an iFrame allows the merchant to keep a human in the loop (HIL) and interact directly with the human on their device to capture device telemetry. Evidently, these merchants are willing to sacrifice the “magic” of a fully autonomous agentic purchase to maintain the integrity of their 30-year-old fraud models.
Note that I go deeper into the history of iFrames in the section below.
Bank Perspective
As I outlined, often to Banks’ discomfort: Banks want weak authentication. Or, more accurately, they want authentication that they control and that requires their proprietary data to verify.
Banks are the original data businesses. Their efficacy (auth rates, NCL, NIM) relies on the premise that they know the customer better than anyone else. They underwrite credit and manage transaction risk based on decades of proprietary signals. “Perfect Authentication”, a state where identity is cryptographically guaranteed via FIDO/Passkeys linked to biometric hardware, presents a paradox.
If authentication is perfect, transaction risk drops to near zero. If risk is zero, the bank’s proprietary transaction risk models become worthless. The differentiation between a massive bank like JPMorgan Chase (with its multi-billion dollar fraud infrastructure) and a small community bank evaporates.
This dynamic is best described by the “Bear at the Campsite” strategy.
If a bear comes into your campsite, you don’t have to be faster than the bear; you just have to be faster than the other campers.
The “bear” is fraud. The big banks want fraud prevention to require massive capital investment so that small banks cannot match them. By maintaining a system where risk is probabilistic and expensive to manage, they create high barriers to entry. “Perfect authentication” democratizes security, leveling the playing field and commoditizing the issuer’s role.
This is why US banks have spent 20 years trying to build their own identity layers (Authentify, Zelle ID) and failing. These failures weren’t technical; they were political. They refuse to participate in open standards that they do not completely govern.
Network Perspective
Visa and Mastercard sit at the nexus of this conflict, where Issuers have the loudest voice. They know that a network can’t exist without controlling the authentication of participants, instruments and transactions. Almost every attempt to create a pathway to liability shift in eCom has been rebuffed, from 3DS and SRC to Payment Passkeys. It’s not a technical problem, but one of incentives and control.
V/MA understand that their role as the identity infrastructure of the internet is at risk. Fortunately, today UCP is a messaging protocol (the HTTP of agentic) without a commercial construct. But for cards to remain the best customer experience, they must work in new flows like Agentic. Agentic is a forcing function like we haven’t seen before:
- Verifying Actors: Certifying which AI agents are “legitimate.”
- Verifying Actions: Cryptographically binding a human’s intent to a machine’s execution.
- Guaranteeing Liability: Selling the commercial framework that dictates who pays when things go wrong.
New services like MA Agent Pay and Visa TAP are coupled with rule changes (DAF/TAF) and existing tokenization services (VTS/MDES) to fix the problem. These are not just technical specs; they are commercial frameworks. Banks don’t want “another ApplePay”, but what should really concern them is an unbundling of identity from card. The threat is real as states and governments provision digital credentials that have near the efficacy of Bank KYC. These credentials are certainly good enough for merchants to own the risk. This is a 2 year threat to banks, and they have been working for 15 years on a mobile wallet. While Google is best placed, they aren’t the only threat as Europe rolls out eIDAS and Wallets expand their ability to hold digital credentials.
iFrames Again? – History Recap
Admittedly, this section is an incongruent deep dive into the arcane history of iFrames in payments. Non techies should probably just skip this section. But the politics and history provide a useful perspective.
3DS was launched in 2008 to help banks manage risk in card-not-present authorization. This launch was viewed as one of the biggest tech/fraud failures of all time (see Ross Anderson Whitepaper). It wasn’t just a technology failure; imagine the reaction of consumers checking out of their merchant, with a pop up asking for their bank login and password. Yep.. that’s really what happened.
The original implementation of 3-D Secure in 2008 (3DS 1.0) committed what I consider the “original sin” of payments UX: it trained consumers to enter sensitive credentials into unverified third-party iFrames and pop-ups. As Bruce Schneier famously argued back in 2010, this architecture was a security anti-pattern that conditioned users to be phished. By loading the Issuer’s Access Control Server (ACS) content directly into an iFrame on the merchant’s checkout page, we created a fractured trust model. Technically, this was a brute-force attempt to inject the Issuer into the Merchant’s session to verify identity. However, because the iFrame operates in a separate origin from the parent page (the merchant), it created a “black box.” The merchant lost visibility into what was happening inside that frame (abandonment, latency, etc.) while the issuer was blind to the rich contextual data (mouse movements, browsing history, device telemetry) that the merchant’s frontend had access to. See Schneier on Security.
From a data engineering perspective, the 3DS iFrame acted as a barrier, not a bridge. In the legacy model, the Merchant Plug-In (MPI) passed a limited set of fields to the ACS, but the “Cross-Origin” nature of the web prevented the Issuer from reaching out of that iFrame to read the merchant’s Document Object Model (the DOM, where the detailed device/behavior info lives). This meant that while the merchant possessed high-fidelity risk signals (device fingerprinting, behavioral biometrics, and session context), 3DS 1.0 lacked the envelope to pass them. The issuer was left making authorization decisions based on static data (card number, amount) inside a sandboxed window, effectively guessing at the risk while the merchant sat on a goldmine of telemetry they couldn’t share.
Note that the absence of a data envelope in 1.0 is fixed today in 3DS 2.2; now the problem is: 1) Merchants don’t structure the data and are in control of what is shared, and 2) Issuers don’t invest in data science to process the device information (except COF). The hurdle is NOT a technical rail, but politics and incentives. Why would Issuers INVEST to own the liability? Thus Visa and Mastercard worked to bring the risk decisioning up into the cloud within SRC and Payment Passkeys.
This technical deadlock is exactly why Stripe engineered a way around the traditional network rails with the Stripe Enhanced Issuer Network. Stripe isn’t looking for a liability shift; they are seeking to improve authorization rates and create a competitive advantage for themselves (COF is the only fully onboarded Issuer, with BAC and JPM in progress). Instead of trying to shove device data through the narrow “unstructured” pipe of a 3DS iFrame, Stripe captures and governs the telemetry via their stripe.js SDK on the merchant side and transmits this “rich data” (Radar fraud scores, device fingerprints, and behavioral patterns) directly to the issuer via a side-channel API connection. While this approach creates a competitive advantage for Stripe, it is only for Stripe merchants and COF cards (it doesn’t scale).
Why the iFrame? Because Walmart, Target, Macy’s, likely want to keep it simple. They have no desire to combine the massive collapse of the funnel and customer experience with a complete change to their back office payment and fraud operations. They want the first step in agentic to be HIL. Note that both Google and OpenAI have plans for their own wallet as they seek to solve the Gordian knot of monetization (see blog).
Merchants are reluctantly leaning into agentic, with the largest merchants reporting a 1-2% growth in eCom GMV (see blog). Their platform demands likely include:
- Device data
- Independence from Network or Issuer VAS
- Integrate with existing consumer account/loyalty systems
- Control of checkout (and risk)
- Use of Cards on File and existing optimization (ex known customer w/ COF is managed differently than a new customer on a new device)
- Wallet neutral
The biggest shortcomings of the embedded UCP payment flow (iFrame approach) are:
- Customer Experience – A pop up at checkout? That could be combined with a step up from bank App in Europe?
- Scalability (similar to Stripe’s case, Issuers don’t invest)
- Loss of Behavioral info. By forcing the checkout into a credentialless iFrame, merchants have a gap in their fraud models. The merchant cannot see the user’s history. They cannot see if this device was used five minutes ago on a different site. They are trapped in the “ephemeral” moment Google provides.
- New dependency on Google’s agentic/account behavioral signals
- No liability shift
- Limited to Human in the Loop (HIL) agentic transactions
- Device data needs to flow to Issuers for improved auth rates
Could something fix this CX Issue? Yes, and I’ve shared my thoughts w/ Google. They range from using existing bank credentials in the assurance data (avoiding bank step up) to using Google FIDO in both Google-Merchant and Google-Network/Issuer (key provider here is LoginID).
While Google’s native flow provides a much better customer experience, it creates complex dependencies and would require much more substantial merchant investment to update back office fraud/risk systems.
Important to note that the Native flow does NOT offer a liability shift. Only network-approved authentication schemes can fall within the DAF/TAF, and the Issuers must have some degree of control over 3rd party schemes. This is a very complex topic and a future blog.
Big Tech and Central Banks?
If the battle between Merchants and Banks wasn’t enough, we have a third front opening up: Public Law Trust Models. As I outlined in Part 1 – Identity Models, Government and Governance Structures, I have watched with great concern as Big Tech assesses alignment to Central Bank (ex UPI, PIX, etc.) and government identity initiatives (eIDAS, UIDAI, etc.).
As discussed, trust requires either a commercial construct or a government mandate. Visa and Mastercard manage a commercial construct based on interchange and bank only membership. The central banks of India (UPI) and Brazil (PIX) have created successful alternative models. In these systems, Big Tech (Google Pay, WhatsApp) builds the user experience on top of the government rail. The cost of transfer drops to near zero. The role of the card network as the “trust intermediary” is eliminated because the government provides the bank participation mandate and the underlying law for trust.
Within the identity sphere, Europe is currently building the European Digital Identity Wallet (EUDI Wallet) under eIDAS 2.0 regulations. This government-issued digital identity for every citizen could displace Visa and Mastercard as the identity infrastructure of the internet. When coupled with SEPA and Open Banking, the results are uncertain. The 2015 Interchange Fee Regulation (IFR) dropped V/MA rates in the EU to 25/35 bps for Debit/Credit. Volumes exploded as merchants no longer cared about the cost of card.
IFR was great for V/MA, as it also took away the incentives for any alternative. While eIDAS plus SEPA could technically fill much of the role of V/MA, how does it displace 50 yrs of investment in card, and change consumer behavior? I sure hope Greenland and diminished US affinity doesn’t do it.
Device Graph Extinction?
Not yet, but the mess here shows why few strategic players would want to touch any device graph company.
Authentication is the process of verifying an identity. At both Citi and Wachovia the authentication teams were in my P&L, while the risk and fraud teams were in payment operations. Fraud teams dealt in an analog model with many imprecise signals, and authentication teams were yes or no. If I let my Auth teams drive the customer experience in a branch they would have armed guards, metal detectors, and tellers behind bullet proof glass.
Historically the process of authentication and proving your identity was cumbersome. However, all this friction is changing across credential standards, government issuance, law, regulatory requirements, secure hardware storage, biometric device binding. All these innovations are operable today, but the investments in device based auth (and control), define how risk is managed. The ability to manage risk defines margin and competitive differentiation. This means moving away from device graphs will be VERY HARD and require a forcing function.
For software engineers, the thought of using shifting probabilistic device data to authenticate is beyond arcane. The W3C VC community, eID and UIDAI all built a better mousetrap that everyone should run to. But the business head understands why adoption is so hard. Change requires an economic incentive or a legal/reg mandate. Europe is on course for a legal mandate, but EU banks are insulated as local country banking regulators are not willing to force their banks to take on a liability shift when they have no control over credential issuance. For example, what happens when an Italian bank depends on a Slovenian government ID that was issued incorrectly? Who owns the risk? What Europe’s eIDAS misses is that VCs require a commercial framework for trust to expand beyond a domain.
While cross domain is hard to change, digital credentials will be used to authenticate within a domain. FIDO based at first, but due to FIDO’s inability to manage more than bilateral interaction (and software storage), Device Bound credentials stored in dedicated hardware (ex Titan M2, Apple Secure Enclave, Samsung Knox) will be the long term winner. The platform for managing identity credentials (ie mobile) will provide services across payment and non-payment use cases.
TRUST is the core function of a collaborative network and a multi sided platform (MSP). Payment Networks must control the verification of participants, instruments and messages. Governance and operating rules define how risks and rewards are allocated. Today Card Networks exchange messages with trusted participants. The card commercial framework mandates actions on the messages. While ISO 8583 covers most message exchanges, new message sets and new operating rules are certainly possible (ie Network of Networks).
Historically, possession of the card (Actor) and the swipe at the terminal (Action) were technically and legally fused. But in the Agentic era, this bundle has been broken. An authenticated user (Actor) gives a general mandate to an AI Agent (a secondary Actor) to execute a purchase (Action) at a future time. If the network cannot natively authenticate both the Actor (the human mandate) and the Action (the specific agent request), it loses its reason for being.
By allowing Apple or Google to define a new commercial AGENTIC construct (with multi use credential management), they could become the best source of truth, particularly as they also have both an identity graph and behavioral information. Thus the networks are competing for their most critical value-add. For example, if Google owns the identity, and the Central Bank owns the settlement rail (FedNow/UPI), the Card Network is left with credit risk management.
Message to Issuers: Focus on what you are great at within your domain. Leverage networks to distribute your product and provide a scaled commercial construct.