Rubail Birwadker of Visa says agentic commerce will only scale if identity, permissions and risk controls are built into the transaction.
Transcript
This is Monday Conversation, a PYMNTS Podcast. Karen Webster sits down with the visionaries behind the trends for the story is shaping what's next in payments and commerce. In this episode with PYMNTS CEO Karen Webster, Rubail Birwadker, Visa's Senior Vice President and global head of growth, explains why agentic commerce will only scale if identity, permissions, and risk controls are built into the transaction.
Karen:Hey Rubail, great to see you. Looking forward to today's conversation about identity in an agentic world and all of the things that go along with establishing and creating trust in this new commerce environment. So thanks so much for taking the time.
Rubail:Thanks for having me, Karen.
Karen:So let's start with perhaps a little bit of context. Before we get into the nitty-gritty of the flow, let's talk about the flow. How do you envision commerce on these AI models to work? What's the experience?
Rubail:It really depends over what time horizon we think about the experience. I think over a long enough time horizon, eventually this moves to a what I might imagine a even the next level of what we call like a one-click checkout, which is, you know, I think Amazon and others have done an incredible job of creating such a seamless way of going from discovery to a post-purchase life cycle. And an agentic world, I think a version of that maybe even without more time, maybe even without a button. So the version of like what the human confirmation is, I mean, there'll remains to be seen how it'll play out. But that's that's why I believe a payment journey is ultimately going to look like once we do have enough consumer trust and enough commerce sort of like flowing through the ecosystem.
Karen:I I agree with you. I also think voice is going to be an important enabler to the experience. It's just so much easier than engaging with you know a prompt or a type or something like that. So I agree with that. So so let's okay, so let's let's double click on on that. So in that world, agents will begin making purchases for people, obviously also businesses. Um what does the trust layer look like and is it different than what exists today? Obviously, there are standards that need to be set and adhered to. Who who does all of that and what needs to change?
Rubail:Um great question, Karen. Um, but I do think that both trust and identity in an agentic world look relatively different versus the way it's sort of like come together in the e-commerce environment for a number of reasons, but mostly because in an e-commerce environment, authentication tends to be more on an event-based. And I think in an agentic world, given that you're dealing with really, really smart pieces of software, there has to be some form of continuous validation of what I might call would be of agent behavior. Um, which means that just traditionally you just have to look at it in a very, very different with a very different lens. And the kind of data payloads and information do you need in order to do this sort of like validation, repeated validation, is going to look very, very differently than a purely human buying something from a seller or a merchant in an online environment.
Karen:So even though the person is directing the agent to act on their behalf.
Rubail:Yeah, I mean, this this is where it starts to get interesting, which is, you know, while there's a lot of talk about agentic commerce and what does it really mean, I think what we've observed in the initial stages so far, you're like eight months into this overall ecosystem, is human in the loop is not going anywhere away anytime soon.
Karen:Right.
Rubail:Um, like true autonomy of commerce still feels like it has a little bit ways to go, mostly because you know, we're still very, very, very, very early innings into this. And the deeper a human being is involved in the loop, I think, you know, the closer it looks, like it looks like a little bit more sophisticated, intelligent form of what we really see in an e-commerce environment, which is you're binding a payment credential to a human being, which is time-bound, permission bound. Perhaps you know it has some form of um controls around where and how the payment credentials being used, there are biometrics associated with it, but the further and further away we get away from a human in the loop to an autonomous world, um, you know, just there's going to be need of like better, better data, honestly, to do better ongoing authentication of these agents.
Karen:If if I think about though autonomy today, it's sort of my subscribe and save on Amazon, right? I mean, uh it just stuff just shows up on the 11th of every month that I have pre-ordered. And sometimes they'll tell me that it's out of stock or they'll let me know that prices have generally increased. I I rarely get notices that prices have decreased, but it stuff just shows up. So, in a sense, it's autonomous after that initial setup.
Rubail:Yeah, I think I think you said that right, which is the parts of agentic commerce, which are so much more, we think, incrementally better than an e-commerce environment is, it just does take out a lot of drudgery out of like the you know single purchase-by-purchase um like process that a human being has to go through. I think you know, subscriptions do that really, really well in an e-commerce environment, but it starts to get a little bit trickier when it's not something that's on a recurring basis. Like, for example, how often do you go and think about the payment that you made to Netflix? Like, not very often. You probably put your card in there like several years ago, it got updated in the background if the card expired, and you probably didn't even think about it. Um, so it does take the drudgery out. The second piece is it connects discovery really well to checkout because it just gives better personalization and intelligence around you bought something and there is a possibility. Again, you know, a lot of this like remains in the promise of what a gente can do because we're seeing what it's doing in discovery to port over to what it might do in commerce, which is it takes intelligent signals and it gives you a much more refined funnel to put your money more put to get more for your money or get more effective things for your money. Um, and both of those things I do think are somewhat related to the autonomy of agents, but it's just related to like you know living and breathing in an agentic environment. Um, but truly, I think the autonomous piece, which we haven't really seen like play out yet, but you know, again, there is it's just bets on like you know when and how these things sort of like come together, is when it's truly making decisions based on a set of parameters on your behalf, um, not in real time. And that's and that's the scenario I think that'll that'll feel like really, really, really automatical when that actually comes through. And again, in that context, identity and kya become even more critical.
Karen:Agree, but I'm still initiating this. I want to take a trip, and here are my parameters and here are the limits, and just go do it for me. I'm still it's not autonomous in the sense that agents are just sort of scurrying around um buying things just because they sort of think that I might want them.
Rubail:Correct. And and and thankfully so.
Karen:Thankfully so. It could get pretty ugly at my house if uh if that in fact were a use case. Let's um what does KY mean KYA mean to Visa?
Rubail:It's from our from our cleanest perspective, for us, it's really verifying the agent and what we what we really refer to, agent is like another piece of software or the representative of whichever identic environment you're in. Um, verifying that agent's cryptographic identity. It's just how do you establish a real root of trust on the link between the authenticated human being or a business? That's one, to the agent and the payment credential associated with the agent and the scope of its authority. So for us, that's it. And again, you know, we are we are again in the payments commerce business. We're not in a broader, it's like broader business. So for us, uh, you know, we like we do a lot of thinking around knowing your agent when it has an intent to buy means a lot more. It is a lot more specific to the world that we live in. Because once you have an agent that has a, say, for example, a Visa credential associated with it, you know, some of the work that we've done with our trusted agent protocol, and we can pass that signature through the CDN layer, um, we believe like the agent has already verified with Visa that it has gone through the process, it has an authenticated token associated with it, and it can pass that specific signature with whatever parameters that they might be, right? Spell limits, merchant categories, time, window, behavior patterns, whatever it might be to the end merchant. If we can sort of like create that custom pipe in a standardized fashion that works consistently across everyone, I think that's where KYA starts to look like really, really it starts to come together very uniformly, at least as it relates to commerce.
Karen:Well, it also creates a standard that's interoperable, right? I mean, I think that's too many, too many protocols battling for protocols these days.
Rubail:Yeah, I mean, it's uh I have to say that has been one of the most interesting insights that has come together over the last eight or nine months. And by the way, it's natural. Any new technology, any new paradigm, um, you know, you'll see there's a lot of fragmentation. And for good reasons, you know, protocols have come in because they're trying to solve a very, very specific problem. But ultimately, our belief is that um anything we build, at least at Visa standards, should be set through industry bodies because then it consistently works the same way for everyone. Uh, merchants, and you know, it's not just merchants in the United States, but like hundreds of millions of merchants all around the world, they need a consistent way and fashion of recognizing this well with uh regardless of like you know which agent sort of like it's it's representing. And then you know, it can create good interoperability. So for us, you know, payment networks, issuer stand technology standard parties are really the place to really create consistency. That's one. And the second thing is yes, I think individual protocols are gonna exist, just like custom pipes exist today. Um, and you know, they have a really, really good place. And I think they're gonna be very successful. They just have to be, we have to figure out how to make them complementary with like the broader standardization. And that's the work you know we continue to do day in and day out.
Karen:That's the only way that it will ignite and scale. I mean, otherwise the consumer will have a frustrating experience and merchants will have an integration nightmare.
Rubail:It's it's it's a huge nightmare because there is a lot that's happening at the seller level. You know, their traffic patterns are changing, you know, it's human beings and agents are showing up. People are sort of like accessing, they are doing discovery very differently than it happened before. They have access to better information, how to make it accessible, easy. There are chances where pricing is getting sort of like, you know, like the brand is getting commoditized.
Karen:Yeah.
Rubail:And there's a lot that they have to do, and integrations are very, very huge. So, you know, having a low-code, no-code way for merchants to do this consistently globally across all agents and you know, every payment method. You know, we have like nearly nearly 5 billion payment credentials around the world. You know, if you add like all the payment credentials across card networks, it's like you know, several billion. And how to do that consistently is is is scale, scale is hard.
Karen:Scale is hard, which is why there aren't very many global networks in the world. Um, but do you think tokens are that digital trust badge? I mean, is that is that your hypothesis?
Rubail:Um, purely for cards, we we really do believe that. We think tokens are a fantastic representation of originally, like just to like a little bit of history on tokens, when we first introduced them with the original tokenization platform, you know, Apple Pay is a very good example. And you know, now it's proliferated everywhere. We do tens of millions of tokens today. Um, it is always the goal was always security and figuring out how do you sort of like not let PII information sort of like move all around the ecosystem. And then as you abstracted away the PII, there's a lot of things that we learned. You could make a token very, very configurable. They can start to represent a human being if it's correctly authenticated and tied to a specific device. Over time, we think they can represent agent identity. We believe we can, you know, there's a way to sort of like you know surround it with like permissions and payment capabilities. And the good news is like, you know, tokens are a consistent standard across card networks. So that also makes it very, very easy if you are a seller or a merchant on your end, because the majority of the sellers around the world now accept tokens. So, you know, just we can add a whole bunch of configurability without compromising security. In fact, actually making security even more uh paramount. So we we we we really believe a lot of the promise in the future of how commerce is going to move is gonna deeply, deeply be involved with tokens representing a fundamental building block from a network perspective.
Karen:Yeah, it's a foundation, it exists. It just makes it just makes sense.
Rubail:Yeah, instant representation, lifecycle management, um all of the above without actually compromising your actual PII. It's just it's it's it's a excellent, it's an excellent evolution over the last decade and decade and change of like how card payment networks have evolved.
Karen:And and they can become increasingly smarter with attributes related to preference and history and more rewards and all of the things that you know today represent points of friction in any e-commerce experience.
Rubail:I agree. We believe so.
Karen:So what are the fraud, new fraud vectors you you worry about? G given we've got the strong foundation, we have tokens, we have the prospect of interoperability and the standard, there's still fraud, right? Um what do you worry about and what are you building to do your very best to uh to prevent it?
Rubail:Yeah, I think uh it's a great question, Karen. I think we've uh spoken about this before, but you know, I think the most interesting thing purely from an ecosystem protection security fraud perspective is in an agentic environment, you have a new entity, which is an agent that is sort of like sitting in the middle between a consumer and a merchant. Typically and historically, and there are exceptions to it. You know, marketplaces are a good example exception where you are ultimately in a merchant environment, physically or in an e-commerce environment, you physically know what you're doing at a merchant. And now it's somewhat abstracted away with in between with an entity that has, you know, sort of like some level of autonomy to take your payment credential and go and sort of like you know, submit it at a merchant's payment checkout. So that just has the opportunity to introduce all kinds of new vectors that we've never thought about before, right? Agent impersonation from a merchant perspective, unauthorized permission is an idea, like you know, synthetic merchants. You could get fooled because this merchant couldn't be real and they just like made this up to sell you something and then disappear overnight, data tampering, high velocity, automated fraud. Like there's all kinds of things that we think about. And in our risk scoring, we spend a lot of time. If you know, our risk and identity team spends a lot of time figuring out how to incorporate in a world where agentich commerce is large and material, how do we incorporate agent-specific signals, behavioral patterns, which are a deviation from like the programmable constraints? Because you know, we have an enormous amount of like, you know, model data about the history of e-commerce, but agentich is new. And you know, new things are, we just need to build enough models to make sure that we have enough predictability in our models that incorporate the metadata without, and obviously doing all of this in real time during a transaction without slowing down the transaction flow at scale for billions of transactions. So doing all of that while still maintaining the trust, safety, security in the way it work works across borders, right? You could be buying something from a seller in Singapore and do all of that through an agentic environment. So so that's that's we spent a lot of time thinking about that.
Karen:But but how how does that manifest itself in the in the consumer experience, right? Because in the early days of e-commerce, there was a lot of friction introduced into the process so that everyone could learn, right? I mean, and and there still is friction that's introduced in the process. I think because there is now the the new fraud vector related to AI, I've noticed myself, you know, there have been much more, maybe around the holiday season as well, there've been many more validations, you know, is this really you in the in in the process? Um is that is that likely to happen or are we better than that now?
Rubail:Um we've learned a lot in the last 30 years. We've gotten a lot better. You know, it was it hasn't worked perfectly. Um and you know, there was a lot of uh fragmentation in e-commerce, if you remember. And some of it still exists. But if you remember, you would go in and there were all these like NASCARization of the checkout buttons, checkout page, is what we used to call it. And everything had a different authentication method and a different chargeback guarantee. And in many cases, you know, you had a Visa card or a different network card underlying many of these. So like the promise of the brand still existed, but it was it was complicated and fragmented. I think we've learned a lot over, especially over the last decade and a half, with the rise of mobile and rise of apps. And if we do our job right, then as from a consumer perspective, there should be no real discernible difference in the way a consumer interacts with and benefits from an e-commerce transaction than they would have in an agentic environment. If anything, you know, they both consumers and merchants would benefit from a much more tiered risk framework. And it all comes ultimately, it all comes down to like trust. And we believe you know, consumers really truly trust their Visa brand and they need to feel comfortable that the same protections that they have on when they use their. Visa card, regardless of the environment they're using it in. Physical commerce, e-commerce, mobile commerce, app commerce, sort of an agentic commerce environment, you know, their money is safe and they have like the right sort of like, you know, the money is safe. Um so we haven't done our job, right? If a consumer believes like, you know, they have to operate differently or go through a different flow, which has like more friction because they're in an agentic environment versus a different environment. So hopefully, um, if nothing else, it actually has a much more enhanced experience with hopefully better security given the vectors we talked about.
Karen:I I think because consumers do trust the Visa brand, their expectation is that nothing will happen. So it puts a lot of pressure on you in these new in these new environments to really understand the behavior of this new entity called the agent that can be easily spoofed by bad guys who you know obviously are looking for every opportunity to um infiltrate uh the commerce opportunity.
Rubail:Thankfully, we've got a very, very bright team across various functions at Visa that are working very, very hard to ensure that uh you know we are we are ahead of the curve on this.
Karen:What are the dependencies that need to be overcome in order to really scale what we're talking about with standards, with with trust across all merchants and issuers? Are there gating factors that you're working to overcome or obstacles that you're working to clear across across the payments ecosystem? Because there are, you know, this is still very new, it's moving very, very quickly. I think the expectations of consumers are that they're able to do this because they're using these tools today, um, these models today, to do a lot of different things, including, you know, including purchase. So what are some of the things you're working on?
Rubail:Yeah, it's uh it's a great question. I think um the big gate, the the way to think about, and the way I would characterize it as is the building blocks that we need to have in place to make sure we enter a world which has more consistency, more clarity, better authentication, better fraud protection in an agentic world is we just, you know, like the starting point still can you know continues to be those providing the agentic experiences. We need to get the integration in. We need to sort of like roll out what those experiences look like. And we're working with many of them on what does it really look like. And again, also making it complementary. So, you know, like you mentioned it correctly, like there are a bunch of protocols that are sort of like trying to figure out like how to make the commerce experience work. And where we are focused on is how do we ensure that authenticated card network credential tokens are deeply embedded in all those protocols to be accepted and they represent the same. So we have like we have that work to do. We have like a bunch of integration work to do, and over time, we have to roll these standards out uh consistently across the various payment bodies, whichever they might be, and then see adoption. So I'm with you, it's very early. We'll still continue to see enough fragmentation over the next, I would say, you know, several months. But at some point you'll start to see some convergence, especially as you start to see like more and more volume sort of like flow through the pipes. Yeah. Because that's when you know the edge cases start to show up. And if you're building a bunch of custom pipes in different ways for different payment methods, then it becomes very, very complicated to solve for all edge payment methods, which is why people like standardization. So our hope and goal is, and we firmly believe that over time this is all going to get standardized. And so, in every every effort, like I think our consistent goal is let's embed agentic tokens, authenticated agentic tokens where we can in these methods, because those fundamental building blocks will serve us really, really well over a period of time.
Karen:And we'll accelerate adoption and scale.
Rubail:We hope so.
Karen:Rubail, thanks for your your time. Great conversation, always a pleasure. Thanks again. Happy holidays, too.
Rubail:Thanks, Karen, happy holidays.
Narrator:That's it for this episode of the PYMNTS Podcast, The Thinking Behind the Doing. Conversations with the leaders transforming payments, commerce, and the digital economy. Be sure to follow us on Spotify and Apple Podcasts. You can also catch every episode at payments.com forward slash podcasts. Thanks for listening.