Visa Card-Based MPP Spec: Threat Model for Agent Payments

Visa published an IETF Internet-Draft and an npm SDK on March 18 that extend the Machine Payments Protocol to card rails — routing encrypted network tokens through the same HTTP 402 challenge-credential loop that MPP uses for stablecoin payments. For developer teams evaluating Visa's card-based MPP specification, the spec text reveals exactly where the threat model diverges from on-chain flows, and what that means for agent identity, credential scope, and dispute handling.

What the Card Charge Spec Actually Defines

The draft — formally draft-card-charge-00, authored by J. Brans at Visa and published March 24, 2026 — is an IETF Internet-Draft hosted at paymentauth.org. It defines the card payment method for use with MPP's charge intent, which covers one-time payments processed immediately upon credential receipt. It does not define a card-based session intent; the session primitive, which enables continuous streaming micropayments against a pre-authorized balance, currently exists only for Lightning and Tempo chain escrow. Card flows are therefore limited to per-request charge settlement at this stage.

The spec declares itself PSP-agnostic. A server operator using the card charge flow selects a Server Enabler — a payment service provider (PSP) or processing entity that decrypts and settles the transaction — but nothing in the spec mandates Visa's own processing stack. A server could route the decrypted credential through any processor that handles encrypted network tokens. The Client Enabler side, which provisions the token, should use network token services such as Visa Intelligent Commerce per the spec's SHOULD-level recommendation, but the interface is defined as a profile that any compliant vault provider or token service provider (TSP) can implement.

According to paymentauth.org, the full spec set now includes charge method specs for Card, Lightning, Solana, Stripe, and Tempo, plus session specs for Lightning and Tempo. A Discovery spec and a JSON-RPC and Model Context Protocol transport spec are also published, suggesting the protocol is designed to compose with MCP tool-calling patterns — agents discovering paid endpoints via MCP and then settling payment via MPP in the same interaction.

draft-card-charge-00 full specification

The Three-Party Problem Stablecoin Flows Don't Face

In a stablecoin-based MPP charge — say, a Tempo or Solana charge — the agent wallet that holds the funds and the agent identity that signs the request are, in practice, the same cryptographic key. The agent funds an ephemeral wallet, and that wallet's signing key produces the payment credential. Identity and payment authority are unified in a single key pair.

Card flows decompose this into three distinct roles: the agent making the request, the Client Enabler provisioning the payment token, and the network token itself. The agent has no direct access to card material at any point. The underlying permanent account number (PAN) is never transmitted. The Client Enabler — a vault provider or TSP sitting between the agent and the card network — provisions a network token and generates a one-time cryptogram specific to that transaction. The cryptogram is encrypted with the server's public key before it reaches the MPP Authorization header. The Server Enabler on the merchant side decrypts it and sends only the token and cryptogram to the card network for authorization.

This separation creates a structurally different attack surface. With a compromised stablecoin credential in an MPP charge flow, an attacker has a signed payment proof tied to a specific request hash — useless for replay, limited by the idempotency key. With a compromised card MPP credential, the attacker has an encrypted blob they cannot decrypt without the server's private key, and a cryptogram that is single-use. The card's spending limit and billing relationship, however, remain on the card account held by the vault provider — not scoped to a per-session ceiling the way a session escrow contract is on Tempo.

Tempo mainnet and MPP session mechanics→ /news/tempo-mainnet-machine-payments-protocol-agents

Under the Hood: Network Tokens, Cryptograms, and Encryption

The eight-step charge flow defined in the card spec runs as follows. The client sends a standard HTTP request to a paid endpoint. The server returns HTTP 402 with a challenge containing the amount, currency, accepted card networks, and the server's public encryption key. The client forwards that challenge to its Client Enabler. The Client Enabler provisions a network token from a TSP and generates a cryptogram bound to that specific transaction context, then encrypts both within a credential payload using the server's public key. The client retries the original request with an Authorization: Payment header carrying the encrypted credential. The server forwards it to its Server Enabler. The Server Enabler decrypts and submits to the card network for authorization. On success, the server returns HTTP 200 with a Payment-Receipt header and the requested resource.

The spec defines challenge binding in Section 8.1: the credential payload must contain a hash of the original 402 challenge, linking the cryptogram cryptographically to the specific server request. Combined with the idempotency key requirement in Section 8.2, this makes a captured credential useless against any request other than the one it was generated for — even from the same server. The encrypted payload format uses JWE (JSON Web Encryption) with the server's asymmetric public key, meaning only the Server Enabler — who holds the private key — can decrypt the network token and cryptogram.

The spec also provides an optional hook for Visa's Trusted Agent Protocol (TAP): clients may include TAP signature headers in the retried request for additional identity assurance, per Section 1.1. TAP uses Ed25519 key pairs to sign HTTP requests per RFC 9421, with signatures bound to the merchant's domain and the specific operation being performed. TAP agent registration requires submitting a public key to Visa's registry via POST /api/v1/agents/register, returning an agent_id and a pending verification status. According to Visa's TAP GitHub repository at github.com/visa/trusted-agent-protocol, early adopters of TAP include Nuvei, Adyen, and Stripe.

Visa Trusted Agent Protocol GitHub repository

Threat Model Divergence: Cards vs. Stablecoins for Agent Builders

The chargeback question is the sharpest divergence between the two payment methods. On-chain stablecoin settlements are final. A Tempo charge that completes has no network-level reversal mechanism; if a service fails to deliver, any refund pathway is handled by the service operator or an application-layer dispute system that MPP does not yet define. The card MPP flow runs over standard acquiring rails, which means chargebacks are structurally available — the card network can reverse authorization at the issuer's request.

For a developer building a service that accepts card MPP payments, this introduces an asymmetry not present in stablecoin flows: the receipt in the Payment-Receipt header is proof of payment authorization, not proof of final settlement. A chargeback filed days later by a cardholder whose agent overspent can reverse a transaction that the service treated as closed. Developers implementing card-based MPP server endpoints need to carry the same chargeback reserves and dispute handling they would for any card-accepting service — the protocol layer does not eliminate this obligation.

Credential scope is the second divergence. A Tempo session escrow contract locks a ceiling: the agent deposits a fixed amount, and that is the maximum the session can spend. A card-based MPP charge has no protocol-level spending ceiling beyond what the card issuer enforces at the account level. Nothing in draft-card-charge-00 defines a per-agent or per-session spend cap at the protocol layer. Teams building agents that use card MPP should implement application-level authorization limits — treating the card credential as a broad authority that requires software-side constraints, not a cryptographically scoped budget.

Agent payments infrastructure on Web3 Builder→ /categories/web3-builder

What the SDK Abstracts — and Where Builders Still Own the Risk

According to Visa's announcement, the npm SDK implements the full card charge spec and is designed for terminal-native, programmatic environments. Based on the spec's Client Enabler profile in Appendix A, the SDK abstracts: the token provisioning call to Visa Intelligent Commerce, the cryptogram generation, the JWE encryption of the credential payload using the server's public key from the 402 challenge, and the construction of the well-formed Authorization: Payment header. Developers building agent clients do not interact with network token APIs directly — the SDK wraps the Client Enabler interface.

What the SDK does not abstract: TAP registration and key management, application-level spending controls, chargeback reserve logic for server operators, server-side Server Enabler integration with a PSP, and the selection of a vault provider to act as Client Enabler. The spec's Server Enabler side — decrypting the credential and routing to a card network — requires a PSP integration, which the SDK does not cover. Server operators need a separate acquiring relationship and a Server Enabler that handles encrypted network tokens. The spec is PSP-agnostic, but the acquiring relationship is not — a developer without an existing card processing setup cannot run the server side of a card MPP flow from the SDK alone.

The audit status of the SDK itself was not disclosed in Visa's announcement. The draft-card-charge-00 Internet-Draft expires September 25, 2026, and is explicitly marked a working document subject to change. Teams building against it now should treat the credential schema — particularly the JWE payload structure and the challenge binding format — as potentially unstable through the IETF review cycle.

MPP payment method specifications at paymentauth.org

The milestone to track is whether the card charge spec advances toward IETF RFC status before the September 2026 expiry. Ratification freezes the credential schema and gives PSPs a stable target for Server Enabler implementation — without it, each spec revision is a potential breaking change for SDK consumers. For teams already building on MPP's stablecoin flows, the more immediate integration question is whether a future TAP SDK version ships with a unified client that handles both card and on-chain credential types through a single interface, eliminating the need to maintain two separate credential provisioning paths per agent.