When the machines start shopping: How AI, Visa’s TAP and CPoI® are redefining trust in online payments

Not that long ago, the idea of AI agents making purchases for humans sounded like science fiction. Booking flights, renewing subscriptions, filling shopping carts… all before we even ask.

But today, this is happening faster than many realise. Autonomous agents can now browse, compare, and buy on behalf of consumers. For merchants, this is a new type of traffic – one that looks human and pays like a customer… but isn’t.

Herein lies (another) new problem: how do merchants tell real intent from bot activity?

Convenience vs trust

The payments ecosystem has spent decades refining the customer experience to facilitate security and trust, as well as minimise friction. Cards replaced cash. Tap replaced swipe. Digital wallets are replacing cards. And soon, algorithms will replace us in the checkout process altogether.

Every step forward has made buying easier. But while the in-store experience has evolved into something globally trusted, familiar, and universally safe, the online experience lags.

In-store, the process is underpinned by categoric physical proof. The card is present. The customer is present. Authentication happens through something tangible: a tap and a PIN, creating a moment of confirmation that connects the person, the card, and the purchase.

Online, those confirmations disappear. Card-not-present transactions rely on static data - numbers that can be copied, stored, and reused by anyone, anywhere. As a result, online payments fraud continues to grow, as do false positives.

Now, with AI agents making purchases autonomously, even those fragile indicators of human presence are fading. The system can no longer distinguish between a real customer and an automated one.

That’s the paradox of progress: every innovation designed to make payments easier has made trust harder to prove. Especially online.

Visa’s move: Restoring trust in a bot-driven world

Earlier this month, Visa announced its ‘Trusted Agent Protocol’ (TAP) – a global initiative designed to verify whether a digital agent initiating a purchase is legitimate.

Put simply, TAP lets merchants and card issuers know who or what is behind a transaction. It uses cryptographic signatures and metadata to confirm that an AI agent is authorised to act on behalf of a person.

It’s a significant step toward rebuilding confidence in a world where not every buyer will be human. More broadly, it reflects a growing focus across the payments industry on understanding intent, not just identity, as automation and AI become part of the purchase process.

Let’s look at this further.

If you strip payments down to their core, they hinge on one question: Did the real cardholder make this transaction?

This is what TAP aims to answer when a digital agent is doing the buying. It also happens to be the same question merchants face every day. Especially for high-value transactions.

Let’s say a $10,000 purchase is initiated online. If the anti-fraud systems can’t determine whether it’s a bot, a fraudster, or the genuine cardholder, they’ll default to caution and decline the sale, even if it’s perfectly legitimate.

This isn’t just a technical issue. It’s a visibility issue. Fraud systems see data, not people. They can measure frequency/behaviours, location, and device, but not intent. And without that signal, even honest customers can look suspicious.

This is where Card Present over Internet® (CPoI®) comes in.

Bringing physical proof to the digital world

While Visa’s TAP builds trust in AI agents, CPoI® builds trust for humans by bringing the same card present security you get in-store to online transactions.

With CPoI®, consumers simply tap their card against their own device and securely enter their PIN. It’s an online purchase but processed through the card present rails. The moment of physical interaction is proof of intent. No bot can replicate it. No stolen credential can fake it.

For higher value transactions where risk and friction peak, this human confirmation changes everything. It gives merchants and issuers the same confidence they have at in-store checkout counters, even when the customer is purchasing remotely.

Visa’s TAP and CPoI® are solving the opposite sides of the same problem. And together, they form a symbiotic relationship.

• TAP proves when an AI agent is authorised to purchase on behalf of a human.

• CPoI® proves the right human (the cardholder) is making the purchase.

The combination of TAP and CPoI® closes the loop on digital trust, giving the payments ecosystem a way to verify automated and human transactions with equal confidence. Both recognise the same truth: the future of secure payments isn’t about stopping transactions. It’s about trusting the right ones.

The new era of trust

As AI continues to reshape how commerce happens; the payments industry needs stronger signals of trust - proof that the buyer is either an authorised agent or an authenticated human.

Visa TAP brings accountability to the digital side of the equation. CPoI® brings assurance to the human side. Together, they set the stage for a future where transactions are both seamless and certain; where intent can be proven, and trust is built into every tap.

Because in the next era of payments, knowing who’s buying will matter just as much as what’s being bought.