Modular Payments: Why API-First Rails Are Rewriting Payments Stack
and why those who know how to incorporate stablecoins, A2A transfers, and AI agents have the best changes of staying on top.
Last year, merchants in the United States alone paid $101 billion in card fees, even as global payments revenue raced toward $3 trillion projected for 2028. Meanwhile, Brazil’s Pix rail now handles three-quarters of all consumer transactions, and India’s UPI clears more than 16 billion payments a month with near-zero fees. The gap between what modern rails can do and what legacy pricing still demands has never been wider.
In parallel, two fresh forces are converging on those rails.
First, stablecoins, crypto tokens pegged to fiat, are moving billions in 24×7 settlement and already underpin Visa’s cross-border pilots.
Second, AI agents are graduating from demo videos to production checkout flows, choosing payment methods on behalf of software rather than humans. Both push speed to milliseconds and fees toward commodity rates, but at the same time, the payments industry is also seeing more attack and outages, as Adyen, Marks & Spencer, and Square have proved.
In this newsletter, I will discuss the solution.
I will break down why modular, multi-rail payments are the future, and how they will push the industry even further. As well as share how merchants, PSPs, and acquirers can capture the upside that can come with it, if they can deliver every component through well-documented APIs.
Let’s dive in…
From Monoliths to Mesh: The Architectural Shift
Twenty years ago, a typical merchant plugged into a single processor that bundled tokenisation, risk, routing, clearing, and funding into one quarterly-patched black box. That monolith delivered convenience but at a structural cost: one fixed fee, one settlement window, and one roadmap dictating when new methods would appear, often years late.
The mesh model (a.k.a. modular) dismantles that bundle.
Each function, token vault, 3-DS service, fraud AI, network gateway, exposes a stateless API, while an orchestration layer (either stand-alone or as part of a PSP) stitches them together in real time. That layer is more than plumbing; it is a decision engine that:
Inspects every transaction in <40 ms, then sends it down the rail with the lowest total cost of ownership that still meets risk policy.
Caches scheme rules so it can route U.S. debit to the cheapest network or trigger a pay-by-bank flow when card interchange outweighs conversion drag.
Logs granular metadata, issuer response codes, 3-DS step-ups, risk scores, for continuous model retraining.
Multiple orchestators can attest that when merchants switch from one-size-fits-all routing to such intelligent meshes, they realised 10–20 % lower processing expense and a meaningful lift in approvals, mainly because a retry over a second acquirer happens in milliseconds, not minutes.
Three structural enablers make the mesh inevitable.
First, open-banking mandates in the U.K. and EU forced banks to publish payment-initiation APIs, creating viable account-to-account (A2A) competitors to cards.
Second, ISO 20022 messaging standardises richer data across rails, so an orchestration layer no longer needs a bespoke adapter for each instant-payment system.
Third, cloud compute and containerised runtimes allow even mid-tier PSPs to spin up the routing logic globally without impacting their cap-ex.
New Rails on the Map: Instant, Stablecoins, and AI Agents
While many might not realize it, Instant A2A schemes have already rewritten how domestic volume is distributed.
For example, Pix processed 76 % of all Brazilian transactions in 2024, while UPI crossed 16 billion monthly transfers in India; both displaced cash and shaved merchant costs to cents, in a span of just a few years. In the U.K., HMRC quietly collected £12 billion via Pay-by-Bank in one year, proving that for some instances open banking can outcompete cards if the UX and the merchant makes sense.
Stablecoin settlement now fills the cross-border gap.
Visa moved “millions” of USDC with Worldpay and Nuvei to settle daily obligations, cutting multi-day correspondent flows to minutes. JP Morgan’s permissioned JPM Coin clears $1 billion of internal transfers daily, and over $7 trillion in value travelled across public stablecoins in 2022 alone. Under the EU’s MiCA framework, regulated euro-stablecoins will soon carry explicit reserve and disclosure rules, making them palatable to banks deciding whether to hold or off-ramp.
AI agents, meanwhile, automate the very act of selecting a rail.
Visa’s Intelligent Commerce bundles tokenisation, risk, and spend limits into one callable endpoint. Mastercard’s Multi-Token Network abstracts the underlying instrument, card, account, or deposit token, so an agent can “pay on behalf” without human clicks. And PayPal’s Agent Toolkit takes the long-tail approach, embedding a full ledger in a Python package so any vertical SaaS can delegate invoicing and payout logic to code.
The strategic impact of this is enormous.
As soon as bots, not shoppers, choose the rail, settlement speed and fee transparency become first-order attributes. If your stack cannot quote an approval probability and net cost to an agent inside 200 ms, the transaction will route elsewhere.
Risk, Resilience, and Regulation in a Modular World
But here is the truth, Mesh (modular) architecture does not remove risk; it redistributes it.
Each extra API adds a dependency, and attackers are adapting.
In the first four months of 2025, we witnessed:
Adyen fighting off volumetric DDoS waves that congested its European edge, stretching checkout latency past merchant time-outs.
Marks & Spencer losing contactless payments for four days after an internal security segment severed its cloud token-switch.
Square suffering a one-hour outage because an mTLS certificate expired, proving that “infrastructure-as-code” is only as good as its renewal cron.
None involved exotic zero-days.
All exploited or were caused by mundane gaps, an overloaded edge, a mis-scoped firewall, an expired secret. Yet each translated instantly into abandoned baskets and social-media headlines.
There is a reason why Cybercrime is now a $16 billion U.S. business, despite DDoS bursts lasting mere minutes, and automated scripts generate a third of web traffic.
And regulators have noticed.
PCI DSS 4.0 tightens multi-factor rules and demands continuous monitoring across every service provider in your mesh.
DORA in the EU extends operational-resilience duties to critical third parties, meaning an orchestration vendor outage can trigger fines at the merchant.
MiCA will force any stablecoin rail touching Europe to attach travel-rule metadata, pushing compliance tasks into gateways.
PSD3 drafts suggest stricter customer-confirmation windows that instant rails must meet without sacrificing UX.
The positive side-effect of that, is that innovations in cybersecurity are rising, to meet current and future threats.
Passkey adoption doubled in 2024, with Japanese wallets reporting near-zero phishing fraud after switching from OTP. Visa and Mastercard now co-chair a FIDO working group to standardise this across cardholder authentication. And there is a rise in demand for Cybersecurity specialists across the industry.
Having a modular stack makes it easier for these newer innovations to be plugged in like any other module, and they can be swapped out when a stronger factor appears.
Strategic Consequences: Rewiring the Business Model
The mesh (modular) is an architectural change, but its real force is cultural.
It requires Payment leaders to make the shift from being “processor-centric” to “decision-centric.”
That mindset implies four areas that leaders have to start to take into consideration:
Technology: Engineering roadmaps must move from quarterly releases to weekly rollouts. Observability, latency, auth lift, and fee per rail will become a product metric, instead of being on the ops dashboard.
Partnerships: Sourcing flips from single RFPs to portfolio management. Firms will dual-source acquirers and stablecoin issuers the way banks already multi-home cloud providers. Don’t be surprised if you start to see Vendor scorecards weigh switching friction as highly as feature depth.
Sales & Commercials: When merchants see that routing logic can cut blended fees by double digits, pricing negotiations will start to center on residual value-add, fraud AI, and data enrichment, rather than gateway fees. PSPs unable to prove differential auth rates will watch share shift to cheaper rails.
Finance & Treasury: Instant rails and on-chain settlement compress days-sales-outstanding. Marketplaces that want to provide weekend payouts will start using USDC to unlock working-capital cycles that competitors, stuck in T+2 card funding, cannot match. The impact will be that liquidity risk will start to migrate from batch funding models to real-time balance-sheet exposure that treasury teams must model by the hour.
Regulatory Navigation: Compliance must be modular, too. ISO 20022 ensures data richness across rails, but PCI 4.0, MiCA, and PSD3 impose rail-specific obligations. Maintaining a single policy engine that inserts required fields, 3-DS reference numbers, and travel-rule attributes before crossing a border will be as important as swap pricing is in FX today.
Strategies to Capture the Opportunity
But what is the best Strategy to deal with these changes?
For Payments companies focused on delivering a single solution such as 3-DS, token vaulting, or analytics, the best strategy is to build a great product that is available via an API, as well as build features and components that focus on having a better UI, and integrating the capabilities to deal with new technologies such as blockchain for stablecoins and artificial intelligence.
However, for the Orchestrators, PSPs and Acquirers, I recommend the following:
1. Orchestrators: Become the Neutral Meta-Rail
Orchestrators win when they abstract complexity for everyone else. The play is to deepen decision intelligence: ingest auth codes and issuer-CVM data, feed it into machine-learning models, and surface “next-best-rail” scores merchants can action without reading a spec.
Adyen’s intelligent debit routing cut merchant cost 26% on day one; the next generation should optimise not just cost, but regulatory fit, e.g., route EU consumer payments to MiCA-approved stablecoins after July 2025 and fall back to SEPA if liquidity on-chain is thin.
2. PSPs: Build Rail-Agnostic Checkout Primitives
PSPs sit closest to the merchant UX. Their strategy is to expose a single “/pay” endpoint that can execute card, bank, wallet, or tokenised deposit flows behind the scenes.
Visa’s Intelligent Commerce and Mastercard’s Agent Pay teach one lesson: the first PSP to make those scheme APIs disappear inside its own SDK will ride the agent wave. That requires:
Schema-flexible token vaults (PAN, IBAN, wallet address)
Sub-100 ms fraud-scoring APIs that can operate without browser context
Price cards where savings from A2A or stablecoins are shared with the merchant, aligning adoption incentives.
3. Acquirers: Treat Settlement Speed as a Product
Acquirers once differentiated on BIN reach; now they must differentiate on liquidity. The move is to plug stablecoin rails and FedNow or RTP corridors directly into funding engines, offering merchants hourly or event-driven payouts.
Early movers, JPM Coin for corporates or Visa’s USDC pilots, prove that banks can tokenise deposits without losing regulatory cover. The acquirer that integrates on-chain settlement but offers fiat net-settle finality in the same dashboard will capture global marketplace flows sick of cross-border cut-off times.
Conclusion
The shift to modular, multi-rail payments is not incremental; it is a platform reset that collapses cost, widens choice, and reframes risk.
Firms that re-architect around decision engines, not processors, will route every cent to the optimal rail, fund merchants in minutes, and absorb new regulations with a configuration push instead of a re-platform project. Those that cling to monoliths will wake up to find that bots, not shoppers, have routed the future of payments around them.
Thank You for Reading. Please like, Comment, Share, or Post on Your Social media. I appreciate all the feedback I can get.
P.S. If you want to work with me in a larger capacity, either speaking, advisory, or consulting, feel free to email or DM me.