The Network Advantage
How Visa, Mastercard, and Amex are quietly becoming the Authorization Decision-Makers.
A transaction hits the network. Before the issuer’s system even opens the file, Visa’s AI has already scored it against 500 risk attributes in under a millisecond. It assesses the cardholder’s two-year spending history, the merchant’s profile across every bank on the network, the device, the geography, and the time of day. It’s produced a two-digit risk score and passed it along.
The issuer gets the score. At most institutions, that score lands in a rules engine built fifteen years ago, where it sits alongside manual overlays nobody has reviewed since a fraud spike in 2019. The issuer makes its call.
In a growing number of cases, the issuer doesn’t make a call at all. It’s handed the decision to the network.
For thirty years, the four-party model assigned the authorize-or-decline decision to the issuer. On paper, that’s still how it works. In practice, the intelligence that drives the decision has been migrating to the network layer for over a decade. In 2024 and 2025, the pace of that migration picked up sharply.
In the second edition of this series, Issuer Paradox, we went inside the issuer: the institution that holds the final decision but makes it with the least context. In the third edition, Acquirer Divergence, we looked at acquirers and how the best ones shape what the issuer ever sees. This issue goes inside the layer between them. The networks themselves. The party that increasingly knows more about the transaction than either side of it.
Let’s get into it.
257 Billion Reasons They Know More Than You
The network advantage isn’t that Visa and Mastercard built good AI models. Lots of institutions have decent models. The advantage lies in what those models are trained on.
Visa processed 257.5 billion transactions in fiscal year 2025. That’s across $14.2 trillion in payment volume, roughly 160 currencies, and 329 billion total Visa-branded transactions. VisaNet switches about 78% of those directly. Mastercard processed 175.5 billion switched transactions on $10.6 trillion in gross dollar volume that same year. Here’s a detail that doesn’t get enough attention: Mastercard’s 10-K discloses it switches about 70% of all Mastercard and Maestro-branded transactions. That’s up from 55% in 2020. Mastercard has been systematically pulling more volume onto its own network for years, and the remaining 30%, roughly 52 billion transactions, still generate assessment revenue but don’t feed its AI with the same depth.
American Express plays a different game entirely. $1.67 trillion in billed business across 86.6 million proprietary cards. AmEx doesn’t disclose transaction counts the way Visa and Mastercard do, but the structural difference matters more than the numbers. AmEx is simultaneously the issuer, the acquirer, and the network on every transaction. Where Visa and Mastercard see what passes through the pipe, AmEx sees both ends of it. Cardholder income, credit behaviour, full spending history, linked to specific merchant profiles, business details, and settlement patterns. In open-loop networks, issuers are reluctant to share cardholder data with the network. AmEx simply doesn’t have that problem.
But scale isn’t just a bragging right. It’s what makes the AI work.
A plain way to say it: more training data makes models more accurate. That’s how supervised machine learning works. And the network sits at the only point in the chain where cross-issuer, cross-merchant, cross-border patterns are visible simultaneously.
An individual issuer sees its own cardholders transacting at a given merchant. The network sees every issuer’s cardholders at that merchant. When a merchant is compromised, the network detects the pattern across dozens of banks before any single bank has enough signal to notice it. When a new fraud typology emerges in one market, the network detects it propagating across borders while issuers in the next market are still reviewing their own portfolios.
No single institution can build that dataset. Not even the largest global bank. The moat isn’t the model. It’s the data the model trains on. And every transaction that flows through the network makes it deeper.
What the Models Actually See
Each network has built a distinct AI architecture. They’re all designed to do the same thing: score transactions in real time and influence the authorization decision. The differences matter if you’re deciding what to integrate and how deeply.
Visa runs a three-layer stack.
Advanced Authorization, or VAA, is the longest-running neural network in payments, in production since 1993. VAA scores every transaction on VisaNet against more than 500 risk attributes in under a millisecond, producing a score from 1 to 99 that goes to the issuer. It covers two years of cardholder history, merchant behaviour, device and channel signals, and geography. It’s deployed at over 8,000 financial institutions across 129 countries.
On top of VAA, Visa launched Deep Authorization in March 2024: a recurrent neural network built specifically for card-not-present e-commerce, trained on petabytes of contextual data. Where VAA scores broadly across all transaction types, VDA scores sequences and context for the channel where approval rates are lowest and false declines are highest.
Below both sits Visa Risk Manager, a configurable rules engine that allows issuers to build custom rules using network scores as inputs. One Latin American issuer that moved to deep VRM integration saw a 7% increase in approval rate and a 90% drop in false positives within eight months. That’s vendor-reported, so discount it appropriately. Even halved, the gap between shallow and deep integration is commercially decisive.
Visa now offers VAA as a network-agnostic product. Issuers can use Visa’s AI scoring on non-Visa transactions. That positions Visa’s intelligence as infrastructure beyond its own rails, and captures data from competitor-branded volume in the process.
Mastercard’s approach centres on Decision Intelligence.
Decision Intelligence uses predictive analytics to score transactions in real time, incorporating account data, merchant information, device signals, and geolocation. The capability was significantly enhanced by Mastercard’s acquisition of Brighterion, an AI specialist, and, like VAA, it is network-agnostic.
In February 2024, Mastercard launched DI Pro, which adds generative AI through a proprietary recurrent neural network with transformer architecture. The innovation: instead of analysing text like a traditional large language model, DI Pro analyses relationships between merchants in a cardholder’s transaction history. It scans over a trillion data points per assessment in under 50 milliseconds.
Mastercard claims DI Pro reduces false positives by more than 85%. I want to be precise about what that means. Mastercard’s own press release qualifies this as “shown in our own analysis.” No independent third party has validated it. And it measures false positives, legitimate transactions incorrectly flagged, not authorization rate improvement directly. The two are related. They’re not the same thing.
In March 2026, Mastercard announced a foundation model for payments, signalling that DI Pro’s approach is being scaled into a platform-level capability. That’s worth watching.
AmEx’s Gen X is the tenth generation of its scoring model.
The current architecture combines gradient boosting machines, a forest of more than 1,000 decision trees, with LSTM deep neural networks running on NVIDIA infrastructure within a strict two-millisecond latency requirement. It processes roughly $1.2 trillion in annual charge volume. What makes Gen X different isn’t the model architecture. It’s the data. That closed-loop visibility means AmEx trains on variables that open-loop networks can only infer. AmEx has maintained the lowest fraud rate among major networks for over a decade, and the data advantage is a large part of why.
Here’s the honest caveat on all three: no independent study has ever compared these systems head-to-head. We’re working from vendor disclosures and structural inference. What we can say with confidence is that the cross-ecosystem data these models train on gives them a structural advantage that no single institution’s model can replicate.
The Token Trojan Horse
Tokenization started as a security feature. It has become the primary mechanism for networks to capture data that didn’t exist in the card-number era. And that data feeds the AI models we just discussed.
Visa has provisioned more than 16 billion tokens as of September 2025. The growth curve tells the story: the first billion took five years, from 2014 to 2019. The most recent billion took about a single quarter. Half of all digital Visa transactions are now tokenized. Over 30% of all Visa transactions, including in-person, carry tokens.
Mastercard reports about 40% of all its transactions are tokenized, up from 30% in late 2024, with 50% year-over-year growth. Both networks have committed to 100% e-commerce tokenization. Mastercard has set 2030 as the deadline for eliminating manual card entry entirely.
Why does this matter for authorization? Because tokens capture information that card numbers never did.
When a network provisions a token, it records data that was invisible in the PAN era:
Device type and operating system
Wallet (Apple Pay, Google Pay, etc.)
Channel: in-app, card-on-file e-commerce, contactless NFC, or IoT
Domain controls restricting where the token can be used
Verification method: biometric, one-time password, or other
The full token lifecycle, provisioning, activation, card updates, suspension, and deletion, creates a longitudinal behavioural dataset that simply wasn’t available when transactions carried raw card numbers. Networks now track credential continuity across card replacements, device migration patterns, cross-merchant token usage, and authentication methods over time.
The impact of the authorization rate is real, though the exact magnitude depends on which figure you trust. Visa reports a 3 to 6 percentage-point improvement in e-commerce transactions. Mastercard’s figures range from 2.1% to 3-6 percentage points depending on the document.
Tokenized transactions carry a richer, fresher credential signal. Issuers trust them more. Approval rates go up. Juniper Research projects network token transactions will roughly double from 283 billion in 2025 to 574 billion by 2029.
Here’s where the flywheel kicks in.
More tokenized transactions mean more training data for the network’s AI models.
Better models mean higher approval rates.
Higher approval rates incentivize more merchants to adopt tokens.
More adoption means more data.
The network sits at the centre of that loop. Visa even built a product, Provisioning Intelligence, that uses machine learning to score token provisioning requests themselves, catching 14 times more fraud than token requestor scores alone. The token issuance process itself became training data.
Tokenization isn’t a security upgrade. It’s a data-capture infrastructure that compounds over time. And the networks control it.
From Scoring to Deciding
For most of the network era, the relationship was straightforward. The network provided a score. The issuer made the decision. That’s changing.
Having worked across these systems for more than two decades, I can map the progression clearly. It happened in four steps, each one feeling incremental at the time. The cumulative effect is structural.
Step one: passive fallback. Traditional Stand-In Processing. When an issuer’s system went down, the network handled transactions using static, portfolio-level rules. Blanket spending limits are nothing smart. Issuers experiencing outages sometimes saw 0% approval rates because the fallback rules were so blunt.
Step two: scoring as a service. VAA launched in 1993. DI followed. The network started providing intelligence, not just routing messages. Most issuers still think this is where the relationship sits.
Step three: modifying the question. This is where it gets interesting. Mastercard launched the Payment Optimization Platform in October 2025. POP sits between the acquirer and the issuer, enriching the authorization message in real time using Mastercard’s global transaction data. It evaluates over a trillion combinations of data elements to construct the optimal request before the issuer ever sees it. Early pilots with Adyen and Worldpay reported 9-15% increases in conversion rates. Those are vendor-reported pilot numbers. But the structural point matters: the network is editing the question before the issuer answers it.
Visa’s Real-Time Account Updater works from a different angle. It updates card credentials in real time during the authorization process, before the issuer applies its decision logic. The issuer doesn’t see the stale credential. It sees the current one. The network fixed the input.
Step four: making the decision. Mastercard’s On-Demand Decisioning, launched globally in October 2025 (excluding India), lets issuers define authorization criteria directly on the Mastercard network. It operates in two modes. In proactive mode, Mastercard responds to transactions without real-time involvement from the issuer. In review-and-modify mode, Mastercard reviews the issuer’s decision and can change it before it reaches the merchant.
Porto Bank, an early adopter, described the experience plainly: the solution required no implementation effort and delivered results with minimal operational risk.
Think about what “no implementation effort” means. The decisioning logic runs entirely on Mastercard’s infrastructure. The issuer’s legacy stack, built twenty years ago and layered with overlays from every fraud cycle since, stays exactly where it is. The quality of the authorization decision is separated from the limitations of the system used to make it.
Visa’s Smarter STIP takes a different path to a similar destination. It uses deep learning to emulate what the issuer would likely have decided during an outage, with a claimed 95% accuracy (vendor self-tested). It demonstrates that Visa can reconstruct issuer-level authorization logic using network data alone.
I want to be clear about how far this has gone. Networks have not become the default decision-maker for authorization of normal traffic. Issuer authorization remains the standard operating model. But the direction is unmistakable: from routing to scoring to modifying to deciding. Each product in that sequence is live and deployed.
And each one is aligned with a straightforward incentive. Transaction processing assessments, the fees that generate core network revenue, are driven by the number of successfully switched transactions. The network makes more money when more transactions get approved. That’s not a criticism. It’s how the model works. And it explains why every product in this section exists.
Follow the Money
If you want to know where a company is heading, look at where it’s earning.
Mastercard’s value-added services revenue, the category that includes authorization intelligence, risk scoring, tokenization, and identity solutions, hit $13.3 billion in fiscal 2025, up 23% year-over-year. That’s roughly 40% of total revenue. Core payment network revenue was $19.5 billion, or about 60%. Five years ago, VAS was a much smaller share. It’s growing faster than the payments business itself. Eighty-five percent of it is recurring.
Visa’s VAS revenue reached $10.9 billion in fiscal 2025, up from $8.8 billion the year before. That’s 25 to 26% growth in constant dollars, significantly faster than core processing. At their February 2025 Investor Day, Visa identified a $520 billion total addressable annual revenue opportunity for value-added services.
Neither company publicly discloses per-transaction pricing for AI authorization products. Those numbers are buried in bilateral contracts with rebates and incentives. But the macro picture is clear. The fastest-growing revenue line at both networks is the one that includes selling intelligence back to the institutions that generate the data.
Mastercard CEO Michael Miebach has framed the strategy explicitly: more digital payments create more opportunities for value-added services. More services drive more digital payments. When you hear a CEO describe a “virtuous cycle” between core payments and intelligence services, believe the revenue mix. It says what the strategy deck can’t.
The networks are becoming intelligence companies that happen to run payment rails. The rails are the distribution channel. The intelligence is where the margin is growing.
Who Competes With the Network?
The networks aren’t building this unopposed.
On the acquirer side, the platforms we covered in The Acquirer Divergence hold data that networks don’t have access to. Stripe’s Payments Foundation Model, Adyen’s Uplift, and Worldpay’s authorization optimization all leverage merchant-side context: device fingerprints, session behaviour, IP addresses, and cart-level detail. That data gets stripped or compressed before it reaches the issuer through the network. The acquirer has already scored the transaction. It just doesn’t tell the issuer what it found. Those acquirer models and the network models sometimes conflict. POP enriching a message might not align with what Adyen’s per-issuer tuning has already optimized. The layers of intelligence can work together. They can also get in each other’s way.
Visa made a significant move in December 2024, acquiring Featurespace for roughly $950 million. Featurespace built the ARIC Risk Hub, processing more than 100 billion payment events annually across 180-plus countries. What made the acquisition strategic was what it enabled: Visa Protect for A2A Payments. In a pilot with Pay.UK, Visa analysed billions of historical UK bank transactions and detected 54% of total fraud value beyond what the banks’ own systems found, with a 40% reduction in false positives. That’s Visa’s authorization intelligence expanding entirely beyond card rails.
The most consequential competitive development might be the Capital One-Discover merger, approved in April 2025 at $35.3 billion. Capital One CEO Richard Fairbank framed the logic explicitly: owning a network lets you deal directly with merchants, create more value, and capture the economics of vertical integration. By routing volume to Discover’s network, Capital One can approximate AmEx’s closed-loop advantage by seeing both sides of transactions while setting its own interchange.
For Visa and Mastercard, this creates a problem that goes beyond fee revenue. If Capital One redirects increasing volume off their networks, it’s not just the transaction fees that shrink. It’s the training data that feeds the AI. Every transaction that moves off-network makes the moat a little shallower.
What Happens When the Agent Has No Fingerprint?
Everything in this issue assumes a human at the checkout. The behavioural signals that current authorization models depend on, device fingerprint, session history, typing cadence, and mouse movement, are all generated by people. AI agents produce none of them.
The networks are already positioning for this. Visa launched the Trusted Agent Protocol in October 2025, an open cryptographic framework that gives agents a verifiable identity and, importantly, gives the network visibility into pre-transaction behaviour: browsing, product comparison, and shopping intent. Data that payment networks have never seen before.
Mastercard launched Agent Pay in April 2025, taking a different approach. Its Dynamic Token Verification Code formats agent credentials to match standard card payment fields, allowing AI agents to submit payments through existing checkout forms without any merchant code changes. In March 2026, Mastercard released Verifiable Intent, an open-source framework co-developed with Google, that creates tamper-resistant records of what a user authorized an agent to do.
Both networks are co-chairing the FIDO Alliance Payments Working Group to define how these new credentials interact with existing authentication standards. If agent identity and payment credentials are network-controlled tokens, the networks become the trust layer for a transaction type that no current issuer model can evaluate independently.
Agentic commerce doesn’t weaken the network’s position. It strengthens it.
In the final issue, we will put the full chain together. Issuers hold the authority. Acquirers shape the signal. The networks are becoming the intelligence layer between them. The question for every institution in that chain is the same one it’s been since the start of this series: are you building the capability to participate in that intelligence, or are you waiting for someone else to make the decision for you?
Thank you for reading.
P.S. If you are looking for a Payments Strategist/Data Scientist to help you figure out how to start leveraging data as an asset or like to educate your organization or audience through an event or webinar based on 20+ years of experience, don’t hesitate to email or DM me to set up a call and discuss how I can help.
Or if you just want to show your appreciation for my work, feel free to buy me a coffee, as it helps fuel the next editions.
The gap between Visa's millisecond AI score and a rules engine last touched in 2019 is where billions in unnecessary declines live. Merchants feel this constantly -- same card, same customer, wildly inconsistent approval rates depending on which issuer is on the other side. The network intelligence is there, but it only matters if the issuer actually uses it, and a lot of them are still making decisions like it's 2008.
The real question nobody asks is who's actually accountable when a network-assisted approval goes wrong on a fraud loss -- because that liability question is going to get complicated fast as issuers hand more of the decision upstream.