Card schemes are pricing the identity layer themselves

For three decades the shadow price of authenticating a card-not-present transaction was buried inside interchange. Card number, CVV, an occasional 3DS challenge, all priced together with acceptance. The line item did not exist; the cost did. Issuers absorbed fraud losses and recouped them through the ad valorem portion of the rate. Merchants paid the bundled price and received a verification of sorts in return. The factor of production was real and its rate-card price was effectively zero.

That price is now visible. Visa introduced a Digital Commerce Service Fee in January 2025 at 0.0075% of every authorised card-not-present transaction, separate from interchange. In April 2026 the rate rose to 0.015% on domestic CNP and 0.035% on cross-border CNP, paid by merchants rather than passing through the interchange ladder (Merchant Cost Consulting summary of the Visa pricing schedule). Mastercard’s Value-Added Services line, which now includes identity solutions alongside cybersecurity and decisioning, reached $3.9 billion in Q4 2025, up 26% year on year, and accounts for roughly 40% of total Mastercard revenue (Yahoo Finance coverage of Mastercard Q4 2025 results). Identity has a metered price, the price is rising, and the question worth contesting is not whether it exists but who collects it.

The fintech narrative settled some time ago on an answer. Identity SaaS firms (Prove, Persona, Stytch, Socure, Plaid Identity) would intermediate the high-risk transaction, charge per verification, and own the layer the schemes had failed to monetise. The empirical record points elsewhere. Persona raised $200 million Series D at a $2 billion valuation in April 2025, with marketing copy that did the rhetorical work for free: “the verified identity layer for an agentic AI world” (PRNewswire announcement). The framing is investor positioning. Whether the rent actually flows to Persona will be settled by the same contracting decisions the schemes are now making against it.

Socure has the cleanest revenue picture in the cohort, and the most diagnostic strategy. Annual recurring revenue crossed $340 million in 2026, with sub-1% gross dollar churn and 130% net dollar retention (Biometric Update on Socure ARR). Per-verification pricing for mid-volume buyers in the 10,000 to 50,000 per month band has been reported at $0.50 to $1.50 (Vendr Socure pricing data). Johnny Ayers describes Socure’s approach as consolidating name, email, phone, address, date of birth, SSN, IP, device, and biometric signals into a single decisioning surface (FFVC interview with Ayers). The leader in identity-for-payments is therefore re-bundling at the SaaS layer rather than unbundling anything; the question is whether the schemes will let that bundle sit between them and the merchant.

Prove tells a less flattering version of the same story. Latka’s data shows revenue contracting to roughly $63 million in 2025 from $83.7 million in 2023, against years of public framing as the identity-for-payments pure-play (Latka revenue data on Prove). A pure-play whose revenue declines while the addressable market expands is not the proof point an investor expects from a thesis about layer capture.

Stytch is the most diagnostic exit. Twilio entered a definitive agreement to acquire Stytch on 30 October 2025 and closed on 14 November (Stytch acquisition announcement). Reed McGinley-Stempel framed the transaction directly: “In the age of AI, identity isn’t just another piece of the stack.” The exit reads cleaner than the framing. An identity platform positioned as the layer ended up absorbed into a communications and authentication suite, which is to say the market re-bundled the asset into adjacent infrastructure rather than letting it stand alone as a priced product.

The aggregate sizing matches. Independent estimates of the global identity-verification market for 2025 cluster between $14 billion and $17 billion, with projections to roughly $29 billion by 2030. Even tripled the figure is small relative to the combined net revenue of Visa and Mastercard, which exceeds $70 billion annually. The standalone IDV market is real but not transformative, which is the wrong scale to be picking up rent that grows with CNP volume.

The schemes have read the same data and acted on it. Visa’s Trusted Agent Protocol launched on 14 October 2025 with thirteen named partners (Adyen, Ant International, Checkout.com, Coinbase, CyberSource, Elavon, Fiserv, Microsoft, Nuvei, Shopify, Stripe, Worldpay) and Cloudflare as a co-developer, the most concentrated demonstration to date of identity-layer infrastructure operating under a single network’s control (Visa investor relations release on Trusted Agent Protocol). Agentic tokens are issued only after the agent is authorised to act for a verified business or funding source, and the authorisation sits at the Visa layer (Visa Intelligent Commerce overview). Identity assurance is now a separately metered scheme product, sold under Visa branding, distributed through partners Visa selected, and priced into the network’s own taxonomy of fees.

Visa Payment Passkey is the other side of the same play. The first merchant-side rollout, with noon Payments in the Middle East in late 2025, replaced OTP and 3DS challenges with FIDO-bound device biometrics and routed the economic benefit through authentication-programme incentive flow rather than a per-verification fee (noon Payments announcement). The merchant pays through eligibility for lower interchange on tokenised credentials; network-tokenised CNP runs up to ten basis points below non-tokenised (Visa press release on tokenization milestones). The price is real, but it flows through the network’s pricing taxonomy rather than a Persona or Socure invoice.

Mastercard does not separately disclose identity-line revenue. The line sits inside Value-Added Services, alongside cybersecurity, decisioning, and analytics. The non-disclosure is itself informative. A network confident that identity was a separately captured rent would disclose it; a network compounding identity revenue inside a broader bundle would not. VAS grew 26% in Q4 2025 against an installed base where identity solutions have been selling for years, which suggests the rent is being accumulated under that bundle rather than leaking out to standalone identity vendors.

Click to Pay is the corroborating absence. EMVCo’s Secure Remote Commerce specification reached version 1.5 in 2025 with federated identity and improved out-of-band card-authentication invocations (EMVCo SRC 1.5 update). What EMVCo has not published is current transaction volume or merchant-count data. The schemes publish what is working; the silence on Click to Pay is the silence of a play that is not yet winning at the merchant edge.

FIDO’s October 2025 Passkey Index reads better than most observers credit, with the caveat that adoption is concentrated. 75% of consumers recognise passkeys; 69% have at least one. 48% of the top 100 websites support them. Amazon alone accounts for 39.9% of total passkey share (FIDO Alliance Passkey Index). The headline figures travel, the concentration tells the truer story about the long tail of merchants, and the truer story is that scheme-led authentication still sits closer to the start of the curve than the end.

The economics here have a textbook reading. Jean-Charles Rochet and Jean Tirole established in 2003 and again in 2006 that platforms in two-sided card markets maximise surplus by tying complementary services together rather than letting them unbundle (Rochet-Tirole CEPR DP 6132). The honour-all-cards rule is the canonical example; the prediction generalises directly to any service the network can attach to acceptance. Card networks will resist letting a complement become a separately-priced layer outside their control whenever they can re-tie it. Trusted Agent Protocol and Payment Passkey are what re-tying looks like when the complement is identity.

The constraint on the tying is regulatory, and the rules sit unevenly across jurisdictions. The CFPB’s 1033 final rule (October 2024) requires third-party data recipients to publish a Legal Entity Identifier and an information-security attestation, but the consumer-identity-verification requirement is institutional rather than per-consumer (Cooley client alert on 1033). The American regulatory hook for unbundling the identity layer is weaker than the European one. The binding consumer-identity layer in Europe sits in PSD3, eIDAS 2.0, and Australia’s Digital ID Act, where verifiable credentials are issued by a wallet stack the networks do not control. PSD3 references SCA seventy times against PSD2’s eight (Norton Rose Fulbright PSD3/PSR analysis). On identity in 2026 the United States is the jurisdiction in which the schemes have the freest hand.

What is forcing the price to surface in the United States is not regulation but agentic commerce. Every agent-initiated transaction raises authentication questions the bundled rate was never designed to answer for free: who authorised the agent, on whose behalf, with what spending limit, with what binding to the human in whose name the agent acts. None of those questions are answered by card number plus CVV plus an occasional 3DS challenge. Each requires a separate identity assertion, separately verified, separately priced. The schemes have read that requirement and started pricing for it. The standalone identity SaaS firms have read the same requirement and answered with verification rounds, agent-flag products, and acquisitions, but the rent capture has not followed the marketing. Persona’s $2 billion valuation is a bet venture investors have placed on a forecast; Mastercard’s $3.9 billion is one quarter of revenue the schemes have already booked.

A skeptic might object that the identity SaaS layer is too small to matter and that the schemes are simply re-pricing existing tying under a new label. The IDV market is roughly $15 billion globally; even tripled it will not shift scheme economics, Prove is contracting, Stytch was absorbed, and the standalone identity layer is a venture story rather than an industry one. That objection mistakes where the rent is going for whether the rent exists. Mastercard’s VAS line is the appropriate measure of identity rent capture, not the standalone IDV market. The unbundling is real, the rent is being captured at the scheme layer, and merchants pay more for identity-assured CNP than for legacy CNP regardless of which entity collects.

A more theoretical objection holds that the schemes are re-bundling rather than unbundling, and the framing is sleight-of-hand. Both can be true. The unbundling is real in the sense that the Visa Digital Commerce Service Fee is a separately metered line item, while the re-bundling is the mechanism by which the schemes prevent the rent from leaking to third parties. The merchant pays a price for identity that did not exist on the rate card five years ago. Who collects that price is the contested question; the existence of the price is settled.

The welfare reading has the Atlanta Fed Payments Forum as a useful anchor. Its October 2025 publication notes that stringent identity verification operates as a barrier to access for unbanked and underbanked participants (Atlanta Fed Payments Forum, October 2025). Identity rent has distributional consequences, not just allocative ones. A factor of production whose shadow price was zero for thirty years and is now a metered scheme line item shifts cost to the participants least able to absorb it. Whether that cost reflects genuine information production (synthetic-ID detection, biometric assurance, cross-institutional fraud signals) or rent extraction enabled by network effects is the policy question that Rochet and Tirole’s framework does not settle.

For issuers, acquirers, merchants, and regulators the operative question over the next five years is not whether identity has become a separately priced layer. That has happened. The question is which entity collects, on what schedule, and through which contractual surface. The answer on current evidence is the schemes, quarterly, through fees that did not exist on the rate card in 2024.