Unlocking Mastercard Verifiable Intent: A New Era of Payment Security

▶ Watch the 60-second version on YouTube

Introduction to Mastercard Verifiable Intent

Mastercard Verifiable Intent (MVI) provides a robust framework for linking consumer authorization with agent transactions via an open-source cryptographic proof layer. Launched in March 2026, this groundbreaking technology was co-developed with Google to enhance transaction security and consumer trust. As developers, we can leverage MVI to build applications that ensure both accountability and privacy in digital commerce.

What is Verifiable Intent?

At its core, Verifiable Intent utilizes cryptographic proofs to create a verifiable link between a consumer's intent to make a payment and the actual transaction executed by an agent—be it an AI assistant or a human agent. This prevents unauthorized transactions while maintaining user privacy. The mechanism relies on digital signatures and zero-knowledge proofs to certify that the consumer has authorized the payment without exposing sensitive information.

Setting Up Your Environment

To get started with MVI, you'll need to set up a development environment that includes the necessary libraries for cryptography. Here’s how you can set up a Python environment to interact with the Mastercard Verifiable Intent APIs:

# Create a virtual environment
python3 -m venv mvi-env
source mvi-env/bin/activate

# Install necessary libraries
pip install requests cryptography

Integrating with the Mastercard API

Once your environment is set up, you’ll need API access from Mastercard. Make sure you have your API keys handy. Below is a sample code snippet that demonstrates how to create a Verifiable Intent request and send it to the Mastercard API.

import requests
import json
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric import rsa, padding

# Generate a key pair
private_key = rsa.generate_private_key(
    public_exponent=65537,
    key_size=2048,
    backend=default_backend()
)
public_key = private_key.public_key()

# Create a payload for the transaction
transaction_data = {
    "amount": 1000,
    "currency": "USD",
    "merchant_id": "merchant_123",
    "consumer_id": "consumer_456"
}

# Serialize and sign the transaction
transaction_json = json.dumps(transaction_data).encode()
signature = private_key.sign(
    transaction_json,
    padding.PSS(
        mgf=padding.MGF1(hashes.SHA256()),
        salt_length=padding.PSS.MAX_LENGTH
    ),
    hashes.SHA256()
)

# Prepare the API request
url = "https://api.mastercard.com/v1/verifiable-intent"
headers = {
    "Authorization": "Bearer YOUR_API_KEY",
    "Content-Type": "application/json"
}
data = {
    "transaction": transaction_data,
    "signature": signature.hex(),
    "public_key": public_key.public_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo
    ).decode()
}

# Send the request
response = requests.post(url, headers=headers, json=data)
if response.status_code == 200:
    print("Verifiable Intent created successfully:", response.json())
else:
    print("Error creating Verifiable Intent:", response.status_code, response.text)

Understanding the Cryptographic Proofs

One of the key features of Verifiable Intent is its use of zero-knowledge proofs (ZKPs). This allows the consumer to prove their intent to pay without revealing the actual transaction details. The cryptographic operations used here ensure that only the authorized consumer can validate the transaction. When implementing this, be sure to consider how to handle public/private key management securely—it's crucial for maintaining the integrity of the proof system.

Non-Obvious Gotcha: Signature Verification

One common pitfall developers encounter is assuming that the signature generated during the authorization will be compatible with all systems. When integrating with other platforms or services, ensure that the signature verification process aligns with their requirements. For example, some services may require a different padding scheme or hashing algorithm. Always refer to the specific documentation provided by Mastercard and the other services you interact with to avoid unexpected issues.

Testing Transactions and Handling Responses

When testing your implementation, you can use sandbox environments provided by Mastercard. This allows you to simulate transactions without affecting real accounts. Be mindful of how you handle responses from the API; not all errors will be straightforward. Implement comprehensive error handling to manage various HTTP response statuses, especially around authorization issues.

Conclusion

Mastercard Verifiable Intent is a powerful tool for enhancing transaction security in payment applications. By leveraging cryptographic proofs, you can ensure that consumer intents are securely linked to agent transactions, providing a level of trust that modern digital commerce demands. As you integrate this technology, keep an eye on key management practices and the specifics of signature verification to ensure your implementation is both secure and effective.