Fintech Layer Cake
Welcome to Fintech Layer Cake. A podcast where we slice big Financial Technology topics into bite-sized pieces for everybody to easily digest. Our goal is to make fintech a piece of cake for everyone. Fintech Layer Cake is powered by Lithic — the fastest and most flexible way to launch a card program.
Fintech Layer Cake
The Future of Payments is Agentic and Tokenized, with Basis Theory CEO Colin Luce and CTO James Armstead
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
The payments industry spent years turning tokenization into a business tool for lock-in. So what does it mean that the same technology might now hold the key to making agentic payments actually work?
Reggie Young sits down with Basis Theory’s Co-founder and CEO, Colin Luce, and CTO, James Armstead — the team behind the programmable token vault platform that has quietly become central to the agentic payments conversation. Colin and James break down what tokenization really is, how it was co-opted as a competitive moat, and why they believe it's the foundational layer that agentic commerce needs to get right.
They get into the reality of agentic payments today — what's hype, what's actually transacting, and why human-in-the-loop is a feature, not a bug. The conversation covers the technical choke points legacy infrastructure wasn't designed to handle, the intent and fraud problem nobody has solved yet, why the industry is over-complicating protocol selection, and what a smarter approach to tokenization could unlock.
Plus: Colin's bold prediction on the fate of PANs, James on why the early winners will just accept the volume, and the pair on why a misspelled email might be the highest compliment you can give someone in 2026.
Reggie Young: Welcome back to Fintech Layer Cake, where we uncover secret recipes and practical insights from fintech leaders and experts. I'm your host, Reggie Young, chief of staff at Lithic. On today's episode, I chat with Colin Luce, the co-founder and CEO of Basis Theory, and James Armstead, the CTO of Basis Theory. We cover it in the episode, but Basis Theory is a platform that gives merchants more control over their customers’ card data with a programmable token vault. Basis Theory has quickly become a key player at the center of the agentic payments conversations, thanks to the role tokenization will play there. If you don't know what tokenization is, that's okay. We cover it in the episode.
Fintech Layer Cake is powered by the card-issuing platform, Lithic. We provide financial infrastructure that enables teams to build better payments products for consumers and businesses. Nothing in the podcast should be construed as legal or financial advice. If you enjoy Fintech Layer Cake, please give us a review on Apple, Spotify, or wherever you listen.
Colin and James, welcome to Fintech Layer Cake. Really excited for our conversation today. We were chatting before recording that I've been following Basis Theory for a while. You guys are doing- it's kind of niche stuff that most folks won't understand, but it's not niche in its impact. It's very impactful, and touches a lot of fintech.
Probably a good place to start, and Colin, I'll throw this question at you, we're going to probably be talking about tokenization a lot in this episode, and tokenization can mean a lot of different things. Before we dive in, could you give listeners, explain it like I'm five, version of what tokenization is and what problem Basis Theory is solving?
Colin Luce: I will attempt to. I've never been great at the explain it to me like I'm five. But I will say I often start with referring to it as OG tokenization, because I think our friends in the crypto industry have stolen it from us, and that is almost like the de facto what people think of with tokenization now.
James Armstead: We’re back, though.
Colin Luce: I think tokenization, at its core, was really developed as a data security technology. Now, as we just talked about, I think as it relates to fintech and the broader payments ecosystem, it's become a critical piece of infrastructure for moving data around, storing data on devices, on merchant sites, et cetera. But at the core of it, it's a data security mechanism that essentially obfuscates sensitive data and replaces it with non-sensitive data, again, with the intention of making this data more portable across the ecosystem.
That said, it always continues to blow my mind when we have these sorts of conversations as I describe it that way in that that's not exactly how it played out. There's these ideas of point-to-point encryption, end-to-end encryption. That's how this industry and ecosystem should work, but that's not how it's played out. Every network, every PSP has all developed their own proprietary tokenization engines and algorithms. As data transfers across the ecosystem, we're still leveraging detokenization to get back to plaintext data, to send it over, to then retokenize it.
I remember when we were first starting Basis Theory, the high in the sky, pie in the sky, whatever they say, thinking, I was like, we should be the people in the industry that change this, and we should think about this more from an industry perspective. And what if there was like a protocol or a spec that everyone built towards and Stripe could understand what Adyen did and Adyen could understand what Visa did, I think we quickly realized that this data security mechanism has really been turned into a business tool to lock people in.
So I'll answer your question like a five-year-old, or answer it as if I'm talking to a five-year-old, which is, if I am passing you a letter that has your name on it and you don't want people to know your name, instead of it coming across as Reggie, what if it was just XY432 so that no one knows you're Reggie, and there was some system in the background, some secret notebook we have that you could turn XY432, or whatever I said, into R-E-G-G-I-E. I guess that's my best attempt at explaining it like you're a five-year-old. But James is really good at describing it like you're a five-year-old. So maybe we should hear his take.
James Armstead: I think that was good. Yeah, that was a good one. Decoder ring.
Reggie Young: Yeah, it's a good analogy. I'm still struggling on the explain it like I'm five version of an issuer processor. On Lithic’s side, that's a fun one that I still am figuring out. So you guys did great on that.
Yeah, I want to spend a lot of this conversation jamming on agentic payments. Basis Theory started as this tokenization compliance play, but now you guys have become the center of agentic commerce conversation, and there's a lot of conversation happening there. How did that happen? How did you guys go from this tokenization to now be pretty core to the agentic payments conversation?
Colin Luce: It's kind of what we talked about at the beginning here, which is tokenization really is the critical infrastructure underpinning a lot of how data and money moves across the Internet today. I think the lay consumer now is an active user of these digital wallets attached to your phone, Google Pay and Apple Pay. And again, well, most people don't know what tokenization is. Same thing, like the underpinning technology of these wallets is tokenization.
To answer your question, I think it was a little over a year ago when we first started having inklings of this agentic commerce thing coming. James, obviously being on the forefront of all things AI, starting with coding and stuff, I remember when he first reached out to me, he's like, hey, so I can see this playing out, and I think I know where this is going. And that's when we started having conversations with the networks first, and obviously they were seeing this, too.
I remember Visa's big product drop for intelligent commerce almost a year ago. It felt like an Apple product release or a Google event. It was so high end. I think they had like a race car out front. Jack was up on stage. It was wild. Look, we were and continue to be just so well positioned for this because the way this is going to play out is tokenization. And so it's not like we've pivoted or shifted what we're doing. We're just extending what we're doing into this new agentic world really. My LinkedIn header says, agentic commerce, with agentic crossed out and token there, because I do think a lot of this is going to be token commerce. It's just not as sexy with the agentic part.
James Armstead: Yeah, I agree. I think that when we started out, I think we had aimed to be as the developer of the infrastructure platform for a payments foundation or you could say tokenization. I think we probably did say tokenization early on. The way, I think, we've really started to view Basis Theory is that we want to be the infrastructure layer, we want to be the platform layer. As you think about how quickly coding changed and you think about how quickly the SaaS is dead argument, which, again, I think that that is a short-lived argument, to be honest, I think that the market will correct itself on all of that, but I think that that's what's helped us be well positioned from a tactical perspective, is we want to be the place that you can build whatever you need to on top of all of these new protocols, all of these new foundations that the networks are putting out. I don't think that every organization has been as well positioned to do that.
If you built a point-in-time solution, built a SaaS product around solving a specific payments problem, you're not as well positioned to pivot directly into allowing native access to all these new services. So I think that the market really did play out for us well in that it made it simpler for people to take an idea and use an infrastructure, just like you can go build something on AWS now much simpler. I'm not saying it was hard before, but now it's way simpler for a new generation of people, a new type of person to build on top of these things.
Colin Luce: It also feels like we're at this unique point in time where there's this convergence of all these megatrends hitting at the same time at the most macro level. Obviously, crypto and AI kind of both coming at this at the same time is really interesting, specifically around this agentic commerce idea. But I think even within the payments ecosystem, I think two of the bigger trends over the past, call it, 5 to 10 years have been this shift towards more distributed and embedded payments and checkout, this shift towards social shopping. If you think about TikTok links and Instagram shopping and stuff like that, that's directly correlated to what we're going to start to see on the agentic side.
And then the other big trend is just this convergence of payments and identity. And I think as we start to think about introducing agents in here as well, there's a lot of talk about KYA and identifying agents and stuff, but ultimately, that's just an abstraction on top of KYC and understanding who the end user is behind these agents. And so it's like just another lens by which we have to think about identity, credentials, linking of the two, provenance across all of these different handshakes across the ecosystem. There's just a lot of these trends that are converging, which I think is super interesting.
Reggie Young: It's an exciting time. Everybody's fundraising, claiming to be an AI native on chain company, and you're good to go.
Colin Luce: I know. We really mistimed our fundraiser a year ago. We should have done it today.
Reggie Young: There's so much noise on social media about what agentic payments is today and what you can do with it. What do you see as the reality of what agentic payments looks like today versus what most people might think it actually is, based on all this sort of noise they're seeing?
Colin Luce: James?
James Armstead: I think that the noise is actually probably that there's more happening than what is happening. Today, I think people believe that there's a lot of interaction happening with consumer brands, and I actually think that that's where the biggest gap is, is I think we're not buying dog food right now, I don't think. We're either trading money and using x402 to make it look like there's a bunch happening. I haven't dug into the data, but just listening and being involved in a bunch of the parties that are also on both sides of the equation for x402, it just feels like there's not a lot going on.
Colin Luce: Don't go into conspiracy theory corner here, James.
James Armstead: I mean, it's just hard to know what's happening over there, right? So I do think there is things happening. I think that there is transactions working. I think that it's more at the infrastructure level. It's more of buying very simple things. We talk quite a bit about where do we think the current state is and where should we be going after. I think it is buying compute. It's sending a text message. It's these small dollar value things that I do think crypto is well positioned for. I think credit cards will ultimately catch up, and the networks won't- they want to play microtrends, I'm sure.
I think that there is stuff happening there. I think where everybody wants or wants to believe that it is is where you're buying consumer brand, like having it, know that I'm out of soap somehow based on something in my house. It could be recorded. Who knows, right? I think that that's what people want to think that it is today, and truly, it just isn't working yet.
Colin Luce: I think there's this perception in the market that agentic commerce or agentic payments means I, as an individual, whether that's a consumer or a business, am going to empower my agent with some sort of payment credential for them to go autonomously transact on my behalf, whether there's this deep intelligence layer behind it, to James's point, that knows I'm out of soap or knows I need dog food or something else. That's a perception. And I think that's where you get all these people raising their hands, like, what about hallucinations? What about fraud? What about all these other things?
I think the reality is, and I think now that we have more data on this, whether it be the OpenAI data with Walmart and them seeing a 2x conversion drop with the embedded stuff relative to the user using the AI for search and discovery, but ultimately wanting to complete the transaction directly on the merchant site, or just the way in which these agentic credentials from the networks are set up, it's all human in the loop. And so I think the reality of agentic commerce today is it's predicated on human in the loop. And I actually think that's a good thing.
James and I were on a different podcast, a competing podcast, a couple weeks ago. One of the quick fire questions at the end was, and I can't remember if it was three years from now or five years from now, but like three years from now or five years from now, how much of the commerce volume will be AI or agentic initiated? And we kind of started in the 20% to 30% range. And Mr. Armstead here had to go throw a wrench in the whole thing, and he said, 100%. And at first, we were like, what are you smoking? But then I think we quickly realized, I don't think it’s crazy as it sounds on the surface.
Again, if you look at it from the lens, not like we're just going to use ChatGPT and say, go buy shit for us, but more like the different modalities by which we interact, even with our phone or with our voice assistant in our car, or- looks like one of the hotter trends right now from Walmart and Home Depot is they're going to build their own AI agents to sit on the website and their mobile apps. I think as stuff like that proliferates, I do think, whether it's the initial entry point or some assisted flow throughout it, it does feel like agents are going to play a role in almost every transaction. It just might not look like how we're contemplating some of this today.
Reggie Young: Yeah, love it. The Privacy.com team has been doing a ton with supporting agentic payment use cases. Essentially, there's a ton of stuff on X right now of companies posting like, hey, sign up for our agentic card support. And then you click into it. It's like, okay, there's a wait list and there's no bank lined up, there's no live product. TBD when it actually happens. They're getting a bunch of press. It's why Privacy keeps saying this thing of, oh, we have a live product. And there's so many names in market that are saying, we have this great card thing and then you click in. It's, oh, this is just marketing, brand building that you build a wait list to try and fundraise on or something.
Colin Luce: Totally. I mean, we talked about it earlier. We feel like we're very well positioned for this moment, but so are you guys and so is Privacy. James and I said that very early on. We were like, oh shit, who's almost best positioned here is the Privacy team.
Reggie Young: Oh, it's exciting. James, this is maybe a good question for you. When an AI agent is executing a payment, what are the actual technical choke points in today's infrastructure that existing legacy infrastructure wasn't designed to handle?
James Armstead: I think the obvious one is just how they actually use the card. Almost all merchants aren't set up to accept cards the way that agents want to utilize them or they want to send them in. They're just not built to go transact through the normal e-commerce flows. I think that's one part of it.
The rest of it starts to get into, I think, how agents are identified and how we understand their intent behind something. Intent is such a funny thing. I think everybody's stuck on, how do we verify the intent of an agent? I think what we've decided in the past is that we don't really care what Colin's intent is. We just care that he clicked the button, and we'll deal with it on the fraud side. We'll start to deal with it on the fraud side. We won’t accept transactions.
And then they get to a point where like, oh, wait, look at all these chargebacks, look at this problem we've created. So they said, oh, time out. We should make sure the person on the other side's intent is correct. We're basically saying, we're coming up with a new term for what fraud really is. And I think we're trying to flip it to a different side of the equation now. We're trying to say, fraud is almost a way that we detect if we think somebody is a right or wrong person, but not about intent that they have. But now we're kind of saying the opposite. We're trying to say, hey, this infrastructure is not prepared for agents to make a decision on Colin's behalf. What was Colin's actual intent? And then how do we verify that intent, and how do we know that that wasn't fraudulent? It's a pretty big gap that I think that there's a lot of people trying to figure it out.
Granted, I think we're trying to figure something out before there's a lot of volume, so I don't think anybody really knows anything. But I do think that there's a pretty big gap in just understanding what this new transact layer really is. And we're basically saying, all these protocols and all this new stuff that's coming out and machine-to-machine payments, none of that is prepared for this new fraud layer essentially. All of that was built for websites and card traffic and understanding, am I clicking the button too fast? There's just a lot of things that are baked into those models that won't matter anymore or detecting real use cases now that you don't want them to detect.
Reggie Young: Yeah. I remember, around a year ago when agentic payments started becoming a really hot topic, everyone was like, oh my God, what are we going to do about chargebacks? It's going to be such a problem. To your point, I'm like, I don't know, what does the actual volume behavior look like? Is it actually a problem? Is there actually that much hallucination that leads to an incorrect purchase? I don't know, it may not actually be a problem. To your point, James, there's not a ton of volume to necessarily scale and see what the actual behavior looks like. So it's a little bit of putting the cart before the horse.
James Armstead: And it's funny. I think that everybody's looking at this like consumers are just going to trust everything anyways. We don't even have a good consumer use case, I don't think, for this. Buying shoes was not the thing. It was like, well, what if it shows up the wrong color? I was like, well, first off, show me how this works in the first place, and then let's talk about if I even trust it.
Again, to Colin's point about the 2x reduction for instant checkout, again, how are you going to trust these things? I go to Walmart's website, and I trust that I'm going to add this to my cart and I know that I'm buying it. There is a layer there that's showing me exactly what's happening. I don't think consumers are stupid in that they're just going to trust whatever the agent's going to do without some sort of verification.
I think we're picking things because we think there's going to be a major problem. But we got to get it, we have to get volume. I think that the winners will actually be the ones that just accept the volume and are okay dealing with the fallout of it and they figure it out in real time, they build the team around it. I really do think that the early winners will be people that just trust that it's going to work out.
Reggie Young: Yeah. We sometimes talk about this is like the boogeyman problem of, is this actually a real problem, or are you psyching yourself up to the point that you don't actually try it out to see if it is a real problem? I think, yeah, we need some volume to test it out.
Colin Luce: And I do think it's the right thing as per this conversation. We just need to get volume. And so anything we can do to take shortcuts and try and fit the existing mold for this new world is generally a good thing. But even that example we just went through right now, if we approached it from a more first principles perspective on how this should work, irrespective of the amount of rearchitecting and work you have to do, there are easy ways to solve for that.
What if it was your agent does autonomously go, quote/unquote, buy this stuff for you, but it's really that they're placing the goods on hold and then you get some confirmation email or text that says, hey, your agent just bought this pair of shoes for you. Here's a picture of them, all this. They're ready to ship out. Hit confirm, make sure you want these. Or do you want to add anything to it? Or maybe you get a daily summary of all the things your agent bought. You can say, yeah, confirm these, but not these. There are ways to mitigate some of these and actually provide better experiences. But again, that just requires a lot of work, and so that's probably unrealistic in the near term.
Reggie Young: We’ve danced around this, but I'd be curious to double-click on how tokenization plays into that sort of card authorization layer. We think about this a lot now, having intelligent transaction authorization being a pretty critical thing. As all the trends converge into programmable payments, you got to have the ability to add smart logic and signals to what an agent spend authority is at the moment that a transaction is happening rather than a lot of legacy infrastructures.
To your point, fraud being dealt with as, after the fact, chargebacks, all that sort of stuff, I'd be curious for agentic payments, how do you guys think about tokenization interacting at that point of authorization? Because I think when somebody thinks about agentic payments and then understands what tokenization is, it's, oh duh, that's going to be probably the solve where a lot of this stuff happens. But what does that actually look like in practice? Don't everybody jump at once on that?
Colin Luce: I'll give you the less technical answer, and I'll let James do what he does best, which is translate what I'm trying to say into a more technical answer. I think part of it is, again, there's going to be multiple different parties involved now in a way that wasn't necessarily how previous versions of commerce work. The mere introduction of an agent is a new party in an already crowded chain of events. And again, I think tokenization historically has played a role in stringing some of these handshakes or multiple different parties together in a transaction flow, and so adding another one and probably adding more than one. If you think about this from a distributed or embedded-type use case, tokenization just inherently plays a better role in that.
As it relates to things like intent and stuff, I think what's interesting about tokens is so long as you architect them the right way, there's the ability to append metadata to them. And so it doesn't necessarily just have to be a token that consists of a 16-digit PAN, but you can include intent data in there, you can include identity data in there, you can include agent authorization data in there. I think you could probably get sophisticated enough where even if you're leveraging existing card rails or network rails to do this, could you do it in a way where some of those fields are encrypted all the way through and can only be read by the issuer as opposed to the network or scheme? Because I think then you can start to, again, leverage existing rails without introducing worries or concerns of the wrong party getting access to the wrong data.
Tokenization is a very flexible technology. I Just don't think we've necessarily used it or thought about it in that way. So I think for agentic commerce, hopefully it's the impetus for us to actually maximize the potential of this technology and of these tokens.
James Armstead: No notes. That was great. Truly, I think that is the exact thing. I think that the gap that we have is a lot of the fundamentals of tokenization and the networks creating network tokenization is that it's a big data sharing problem, and nobody wants to data share. It's the funniest thing. What you end up with is the network starting to offer discounts on rates to get data sharing to happen. They create data sharing programmers, like, hey, just start using network tokens and we'll give you a discount. And then six years later, hey, thank you all for using network tokens. We're going to phase that out, but now we'd really like it if you started sharing more data when you create these network tokens and we do the transaction. That way, we can do more on the backside.
I think Colin's exactly right. There's work to be done, obviously. There's a lot of work to be done, but I think the infrastructure is prepared for some of the scenarios. So now the issuer knows the intent, but how's the merchant talk about the intent? Do they even want to share that? Because in some ways, I think the banks want more data, too. They kind of claim the customer in some ways. So, like, well, sure, they want to go buy dog food, but why don't you tell me that they want to buy dog food, that they bought dog food and then all verified as the bank versus I think the merchant's like, no, no, no. I want to do that verification because I'm the one that owns the chargeback.
I really do think that it's going to force the industry to figure out how they want to do this data sharing practice, and I do think there is some encryption play here. We can do some confirmation with hashing and encryption to verify what's happening at some level. And the bank can verify that without getting every detail that the merchants don't want to share with them.
Colin Luce: Yeah. I think there's a trust question in here and there is, Reggie as a lawyer, an arbitration or arbiter question in here as well, right? So on the trust side, again, Visa is the trusted network. And I'm not throwing shade at that. They are the trusted network. They have, whatever, I don't know the stats, X number of millions of merchants and X number of millions of consumers and stuff. But you know what? Where they don't have trust is from the other two sides, which is merchants are always blaming the networks and the issuers for problems. Issuers are always blaming the networks and the merchants for the problem. The networks are caught in the middle of that.
And so as James alluded to, as we think about data sharing across this ecosystem, that's why I think it has to be controlled programmatically or permissioned in a way where certain parties can read access to data that other parties can't. So there's that trust question, and this is more related to the KYA side of this, but I think, in general, around this idea of intent and stuff, there's a question of, but who's the arbiter of good intent or bad intent? Who's the arbiter of truth here? And that's where I think having full provenance across this ecosystem is critically important to say, I less care about you saying that you're approving the intent. I want to see the actual prompt that the user gave. Show me the prompt. I'm not going to take your word for it, whether you are start-up A or you’re Visa who's saying, no, I verified intent. It's like, that's great, but I want to verify intent. So show me the actual prompt, show me the response, show me the confirmation.
It's like the whole portable identity space, right? Portable identity is this super fascinating concept to think about and, in practice, has never played out because of this trust and arbiter lens. If you're JPMorgan Chase, and BofA has KYC to user, you, JPMorgan Chase, are subject to the same KYC requirements and rules as BofA. And so if BofA says, I KYC this user, why can't JPMorgan Chase rely on that? They're saying, no, that's great, but send me the data, I have to run them through my own KYC. And so I think it's a similar problem that gets played out here.
James Armstead: I do think there's another model in which none of this ends up mattering. I actually think this may actually come true anyways. But in some ways, a lot of this problem exists today, but we thrust it upon the consumer. The consumer needs to figure out if they trust where they're giving their data.
If I go to a website and it looks shady, I may or may not put a credit card in. I'll probably put Colin’s Ramp card in just to make sure it's not my responsibility. Some of it's thrusted upon the consumer, and I think it will actually end up being thrusted upon the consumer in some ways because I think the infrastructure we're talking about is almost harder- business relationships are almost harder to forge than just saying, oh, let's just trust the consumer in some way, or the consumers will demand it.
If you think about Apple Pay, they could just go spend my money today. There's nothing really stopping them. They own the network tokens. They own the authentication. In some ways, they could theoretically change that process to spend whatever money they wanted to of mine. I know there's device encryption. There are ways that they're protecting me from them. But in some ways, I am trusting those platforms, just like I'm trusting a merchant with my data when I give it to them, or putting an agency in front of that where I'm saying, now as a consumer, I'm going to, at some point, trust my agent to go buy things for me. And I think it does.
I see myself, I see other people seeing this as well, you start doing something with an agent, and then you're like, I'm not going to give it everything. Not going to give it the ID of this log because I'm afraid it's going to do something weird. And then you start doing. You see that, oh, it's asking me questions, trusting us not doing the wrong thing and you give it more information.
Obviously, there's prompt injections and problems that you have to worry about, but at the end day, I think the trust in these things is just going to grow and grow and grow, and it will accelerate over 18 months, probably way less than that, but going to give myself a little bit. So then Colin doesn't get on the next podcast and say, James said everybody in 18 months is going to have a hundred percent e-commerce transactions. I do think that there is a world where we ultimately don't solve it at the merchant network bank layer for truly 15 years. Who knows, right? Because that's legal, Reggie. It's a lawyer problem.
Reggie Young: It's good AI won't replace my job anytime soon. I've got at least 15 years, according to you. It's interesting, too. I hadn't thought about it until you were just talking now, but you look at the consumer regulatory chargeback laws and regulations that we have in the US. They put trust on the consumer that they're reviewing their bank statements regularly and submitting their disputes within certain time frames. It's oh, we're trusting you to be a responsible cardholder, and the onus is on you to make sure that you're not seeing whatever fraudulent transaction on your statements. If you don't review it for too long, too much time passes by, then that's on you. n practice, a lot of policies are different. They're more end user-friendly. But yeah, it's interesting.
One last question on the topic of agentic payments. Colin, you've argued the industry needs to modernize- this is a little more technical question, but I want to get into it. Colin, you've argued that the industry needs to modernize the foundational infrastructure first in a way that protocols can be built on top of rather than racing to pick a winner among the protocols. It feels like every other week, we're getting a new protocol to deal with agentic payment. I love for you guys to walk me through that sort of thinking of why should we modernize the foundational infrastructure, and what does that look like in practice?
Colin Luce: I think about it from a few different lenses as it relates to every week there being a new protocol. I think that, again, if we're all saying we actually want this to happen, we want to drive adoption, we want to increase volume, that is not the way to do it. We're over-complicating it. And so I think it needs to be simplified in a way where it's a much more approachable thing to do, especially on the merchant side, to get engaged. I think right now, they're just inundated with all these different protocols and they're throwing their hands up in the air like, what do we do?
Again, good opportunity for start-ups to exist who can build orchestration layers across all of these different protocols. That's great. I'm all for start-up opportunities and entrepreneurship, but it doesn't seem like the best path here. Look, I do think x402 is an interesting lens to look at this from, though, because we're going backwards and saying, wait, there is this thing that exists called 402. What if we just leverage that and rethink how some of this stuff happens? And so I think that has been really interesting to watch to get played out.
I think, six months ago, it would have been like, oh, ACP is going to be the thing, this is going to be the winner. And then there was probably a period in time you're like, watch out for UCP, this is it. And right now, it's MPP and x402. But I think that's right. I think it's how do we adapt existing infrastructure in a modernized way or leveraging modern technologies or approaches. But leveraging existing infrastructure is probably the right approach.
Again, I think the OpenClaw moment changed a lot of people's minds on this. I think MPP and what Stripe's doing with projects has also shifted a lot of people's thinking on this stuff. Every week, yes, there's new protocols, but I think we're starting to see different approaches to using those protocols, too. And I think that's been super interesting to watch. Again, where are those things happening? They're happening down in the CLI. It's not necessarily some new MCP server. It is APIs and things happening in the CLI, which is, again, going back to my point of new approaches to leveraging existing tools, infrastructure, and just ways of working. It's this classic meet the developers where they are, meet the builders where they are.
James Armstead: Yeah. We tend to tell people like, no, the protocols matter when they ask. And I think it's true and not true. In some ways, like Colin just said, they're creating inspiration for what could be. It looked like Stripe is perfectly positioned for their ecosystem to enable their ecosystem to work together. That's why they participate in MPP, I'm sure. It creates a quick way for them to expose their ecosystem, whether they allow anybody else in or not. They can just keep that closing account. We're happy to take you on as a merchant.
I think that it's creating inspiration for projects. It's making it so like you could actually quickly pose something like this. I think what's ultimately going to happen is, whether we agree upon a single one of these or not, I think that the industry is just going to finally find that use case to drive consumer, and it's just going to end up not mattering at the end of the day. I think that it's going to drive people to have APIs. I think to Colin's point, we just truly need machine acceptable ways to interact, and HTML is not a perfect example of this today. I actually think there's chances six months from now that's not true. There's a chance that it's totally fine. Everybody was rushing six months ago to build markdown of their website, and now, in some ways, that doesn't even really matter. It's a little bit better because of token usage. But for understanding the intent or the concept of a website, you don't really need to do that anymore. It just got better.
I think that the models are going to get better, everything's going to get better, and they're going to figure to interact with all of the different ways that merchants and the economy is exposing the ability to purchase things. Ultimately, there will be a protocol that I'm sure will come out on top. But right now, it probably won't be any of the ones that we have today. Maybe, again, a little bit of the exception. I do think MPP is pretty good.
Colin Luce: I do think, though, if we play this out a year or two, there are going to be areas where we really do need to modernize both the technology and our thinking, our business practices, our underwriting approaches, if some of this stuff plays out the way we think it could. Again, if microtransactions play out the way everyone's claiming they are, the reality is merchants just aren't set up today to accept stablecoins. Consumers aren't necessarily all that excited or willing to go interact with stablecoins.
And so if you believe card rails are going to be where it happens, then do we need to think about modernizing our infrastructure such that batching transactions is much easier? That's a way to think about microtransaction. It doesn't have to be like, cards can't work for this, therefore it has to be stablecoins. It's, no, cards can work fine, just maybe not on an individual transaction basis. But what if you batch them on an hourly basis, on a half-day basis, on a 24-hour basis, then they work fine.
I think the other area that I think a lot about is if you believe in this billion-dollar solo founder thing, how are they going to accept payments? Most merchant acquirers aren't set up to underwrite an individual. And so do we have to adapt our underwriting to almost underwrite a consumer for merchant acquiring? And what does that look like? So there's going to have to be some modernization of our thinking on some of this stuff. We're just not there yet.
Reggie Young: I love it. Lots to think about. Excited to see how it all plays out. I’m going to jump to my wrap-up question for today. If you had to bet on one thing being true about payments in 2030 that most people would push back on today, what would it be?
Colin Luce: Despite what MasterCard is saying, I think PANs are going to be around. I think you're going to have to pry PANs from merchants’ cold dead hands. It's not answering your question directly because I don't think most people think that, but MasterCard certainly does. As I've told them plenty of times, I don't think that's going to happen.
James Armstead: Man, I was going to knock you and say something dumb.
Colin Luce: Reggie, this is what I have to deal with every day.
James Armstead: Yeah. I don't know. I think mine is a little less payments infrastructure-y because I can't compete with what Colin just said. Now you're just pandering to me. So stop that, too.
Reggie Young: Pandering? Pun intended?
Colin Luce: Yeah.
James Armstead: Thank you for a job, Colin. I think that the interface will still not just be interacting with an agent all of the time. I think, as much as I believe that or I said that a transaction will be agents, I think that the reality of the situation is that interface isn't perfect. One, chat isn't going to be the interface. It's going to probably be voice or something else eventually. But I still think we're going to still buy things in an economy the way that we do today. I just don't think that it's going to 100% shift to like, I go tell my robot to go buy me whatever on the Internet and it just figures it out.
I think that that interface will still exist. It will change a little bit, but I do think that it's not just going to be chat. I think everybody's like, 100% chat, interface is going to change, browsers are dead, just use the Chrome MCP chat with Claude. Why would you ever touch a browser again? I just don't. Maybe it's not a browser, but I just think in 15 years, it's going to exist. There’s too much dopamine.
Reggie Young: There's so much overhype. I mean, you talked about the SaaS is dead. Folks are over-indexing a lot of the headlines. It's funny, I've been thinking about this because I've spent my entire career working with words. And so I definitely use Claude to help write drafts of things. But I also find that whatever an email that I have to lay out a few points to a bank partner or something, I just default to doing it myself because I'm like, my brain has done the work for a decade plus of here's how to structure that information well, which is what somebody who hasn't spent a lot of their life writing and thinking about words that they go to Claude to do that. And so there's areas where it doesn't make sense to offload stuff in the long term.
Colin Luce: I saw some funny tweet this week that the modern biggest form of respect is actually misspelling words in emails because it shows that you actually wrote the email yourself as opposed to having some agent do it. How funny of a world is it that we live in a sign of respect is misspelling a word in an email.
Reggie Young: I'm getting so tired of the AI slop arms race. I used to use em dashes a ton. I've gotten away from them, and now there's other- as the models keep getting updated, there's new things that's, oh, that's AI now. Crap. I’ve got to change how I write. And I wrote that way because it was a well-structured and effective way to communicate, which is why AI is doing it. But now I can't do it. Otherwise people are like, today I read this.
James Armstead: If you send me an email that's more two sentences, I'm like, this is- if you sent me four paragraphs, I'm like, why did you send me an AI? Even if you wrote it, I'd be like, this is just really long. Do people still type this much?
Reggie Young: Cool. Well, awesome. James, Colin, great to have you on. Great to chat about all things tokenization and agentic payments. If folks want to get in touch or find out more about Basis Theory, where should they go?
Colin Luce: Well, James is a big LinkedIn influencer now, so you can find him- and Twitter, too. He’s famous on Twitter. LinkedIn and Twitter for James. You don't want to hear from me, the meat streets in Mill Valley. No, both of us are very active. Hopefully, if folks have listened to this episode, know that we're not afraid to speak our minds and spread truth. You can find us on LinkedIn and Twitter.
Reggie Young: Awesome. Thank you both so much for coming on the podcast. This has been great.
Colin Luce: Thank you.