Mastercard to Buy Supply Chain Monitoring Firm RiskRecon

Purchase, NY-based Mastercard announced that it has agreed to acquire Salt Lake City, UT-based RiskRecon, an online security monitoring company that focuses on third-party risk management. Terms of the agreement, which is expected to close in the first quarter of 2020, have not been disclosed.

This is not the first 2019 cybersecurity acquisition by Mastercard. In March, it acquired Ethoca, a firm that helps merchants and issuers to identify and resolve digital frauds such as false chargebacks. RiskRecon, however, has no direct connection with payments, and it is unclear what Mastercard intends to do with the company. It could maintain it as an existing vendor of security products; it could incorporate its services into the security tool kit it provides to its franchisees; or it could do both.

Mastercard’s security posture is a little different to most organizations — it operates with two separate CISOs. Ron Green looks after the Mastercard infrastructure, while Johan Gerber is tasked with looking after the cybersecurity of its franchisees — all the merchants that use Mastercard’s payments services. Breaches in either area would hurt the Mastercard business.

It seems unlikely that RiskRecon is being acquired for the Mastercard infrastructure — it is more usual to buy the product rather than the company. A second common reason to acquire a separate company is to grow it and profit from its product sales while integrating it with one’s own products. Integration isn’t an easy fit between a payments firm and a third-party security monitoring firm.

It seems that the third possibility is most likely: this acquisition is as much for the Mastercard franchise as anything else. Johan Gerber described his role to SecurityWeek earlier in December 2019. This includes sharing information through fusion centers, but more explicitly he said, “We’ve created toolkits for small businesses comprising a bunch of free tools we give them to help them increase their cyber posture.”

It is possible that Mastercard intends to provide RiskRecon services free or at a reduced price to its franchisees while maintaining and growing the company as a commercial service to other firms. There are few clues in Mastercard’s announcement. “The innovations from the talented team at RiskRecon will further accelerate our suite of cyber solutions designed to help financial institutions, merchants and governments secure their digital assets,” commented Ajay Bhalla, president of cyber and intelligence for Mastercard. “Through a powerful combination of AI and data-driven advanced technology, RiskRecon offers an exciting opportunity to complement our existing strategy and technology to secure the cyber space.”

SecurityWeek asked Mastercard about its intentions, but was told, “At this point, since this is the ‘intent to acquire’, we cannot say much more.”

Nevertheless, helping franchisees to secure their supply chain through RiskRecon’s third-party risk management services will be an attractive proposition. Although card fraud as a percentage of sales is declining, the overall amount of fraud is still rising. Card fraud is not easy without the card’s CVV number — which merchants are prohibited from storing online by PCI DSS.

Criminal access to the CVV number has led to the Magecart epidemic, where criminal gangs use web skimmers to steal both the primary card number and the CVV number as they are entered into the retailer’s payment form, before the card number is encrypted and the CVV number discarded. A popular method for Magecart attacks has been for the attackers to compromise the merchants’ software supply chain — a process used, for example, in the 2018 Ticketmaster breach.

The precise arguments for Mastercard’s acquisition of RiskRecon will not become known until all the details of the purchase have been completed. It is likely, however, that a primary motive will be to help the Mastercard franchise protect itself better from Magecart-like attacks. 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
