CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?


Risk Management

Mastercard to Buy Supply Chain Monitoring Firm RiskRecon

Purchase, NY-based Mastercard announced that it has agreed to acquire Salt Lake City, UT-based RiskRecon, an online security monitoring company that focuses on third-party risk management. Terms of the agreement, which is expected to close in the first quarter of 2020, have not been disclosed.

Purchase, NY-based Mastercard announced that it has agreed to acquire Salt Lake City, UT-based RiskRecon, an online security monitoring company that focuses on third-party risk management. Terms of the agreement, which is expected to close in the first quarter of 2020, have not been disclosed.

This is not the first 2019 cybersecurity acquisition by Mastercard. In March, it acquired Ethoca, a firm that helps merchants and issuers to identify and resolve digital frauds such as false chargebacks. RiskRecon, however, has no direct connection with payments, and it is unclear what Mastercard intends to do with the company. It could maintain it as an existing vendor of security product; it could incorporate its services into the security tool kit it provides to its franchisees; or it could do both.

Mastercard’s security posture is a little different to most organizations — it operates with two separate CISOs. Ron Green looks after the Mastercard infrastructure, while Johan Gerber is tasked with looking after the cybersecurity of its franchisees — all the merchants that use Mastercard’s payments services. Breaches in either area would hurt the Mastercard business.

It seems unlikely that RiskRecon is being acquired for the Mastercard infrastructure — it is more usual to buy the product rather than the company. A second common reason to acquire a separate company to grow it, and profit from its product sales while integrating it with one’s own products. Integration isn’t any easy fit between a payments firm and a third-party security monitoring firm.

It seems that the third possibility is most likely: this acquisition is as much for the Mastercard franchise as anything else. Johan Gerber described his role to SecurityWeek earlier in December 2019. This includes sharing information through fusion centers, but more explicitly he said, “We’ve created toolkits for small businesses comprising a bunch of free tools we give them to help them increase their cyber posture.”

It is possible that Mastercard intends to provide RiskRecon services free or at a reduced price to its franchisees while maintaining and growing the company as a commercial service to other firms. There are few clues in Mastercard’s announcement. “The innovations from the talented team at RiskRecon will further accelerate our suite of cyber solutions designed to help financial institutions, merchants and governments secure their digital assets,” commented Ajay Bhalla, president of cyber and intelligence for Mastercard. “Through a powerful combination of AI and data-driven advanced technology, RiskRecon offers an exciting opportunity to complement our existing strategy and technology to secure the cyber space.”

SecurityWeek asked Mastercard about its intentions, but were told, “At this point, since this is the ‘intent to acquire’, we cannot say much more.”

Nevertheless, helping franchisees to secure their supply chain through RiskRecon’s third-party risk management services will be an attractive proposition. Although card fraud as a percentage of sales is declining, the overall amount of fraud is still rising. Card fraud is not easy without the card’s CVV number — which merchants are prohibited from storing online by PCI DSS.

Advertisement. Scroll to continue reading.

Criminal access to the CVV number has led to the Magecart epidemic, where criminal gangs use web skimmers to steal both the primary card number and the CVV number as they are entered into the retailer’s payment form, before the card number is encrypted and the CVV number discarded. A popular method for Magecart attacks has been for the attackers to compromise the merchants’ software supply chain — a process used, for example, in the 2018 Ticketmaster breach.

The precise arguments for Mastercard’s acquisition of RiskRecon will not become known until all the details of the purchase have been completed. It is likely, however, that a primary motive will be to help the Mastercard franchise protect itself better from Magecart-like attacks. 

Related: Magecart Skimming Attack Hits Hundreds of Campus e-Commerce Sites 

Related: Magecart Attack on eCommerce Platform Hits Thousands of Online Shops 

Related: Magecart Hackers Target Mobile Users of Hotel Websites 

Related: Picreel and Alpaca Forms Compromised by Magecart Attacks

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.