Purchase, NY-based Mastercard announced that it has agreed to acquire Salt Lake City, UT-based RiskRecon, an online security monitoring company that focuses on third-party risk management. Terms of the agreement, which is expected to close in the first quarter of 2020, have not been disclosed.
This is not the first 2019 cybersecurity acquisition by Mastercard. In March, it acquired Ethoca, a firm that helps merchants and issuers to identify and resolve digital fraud such as false chargebacks. RiskRecon, however, has no direct connection with payments, and it is unclear what Mastercard intends to do with the company. It could maintain it as an existing vendor of security products; it could incorporate its services into the security tool kit it provides to its franchisees; or it could do both.
Mastercard’s security posture is a little different to most organizations — it operates with two separate CISOs. Ron Green looks after the Mastercard infrastructure, while Johan Gerber is tasked with looking after the cybersecurity of its franchisees — all the merchants that use Mastercard’s payments services. Breaches in either area would hurt the Mastercard business.
It seems unlikely that RiskRecon is being acquired for the Mastercard infrastructure — it is more usual to buy the product rather than the company. A second common reason to acquire a separate company is to grow it and profit from its product sales while integrating it with one’s own products. Integration isn’t an easy fit between a payments firm and a third-party security monitoring firm.
It seems that the third possibility is most likely: this acquisition is as much for the Mastercard franchise as anything else. Johan Gerber described his role to SecurityWeek earlier in December 2019. This includes sharing information through fusion centers, but more explicitly he said, “We’ve created toolkits for small businesses comprising a bunch of free tools we give them to help them increase their cyber posture.”
It is possible that Mastercard intends to provide RiskRecon services free or at a reduced price to its franchisees while maintaining and growing the company as a commercial service to other firms. There are few clues in Mastercard’s announcement. “The innovations from the talented team at RiskRecon will further accelerate our suite of cyber solutions designed to help financial institutions, merchants and governments secure their digital assets,” commented Ajay Bhalla, president of cyber and intelligence for Mastercard. “Through a powerful combination of AI and data-driven advanced technology, RiskRecon offers an exciting opportunity to complement our existing strategy and technology to secure the cyber space.”
SecurityWeek asked Mastercard about its intentions, but was told, “At this point, since this is the ‘intent to acquire’, we cannot say much more.”
Nevertheless, helping franchisees to secure their supply chain through RiskRecon’s third-party risk management services will be an attractive proposition. Although card fraud as a percentage of sales is declining, the overall amount of fraud is still rising. Card fraud is not easy without the card’s CVV number — which merchants are prohibited from storing online by PCI DSS.
Criminal access to the CVV number has led to the Magecart epidemic, where criminal gangs use web skimmers to steal both the primary card number and the CVV number as they are entered into the retailer’s payment form, before the card number is encrypted and the CVV number discarded. A popular method for Magecart attacks has been for the attackers to compromise the merchants’ software supply chain — a process used, for example, in the 2018 Ticketmaster breach.
The precise arguments for Mastercard’s acquisition of RiskRecon will not become known until all the details of the purchase have been completed. It is likely, however, that a primary motive will be to help the Mastercard franchise protect itself better from Magecart-like attacks.