Risky Business Soap Box: Why Mastercard Became a Cybersecurity Vendor
Podcast: Risky Business | Host: Patrick Gray
Guest: Johan Gerber (Executive Vice President of Security Solutions, Mastercard)
Date: October 16, 2025
Total Content Length: ~30 minutes (adverts and non-content excluded)
Episode Overview
In this special "Soapbox" episode, Patrick Gray dives deep into Mastercard’s evolution from a global payments brand to a significant player in the cybersecurity ecosystem. Together with Johan Gerber, Executive Vice President of Security Solutions at Mastercard, they explore the rationale, operational details, and strategic vision behind Mastercard's foray into threat intelligence—including its high-profile acquisition of Recorded Future—and how this fits into a broader trend of financial and cybercrime convergence.
1. Why is Mastercard in Cybersecurity?
[01:54 - 03:35]
Core Thesis:
Mastercard recognizes that fraud prevention can’t be limited to transactions alone. In today’s interconnected economy, preventing fraud and protecting brand integrity requires proactive cyber threat intelligence (CTI) and ecosystem-wide defenses.
- Fraud is often detected too late:
- “When we get to the final transaction, it's almost too late to prevent fraud. So if you really want to be preventative and be proactive, you need to move upstream.” (Johan Gerber, 01:54)
- Identity and device integrity are pivotal challenges:
- Two persistent problems:
- Are you who you say you are? (identity problem)
- Is this device authorized to do what it’s trying to do? (cyber problem)
- Massive ecosystem connections:
- Mastercard operates between 3.5 billion consumers, 150 million merchants, and over 22,000 financial institutions globally.
- Hacking anywhere in the network can affect Mastercard’s reputation and the entire payment ecosystem.
- Brand and ecosystem protection:
- "Every time somebody hacks into a business and steals your data, sells it on the dark web, it becomes a problem eventually for us and our brand and the integrity of our brand." (Johan Gerber, 02:44)
- Proactive cyber capabilities are now essential.
2. Understanding Mastercard’s Data and Threat Detection
[04:24 - 07:49]
- Data visibility mythbusting:
- Mastercard doesn’t see customer names, addresses, or items purchased—just tokenized or raw card numbers, transaction amounts, merchant names, and timestamps.
- PII exposure is minimized; actual rich PII is kept upstream from Mastercard’s core network.
- Attack vectors Mastercard faces:
- Brute force on network: Enumeration of card numbers used to create counterfeit cards.
- Institution compromise: Example given of a 2013 Middle Eastern bank breach, where transaction authorization systems were subverted to enable mass ATM withdrawals.
- "It was 40 million, it was 5 million in the first four minutes… they hit them at scale." (Johan Gerber, 05:59)
- Dark web card sales/test transactions: Criminals test stolen cards; threat intel helps Mastercard block these transactions before consumer impact.
- Attack propagation: Intelligence sharing helps prevent attack replication across geographies.
- Proactive intelligence sharing:
- Mastercard uses threat intel to alert banks and stop attacks elsewhere before they spread.
3. Fusing Fraud, Cybersecurity, and Threat Intelligence
[07:49 - 12:02]
- Convergence of fraud and cyber:
- Historically distinct—now blended due to overlapping threat actors, TTPs, and monetization pipelines.
- “Cybercrime and fraud nowadays is almost impossible to disconnect the two.” (Johan Gerber, 09:51)
- Broader intelligence application:
- Mastercard collaborates with banks and governments, sharing actionable intel across sectors.
- Recorded Future acquisition:
- Not just for financial services; Recorded Future serves 47+ governments and broad enterprise.
- “We still want to expand its footprint because… there’s a tremendous amount about all the attacks that's coming that we can provide to the whole world and the same to government as well.” (Johan Gerber, 10:54)
- RiskRecon (third-party risk):
- Acquired and deployed network-wide to baseline vulnerabilities and share threat landscape findings with banks.
- Enables prioritization and remediation of high-risk vulnerabilities.
4. Operationalizing Threat Intelligence
[12:02 - 13:49]
- Limits of Mastercard’s visibility:
- Doesn’t see originating IPs or merchant site infection details by default.
- But with Recorded Future intel and partnerships (e.g., Shadowserver), Mastercard can now identify compromised merchants and even work on takedowns.
- “In July, we started disabling through law enforcement and relationships with companies like Shadowserver to actually take down some of those underlying infrastructure below them…” (Johan Gerber, 12:57)
- Bundled services spanning both banks and merchants aim for proactive disruption of criminal infrastructure.
5. Is This Truly Cybersecurity, or Just Payments Security?
[13:49 - 16:47]
- Is Mastercard now a cybersecurity vendor?
- Cybersecurity is now part of Mastercard’s Services Division—serving to make its brand safer, stickier, and more valuable for consumers and businesses alike.
- The rationale: Secure environments drive more transactions and economic growth, directly benefiting Mastercard.
- Small business security is a special focus area, with AI-driven, scalable solutions seen as increasingly important.
- “Security in this online system is foundational to that… Trust and integrity in this online ecosystem is fundamental to our future success.” (Johan Gerber, 14:59)
6. Current Landscape of Online Criminal Ecosystems
[16:47 - 21:20]
- Present-day threats:
- Ransomware remains the biggest, most immediate threat, especially for small businesses.
- The distinction between cyber and financial crime is vanishing:
- Fraudsters use cyber techniques (phishing, deepfakes, malware) to steal and monetize.
- Stolen data flows from cybercriminals to fraudsters, creating a marketplace for identities, phishing, and laundering tools.
- Managed service offerings in the underground (from "hacker-in-a-box" to "money laundering-as-a-service").
- "A lot of the data that gets offered on the dark web marketplaces are being pumped into AI models to create deep fakes, to create phishing scams…" (Johan Gerber, 20:34)
- Nation state and geopolitical drivers:
- Cyber “weaponization” by nation states blurs the lines between criminal and strategic attacks.
7. Tackling the Identity Problem
[21:20 - 25:21]
- Identity validation remains unsolved:
- Mastercard’s recent acquisition of Ekata focuses on creating a robust "identity graph" (attributes, addresses, phone numbers, etc.), not performing live capture or biometric checks.
- The approach is risk scoring based on the history and integrity of identity elements and associated devices.
- Mastercard’s focus is on transaction assurance for established identities; setting up identities (e.g., live photo capture) is left to issuers.
- “There's no silver bullet for this stuff, but you put device IDs in and you start binding these things... [to] give those good transactions a really happy path.” (Johan Gerber, 23:54)
- Prioritize making the good customer journey frictionless, while applying intensive scrutiny to “high risk” activity.
8. The Future: AI and the Evolution of Financial Crime
[25:40 - 30:23]
- Outlook on AI as an enabler (for both offense and defense):
- Criminals are already using AI—automated exploitation, red-teaming, custom malware.
- But AI also offers defenders radical automation:
- Automated vulnerability detection, patching, and hunting.
- For example: AI-generated YARA rules for threat hunting at scale.
- “We've got AI that automatically writes your YARA queries for you and then go threat hunting.” (Johan Gerber, 27:40)
- SME cybersecurity is expected to markedly improve—with AI “SOC agents” democratizing access to advanced detection and response.
- The arms race will persist, but AI may help “balance the playing field” between attackers and defenders.
- “Manual labor didn't disappear because we had factory assembly lines... Intellectual labor... won't disappear because we have AI models. We just won't have to do the mind numbingly repetitive annoying stuff like writing YARA rules and then figuring out how to query large data sets with them.” (Patrick Gray, 29:04)
- The greatest challenge will be operationalizing AI-driven defense—especially getting solutions into small businesses at scale, which will require multi-stakeholder collaboration across telcos, hosting providers, etc.
Notable Quotes & Memorable Moments
- “Cybercrime and fraud nowadays is almost impossible to disconnect the two.” — Johan Gerber [09:51]
- “Every time somebody hacks into a business and steals your data, sells it on the dark web, it becomes a problem eventually for us and our brand…” — Johan Gerber [02:44]
- “Manual labor didn't disappear because we had factory assembly lines with robots on them and, you know, intellectual labor... won't disappear because we have AI models. We just won't have to do the mind numbingly repetitive annoying stuff like writing YARA rules…” — Patrick Gray [29:04]
- “We've got AI that automatically writes your YARA queries for you and then go threat hunting.” — Johan Gerber [27:40]
- “Trust and integrity in this online ecosystem is fundamental to our future success in a world where everything is connected.” — Johan Gerber [15:28]
- “Small businesses… forget that everything is automated. Criminals will just deploy these crawlers and they will attack you. But I do think we have tech... It will remain an arms race, but it's not a doomsday scenario as far as I'm concerned.” — Johan Gerber [28:31]
Timestamps for Key Segments
- Why Mastercard Bothered with Cyber [01:54]
- Types of Cyber Attacks Observed [04:24]
- Fraud vs. Cyber convergence discussion [07:49]
- Recorded Future & RiskRecon acquisition value [09:08]
- Limitations and extension of Mastercard’s visibility [12:02]
- Business rationale for cyber offerings [13:49]
- Threat landscape analysis: ransomware, fraud, data marketplaces [16:47]
- Identity validation approaches and limits [21:20]
- AI’s impact on defense and attack—future predictions [25:40]
- AI as intellectual labor automation [29:04]
Conclusion
This episode reveals Mastercard’s strategic shift to becoming a serious cybersecurity player, detailing its efforts in fusing payment fraud detection with broader threat intelligence, its rationale for high-profile acquisitions, and its approach to ecosystem-wide defense. Highlights include frank discussions on data limitations, the blending of cyber and financial crime, and a refreshingly optimistic forecast for AI’s constructive role in cyber defense—especially for underserved small businesses.
