Inside Mastercard's Push for Continuous Security


Mastercard to Recommend NIST CSF for Continuous Security Between PCI Audits


Cybersecurity for a business model like Mastercard is complex. First, it has the fundamental need to protect its own networks. Second, however, it has a huge global franchise that must also be kept secure to maintain trust in the product.


Security for Mastercard's own infrastructure is led by Chief Information Security Officer (CISO) Ron Green. Security for the franchise ecosphere is handled separately by EVP for security and cyber innovation, Johan Gerber. 


For the franchise, Gerber focuses on four pillars. The first comprises local products -- such as the ability to detect suspicious activity that may be automated criminal activity testing the status of large batches of stolen cards. The second pillar is to help the franchise. "For example," Gerber told SecurityWeek, "we've created toolkits for small businesses comprising a bunch of free tools we give them to help them increase their cyber posture -- and we're doing things to help customers recover their stolen identities." And there is more to come, he added.


The third pillar is around education and collaboration. "We'll partner with other cybersecurity entities and non-profit organizations, governments, and universities -- not just to share information through various fusion centers but also to create education programs. We'll partner with universities to create cybersecurity certifications, programs for our customers, for board members, for senior executives, for engineers, and so forth."


The fourth pillar is standards -- and here Mastercard will be making new announcements in January 2020. This will be in addition to the existing PCI DSS standard. The problem with PCI DSS -- although a thorough and effective requirement -- is it is a s ..