Mastercard’s Gerber: Cybersecurity Needs Its Own Paris Accord

Recent research shows that a data breach costs financial institutions (FIs) $210 on average per compromised account, and it costs merchants $119. But on both counts, the costs of lost customers and damaged reputations cannot be quantified – and the importance of securing consumer interaction points cannot be overstated.

That’s why companies on all sides of the transaction are going back to the basics of security. It’s easy to design an entirely digital product and to leave the security as an afterthought to be tacked on at the end. It’s even somewhat common practice, Johan Gerber, EVP of security and cyber innovation at Mastercard, told Karen Webster in a recent discussion. It’s also one that, in Mastercard’s opinion, is not compatible with a digitizing world where security has to be baked into every design from the word go.

How to fix it? Priority one, Gerber explained, has to be making cybersecurity resources and tools simpler and more accessible to everyone logging into the connected economy – particularly small businesses. Without that security, he said, it will be almost impossible to build the trust that the connected economy will need to scale and flourish.

Securing the digitizing economy, he said, really can’t be up to any single individual player. Technologies like tokenization and EMV implementation, which are used to secure the connected digital frontier, will be the work of shareholders and regulators coming together to build it out.

“We have to make sure that every interaction and every connection is secure across all systems, which means all the parties have to play in the value chain,” Gerber said. “You have to be able to trust everybody in that chain. That’s the only way it will ultimately scale.”

And cooperation between stakeholders, some of whom may be direct competitors, is a tall order. There can still be too much of a “competitive attitude” in tech culture, he noted, especially around security technology. There might be places where players will be pushed to give up their IP claim on some security technology “for the greater good of the whole industry around the globe to make it accessible.”

That’s a tough ask, noted Gerber, particularly because firms very much want to differentiate themselves, and security is an excellent place to do that. But when it comes to safety and security, building it into the system is fundamental. That’s why Mastercard is hosting its virtual Cyber & Risk Summit in mid-May, aiming to continue to bring those stakeholders to the table to discuss and debate the long-term future the company is trying to build for the digital economy.

According to Gerber, the goal is to create a “Paris Accord” in terms of how the future digital ecosystem will be secured, where all stakeholders are accountable and committed to making it happen.

“I think a lot of it comes from how we get people around the table to start having these conversations, talking about education, and designing a roadmap for how we want to get there over time,” Gerber explained. “And it involves practical conversations and training.”

Prioritizing Security

One of those practical conversations centers on prioritizing security and some of the new technologies that have developed to strengthen defenses against fraud.

“For us, the goal is figuring out how to make sure security is a forethought, not an afterthought,” Gerber said. “How is it part of the design of the product versus ‘oh, we have a problem. How do we bolt on a solution?’ There has to be a thought and design process that allows you to deliberately pursue security from the start.”

The challenges are large and looming, Gerber noted, but the right tools and technology can build a secure, smooth and seamless digital journey that aligns with consumers’ increased expectations for their connected experiences. And he believes that artificial intelligence (AI) technology will be a tremendous resource.

“AI allows us to do a lot of these things today – to connect the dots between these various systems in a privacy-friendly way – in a way that can span geographies and different institutions, and still be able to create a beautiful consumer experience and keep it safe,” Gerber said.

Cooperation on Tech Issues

One of the tech-centered issues Gerber wants to prioritize is the Internet of Things. For example, he wants to explore creating a consistent mechanism of security for IoT devices. Such an effort does have a precedent. When digital wallets were developed, the industry created and supported tokenization as the security standard, and the consumer has benefited from reduced digital payment fraud. EMV is another example: The cooperation involved in EMV resulted in reduced fraud, a better consumer experience and faster authorizations, he said.

The fight against fraud is also complicated by the number of intermediaries involved in a typical digital transaction. Gerber said the number of third parties in a typical engagement is “staggering.” In fact, Mastercard recently invested in a company called RiskRecon that provides cybersecurity ratings and insights that enable companies to understand and act on third-party risk management. RiskRecon recently announced that it currently monitors 4.1 million companies within its system.

“With that information, I can then say to a potential third-party partner, ‘before I pull you into this engagement, I need you to improve your cybersecurity environment.’ So we’re looking at this baseline of the third-party environment and using that to push the standard higher and higher. That’s just one way to create some transparency and make sure people connect to one another to understand what vulnerabilities are coming into play. And then we can collectively raise the bar on security.”