Mastercard Launches “Threat Intelligence”: Its First Threat Intelligence Platform to Combat Payment Fraud at Scale

Mastercard has announced Mastercard Threat Intelligence, its first threat intelligence solution specifically designed to prevent payment fraud. The announcement, made during Money20/20, arrives less than a year after the company completed the acquisition of Recorded Future, a global leader in AI-powered threat intelligence. The offering combines Mastercard’s global payment network visibility with cyber intelligence curated by Recorded Future, and is available to issuers and acquirers worldwide.

The company frames the launch as a paradigm shift: moving from reaction after an incident to proactive mitigation, sharing risk signals among banks, merchants, and security providers. According to preliminary Mastercard market data, the use of threat intelligence has already enabled ecosystem partners to identify and shut down malicious domains linked to card data theft. In a six-month pilot, these domains affected nearly 9,500 online merchants and were associated with around $120 million in fraud.

“Cybersecurity will increasingly rely on cross-sector intelligence,” summarizes Tracy (Kitten) Goldberg, Cybersecurity Director at Javelin Strategy & Research. “Sharing these indicators meaningfully among dispersed teams and industries allows us to detect trends early and shift from reactive to preventive.”

What exactly is Mastercard Threat Intelligence?

Mastercard Threat Intelligence is a threat intelligence platform designed to provide actionable signals to those who issue and acquire payments (issuers and acquirers). Its unique value lies in two interconnected sources:

  1. Transactional data and fraud analytics from Mastercard — including patterns of card compromise, geography, timing, attack vectors, and network signals.
  2. Cyber threat intel from Recorded Future, which aggregates and analyzes information from the open web, dark web, and technical sources (IOC, TTP, malware, domains and skimming kits, leaked credentials, phishing campaigns, “brand abuse,” etc.), utilizing AI models and the work of its Insikt Group.

The fusion of these two worlds — payments and cyber threats — makes it possible to connect what occurs at a terminal or website with underlying activities in criminal forums, skimming infrastructure, or next-generation trojans. Most importantly, it allows timely distribution of signals to those who can act: the issuing bank that replaces cards before fraudulent use, the acquirer that blocks compromised merchants or assists in closing leaks, or the merchant itself that fixes its website and strengthens controls.

What issues does it address (and why now)?

Payment fraud and cybercrime are converging: gangs inject skimmers into online stores, phishing campaigns test stolen card data, clandestine marketplaces sell card data, and malware pivots from credential theft to API-based attacks. Without shared intelligence, each actor fights their part of the problem blindly.

Mastercard Threat Intelligence aims to correct this asymmetry through three vectors:

  • Detection and takedown: identify malicious domains, skimming panels, mules, and fraud infrastructure; coordinate takedowns and push dwell time toward zero.
  • Proactive prevention: alert on potentially compromised cards and automate their replacement; feed decision engines to raise authentication thresholds when a transaction is suspected of being part of a campaign in progress.
  • Operational enrichment: inject IOC/IOA and context into SIEM, SOAR, case management, and anti-fraud platforms (rules, models, watch lists) so fraud and security teams work with the same picture.

Initial results and use cases

In its six-month market testing, Mastercard highlights two tangible impacts:

  • Domain takedowns: intelligence shared with ecosystem partners to shut down compromised or malicious websites that stole card data from 9,500 e-commerce sites.
  • Loss mitigation: those domains were linked to approximately $120 million in fraud. While attribution is not linear — removing a domain does not erase fraud already committed — cutting exfiltration routes reduces the future flow of cards to sale and prevents subsequent waves.

Typical use cases for banks and acquirers:

  • Issuers (banks): prioritize proactive card replacement after detecting patterns and signals in forums or paste sites; recalibrate strong authentication (SCA) and limits on attack-prone segments.
  • Acquirers (payment gateways/merchants): notify and assist compromised merchants; block payout routes to mules associated with fraud; temporarily suspend high-risk MIDs (merchant IDs) until remediation.
  • Merchants: harden CSRF defenses, rotate credentials, patch vulnerable modules, and monitor script integrity (subresource integrity, “script management”) based on intelligence received.

A launch against the Money20/20 backdrop

Mastercard is showcasing the solution at stand #13061 at the Venetian Convention & Expo Center during Money20/20 (Las Vegas). Besides interactive Threat Intelligence demos, the company displays identity solutions, dispute management, and Mastercard Agent Pay — its platform for conversational payment operations. Together, they form a narrative of “cyber + fraud + identity” under one umbrella.

The missing piece after Recorded Future

The Recorded Future acquisition — announced in September 2024 and closed in December 2024 for $2.65 billion — anticipated such a move. Integrating general threat intelligence with payment-specific data allows Mastercard to see, at an earlier stage, the attacks that result in financial fraud. With Threat Intelligence, Mastercard packages this convergence into a product for issuers and acquirers, leveraging its global network reach.

Meanwhile, the company has been advocating that its “cyber fusion” approach — integrating identity, fraud, intelligence, and disputes — shortens the window between detection and action. When combined with automation (SOAR) and mature NOC/SOC processes, the shift from reactive to proactive becomes measurable: shorter detection times, faster remediations, lower chargeback ratios, and an improved customer experience (preventive replacements with minimal impact).

Availability, integration, and compliance

Availability: Mastercard Threat Intelligence is available globally for issuers and acquirers.
Integration: the service can power existing anti-fraud and cybersecurity platforms (SIEM, SOAR, decision engines, case management), along with dashboards offering trends and operational alerts.
Compliance: Mastercard emphasizes that data sharing occurs under agreements and controls that respect regional privacy and regulatory compliance (e.g., GDPR in the EU), limiting personal data and prioritizing technical indicators and context useful for risk mitigation.

What can change in the fight against fraud?

  • Silo breaking: fraud, risk, and cybersecurity teams can operate with common sources, aligning priorities (e.g., an IOC increasing the likelihood of card compromise in a particular country/segment).
  • From “hygiene” to “hunting”: Threat Intelligence pushes many entities toward active hunting (threat hunting) rather than relying on static averages and rules.
  • Less “over-alerting”: by cross-referencing payment signals with external intelligence, the goal is more relevant alerts and less noise — alarms demanding real action, not false positives (“friendly fire”).
  • Improved customer experience: replacing cards before fraudulent use and reinforcing authentication only when justified reduces friction and costs.

Precautions and expectations

As with any launch, uncertainties remain: evolving attacker tactics, the quality of external sources, each entity’s capability to integrate intel feeds into playbooks and automations, and internal process maturity (SOC, DFIR, fraud). Mastercard notes that these are forward-looking statements and results may vary by market and adoption.


Frequently Asked Questions

What is Mastercard Threat Intelligence and who is it for?
It is a threat intelligence platform that combines payment fraud signals with global threat intel (malicious domains, IOC, TTP, dark web activity) for issuers (banks) and acquirers (payment gateways, processors, acquiring banks). Its goal is to prevent payment fraud at scale with actionable alerts and coordinated takedowns.

How does it differ from a “blacklist” or traditional IOC feed?
Beyond IOC, it incorporates transaction context within the payment ecosystem: fraud trends, correlations by geography/segment, and specific fraud cycle signals. This enables prioritizing alerts that truly impact losses and chargebacks.

How does it integrate with my anti-fraud and security systems?
It can feed your SIEM/SOAR, decision engines, and anti-fraud platforms via feeds and APIs, plus dashboards for analysts. Practical tip: define KPIs before integration (e.g., preventive card replacements, takedown rates per campaign, false positive reduction).

Is it available in Spain and the EU? How about GDPR?
Yes, it is globally available for issuers and acquirers. Mastercard states the service operates under agreements and controls respecting regional privacy and regulatory compliance (e.g., GDPR in the EU), prioritizing technical indicators and maximizing privacy.

Source: Mastercard