Mastercard applies a cyber security 'report card'

• Key insights: Mastercard and Cloudflare are collaborating on a cyber security "report card" for small businesses and other users. 
• What's at stake: The card brand is looking to fuel its non-payment product diversification. 
• Forward look: The two firms will do-develop a series of security products in the future. 
  

Digital security frequently ranks near the top of corporate worries, making it a natural fit for the card networks' quests to find sources of business beyond card swipes.

Mastercard on Tuesday entered a partnership with technology firm Cloudflare to build tools for small businesses and government organizations to manage cyber threats. The card network is attempting to raise its profile as a risk management provider; this is the latest in a series of product rollouts that focus on the card network's role as a consultant and technology company. 

"With small businesses accounting for about half of the world's GDP, closing the resilience gap is critical to securing the foundation of our global economy," said Johan Gerber, global head of Security Solutions at Mastercard, in a release. 

Security grades

Cloudflare's security technology portfolio is being added to the card network's Recorded Future and RiskRecon, products that assess third party and supply chain risks. Cloudflare and Mastercard have launched a monitoring function that enables users to spot internet-facing domains or software attacks that are running through Mastercard's Recorded Future.This will produce a regularly updating view of risk posture, with an A through F security rating based on checks for security controls, software vulnerabilities, exposed infrastructure and risk from external parties. These grades will appear in Cloudflare's security dashboard with context on criticality and severity. Another function enables security controls, such as a firewall, encryption and automated defenses.  

"For small businesses, critical infrastructure and governments, a cyberattack is more than a technical hurdle. It is an existential threat. Often considered 'target rich but resource poor,' these organizations are strategic targets and are often attacked at a greater rate than global enterprise or Fortune 500 organizations," said Stephanie Cohen, chief strategy officer at Cloudflare, in a release. 

Mastercard did not provide comment for this article by deadline. 

In an earlier interview, Eimear Creaven, president of global partnerships at Mastercard, told American Banker "In a world of evolving payment models, rapid tech advances, regulatory shifts and changing consumer expectations, collaboration with fintech, big tech and traditional financial institutions lets us connect cards, accounts, wallets and real-time rails."

Rival Visa has made a similar move to bolster its security services. Visa in late 2024 acquired Featurespace, which Visa used to build a risk hub, leveraging Featurespace to identify risky transactions and build profiles for valid customer activity. For both Visa and Mastercard, the challenge is to tighten security without slowing payment processing or discouraging the adoption of new digital payment options. 

"Improving critical infrastructure cybersecurity and reducing cyber risk is an ongoing, challenging mission," said Dan Cimpean, Director of the Romanian National Cyber Security Directorate and one of the early adopters of Mastercard and Cloudflare's security collaboration, said in a release. "As society and global economies increasingly rely on digital networks, we must combine our efforts across the public and private sectors, across nations and international organizations, to build resilience and prevent cyber incidents. The protection of critical infrastructure is and must be a joint effort."

There are signs of demand for small business fraud prevention. Sixty-five65 percent of financial institutions reported an increase in fraud incidents in 2024, according to Experian's most recent data, adding 46% of small business loan applications showed signs of first-party, or friendly, fraud; 31% of small businesses were targeted by fraudulent lenders or scams during the lending process, AI-driven scams are projected to result in $40 billion in losses by 2027, and

80% of fraud events now occur on digital channels such as online or mobile banking.

Banks, which make up a large portion of Visa and Mastercard's clients, are also concerned about the rising risk of digital fraud. Cloud security, AI security, data and network protections are among the top security risk investment areas for banks, according to American Banker research. 

Services

Mastercard and Visa both face pressure from regulators, legal battles with merchants over fees and the growth of payment fintechs, creating headwinds for the revenue the card networks get directly from payments. Value-added services are a big part of mitigating that threat, creating a strategy for the card networks that has expanded in recent years.

"Mastercard's value to the ecosystem—for open schemes and feared-competitor closed schemes—has never been greater," analysts at William Blair said in a research note issued Tuesday. "We see the company positioned to monetize agentic commerce when (or if) it scales, and the company's leading value-added services offerings, especially around fraud and cyber, will support long-term economic share gains."

At Mastercard, revenue from value-added services increased 23% in the fourth quarter of 2025. This covers revenue from technology sales, data and consulting covering fraud prevention, cybersecurity, credit management, marketing, open banking, real-time payments and data management. Mastercard's network includes more than 220 countries, 150 million merchant locations and 3.5 billion cards. 

"We believe innovation is at least maintaining low-double-digit organic revenue growth as the secular electronic payments shift becomes more complex," William Blair analysts said.