> If he’d abused his access, he probably could have obtained website encryption certificates (SSL/TLS certs) that were authorized to accept and relay web traffic for affected websites.

> “We have looked into the matter and there was not a risk to our systems,” a MasterCard spokesperson wrote.

One of them has to be incorrect, and both have an incentive to lie/embellish.

One of them has an incentive sized in the billions of dollars to lie/embellish. The other thinks about worst-case scenarios from sophisticated attackers all day long. Worst-case attacks from sophisticated attackers are an embellishment when you're talking about a CS:GO server, but not when you're talking about one of the largest payment processors in the world.
Anybody who has any understanding of how certs are issued knows that he's right and MasterCard is full of shit. So would anybody who put in 10 minutes of research.

Glad to clear that up for you.

> One of them has to be incorrect, and both have an incentive to lie/embellish.

If it has no impact, they should give him permission to publish the entire list of DNS queries he captured. They won't do that because it gives bad actors hints about their infrastructure.

MasterCard is either lying or ignorant and incompetent.

I think it heavily depends on what az.mastercard.com actually is or does.

Receiving email directed to x@mastercard.com doesn't sound right, since this is only a subdomain of unknown (to me) use. TLS? Probably, but again, the risk depends on what it is, and wouldn't affect users visiting 'mastercard.com.'

re: SSL/TLS certs

My first thought is using one of the ACME-based certificate providers, since DNS control of a domain is sufficient (either a TXT record or directing requests to an HTTP server you control).
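
What the two ACME challenges actually check, as an added example (this is not code from the post or from any ACME client or CA; it implements the RFC 7638 thumbprint and the RFC 8555 key-authorization, HTTP-01 and DNS-01 computations with the standard library). The account key, the token and the domain are constructed for the example, and the `zone` dict stands in for whatever server answers authoritatively for the name:

```python
import base64
import hashlib
import json

# Constructed sample ACME account key in JWK form (public part only; the
# point values are illustrative).  The CA identifies the account by this
# key, and its RFC 7638 thumbprint binds every challenge to the account.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
    "alg": "ES256",                             # optional members: ignored by the thumbprint
    "kid": "https://ca.example/acme/acct/1",    # constructed account URL
}

# RFC 7638 section 3.2: exactly these members, per key type, form the thumbprint input.
_THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
}


def b64url(data: bytes) -> str:
    """Base64url with padding stripped, as ACME (RFC 8555 section 5) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members, keys sorted, no whitespace."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: <CA-issued token> '.' <thumbprint of the account key>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict) -> tuple[str, str]:
    """HTTP-01 (section 8.3): the CA fetches this path on port 80 of the name's
    A/AAAA address and expects the key authorization as the body."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_record(domain: str, token: str, jwk: dict) -> tuple[str, str]:
    """DNS-01 (section 8.4): the TXT name and value the CA resolves."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def ca_validates_dns01(zone: dict, domain: str, token: str, jwk: dict) -> bool:
    """Simulated CA side.  `zone` maps owner names to lists of TXT strings and
    stands in for whoever answers authoritatively for the domain.  Nothing
    else is consulted: whoever controls the answer controls issuance, which is
    why a hijacked or dangling nameserver delegation is enough to get a cert."""
    name, expected = dns01_record(domain, token, jwk)
    return expected in zone.get(name, [])


if __name__ == "__main__":
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed; real ones are CA-issued
    domain = "az.example.com"                               # constructed stand-in name
    name, value = dns01_record(domain, token, SAMPLE_JWK)
    attacker_zone = {name: [value]}      # published from the zone the attacker answers for
    print(name, "TXT", value)
    print("issues:", ca_validates_dns01(attacker_zone, domain, token, SAMPLE_JWK))
```

Note that the only pre-issuance control the legitimate owner has is a CAA record, and CAA is itself served from DNS; a party that answers for the subdomain's zone can publish its own CAA record, which takes precedence over the parent's. Certificate Transparency logs are where such an issuance would become visible after the fact.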

“Not a risk to our system”

I have no doubt that's heavily lawyered and is justifiable. What is their "system"... Define it the way you want and the statement is true.

Knowing what inflated security researcher egos usually are I wouldn't hold my breath to find out the truth here.