Do you own a business? If you do, it is probably associated with a CPP (Common Point of Purchase). This doesn’t mean that fraudulent purchases were made at your business, only that it was the target of a security breach. This could mean that your customers’ credit card information was compromised.
CPPs often occur at small businesses that do not have a CPP system and this can be devastating to the company’s bottom line. Customers can lose faith in the company’s ability to protect their personal data resulting in lost business and revenue. Early detection of CPPs is vital for businesses, regardless of their size. It will give buyers confidence in your ability to protect their information from data fraud.
In this guide, you will learn what a common point of purchase is and how it can affect your business. You’ll also find the information you need to detect a potential breach before it occurs.
What is CPP?
A Common Point of Purchase (CPP) is the location where credit card information was breached or stolen. The issuing banks of the affected credit cards will perform an audit to determine the CPP. The goal is for the credit card issuer to find the location and respond quickly to prevent additional fraud.
Being associated with a CPP can damage the trust customers have with the business. It is also detrimental to the payment brands that have to send out CPP notifications to all affected parties. There is also the possibility that the credit card issuer will be responsible for paying the fraudulent charges.
Assess your PCI compliance
This is one of the reasons why banks and other financial institutions rely on the automated cybersecurity systems they have in place and update them regularly. These systems can respond quickly to a CPP, and once installed are less expensive than hiring an IT team to constantly monitor for any breaches.
How to Have Early CPP Detection
Third-party credit card fraud has cost financial institutions billions of dollars worldwide. Hackers are becoming more skilled at breaching networks that were thought to be secure. Businesses and credit card issuers can’t solely depend on their current security protocols. This even applies to businesses that are certified to deal with consumers’ personal information.
One effective way businesses can prevent breaches is to have early detection of a common point of purchase by using a three-part security system.
- Use an approach that covers all networks.
Businesses want to build a system that covers all networks. This includes any of the following that applies,
- POSs (Point of Sale)
- Merchant’s database
- Service provider database
Any of these networks can be compromised by skilled hackers. Having a security system that simultaneously monitors all of them will make it easier for a business to detect and respond to a CPP. The system needs to be able to quickly analyze incoming data and detect any potential CPPs.
- Identify the “test” point.
Most credit card thieves perform a “test” run before making a significant purchase. The thief will make one or more small purchases to test the validity of the credit data. However, it’s not always easy to identify a card test, even when it’s done multiple times.
Having a networked approach and combining it with a system that scans for anomalous charges will help identify fraudulent charges at the testing point. Identifying the testing point will shorten the time it takes to detect potential credit card fraud.
- Analyze and list at-risk cards and locations
Identifying common CPP will help businesses stop future credit card fraud. However, their networked system also needs to be able to provide lists of cards that are at-risk. This is usually determined by identifying the location the breach occurred and looking at which credit cards were affected.
Bryan Sartin, part of Verizon Enterprise Solutions stated in a Wall Street Journal interview about the effectiveness of analyzing and listing credit cards and locations,
“When there is a common point of purchase, more than 9 times out of 10 not only do we later find evidence of a security breach, but we can conclusively tie the breach we found to the fraud pattern that’s been reported,”
Implementing a three-part security system will help banks and retailers catch credit card fraud before it turns into a major security breach, but there can also be problems with false positives.
The Downside of Early CPP Detection
In 2013 retail giant Target experienced a major security breach that affected an estimated 41 million customer payment accounts. The same breach also targeted the personal information of 60 million of the retailer’s customers. Ordered to pay 18.5 million to affected consumers, this breach – and others – changed how financial institutions and retailers protect credit cardholders’ information.
However, there is a downside to proactive security measures. It’s not uncommon for there to be false positives during network system analysis. Bryan Sartin goes on to explain – in his Wall Street Journal interview – how false positives can be costly to many retailers.
“CPP is linear enough that it just says look, there’s a problem in these shoppers’ accounts,” Sartin said. “So you have many banks looking at these patterns, and reporting that upstream, and the more noise these banks make about it, the more likely there will be an investigation that could be erroneous. That’s why there is often a period of probably 60 to 90 days after a major data breach that until such time as the investigating entity gets there and [identifies] the at-risk batch of accounts — there’s really no ability for them to identify what’s a false flag and what’s not.”
These false positives often have retailers scrambling to hire outside investigators like RSI Security to search for any signs that a breach occurred. While having an outside security firm check for security breaches and any weak spots in the system, it can be expensive and time-consuming. This is especially true if the suspected breach was the result of a false positive.
Even though false positives can occur, identifying CPPs and preventing further fraud outweighs the potential hassles a networked security system might cause.
This includes the hassle of notifying consumers of potential credit card fraud.
What is a CPP Notification
When a business is associated with a CPP the credit card/payment brands or acquirers are responsible for notifying merchants of the security breach. The credit card brands include Visa, MasterCard, American Express, and Discover. The acquisitions include banks and retailers that issue their own credit cards.
Once a business receives a CPP notice they have ten days to implement adequate measures designed to stop the breach. There are two methods retailers commonly use,
- Cancel the cards that were affected and issue new ones to customers.
- Initiate high-risk indicators on the cards to make it easier to spot any additional fraudulent charges.
Canceling and reissuing new cards is the most effective way to stop additional fraud, it is also the most expensive. Often, high-risk indicators are placed on the cards since it is less expensive for payment brands and acquirers. If fraud continues, then a new card will be issued. Once the security breach is contained and the retailer is in compliance, the acquirer and payment brand will be notified.
Understanding PCI Compliance
All businesses, regardless of their size, want to prevent the need for CPP notification but not all know what their merchant PCI compliance level is. Payment card industry data security standards (PCI DSS) is a set of regulations that are in place to prevent credit card customers’ information from being stolen or compromised. All retailers that accept credit cards need to meet these standards.
The standards are promoted and overseen by the PCI Security Standards Council that is composed of representatives from the major credit card issuing agencies. There are four merchant levels and this can be confusing for retailers. Adding to the confusion is that the various credit card agencies have different standards for each level.
To help simplify PCI compliance, merchants can use their volume of credit card transactions – by brand – to determine their level. If the retailer is part of a franchise there might be additional requirements for compliance.
The number of transactions used to determine merchant levels depends on the credit card issuer. For example, level 1 as defined by American Express has at least 2.5 million AMEX transactions per year, while Visa requires 6 million for its Level 1 rating. The best advice for retailers that are trying to determine their merchant level rating is to communicate directly with the card issuers.
Even though the number of transactions does vary depending on the type of credit card, some level requirements are the same across the board.
PCI Merchant Level Requirements and Penalties
All compliance levels, regardless of the card issuer, must pass an annual attestation of compliance (AOC). This is submitted to the payment brand or acquirer, along with a report on compliance (ROC) and a self-assessment questionnaire (SAQ). Along with annual compliance reports, some levels and card issuers also require a quarterly network scan. Merchants can find a complete list of requirements, and the necessary forms, on the official PCI DSS site.
There are penalties for failing to meet PCI merchant level requirements that go beyond the hassle of having to send out CPP notifications. These penalties can range from fines to federal audits. If a merchant is found to be non-compliant the following fines and penalties can be applied to them.
Retailers that are non-compliant can be fined up to $100,000 every month that they aren’t meeting PCI merchant level standards. The amount of the fine will be based on the number of customers and credit card transactions. Merchants can also be held responsible for any losses the bank or issuer suffered due to an inadequate security system.
Even retailers that are in compliance can still be the target of a security breach. The consequences for this can be mild or severe, depending on how quickly the affected retailer responded to the data breach. In most cases, it is a fine that can range from $50 to $90 per affected cardholder, but this is usually only leveled against merchants that did not respond to the security breach within the allotted 10-day timeframe.
A federal audit normally only happens when the CPP occurs at a large business that is also non-compliant with their PCI merchant level. Not only is this disruptive to the business and can cause a loss in profits, but it can also result in additional penalties from the Federal Trade Commission (FTC).
Other penalties for non-compliance often include a loss in revenue due to a lack of trust from consumers. Civil lawsuits can also be brought against the merchant by customers that were affected by the security breach.
There are several reasons why it is important for retailers to have early detection of a common point of purchase. These security protocols not only protect customers’ personal information from hackers, but it is also beneficial to the business.
Implementing a networked security system and meeting merchant level compliance can be confusing, but the certified team of experts at RSI Security is here to help.
Download Our PCI DSS Checklist
Assess where your organization currently stands with being PCI DSS compliant by completing this checklist. Upon filling out this brief form you will receive the checklist via email.