Criminals prey on ATMs, gas station pumps, merchant Point-of-Sale (POS) terminals and any other device that will provide them with debit card information. Once they have the right information, they duplicate the cards and use them multiple times at the common point of purchase (CPP) to drain customers’ accounts.
Cyber-fraud losses are often huge, with criminals stealing thousands of dollars through the use of hacked and compromised cards. Uncovering compromised cards before they are used fraudulently is important. The most crucial part of controlling payment transaction/card fraud is being prepared and proactive.
Wondering how common point of purchase (CPP) can affect your business? Learn more about CPP from the experts at RSI Security today.
What is the Common Point of Purchase (CPP)?
To get a firm grasp of how Common Point of Purchase (CPP) can help keep your business safe from credit card fraud, it helps to know a little about the history and background of how credit card fraud works.
Credit card fraud dates back to the mid-1990s, when e-commerce was just beginning on the internet. According to The Fraud Practice, with the start of online purchases through credit cards in 1994, the first fraud trend used names of famous people for fraudulent crimes.
In this crime, stolen third-party credit cards bearing the names of randomly selected celebrities are targeted, giving hackers access to use the cards. The purpose may differ: either to buy goods or services, or to make a payment to another fraudulent account controlled by a cyber-criminal.
Professional thieves also use other techniques to steal card data without stealing the card itself. In the past, fraudsters used skimming devices on cash machines or point-of-sale (POS) devices to collect information from cards. More recently, credit card data is extracted from hacked databases using malware that can download large databases. Either way, it is a past transaction by the card owner that allows the card details to be compromised.
On March 2nd, 2020, a fresh batch of 282,000 stolen credit and debit cards was for sale in a popular underground crime market. According to a report by Krebs On Security, three different banks were contacted, and they bought back the cards they had previously issued to bank customers.
What did they do with the cards? All 15 cards purchased by the banks were found to have been recently used at a beauty store. Each bank then tested to determine whether all the cards it bought had been used at the same merchant over the same time period.
This test, known as “common point of purchase” or CPP, is the core means by which financial institutions determine the source or location of a card breach. The test showed that all the cards (15 in total) had been used within the last ten days at the beauty store, which has locations across the United States.
Modern fraud protection systems need to be able to rapidly analyze vast quantities of transaction information to find the Common Point of Purchase Compromise (CPPC) and act accordingly. Rather than relying on low-level approaches to security breaches, the system needs to use technologies on the same level as those used by the fraudsters.
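The CPP test described above, as an added example that is not code from the original article or from any bank's system: it ranks merchants by the share of known-compromised cards seen there within a lookback window, and reports the share of unaffected cards seen at the same merchant so that a merely popular merchant ranks lower. The card tokens, merchant IDs, sample transactions and the `min_share` threshold are constructed assumptions; the analysis date and ten-day window follow the case above.

```python
from collections import defaultdict
from datetime import date, timedelta

AS_OF = date(2020, 3, 2)          # analysis date, taken from the case above
COMPROMISED = {"c1", "c2", "c3"}  # constructed tokens for cards found for sale
# Constructed sample data: (card_token, merchant_id, transaction_date).
TRANSACTIONS = [
    ("c1", "BEAUTY-01", date(2020, 2, 24)), ("c2", "BEAUTY-01", date(2020, 2, 27)),
    ("c3", "BEAUTY-01", date(2020, 3, 1)),
    ("c1", "GROCER-77", date(2020, 2, 25)), ("c2", "GROCER-77", date(2020, 2, 26)),
    ("c3", "GROCER-77", date(2020, 2, 28)),
    ("c1", "GAS-12", date(2020, 1, 15)), ("c2", "GAS-12", date(2020, 1, 16)),
    ("c3", "GAS-12", date(2020, 1, 20)),           # outside a 10-day window
    ("c1", "CAFE-05", date(2020, 2, 29)),          # only one affected card
    ("k1", "GROCER-77", date(2020, 2, 25)), ("k2", "GROCER-77", date(2020, 2, 27)),
    ("k3", "GROCER-77", date(2020, 3, 1)), ("k4", "CAFE-05", date(2020, 2, 28)),
]

def cpp_candidates(transactions, compromised, as_of, window_days=10, min_share=0.8):
    """Return [(merchant, share_of_compromised, share_of_clean)], best candidate first."""
    if not compromised:
        return []
    start = as_of - timedelta(days=window_days)
    hit, clean, all_clean = defaultdict(set), defaultdict(set), set()
    for card, merchant, day in transactions:
        if card not in compromised:
            all_clean.add(card)
        if start <= day <= as_of:
            # Track distinct cards per merchant, split by affected / unaffected.
            (hit if card in compromised else clean)[merchant].add(card)
    results = []
    for merchant, cards in hit.items():
        share = len(cards) / len(compromised)
        baseline = len(clean[merchant]) / len(all_clean) if all_clean else 0.0
        if share >= min_share:
            results.append((merchant, share, baseline))
    # Rank by how much more often affected cards appear than unaffected ones.
    return sorted(results, key=lambda r: (-(r[1] - r[2]), r[0]))

if __name__ == "__main__":
    for merchant, share, baseline in cpp_candidates(TRANSACTIONS, COMPROMISED, AS_OF):
        print(f"{merchant}: {share:.0%} of compromised cards, {baseline:.0%} of clean cards")
```

Widening `window_days` pulls in older merchants such as the constructed `GAS-12`, which is why the lookback window has to match the period in which the cards are believed to have been exposed.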
What Does CPP Mean To Your Business?
In spite of repeated attempts to build more secure systems, better technologies, and analytical models, hackers continue to evolve and adopt new methods to steal valuable data.
Cyber-criminals have transitioned from using simple deception methods to using sophisticated skimming devices, social engineering, and mass database compromises to ply their trade. Over time, systems built to combat fraud on a financial transaction basis have failed to recognize the increasing network of cards that get breached on a daily basis.
However, one sure way to combat these new forms of card fraud is to detect and build the underlying common purchase point (CPP) networks. Once a compromised CPP is discovered, whether at an ATM, a POS terminal or a merchant/processor database, proactive steps should be automatically taken to prevent further fraud losses.
Whether you are a large corporation or a small business, if you accept credit card payments, your organization ought to be responsible for protecting cardholder data through the Payment Card Industry (PCI) Data Security Standards and PCI security standards.
With various security breaches and cybercrimes, adhering to PCI Data Security Standards is critical to keeping your customers’ payment card details safe and secure.
What Does Payment Card Industry Data Security Standard (PCI-DSS) Mean?
The Payment Card Industry Data Security Standard (PCI-DSS) is a data security standard created to ensure organizations and small businesses process card payments securely in order to reduce card fraud. The PCI Standard is administered by the Payment Card Industry Security Standards Council.
PCI Validation and Compliance
Since compliance with these standards is crucial, there is a validation of compliance, which involves evaluating and confirming that the security controls and processes have been properly implemented as recommended by the PCI-DSS.
Validation of compliance is performed annually or quarterly by any of the following entities:
- Qualified Security Assessor (QSA): an individual certified by the PCI Security Standards Council to audit merchants for Payment Card Industry Data Security Standard (PCI DSS) compliance.
- Internal Security Assessor (ISA): an assessor certified by the council as capable of performing PCI self-assessments for organizations.
- Self-Assessment Questionnaire (SAQ): this questionnaire is for companies handling smaller volumes. The PCI DSS self-assessment questionnaires (SAQs) are a validation process to ensure that service providers report the results of their PCI-DSS self-assessment. The merchant is required to complete the questionnaires every year and submit them to their transaction bank.
What Does a CPP Notification Mean?
Upon a credit card breach, business owners may be associated with a Common Point of Purchase (CPP). This does not directly mean that fraudulent purchases were made at your establishment. Rather, it means that your business was the target of a breach, during which credit card details were potentially compromised.
It is important to note that the majority of all CPPs are linked to small businesses. If you don’t know the size of your business in terms of credit card transaction volume, you can fill out this brief form to download our PCI DSS Checklist and also learn more by reading our PCI DSS Services Data Sheet.
You may be asking yourself what you should be doing as a business owner to protect your business from any form of cybercrime, especially credit card fraud. You’ve just got an answer to your question!
RSI Security is dedicated to making sure your cyberspace is safe and secure. We offer a line of cybersecurity products and services that can be used to prevent data infiltration and any other network breaches from happening.
Increase your security within the often risky payment card industry by working with payment experts at RSI Security. With a dedicated team, RSI Security is a Qualified Security Assessor (QSA) and an Approved Scanning Vendor (ASV) with over 10 years of experience as top-of-the-line service providers. Find out more about our amazing PCI-DSS services here.