How to uncover common point of purchase

Sophisticated analysis strengthens defense against card fraud

By Manuel Da Silva, Security Intelligence Practice, SAS

A key part to controlling card fraud is staying ahead of the criminals. For issuing banks, a critical aspect of that is the common point of purchase (CPP) analysis. CPP analysis identifies the likely merchant location where card numbers were stolen from, allowing banks to mitigate future fraud on other compromised cards.

What’s the MO?

To understand CPP, it helps to know a little about how the criminal underground works. Professional thieves use a number of techniques to steal the data on the magnetic strips on the back of cards. This might include putting skimmers on cash machines or point-of-sale devices, or using malware to hack into databases and download huge inventories of data. The latter is what recently happened in the case of retail giant Target.

Once thieves get credit or debit card numbers, they sell them on the black market for as little as $20 to $100 each. Fraudsters use the information to create counterfeit plastic cards, which they use to quickly purchase high-priced items before the card is shut down. They also use debit card numbers and the associated PINs to get cash out of ATMs.

What's your defense?

Identifying the merchant location where a card number was stolen requires a sophisticated CPP solution - one that can churn through a vast set of historical data. A successful analysis requires up to eight months of transaction data. This is a challenging task for most banks, which typically store pertinent fraud information on separate systems. For instance, they might log suspicious activities on one system while conducting fraud investigations on another.

By analyzing transactional data at regular intervals, a CPP system can …

• Trace where cards involved in recent fraud were used.
  
• Identify locations where those cards were likely stolen.
  
• Provide a list of at-risk cards used at those same locations within the same time frame.

The solution should alert you to CPP locations in other institutions, because cards you issued may have been used at those locations as well. It should also integrate with your existing analytical fraud solution to influence real-time scoring.

An ideal CPP solution will allow banks to set their own parameters. For example, you may want to search for a CPP based on the number of fraud instances linked to it. Two instances of fraud on cards previously used at the same location might be a coincidence, whereas 100 or more might overlook a potential CPP.

Once a CPP is identified, a bank can take action to mitigate future fraud. In addition to alerting the merchant, a bank can choose how to handle compromised card numbers. Since it is costly to reissue cards, a bank might choose only to reissue those cards with high credit lines, and flag other compromised cards so they will score higher for potential fraud when used outside a user’s normal purchase behavior.

CPP adds a new dimension to fraud analytics that is somewhat at odds with the conventional cardholder-centric view. Banks that want to stay ahead of CPP and contain costs will want to implement more advanced fraud techniques.