How to uncover common point of purchase
Sophisticated analysis strengthens defense against card fraud
By Ian Holmes, Security Intelligence Practice, SAS
A crucial part of controlling card fraud is being proactive rather than reactive. For issuing banks, a critical aspect of that effort is the common point of purchase (CPP) analysis. CPP analysis identifies the likely merchant location from where card numbers were stolen so that banks can mitigate future fraud on other compromised cards. And since identifying a CPP requires a fraudulent loss, the more automated – and therefore quicker – the identification is, the more fraud can be prevented.
What’s the MO?
To understand CPP, it helps to know a little about how the criminal underground works. Professional thieves use a number of techniques to steal card data. Historically, fraudsters used skimming devices on cash machines or point-of-sale devices to collect information from cards. But more recently, this data is being extracted from compromised or hacked databases using malware, which can download huge inventories of data. The latter method is behind high-profile cases recently in the news. But with either method, it’s the actual customer transaction that allows the card details to be compromised.
Banks that want to stay ahead of CPP and contain the costs of fraud need to implement advanced anti-fraud techniques.
Once thieves get credit or debit card numbers, they sell them on the black market. They’ll often sort the cards into portfolios and test that the cards are active. A compromised platinum or gold card can cost as much as US$100 per card, and often comes with a guarantee. Normal cards bring as little as $20 to $100 each.
Before the introduction of Europay, MasterCard and Visa (or EMV – referred to as chip cards by consumers), fraudsters would use customer information to create counterfeit plastic cards that they’d use to quickly purchase high-price items before the cards were detected and shut down. But now, with the additional security of EMV cards physically presented at the point of sale, the fraudsters have turned to e-commerce – or other transactions where the card is not present – in order to stay one step ahead. And instead of high-price purchases, they’re now focusing on high-volume, low-value payments. These transactions often migrate across merchants so quickly that the banks can’t maintain proactive rules.
What's your defense?
Identifying the merchant location (or payment processor) where a card number was stolen requires a sophisticated CPP solution – one that can churn a small set of fraud transactions through a vast set of historical data to look for networks of shared exposures to find a common point where purchases occurred. This is a challenging task for most banks since there is never just one CPP active at any one time.
By analyzing transactional data at regular intervals, a CPP system can gather valuable insights, such as:
- Tracing where cards involved in recent fraud were actually used.
- Identifying locations where those cards were likely stolen.
- Providing a list of at-risk cards used at those same locations within the same time frame.
An ideal situation is where your CPP process can stretch across banks and financial institutions to offer early or stronger confidence in your card usage networks; banks may identify fraudulent use at some locations before the issuer does. Though the process should include automation, a manual or human aspect can ensure confidence in the source of the compromise. Ultimately your CPP process should have some automated routine and integrate with your existing analytical fraud solution to influence real-time scoring.
Your bank should set its own parameters. For example, you may want to search for a CPP based on the number of fraud instances linked to it. Two instances of fraud on cards previously used at the same location might be a coincidence, whereas 100 or more might signal a potential CPP.
Once your bank identifies a CPP, it can take action to mitigate future fraud. In addition to alerting the merchant, your bank can choose how to handle compromised card numbers. Since it’s costly to reissue cards, you could choose only to reissue those cards with high credit lines. Or you could flag compromised cards so they’ll have higher risk indicators when used in certain situations.
CPP adds a new dimension to fraud analytics that is somewhat at odds with the conventional cardholder-centric view. Banks that want to stay ahead of CPP and contain costs will want to implement these more advanced anti-fraud techniques.