Understanding Common Point of Purchase Investigations

1
Understanding Common Point of Purchase
Investigations
Global Payments ISO Academy October 2007
2
Defining Common Point of Purchase

• Visa defines a Common Point of Purchase (CPP) as
  determined when members identify a subset of
  accounts with legitimate cardholder usage,
  containing a single common merchant identifier
  prior to fraudulent activity and not associated
  with a previously reported data compromise event.

3
Defining Common Point of Purchase

• MasterCards CPP program identifies merchant
  locations at which MasterCard account data may
  have been compromised and used to effect
  fraudulent transactions at other points of
  interaction.
• Issuers may request that MasterCard initiate an
  investigation of a merchant for possible CPP
  activity at any time.
• Acquirers have five business days to acknowledge
  a request from MasterCard for a CPP
  investigation.
• Acquirers have 15 calendar days to complete the
  investigation for MasterCard.

4
MasterCard CPP Criteria

• To place an investigation request, the issuer
  must identify and list at least three genuine
  transactions (at least one of which must be a
  MasterCard transaction) involving three different
  account numbers that were each used at a specific
  merchant and used for fraudulent activity
  thereafter.
• The three or more transactions all must have
  occurred within a 90-calendar day period, and the
  oldest transaction must have occurred within a
  180 calendar day period of the CPP investigation
  request.

5
Common Point of Purchase- Example -

• Cardholders A, B, C, and D experience fraudulent
  transactions on their accounts after all having
  made a legitimate purchase at ABC Merchant.
• 2 or more issuing institutions are involved.
• Issuers report fraudulent activity to Visa / MC.
• Visa / MC initiate a CPP investigation based on
  initial data collected.

6
Common Point of Purchase Communication Flow
Communication with HSBC is handled by the Global
Payments Risk Department. Communication with
Visa/MC is handled by HSBC. Global Payments will
coordinate all additional communication with ISO
and merchant.
7
Common Point of Purchase Investigation Flow

• HSBC notifies Global Payments Association
  Compliance and Risk Departments of the CPP
  investigation.
• The Risk Department provides the Relationship
  Manager with the Network Questionnaire.
• The Relationship Manager contacts the ISO and
  provides ISO with the questionnaire and ISO
  contacts the merchant.
• Once the questionnaire is completed and returned
  to the Relationship Manager, the Risk Department
  reviews the information and forwards it to HSBC
  and the associations.
• Associations will review the questionnaire,
  contact HSBC and request a conference call be
  held to discuss the information provided.
• The questionnaire states a response is required
  to Visa within 5 business days. Global Payments
  requires a response within 3 business days to
  ensure that the information can be reviewed and
  clarification can be requested if needed prior to
  submitting the response the HSBC and the
  associations.

8
CPP Conference Call

• Acquirer, V/MC, member, and merchant are required
  to be on the call. 
• Member will contact Risk to inform them of the
  date/time of the call. Risk will provide this
  information to the RM.
• RM coordinates with ISO and merchant.
• The ISO is invited by Visa and MC to join the
  call for informational purposes. 
  Questions/concerns the ISO may have should be
  directed to their RM after the call has ended.
• Visa will decide if the investigation should
  remain a CPP investigation or if an Account Data
  Compromise investigation should begin.
• The Risk department will continue to handle the
  investigation if Visa determines this is a CPP.
• If Visa determines an ADC investigation should
  occur the case is turned over to Association
  Compliance.