2. Defining Common Point of Purchase. Visa defines a Common Point of Purchase (CPP) as determined when members identify a subset of accounts with legitimate cardholder usage, containing a single common merchant identifier prior to fraudulent activity and not associated with a previously reported data compromise event..
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
1. 1 Understanding Common Point of Purchase Investigations
2. 2 Defining Common Point of Purchase Visa defines a Common Point of Purchase (CPP) as determined when members identify a subset of accounts with legitimate cardholder usage, containing a single common merchant identifier prior to fraudulent activity and not associated with a previously reported data compromise event.
3. 3 Defining Common Point of Purchase MasterCard’s CPP program identifies merchant locations at which MasterCard account data may have been compromised and used to effect fraudulent transactions at other points of interaction.
Issuers may request that MasterCard initiate an investigation of a merchant for possible CPP activity at any time.
Acquirers have five business days to acknowledge a request from MasterCard for a CPP investigation.
Acquirers have 15 calendar days to complete the investigation for MasterCard.
4. 4 MasterCard CPP Criteria To place an investigation request, the issuer must identify and list at least three genuine transactions (at least one of which must be a MasterCard transaction) involving three different account numbers that were each used at a specific merchant and used for fraudulent activity thereafter.
The three or more transactions all must have occurred within a 90-calendar day period, and the oldest transaction must have occurred within a 180 calendar day period of the CPP investigation request.
5. 5 Cardholders A, B, C, and D experience fraudulent transactions on their accounts after all having made a legitimate purchase at ABC Merchant.
2 or more issuing institutions are involved.
Issuers report fraudulent activity to Visa / MC.
Visa / MC initiate a CPP investigation based on initial data collected. Common Point of Purchase- Example -
6. 6 Common Point of Purchase Communication Flow
7. 7 Common Point of Purchase Investigation Flow HSBC notifies Global Payments Association Compliance and Risk Departments of the CPP investigation.
The Risk Department provides the Relationship Manager with the Network Questionnaire.
The Relationship Manager contacts the ISO and provides ISO with the questionnaire and ISO contacts the merchant.
Once the questionnaire is completed and returned to the Relationship Manager, the Risk Department reviews the information and forwards it to HSBC and the associations.
Associations will review the questionnaire, contact HSBC and request a conference call be held to discuss the information provided.
The questionnaire states a response is required to Visa within 5 business days. Global Payments requires a response within 3 business days to ensure that the information can be reviewed and clarification can be requested if needed prior to submitting the response the HSBC and the associations.
8. 8 CPP Conference Call Acquirer, V/MC, member, and merchant are required to be on the call.
Member will contact Risk to inform them of the date/time of the call. Risk will provide this information to the RM.
RM coordinates with ISO and merchant.
The ISO is invited by Visa and MC to join the call for informational purposes. Questions/concerns the ISO may have should be directed to their RM after the call has ended.
Visa will decide if the investigation should remain a CPP investigation or if an Account Data Compromise investigation should begin.
The Risk department will continue to handle the investigation if Visa determines this is a CPP.
If Visa determines an ADC investigation should occur the case is turned over to Association Compliance.