When multiple cardholders at your institution start reporting fraud, one of the first questions your fraud team should ask is: where did these cards all shop recently? The answer to that question is, in essence, a Common Point of Purchase.

CPP analysis is one of the oldest and most reliable tools in fraud investigation. But in an environment where fraud moves fast, and organized fraud rings are deliberately designed to evade detection, understanding what a CPP is and how to act on it has never been more important.

What Is a Common Point of Purchase?

A Common Point of Purchase (CPP) is a merchant, or set of merchants, where a statistically significant number of compromised payment cards were used before fraudulent activity appeared on those cards. When fraud analysts observe a cluster of fraud claims across cardholders who don’t share any obvious connection, they look for the common thread in recent transaction history. If a disproportionate number of those cards were all used at the same merchant within a given time frame, that merchant is flagged as the likely CPP.

The CPP concept is foundational to fraud management at financial institutions, card networks, and payment processors alike. It’s the mechanism through which a merchant data breach gets identified, investigated, and communicated to affected parties. Card networks such as Visa and Mastercard have formal CPP programs to facilitate this process.

In practical terms, a CPP is not necessarily proof that a breached merchant caused the fraud. It is a signal that warrants further fraud investigation.

How CPP Analysis Fuels Fraud Detection

CPP analysis works by correlating fraud reports across cardholders and mapping those cards’ recent transaction histories to find overlapping merchants. The more compromised cards that share a common merchant in their history, the stronger the signal that the merchant represents.

This analysis is useful for several reasons, including:

1. It identifies the source, alongside the symptom. Standard fraud detection flags individual suspicious transactions. CPP analysis goes upstream. It helps identify where card data was stolen before fraudulent transactions even begin. That distinction matters for protecting cards that haven’t yet been used fraudulently.
2. It enables proactive card reissuance. Once a CPP is identified, institutions can run their full card portfolio against that merchant’s transaction history. Cards that transacted at the compromised merchant but haven’t yet been used fraudulently can be proactively reissued or flagged for better monitoring. This is one of the most impactful forms of fraud prevention available to fraud teams.
3. It narrows the window of exposure. By pinpointing approximately when the compromise at the merchant occurred, fraud teams can bound the population of at-risk cards and focus resources accordingly.

The Challenge: Most CPPs Go Undetected for Too Long

The hard truth about CPP analysis is that it is only as fast as the data feeding it. Traditional CPP identification relies on fraud reports clustering enough at a single institution to trigger a statistical threshold. That takes time. And time is exactly what fraudsters exploit.

Compromised card data is bought and sold on dark web marketplaces within days of a breach. By the time a CPP becomes statistically visible in a single institution’s fraud reporting, weeks of fraudulent activity may have already accumulated at your institution, and across hundreds of others simultaneously.

This is why static fraud rules alone are insufficient for modern fraud threats. Organized fraud rings deliberately spread their activity across dozens or hundreds of financial institutions at once, keeping volumes low enough at each institution to avoid triggering individual thresholds. What looks like isolated fraud internally may be part of a coordinated attack at scale, and no single institution’s data can surface that pattern on its own.

Why Consortium Data Changes the CPP Picture

The limitations of single-institution CPP analysis are precisely why consortium-level data is so valuable for fraud detection.

When fraud intelligence is aggregated across thousands of financial institutions, patterns that would take weeks to emerge at a single institution become visible in hours or days. A merchant compromise that generates only a handful of fraud reports at your credit union may be generating dozens across the network. Consortium data connects those dots in near real time.

With consortium-level models, compromised merchants are flagged within hours or days. Your institution doesn't have to absorb fraud losses first before the signal becomes visible.

This also addresses the blind spot posed by high-risk merchant categories. As Rippleshot’s Fraud Intelligence Reports have consistently shown, a large number of the merchants our models identify as high-risk do not appear in the internal reporting data that institutions use to write their own rules. By the time a compromised CPP shows up clearly in your fraud reports, the damage is already done.

What Good CPP-Driven Fraud Management Looks Like

Institutions that get the most out of CPP analysis share a few common practices:

• They don’t wait for a formal network alert. By the time a formal CPP communication arrives, significant fraud exposure has usually already accumulated. Effective fraud management means continuously running internal and consortium-level correlation analysis to surface potential CPPs before they’re formally confirmed.
• They pair CPP signals with card-level risk scoring. Identifying a compromised merchant is only part of the picture. Knowing which cards transacted at a compromised merchant helps you focus action on the highest-risk ones without disrupting cardholders who don’t need to be touched. Rippleshot’s Sonar platform combines merchant compromise signals with card-level risk scoring to prioritize exactly this kind of response.
• They use CPP data to improve future rules. Every confirmed CPP teaches you something: which merchant categories, geographies, and transaction patterns tend to precede a compromise. That intelligence should feed back into your fraud detection rules so future fraud is harder to pull off.
• They monitor the right metrics. CPP frequency, time-to-detection, and the gap between compromise date and first fraud report are all meaningful risk management metrics. Tracking them over time shows whether your fraud detection capabilities are improving or falling behind the threat environment.

The Bottom Line

A Common Point of Purchase is a window into where card fraud originates. Used proactively, CPP analysis is one of the most powerful tools available for fraud prevention: it identifies compromised merchants before fraud fully materializes, enables targeted card-level intervention, and supports both operational fraud management and internal compliance requirements. Financial institutions that use CPP analysis are able to consistently reduce fraud and prevent spikes from large data breaches, and minimize cardholder disruptions.  

But CPP analysis is only as effective as the data behind it. Single-institution analysis is too slow for today’s fraud environment. Consortium-level intelligence aggregated across thousands of institutions and millions of daily transactions is what closes the gap between when a compromise happens and when your institution knows about it.

If your fraud team is still relying on fraud reports to surface CPPs reactively, you're seeing the threat several weeks too late. Schedule a demo with Rippleshot to see how our consortium data and AI-powered fraud detection can surface merchant compromises before they become cardholder crises.

‍