Know and understand electronic funds transfer at point of sale (EFTPOS) terminals including checking of the validity of cards, the use of chip and PIN, the use of contactless cards, the use of Near Field Communication (NFC) payment, the communication
6 ICT Applications – Electronic Funds Transfer at Point of Sale (EFTPOS)
1. Introduction to EFTPOS
EFTPOS terminals allow customers to pay for goods and services directly from their bank accounts using debit or credit cards. The transaction is processed electronically and the funds are transferred in real time between the retailer’s bank and the card‑holder’s bank.
2. Key Components of an EFTPOS Transaction
Card – magnetic stripe, EMV chip, contactless (NFC) or mobile wallet.
Terminal – hardware that reads the card, captures the PIN (if required) and communicates with the retailer’s POS system.
Retailer’s computer system – records the sale, sends transaction data to the acquiring bank.
Acquiring bank – the retailer’s bank that forwards the request to the card‑issuing bank.
Issuing bank – the card‑holder’s bank that authorises or declines the transaction.
Network – secure communication channels (e.g., VisaNet, MasterCard Network) that carry the messages.
3. Checking the Validity of Cards
Before a transaction is sent for authorisation, the terminal performs several checks:
Physical inspection – card is present, not damaged, and the expiry date has not passed.
Magnetic stripe/Chip data verification – Luhn algorithm is applied to the primary account number (PAN) to detect entry errors.
Expiry date check – the terminal compares the date on the card with the current date.
Card verification value (CVV/CVC) – used for online transactions; not read by POS terminals but may be requested for contactless limits.
Card status check – the issuing bank can flag a card as blocked, stolen or exceeded credit limit; this is determined during authorisation.
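The local checks listed above (Luhn check on the PAN, expiry date check) can be sketched as follows. This is an added example, not part of the original notes; the function names and the second sample value are assumptions made for illustration, and the Track 2 layout PAN=YYMM... follows the field 35 example later on this page.

```python
from datetime import date

def luhn_ok(pan: str) -> bool:
    """Luhn check: double every second digit from the right, sum, test mod 10."""
    digits = [int(c) for c in pan]
    for i in range(len(digits) - 2, -1, -2):
        doubled = digits[i] * 2
        digits[i] = doubled - 9 if doubled > 9 else doubled
    return sum(digits) % 10 == 0

def parse_track2(track2: str) -> tuple[str, str]:
    """Split Track 2 data of the form PAN=YYMM... into (pan, yymm)."""
    pan, sep, rest = track2.strip(";?").partition("=")
    if not sep or not pan.isdecimal() or not 12 <= len(pan) <= 19:
        raise ValueError("malformed PAN in Track 2 data")
    if len(rest) < 4 or not rest[:4].isdecimal():
        raise ValueError("malformed expiry in Track 2 data")
    return pan, rest[:4]

def not_expired(yymm: str, today: date) -> bool:
    """A card stays valid until the last day of its expiry month."""
    year, month = 2000 + int(yymm[:2]), int(yymm[2:])
    return 1 <= month <= 12 and (year, month) >= (today.year, today.month)

def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, for logs and receipts."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def check_card(track2: str, today: date) -> list[str]:
    """Return the failed local checks; an empty list means send for authorisation."""
    pan, yymm = parse_track2(track2)
    failures = []
    if not luhn_ok(pan):
        failures.append("luhn")
    if not not_expired(yymm, today):
        failures.append("expired")
    return failures

PAGE_SAMPLE = "1234567890123456=2509123456789"  # Track 2 example from this page
CONSTRUCTED = "4111111111111111=2509101"         # constructed sample, test-style PAN

if __name__ == "__main__":
    for t2 in (PAGE_SAMPLE, CONSTRUCTED):
        pan, _ = parse_track2(t2)
        print(mask_pan(pan), check_card(t2, date(2025, 9, 30)) or "ok")
```

The Track 2 example used on this page is illustrative only: its PAN does not pass the Luhn check, so a terminal would reject it before any message is sent.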
4. Chip and PIN Process
The EMV (Europay, MasterCard, Visa) chip and PIN method provides a high level of security. The typical steps are:
Customer inserts the card into the chip reader.
Terminal reads the chip data and generates a unique cryptogram for the transaction.
Customer enters their PIN on the secure keypad.
Terminal encrypts the PIN using a public key supplied by the card scheme.
All data (cryptogram, encrypted PIN, transaction amount, etc.) are sent to the acquiring bank.
The acquiring bank forwards the request to the issuing bank via the payment network.
The issuing bank validates the cryptogram, decrypts the PIN, checks the account balance and returns an authorisation response (APPROVED or DECLINED).
The terminal displays the result and prints a receipt.
5. Contactless Cards (Tap‑and‑Go)
Contactless cards use the same EMV chip technology but do not require a PIN for low‑value transactions (usually up to $50–$100, depending on the region).
Customer taps the card on the terminal’s antenna.
The terminal reads the chip data via radio‑frequency (13.56 MHz).
A transaction cryptogram is generated and sent for authorisation.
If the cumulative amount of contactless purchases exceeds a set limit, the terminal will request a PIN for the next transaction.
6. Near Field Communication (NFC) Payments
NFC extends contactless technology to mobile devices (e.g., Apple Pay, Google Pay). The process is similar to contactless cards but includes additional security layers:
Device stores a tokenised version of the card number; the real PAN never leaves the device.
When the user taps the device, a one‑time dynamic security code (DSC) is generated.
The terminal receives the token and DSC, forwards them to the acquiring bank.
The issuing bank maps the token to the actual account, validates the DSC and returns an authorisation response.
7. Communication Between Supermarket Computer and Bank Computer
The data exchange follows a standardised message format (commonly ISO 8583). A simplified flow diagram is shown below.
Suggested diagram: Sequence of messages from POS → Acquirer → Network → Issuer and back, showing authorisation request, response, and settlement.
7.1 Message Structure (ISO 8583)
| Field | Name | Content (example) |
|---|---|---|
| 0 | Message Type Indicator (MTI) | 0100 – Authorisation request |
| 2 | Primary Account Number (PAN) | 1234 5678 9012 3456 |
| 3 | Processing Code | 000000 – Purchase |
| 4 | Transaction Amount | 000000001000 – $10.00 |
| 7 | Transmission Date & Time | 1122101530 – 22 Nov 10:15:30 |
| 11 | System Trace Audit Number | 123456 – Unique per transaction |
| 14 | Expiration Date | 2509 – Sep 2025 |
| 35 | Track 2 Data | 1234567890123456=2509123456789 |
| 48 | Additional Data – Chip Cryptogram | Encrypted data string |
| 52 | PIN Data | Encrypted PIN block |
| 70 | Network Management Information Code | 001 – Request for authorisation |
7.2 Security Measures
End‑to‑end encryption (E2EE) of all sensitive fields.
Use of TLS/SSL for the network link between the retailer’s gateway and the acquiring bank.
Tokenisation for NFC and mobile wallet transactions.
PCI‑DSS compliance for all entities handling card data.
8. Summary Comparison
| Feature | Chip & PIN | Contactless Card | NFC Mobile Wallet |
|---|---|---|---|
| Security level | High – dynamic cryptogram + PIN | Medium – dynamic cryptogram, no PIN for low value | High – tokenisation + DSC |
| Typical transaction limit | No limit (subject to bank rules) | $50 – $100 (varies by country) | Same as contactless, often configurable |
| Customer interaction | Insert card, enter PIN | Tap card, no PIN | Tap device, may use biometric/passcode for device unlock |
| Hardware required | Chip reader with keypad | Contactless antenna | Contactless antenna + NFC‑enabled device |
| Data stored on card/device | Encrypted PAN, expiry, cryptogram | Same as chip card | Token, DSC, device‑specific keys |
9. Key Points to Remember
Validity checks prevent obvious errors before the transaction reaches the bank.
Chip and PIN provide the strongest protection for in‑store purchases.
Contactless is convenient for low‑value sales but still uses dynamic cryptograms.
NFC payments add an extra layer of security through tokenisation.
All communication follows ISO 8583 messages, is encrypted, and must comply with PCI‑DSS.