Know and understand electronic funds transfer at point of sale (EFTPOS) terminals including checking of the validity of cards, the use of chip and PIN, the use of contactless cards, the use of Near Field Communication (NFC) payment, the communication

ICT Applications – Electronic Funds Transfer at Point of Sale (EFTPOS)

Learning Objectives (AO1‑AO3)

  • Explain how EFTPOS terminals work – card‑validity checks, chip‑and‑PIN, contactless and NFC payments.
  • Describe the end‑to‑end communication flow between the retailer’s system and the bank’s system.
  • Apply ICT skills to produce a receipt, a transaction database, a sales chart and a one‑page website summarising the EFTPOS process.
  • Evaluate security, health & safety and legal issues surrounding electronic payments.

1. Core ICT Knowledge Required for EFTPOS (Syllabus Sections 1‑5)

1.1 Computer Systems (Section 1)

  • CPU & Memory – Executes terminal firmware; RAM holds the active transaction, ROM stores the operating system and security keys.
  • Input devices – Magnetic‑stripe reader, EMV chip reader, NFC antenna, secure PIN pad.
  • Output devices – LCD/TFT display, thermal receipt printer, speaker (error beep).
  • Peripheral connectivity – USB, Ethernet, Wi‑Fi, Bluetooth (for mobile‑wallet pairing).

1.2 Storage (Section 2)

  • Transient RAM for the current transaction.
  • Secure flash memory holds encryption keys, PKI certificates and audit logs (PCI‑DSS requirement).
  • Daily logs are exported to the retailer’s server – typically a relational database (e.g., MySQL, SQL Server).

1.3 Networks (Section 3)

  • Local network – LAN or Wi‑Fi links the terminal to the shop’s POS server.
  • Wide‑area network – VPN or dedicated line connects the POS server to the acquiring bank’s gateway.
  • Security protocols – TLS 1.2/1.3 over TCP/IP, ISO 8583 messaging format, mutual authentication with digital certificates.
  • Network‑security add‑on – Firewalls, intrusion‑detection systems and regular vulnerability scans protect the POS LAN from malware and ransomware.

1.4 Effects of IT (Section 4)

Domain | Impact of EFTPOS
Economic | Faster checkout, reduced cash handling, lower fraud losses, new revenue from contactless‑premium services.
Social | Convenient, 24/7 payments; risk of digital exclusion for cash‑only users.
Environmental | Paper receipts vs. e‑receipts; energy consumption of data‑centres and network equipment.

2. EFTPOS Transaction Flow (Section 5 – Communication Systems)

2.1 Step‑by‑Step Process

  1. Card presentation – Chip card, magnetic stripe, or NFC device (smartphone, smartwatch).
  2. Read & basic validation – Luhn checksum, expiry date, card‑type (debit/credit) check.
  3. Authentication

    • Chip‑and‑PIN – Customer enters PIN on the secure PIN pad.
    • Contactless – If amount ≤ the contactless limit (e.g., $50) no PIN is required; otherwise the terminal falls back to chip‑and‑PIN.
    • NFC mobile wallet – Tokenised payment data is sent; the device may require biometric authorisation.

  4. Authorization request creation – Terminal builds an ISO 8583 message containing:

    • Merchant ID & Terminal ID
    • Transaction amount
    • Encrypted PAN (Primary Account Number)
    • Timestamp, STAN (System Trace Audit Number), processing code
    • Optional NFC token or cryptogram

  5. Send request – Via the shop LAN to the POS server, then over a VPN to the acquiring bank’s gateway.
  6. Acquiring bank → Card scheme – Forwards the ISO 8583 message to Visa, Mastercard, etc.
  7. Issuing bank – Decrypts PAN, checks CVV/DDA, validates funds, applies fraud rules, then returns an approval or decline code.
  8. Response path – Back through the scheme, acquiring bank, POS server to the terminal.
  9. Completion – Terminal prints receipt, updates the retailer’s sales database, and logs the transaction for end‑of‑day reconciliation.
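
Steps 2 and 3 above, as an added example (not part of the original notes). It assumes the page's example contactless limit of $50 and a four-digit MMYY expiry; the interface names and return strings are hypothetical. 4111 1111 1111 1111 is a widely used test number, not a real card.

```python
from datetime import date

CONTACTLESS_LIMIT_CENTS = 5000  # assumption: the page's example limit of $50


def luhn_valid(pan: str) -> bool:
    """Luhn check: catches mistyped or misread numbers, not stolen cards."""
    s = pan.replace(" ", "")
    if not (s.isascii() and s.isdigit() and 12 <= len(s) <= 19):
        return False
    total = 0
    for i, ch in enumerate(reversed(s)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def expired(expiry_mmyy: str, today: date) -> bool:
    """A card stays valid until the end of its expiry month."""
    month, year = int(expiry_mmyy[:2]), 2000 + int(expiry_mmyy[2:])
    return (today.year, today.month) > (year, month)


def choose_cvm(interface: str, amount_cents: int) -> str:
    """Pick the cardholder check for step 3 (interface names are hypothetical)."""
    if interface == "chip":
        return "pin"
    if interface == "contactless":
        over = amount_cents > CONTACTLESS_LIMIT_CENTS
        return "fallback_chip_pin" if over else "none"
    if interface == "nfc_wallet":
        return "device"         # the wallet applies its own biometric/passcode
    raise ValueError(f"unsupported interface: {interface}")


def pre_check(pan, expiry_mmyy, interface, amount_cents, today):
    """Run step 2, then step 3; return (accepted, reason_or_cvm)."""
    if not luhn_valid(pan):
        return False, "invalid card number"
    if expired(expiry_mmyy, today):
        return False, "card expired"
    return True, choose_cvm(interface, amount_cents)
```

The illustrative PAN 1234 5678 9012 3456 used later in these notes fails the Luhn check, so a terminal would reject it at step 2 before any message is sent to the bank.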

2.2 Simplified ISO 8583 Message (Example)

MTI: 0100 (Authorization request)

Bitmap: 12345678...

DE 2 – PAN: 1234 5678 9012 3456

DE 3 – Processing code: 000000

DE 4 – Amount: 000000001250 (USD 12.50)

DE 7 – Transmission date & time: 0911123456

DE 11 – STAN: 000123

DE 12 – Local time: 123456

DE 13 – Local date: 0911

DE 37 – Retrieval reference: 123456789012

DE 41 – Terminal ID: T001

DE 48 – Additional data (e.g., NFC token)

All sensitive fields are encrypted with end‑to‑end encryption (E2EE) before leaving the terminal.
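
How the bitmap relates to the data elements listed above, as an added example (not part of the original notes). It assumes a primary bitmap written as 16 hex digits and plain-text field values; the DE 48 value is a constructed placeholder, and the masked copy is for audit logs only, not a replacement for the encryption described above.

```python
from decimal import Decimal

# Constructed sample: the data elements from the example message above.
MESSAGE = {
    2: "1234567890123456",        # PAN (illustrative, not a real card)
    3: "000000",                  # processing code
    4: "000000001250",            # amount in minor units
    7: "0911123456",              # transmission date & time
    11: "000123",                 # STAN
    12: "123456",                 # local time
    13: "0911",                   # local date
    37: "123456789012",           # retrieval reference
    41: "T001",                   # terminal ID
    48: "<token placeholder>",    # additional data, constructed value
}


def build_bitmap(fields) -> str:
    """Primary bitmap as 16 hex digits; bit 1 is the most significant bit."""
    bits = 0
    for de in fields:
        if not 2 <= de <= 64:     # bit 1 would flag a secondary bitmap
            raise ValueError(f"DE {de} is outside the primary bitmap")
        bits |= 1 << (64 - de)
    return f"{bits:016X}"


def parse_bitmap(hex_bitmap: str) -> list:
    """List the data elements a receiver should expect, in order."""
    bits = int(hex_bitmap, 16)
    return [de for de in range(1, 65) if bits & (1 << (64 - de))]


def amount(de4: str) -> Decimal:
    """DE 4 is 12 digits of minor units (cents for USD)."""
    return Decimal(int(de4)) / 100


def log_safe(message: dict) -> dict:
    """Copy of the message with the PAN masked, suitable for audit logs."""
    safe = dict(message)
    pan = safe[2]
    safe[2] = pan[:4] + "*" * (len(pan) - 8) + pan[-4:]
    return safe
```

For the ten data elements in the example, build_bitmap(MESSAGE) gives 7238000008810000, and parse_bitmap turns that value back into the list 2, 3, 4, 7, 11, 12, 13, 37, 41, 48.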

2.3 Transaction Flow Diagram (Suggested for Classroom)

Card → Terminal → Shop POS Server → Acquiring Bank → Card Scheme → Issuing Bank → Response → Terminal → Receipt.

3. Security Measures (Section 6 – Safety, Security & Legal)

  • End‑to‑end encryption (E2EE) – Protects PAN from terminal to bank.
  • Dynamic Data Authentication (DDA) – Chip generates a unique cryptogram for each transaction.
  • Tokenisation – NFC devices transmit a one‑time token instead of the real PAN.
  • PCI‑DSS compliance – Mandatory standards for hardware, software, network and operational procedures.
  • Contactless limits & velocity checks – Reduce fraud risk on low‑value transactions.
  • Multi‑factor authentication (MFA) – Biometric or OTP verification for high‑value or overseas transactions.

4. ICT Application Areas (Section 6 of the Syllabus – Full Coverage)

Application Area | Relevance to EFTPOS
Communication Systems | Email & instant messaging for supplier orders; API calls between POS and bank gateway (SMTP, HTTP/HTTPS).
Modelling & Simulation | Spreadsheet models to forecast peak checkout times and queue lengths.
Controlled Systems | Self‑checkout kiosks that integrate barcode scanners, weight sensors and EFTPOS logic.
School Management Systems | Analogous data‑flow: student fees → payment gateway → bank, illustrating similar security requirements.
Online Booking Systems | Web‑based reservation platforms use the same payment APIs as EFTPOS.
Medical Information Systems | Secure handling of patient payments – same encryption and audit‑log standards.
Expert Systems | Rule‑based fraud‑detection engines analyse transaction patterns in real time.
Retail Management Systems | EFTPOS is the sales module that feeds inventory, CRM and accounting subsystems.
Recognition Technologies | OCR for receipt scanning; RFID/NFC for contactless cards; biometrics for high‑value authorisation.
Satellite & Positioning Systems | Remote POS terminals (e.g., on ships) use satellite links; GPS data can trigger location‑based fraud rules.

5. Systems Life‑Cycle (Section 7)

  1. Analysis – Identify need (speed, security, integration), gather stakeholder requirements.
  2. Design – Choose hardware, define data structures (ISO 8583 fields), design UI (receipt layout, PIN entry).
  3. Development – Program terminal firmware, POS middleware, and database schema.
  4. Testing – Unit tests, integration tests with bank gateway, user‑acceptance testing, security penetration testing.
  5. Implementation – Install terminals, configure network/VPN, train staff, migrate historic sales data.
  6. Documentation – User manuals, security policies, maintenance schedule, disaster‑recovery plan.
  7. Evaluation – Monitor transaction success rate, fraud incidents, customer satisfaction; propose improvements.

Class Activity

Students map each life‑cycle stage onto the EFTPOS example, noting which ICT skills (e.g., networking, database design, programming) are required at each stage.

6. Safety, Security & Legal (Sections 8‑9)

6.1 Health & Safety

  • Ergonomic placement of terminals to avoid repetitive‑strain injuries.
  • Secure mounting to prevent theft or tampering.
  • Electrical safety – use of certified power supplies, surge protectors and regular PAT testing.

6.2 Data Security

  • Strong, regularly changed passwords for POS admin accounts.
  • Mandatory firmware updates and patch management.
  • Daily audit‑log review and secure backup (encrypted off‑site).
  • Use of firewalls, IDS/IPS and anti‑malware on the POS LAN.

6.3 Legal & Copyright Issues

  • POS software must be properly licensed; unauthorised copying breaches copyright law.
  • Open‑source components (e.g., OpenSSL) must be used in accordance with their licences (Apache, GPL, etc.).
  • Compliance with data‑protection legislation (e.g., GDPR) – minimal storage of PAN, consent for e‑receipts.
  • Understanding “fair use” when quoting standards or API documentation in reports.

7. Practical ICT Skills Linked to EFTPOS (Syllabus Sections 10‑21)

10. File Management

Create a logical folder hierarchy for daily transaction logs, e.g.:

2025/12/30/transactions.csv

Use consistent naming, version control and cloud backup.

11. Images & Layout

Design a professional receipt template in a word processor:

  • Insert retailer logo (PNG, 300 dpi, < 100 KB).
  • Use a table for the itemised list, totals and tax.
  • Apply borders and shading for readability.

12. Styles & Formatting

Define reusable styles:

  • ReceiptHeader – centred, bold, 14 pt.
  • ReceiptBody – left‑aligned, 10 pt, single line spacing.

Run spell‑check and grammar tools before exporting.

13. Graphs & Charts

Using a spreadsheet, plot a bar chart of total sales per day for a week. Highlight the day with the highest number of contactless transactions (different colour).

14. Document Production (Receipt)

Produce a printable A4 receipt that includes:

  • Merchant name, address, terminal ID.
  • Item list, subtotal, tax, total.
  • Masked PAN (e.g., 1234 **** **** 3456) and approval code.
  • QR code linking to an online copy of the receipt (optional).

Export as PDF for archiving.

15. Databases

Design a simple relational table Transactions:

Field | Data Type | Key
TransID | Auto‑number | Primary
TransDateTime | Datetime |
CardPAN | Varchar(19) |
Amount | Decimal(10,2) |
AuthCode | Char(6) |
Method | Enum('Chip','Contactless','NFC') |

Create a data‑entry form and a query: “Total contactless sales for the current month”.

16. Presentations

Prepare a 5‑slide deck (PowerPoint, Google Slides or LibreOffice Impress):

  1. What is EFTPOS?
  2. Security features – chip, PIN, tokenisation.
  3. Transaction flow diagram.
  4. Benefits for retailers & customers.
  5. Future trends – biometrics, QR‑code payments.

Use a slide master, consistent fonts, and embed the bar chart from the spreadsheet.

17. Spreadsheets

Import transactions.csv and:

  • Use SUMIF to calculate total amount per payment method.
  • Apply conditional formatting to highlight declined transactions (red background).
  • Create a pivot table summarising daily totals, average transaction value and number of NFC payments.

18. Web Authoring

Students produce a one‑page HTML5 summary of the EFTPOS process.

  • Valid HTML5 structure with <header>, <nav>, <section> and <footer>.
  • External CSS stylesheet for fonts, colours, margins.
  • Include an optimised image of a terminal (< 100 KB).
  • Validate the page with the W3C validator.

19. Programming (Simple Scripting)

Write a short script (e.g., Python or JavaScript) that:

  • Reads transactions.csv.
  • Calculates the percentage of transactions that used contactless/NFC.
  • Outputs the result to the console or writes a JSON report.

The script demonstrates loops, conditional statements and file I/O.
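
One way to write this script, as an added example (not part of the original notes). The column names are assumed to match the Transactions table in section 15, the sample rows are constructed, and the check for unmasked card numbers is an extra that supports the "minimal storage of PAN" point in section 6.3.

```python
import csv
import io
import json
from decimal import Decimal

METHODS = ("Chip", "Contactless", "NFC")   # values from the Transactions table

# Constructed sample standing in for transactions.csv (illustrative PANs only).
SAMPLE_CSV = """TransDateTime,CardPAN,Amount,AuthCode,Method
2025-12-30 09:15:00,1234********3456,12.50,A1B2C3,Chip
2025-12-30 09:20:00,1234********3452,4.20,D4E5F6,Contactless
2025-12-30 13:05:00,1234********3452,30.00,G7H8I9,Contactless
2025-12-30 17:40:00,1234********3456,8.80,J1K2L3,NFC
2025-12-30 18:02:00,1234567890123456,20.00,M4N5O6,Chip
"""


def summarise(csv_file) -> dict:
    """Count and total transactions per method; flag rows holding a full PAN."""
    counts = {m: 0 for m in METHODS}
    totals = {m: Decimal("0.00") for m in METHODS}
    unmasked = []
    # The header is line 1, so the first data row is line 2.
    for line_no, row in enumerate(csv.DictReader(csv_file), start=2):
        method = row["Method"]
        if method not in counts:
            raise ValueError(f"line {line_no}: unknown Method {method!r}")
        counts[method] += 1
        totals[method] += Decimal(row["Amount"])   # Decimal avoids float drift
        if row["CardPAN"].replace(" ", "").isdigit():
            unmasked.append(line_no)               # full PAN found in the log
    n = sum(counts.values())
    tap = counts["Contactless"] + counts["NFC"]
    return {
        "transactions": n,
        "contactless_or_nfc_percent": round(100 * tap / n, 1) if n else 0.0,
        "total_by_method": {m: str(t) for m, t in totals.items()},
        "rows_with_unmasked_pan": unmasked,
    }


if __name__ == "__main__":
    # For a real file: with open("transactions.csv", newline="") as f: ...
    print(json.dumps(summarise(io.StringIO(SAMPLE_CSV)), indent=2))
```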

20. Project Management

Document the EFTPOS mini‑project using a Gantt chart (e.g., in MS Project, Google Sheets or LibreOffice). Include tasks such as “Requirement analysis”, “Hardware procurement”, “Software development”, “Testing”, “Training”. Assign realistic durations and dependencies.

21. Evaluation (AO3)

Write a 300‑word evaluation that:

  • Assesses the security strengths (chip, tokenisation) and weaknesses (social engineering, lost devices).
  • Considers health & safety (ergonomics) and legal compliance (PCI‑DSS, GDPR).
  • Suggests two improvements – e.g., implementing biometric authorisation for high‑value sales and adopting QR‑code payments for offline venues.

8. Assessment Tasks (Exam‑style)

8.1 Knowledge (AO1)

  1. Explain why chip‑and‑PIN provides greater security than magnetic‑stripe transactions.
  2. State the purpose of the Luhn algorithm in card‑validity checking.
  3. Identify two devices that can make NFC payments and give one advantage of NFC over traditional contact cards.

8.2 Practical Skills (AO2)

  1. Create a receipt template using styles and tables; export it as a PDF.
  2. Design a simple database table for EFTPOS transactions and write an SQL query that returns the total value of contactless sales for the current month.
  3. Using a spreadsheet, generate a bar chart that compares the number of chip‑and‑PIN, contactless and NFC transactions over a week.
  4. Write a short script that reads the transaction CSV file and reports the proportion of NFC payments.

8.3 Application & Evaluation (AO3)

  1. Discuss three security measures used in EFTPOS terminals and evaluate their effectiveness against common fraud scenarios.
  2. Analyse the health & safety and legal implications of deploying EFTPOS terminals in a supermarket chain.
  3. Propose two future developments for electronic payments and assess their potential impact on retailers and consumers.