The Quantum Leap - Q3 2025
Welcome from our Program Sponsor
Welcome to the first edition of The Quantum Leap, your quarterly update on the Advanced Encryption Standard (AES) Migration Program.
The migration to AES will be the most significant security upgrade for Australia’s national card payments system in the last 25 years.
Each quarter, we will bring you a high-level update on the progress of the program and what’s ahead. We will also provide updates on developments in Australia and globally, and will focus on cyber security, cryptography and the impacts of classical and quantum computing.
Your suggestions for topics in future publications and feedback on our first edition are welcomed. Please feel free to contact us by email at aesmigrationprogramteam@auspaynet.com.au.
We hope you enjoy this first edition.
Riaz Hussain
Program Sponsor & Head of Security & Standards, AusPayNet
What is the Advanced Encryption Standard (AES)?
AES and the Triple Data Encryption Standard (TDES) are cryptographic algorithms that protect sensitive card payment data during transmission and storage.
TDES is currently widely used in the Australian payments system. However, advances in computing technology, including the increasing power of classical computing and quantum computing, present a material risk to the effectiveness of TDES.
Compared to TDES, AES is widely recognised as a more secure cryptographic algorithm that is resistant to the fastest, currently identified quantum algorithms. AES was specifically established by the United States National Institute of Standards and Technology (NIST) in 2001 to replace TDES, offering much greater security and efficiency.
The key differences between AES and TDES, include:
- AES involves multiple and longer key lengths (which contribute to the security strength of algorithms), all of which are more secure than TDES. Longer key lengths contribute to stronger protection.
- AES also employs a more elegant encryption process with a more complex set of operations, which makes it significantly more resistant to cryptographic attacks.
- AES is faster and more efficient than TDES, which is important for processing large volumes of payments quickly.
Adoption of AES would substantially reduce the likelihood of an attack on payments data, increasing the security and integrity of the card payments system as a whole and benefitting consumers and businesses.
AES and Government’s strategic plan for payments
In June 2023, the Australian Government released its Strategic Plan for Australia’s Payments System, setting out key priorities to support a safer, more efficient, and future-ready payments landscape.
One of the key priorities of the Plan is promoting a safe and resilient payments system that protects end-users and safeguards their ability to transact safely and securely. This includes ensuring the payments industry is well-placed to protect against cyber-attacks and requiring the industry to continually uplift system-wide security standards and practices, including encryption methods for card payments systems.
The Plan requires the Australian cards payment industry to begin migration to AES in 2025. This process necessitates the design, development, and delivery of a program to migrate our card payments system from TDES to AES cryptography standards.
AES Migration Program scope
AusPayNet is leading an industry-wide program to migrate the Australian card payments system to AES. The program is planned for completion in 2030/31, subject to any necessary regulatory approvals.
The project has a broad scope, bringing together 55 issuers, 25 acquirers, the card schemes, and almost one million payment terminals and ATMs, with the purpose of moving to a more secure and efficient card payments system.
Image: Typical card transaction flow
We are managing the program through the Issuers and Acquirers Community. This has broad representation across the industry and is the natural framework for this kind of program.
The following illustrates the program’s journey to date.
Early 2022
AusPayNet surveyed Issuers and Acquirers Community Members to understand the appetite to migrate to AES and received strong support for the migration.
September 2022 – June 2023
AusPayNet commissioned a plan of work to develop a Program Initiation Document for the AES migration, which was approved by the AusPayNet Board in mid-2023.
This document foreshadowed an 18-month initiation and mobilisation phase, which we commenced in July 2023.
July – December 2024
This phase delivered the initial versions of the foundational documents for the program, including:
- The Technical Blueprint, outlining the target state for the migration and referencing the various standards that apply across the whole card payments system.
- The Migration Strategy, articulating how we propose to undertake the migration, the principles we will adopt, how we will manage co-existence, and the framework of dates that will apply for both the sunrise of AES and the sunset of TDES.
- The Industry Test Strategy, describing the approach to be taken to testing and certification throughout the program, which is complementary to the approaches adopted by each of the card schemes.
Collectively, this work serves as a key input to card payments system participants in developing their organisations’ own migration plans.
Where are we now?
Our current phase of focus (2025) is on preparation for pilot, currently scheduled for 2026. Key deliverables from this phase include:
- An update to the Technical Blueprint to include amendments to the relevant Australian Standard, AS2805.
- A migration handbook, which will provide further guidance to participants on how to go about the migration and will be the repository of lessons learned as we proceed.
- Industry Testing Plans and the supporting tools that participants will require.
- Requirements for an information management system to enable the industry to track progress.
- An uplift in communications and change activities as the industry mobilises.
Future phases
In 2026, we will focus on the early stages of industry testing and pilot, while from January 2027 onwards, we will be dedicated to the execution and rollout of the migration.
What are we seeing around the world?
In addition to the work being undertaken in Australia, governments and payment system operators globally are taking action, driven by national infrastructure security needs and government policy.
| Jurisdiction | Status | |
 |
In the United States, the National Institute of Standards and Technology (NIST) has disallowed use of TDES for encryption of government data from 2023 onwards. | |
 |
The European Union Agency for Cybersecurity (ENISA) classified TDES as a legacy standard in 2013, recommending the use of AES. | |
 |
The UK Government’s National Cyber Security Centre report (Dec 2024) urges "all sectors to address the risks posed by quantum computing ASAP, accelerating their efforts." They have established Timelines for migration to post-quantum cryptography, calling for migration of critical systems by 2031. | |
 |
In France, Cartes Bancaires is leading the migration to AES, with the interbank network migration completed and over 80% of payment terminals AES ready. | |
 |
Migration to AES has been completed in Germany following a regulatory requirement to do so. | |
 |
The Monetary Authority of Singapore (MAS) issued an Advisory on Addressing the Cybersecurity Risks Associated with Quantum in February 2024 highlighting measures that FIs should consider as part of their quantum transition efforts. |
In October 2024, the G7 Cyber Expert Group (CEG) published its Statement on planning for the opportunities and risks of quantum computing, in which it "encourages jurisdictions to monitor developments in quantum computing, to promote collaboration among relevant public and private stakeholders, and to begin planning for the potential risks posed by quantum computing on some current encryption methods."
These are just some examples of actions being taken to address the risks associated with quantum computing. While there are differences in the approaches of each jurisdiction, the direction and motivation to act are consistent.
What are Australian regulators saying?
Domestically, policy support for the AusPayNet Program is building strongly.
- In November 2023, the Government’s Department of Home Affairs released its cyber security strategy and action plan. This strategy includes an explicit requirement and an item in its action plan to implement quantum-safe cryptographic algorithms to prepare for the potential impact of quantum computing.
- The cyber security strategy also foreshadowed that the cryptography standards would be documented in the Australian Signals Directorate’s (ASD) Information security manual. ASD already prohibits the use of TDES for long-term encryption of ‘Protected,’ ‘Secret,’ and ‘Top Secret’ level documents, therefore requiring the use of AES.
- The Reserve Bank of Australia’s (RBA) Payments System Board (PSB) considered the program in February 2024. Following that meeting, members of the PSB expressed "their strong support for industry efforts to ensure encryption standards continue to meet the high safety standards for card payments expected by the Australian public" and "encouraged industry to progress the migration with sufficient urgency to enable the transition to AES to be completed within industry’s estimated timeframe of five to seven years".
We expect government and regulator support for the program will only continue to strengthen.
FAQs
Is AES really quantum safe?
AES is considered safe from advances in both classical and quantum computing. This position is supported by the various security agencies around the world, such as ASD and NIST.
Should we jump to the next generation post-quantum standards?
Post-quantum standards have been under development for a number of years, primarily through NIST in the United States. These standards are in an early stage of development, with limited practical usage to date. Conversely, AES is well established and supported by a wide range of technology providers. This means that the upgrade to AES would be a far simpler and well understood task than adoption of whole new standards.
Do you need to upgrade ATMs given the decline in cash?
It is important to upgrade all points of access to the Card Payments System. ATMs are considered essential infrastructure, especially for rural and remote communities in Australia, regardless of their declining usage, and ongoing support for cash as a payment method is a necessity. However, the rationale for the upgrade is not related to the decline in ATM usage. The upgrade is necessary to ensure that ATM transactions remain secure and protected against potential security threats. Making ATMs more secure may include replacing or upgrading the devices that protect PIN data when an ATM machine is used, installing new devices to improve security, and updating the ATM’s software and hardware.
Will PINs and card numbers become obsolete soon? If so, why do we need to do this?
The migration to AES with Key Blocks is substantially driven by the need to enhance the security of card payments and protect sensitive information, such as cardholder data and PINs. The decline in the usage of PINs and the emergence of other technologies (e.g. digital wallets) does not change the rationale for this project, as these technologies may not be suitable for all payment scenarios.
How can we get involved if we are not members of the Issuers and Acquirers Community?
Contact AusPayNet to see if you can become a member or talk to AusPayNet Members who are participating in the program.
Contact Us
Please reach out if you would like further information or to suggest topics you would like us to explore in future newsletters at aesmigrationprogramteam@auspaynet.com.au
